Menu
What's new
By:
Filters Better Search

pixelserv pixelserv - A Better One-pixel Webserver for Adblock

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Jack Yaz said:
opkg update
opkg upgrade
Click to expand...
NO! This can screw up stuff, like syslog-ng. Better to update, then upgrade only the components you intend to upgrade.
 
elorimer said:
Installed the arm7 binary to my 87U, used diversion to purge the certificates and restart pixelserv (separate steps). Seems to be working fine.

I did NOT regenerate ca.crt and key so I didn't have to reimport those. Only one iOS device, in the hands of the the Spouse, who will not permit touching of the Device, so I don't know if she has upgraded to 13.
Click to expand...

i think the issue with ios 13 are the 2048 bit and 2 year only cert requirement. if not u will see a lot of the # of dropped HTTPS requests (other TLS handshake errors) on that iOS 13
 
DonnyJohnny said:
i think the issue with ios 13 are the 2048 bit and 2 year only cert requirement.
Click to expand...
Ah, the penny drops. Unless ca.crt is regenerated the resulting certificates will all be rejected. Thanks.
 
elorimer said:
Installed the arm7 binary to my 87U, used diversion to purge the certificates and restart pixelserv (separate steps). Seems to be working fine.

I did NOT regenerate ca.crt and key so I didn't have to reimport those. Only one iOS device, in the hands of the the Spouse, who will not permit touching of the Device, so I don't know if she has upgraded to 13.
Click to expand...
elorimer said:
Ah, the penny drops. Unless ca.crt is regenerated the resulting certificates will all be rejected. Thanks.
Click to expand...
iOS 13 is not released until 19 Sep., next week. The iOS 13 beta has to be intentionally installed for now. I did it on my new iPad to see it, that is just a casual device, not critical functions. I did load iOS 13 beta on my iPhone and reverted quickly when a needed medical app ceased to function (the only reason now use an iPhone).
 
elorimer said:
NO! This can screw up stuff, like syslog-ng. Better to update, then upgrade only the components you intend to upgrade.
Click to expand...
It really doesn't. opkg will create a -pkg version of any conf files so as to explicitly not affect any of your running applications. Or should, anyway

amtm uses similar code. The main issue is pixelserv, but Diversion can self-heal iirc
Code: 
    # ep Entware packages menu
    if [ -f /opt/bin/opkg ]; then
        upd=" "
        printf "${GREEN_BG} ep${NC} %-9s%s\\n" "update" "Entware packages"
        case_ep(){
            print_end_line
            echo " This updates and upgrades Entware packages"
            if [ -f /opt/bin/diversion ]; then
                echo
                echo " Note: Diversion is installed on this router."
                echo " It's recommended to update Entware packages"
                echo " in Diversion using the ${RED_BG} ep ${NC} option."
                echo " Especially so when pixelserv-tls is installed."
            fi
            if [ -f /jffs/scripts/install_stubby.sh ] && [ -f /opt/etc/stubby/stubby.yml ]; then
                echo
                echo " Note: Stubby DNS Privacy Daemon is installed"
                echo " on this router."
                echo " It's recommended to update Entware packages"
                echo " selectively through the Stubby DNS menu to"
                echo " prevent overwriting configuration files."
            fi
            continue_dialog
            opkg update
            opkg upgrade
            show_amtm " Entware packages updated and upgraded"

Besides, as long as you're taking regular backups (which you should be as a responsible admin), you have a rollback path :)
 
Last edited:
BINGO! got my padlock!

I was not watching the URL since Apple hides the url details by default, showing only site name. Just had to use https://router.asus.com:8443/ and then tell it I really, really, really did want to visit this page and trust it. Now I have the secure site padlock on all three devices and have imported the new cert in all four iThing devices. :D :mad: This is a love / hate thing for me.
 
Butterfly Bones said:
BINGO! got my padlock!

I was not watching the URL since Apple hides the url details by default, showing only site name. Just had to use https://router.asus.com:8443/ and then tell it I really, really, really did want to visit this page and trust it. Now I have the secure site padlock on all three devices and have imported the new cert in all four iThing devices. :D :mad: This is a love / hate thing for me.
Click to expand...

That's not the correct approach, if you generate the correct Root CA and have it imported in the device you won't need to do any of this and iOS/macOS will automatically accept the certificate.

Force trusting the certificate is useless because you'll need to do that for every domain you have in your blocklist otherwise the handshake will fail.
 
