Menu
What's new
By:
Filters Better Search

AdGuardHome Pixelserv-tls Your AdGuardHome

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

chongnt said:
I suspect I could not trust the certificate in my iphone. I try to change the day from 3650 to 365 but still see TLS handshake errors.

slu22# of dropped HTTPS requests (other TLS handshake errors)

About upcoming limits on trusted certificates - Apple Support

In our ongoing efforts to improve web security for our users, Apple is reducing the maximum allowed lifetimes of TLS server certificates.
support.apple.com support.apple.com

Requirements for trusted certificates in iOS 13 and macOS 10.15 - Apple Support

Learn about new security requirements for TLS server certificates in iOS 13 and macOS 10.15.
support.apple.com support.apple.com

Referring to https://github.com/kvic-z/pixelserv...ificate#import-pixelserv-ca-on-client-devices, I do not have the option to turn on trust for Pixelserv CA.
Click to expand...

Some highlighted facts:
"This change will not affect certificates issued from user-added or administrator-added Root CAs."

Also the slu errors could be coming from any device without a properly configured certificate as it is an indication of a connection refusal. Pixelserv tls will still behave in the same manner as 0.0.0.0 for these types of connection shuts.
 
Last edited:
From my testing, it appears I do get more ads blocked on mobile devices with the inclusion of pixelserv-tls. I havent had a chance yet to play with my apple mobile products, but for my Android it appears better.
 
SomeWhereOverTheRainBow said:
Some highlighted facts:
"This change will not affect certificates issued from user-added or administrator-added Root CAs."

Also the slu errors could be coming from any device without a properly configured certificate as it is an indication of a connection refusal. Pixelserv tls will still behave in the same manner as 0.0.0.0 for these types of connection shuts.
Click to expand...
I see. Probably it is working. I don't see the difference, not sure what to expect.
 
chongnt said:
I see. Probably it is working. I don't see the difference, not sure what to expect.
Click to expand...
Well for me, on Android, I don't see ads being served on some of the apps that I normally do on just regular adguardhome. I don't know if it is because they have access to using the devices certificate store. Maybe. The only other difference I noticed is some of the query response times for AA which goes to pixelserv tls were noticeable (negligible) quicker. The overall question of added value would be, does it benefit the user to take on this approach.
 
rlw6534 said:
Playing around with this today. Is it best to trust the certificate on clients (for best performance) or does it not matter at all?
Click to expand...
For the best performance benefits the answer to your question is yes, otherwise it will behave similar to the default 0.0.0.0 response. The overall intentions being that if a certificate is stored for a domain previously blocked, then the ad will be served quicker than just a 0.0.0.0 response.
 
SomeWhereOverTheRainBow said:
For the best performance benefits the answer to your question is yes, otherwise it will behave similar to the default 0.0.0.0 response. The overall intentions being that if a certificate is stored for a domain previously blocked, then the ad will be served quicker than just a 0.0.0.0 response.
Click to expand...

Thanks! I have not seen any certificate/trust errors while browsing (as with Diversion), so I was a bit confused. Actually, I still am TBH... Easy enough to trust the cert, though...
 
F
rlw6534 said:
Playing around with this today. Is it best to trust the certificate on clients (for best performance) or does it not matter at all?
Click to expand...
From a performance stand point, one of the biggest user complaints I have seen about incorporation of pixelserv-tls is that it may actually block too much. This could be benefitial if users realize there are certain sites or ads not being blocked by adguardhome, but I am not sure all of it requires testing and verification.
 
I'm not sure Pixelserv-tls is working correctly for me. I have imported and trusted the cert and even rebooted the router and my MacBook. With Diversion "slh" normally increments with browsing. Are you seeing the same?

slh0# of accepted HTTPS requests
slm6# of rejected HTTPS requests (missing certificate)
sle0# of rejected HTTPS requests (certificate available but not usable)
slc0# of dropped HTTPS requests (client disconnect without sending any request)
slu250# of dropped HTTPS requests (other TLS handshake errors)
 
rlw6534 said:
I'm not sure Pixelserv-tls is working correctly for me. I have imported and trusted the cert and even rebooted the router and my MacBook. With Diversion "slh" normally increments with browsing. Are you seeing the same?