Jack Yaz said:
I've just uploaded the ipks here: https://github.com/jackyaz/pixelserv-tls/releases/tag/2.3.0

Download the ipk, then place on your router using WinSCP or similar. Next run opkg install, e.g.
Code: 
opkg install /jffs/pixelserv-tls_2.3.0-1_aarch64-3.10.ipk
Click to expand...

DonnyJohnny said:
can just use this?
Code: 
cd /opt/var/cache/pixelserv
openssl genrsa -out ca.key 2048
openssl req -key ca.key -new -x509 -days 720 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"
Click to expand...

Butterfly Bones said:
I dl'ed and installed the ipk (aarch64 - AC86U) with no issues, generated new crt and key as DonnyJohnny shows above, and imported it into my iPhone (replaced old Pixelserv CA cert), iPad (running iPadOS 13.1 beta) and MacBook Air.

I added the new Pixelserv CA cert to my AC86U using the script from @kvic in this post #1352, and all seems well. I see no errors in the iPad with iOS 13.1 beta or the iPhone on 12.4.1 or MacBook Air (stable Catalina).
Click to expand...


Installed Jack's pixelserv-tls_2.3.0-1_armv7-2.6.ipk on my AC5300 and its all working smoothly.

Thank you Jack for working on pixleserv and updating it for what we needed.

And thank you Jack, DonnyJohnny, and Butterfly Bones for the various steps to make it super easy.
 
So how do you tell if pixelserv-tls_2.3.0-1 is installed? Does this version display on the Diversion menu?
 
Marin said:
So how do you tell if pixelserv-tls_2.3.0-1 is installed? Does this version display on the Diversion menu?
Click to expand...
In an SSH terminal:
Code: 
opkg list-installed | grep pixelserv

Yes
 
Butterfly Bones said:
In an SSH terminal:
Code: 
opkg list-installed | grep pixelserv

Yes
Click to expand...

My Diversion shows:

upload_2019-9-14_17-33-23.png


Whereas this shows:

Code: 
@RT-AX88U-40E0:/tmp/home/root# opkg list-installed | grep pixelserv
pixelserv-tls - 2.3.0-1

and this shows:

upload_2019-9-14_17-35-46.png


I purged all the other certs and restarted PS

Anything I am doing wrong?
 
SomeWhereOverTheRainBow said:
can you update to this with inside diversion using the update pixelserv option?
Click to expand...
I think Diversion looks at the Entware repository. These newly compiled ink version are not in that repository. Jack Yaz posted instructions in his link.
 
@Marin, it is working fine, it shows the same for me. The -1 doesn’t matter.

I just updated pixelserv folowing the posted instructions.
I was getting an error that I had a newer version installed and I had to use --force-downgrade to make it work. I also had to use opkg update / upgrade libopenssl to get 1.1.1.
Then I generated the new CA, purged the certificates and imported the CA on my iOS13 devices and it works perfectly. Thanks everyone who contributed to this.
 
Last edited:
Marin said:
My Diversion shows:

View attachment 19322

Whereas this shows:

Code: 
@RT-AX88U-40E0:/tmp/home/root# opkg list-installed | grep pixelserv
pixelserv-tls - 2.3.0-1

and this shows:

View attachment 19323

I purged all the other certs and restarted PS

Anything I am doing wrong?
Click to expand...
I am seeing the same compile date in servstats page of May 25, so whatever is wrong, me too.
 
You must log in or register to reply here.

Similar threads

MegaMango
dnsmasq-surrogate for RT-BE88U: Ad Blocking & Security Enhancement
Replies
2
Views
574
MegaMango
MegaMango
L
pixelserv SOLVED - Is PixelServ WebGui script trustworthy at the moment? Redirects to strange website...
Replies
10
Views
4K
gspannu
gspannu
thelonelycoder
Diversion Need help with selecting new set of filter lists / block lists for Diversion 5.0
2
Replies
21
Views
4K
thelonelycoder
thelonelycoder
blacksheep
pixelserv Does "How to best run Pixelserv tls on asuswrt" still apply?
Replies
3
Views
3K
elorimer
E
garycnew
Entware [SOLUTION] Cross-Compile PixelServ-TLS 2.4 Entware Package via Debian Live DVD
Replies
13
Views
3K
garycnew
garycnew
Similar threads
Thread starter Title Forum Replies Date
C Diversion Pixelserv replacement Asuswrt-Merlin AddOns 2
L Is Diversion better than NextDNS, PiHole or AdGuard Home? Asuswrt-Merlin AddOns 10

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 702 (members: 33, guests: 669)
Top