slh0# of accepted HTTPS requests
slm6# of rejected HTTPS requests (missing certificate)
sle0# of rejected HTTPS requests (certificate available but not usable)
slc0# of dropped HTTPS requests (client disconnect without sending any request)
slu250# of dropped HTTPS requests (other TLS handshake errors)
Click to expand...
I will have to take a look at my stats serv when I get home. There may be some quirks that have to be remedied for Apple devices.
 
rlw6534 said:
OK. The only glitch I had was the cert creation. I had to use the alternate method you provided.
Click to expand...
Alternatively, users can install diversion which may make the cert differently, which I have not yet confirmed or denied. Pointing adguardhome at pixelservtls would be done the same way.
 
rlw6534 said:
Yes, it seems to work if I install Diversion and copy the certs, uninstall Diversion, reinstall pixelserv-tls and restore the certs generated by Diversion.
Click to expand...
I figured it out, you have to use entwares openssl to generate the key. You remember that error, it is created from using the router stock openssl.
 
chongnt said:
I suspect I could not trust the certificate in my iphone. I try to change the day from 3650 to 365 but still see TLS handshake errors.

slu22# of dropped HTTPS requests (other TLS handshake errors)

About upcoming limits on trusted certificates - Apple Support

In our ongoing efforts to improve web security for our users, Apple is reducing the maximum allowed lifetimes of TLS server certificates.
support.apple.com support.apple.com

Requirements for trusted certificates in iOS 13 and macOS 10.15 - Apple Support

Learn about new security requirements for TLS server certificates in iOS 13 and macOS 10.15.
support.apple.com support.apple.com

Referring to https://github.com/kvic-z/pixelserv...ificate#import-pixelserv-ca-on-client-devices, I do not have the option to turn on trust for Pixelserv CA.
Click to expand...
I had to update the installation instructions if you redo the procedures for generating the certificate, it may fix this issue.

But first do

opkg install openssl-util
 
Last edited:
SomeWhereOverTheRainBow said:
I had to update the installation instructions if you redo the procedures for generating the certificate, it may fix this issue.

But first do

opkg install openssl-util
Click to expand...
IIRC, when ca.crt is re-generated, the existing generated files in cache/pixelserv needs to be removed as well. So that would mean for a redo,
1. stop pixelserv
2. remove all files in cache/pixelserv
3. re-generate ca.crt
4. start pixelserv
 
SomeWhereOverTheRainBow said:
F
From a performance stand point, one of the biggest user complaints I have seen about incorporation of pixelserv-tls is that it may actually block too much. This could be benefitial if users realize there are certain sites or ads not being blocked by adguardhome, but I am not sure all of it requires testing and verification.
Click to expand...
What I am doing so far is not to install ca.crt to any of the devices; it was something that I sort of "dreaded" in having to repeat for all the devices. Some devices, especially smart TV does not support installation of the certificate anyway.

In terms of browsing experience, have not noticed any significant differences. As for performance, this would be hard to quantify as it requires extensive testing and monitoring to a certain extent.

As an alternative, I'm just checking on the "Average processing time" stats in AGH and also "tav" and "tmx" in pixelserv servstats. This would likely be not 100% accurate
 
You must log in or register to reply here.

Similar threads

johndoe85
Tutorial How to install Wireproxy on your Asus-Merlin Router
Replies
0
Views
1K
johndoe85
johndoe85
JA93
Tutorial **Tailscale On Merlin**
5 6 7
Replies
127
Views
15K
jksmurf
J
Demontager
Entware rc.func not found
Replies
9
Views
2K
ColinTaylor
C
S
Tutorial Installing Caddy reverse proxy
Replies
5
Views
2K
spindrift
S
bbeny123
Tutorial Debian 12 Bookworm + Plex Media Server (Asus RT-AX86S)
2
Replies
22
Views
7K
Rexawl
Rexawl
Similar threads
Thread starter Title Forum Replies Date
C Diversion Pixelserv replacement Asuswrt-Merlin AddOns 2
D freeradius3 : (TLS) Failed loading legacy provider Asuswrt-Merlin AddOns 2
M AdGuardHome IPTables blocking TLS port 853 from other hosts Asuswrt-Merlin AddOns 3
J AdGuardHome AdGuardHome stops working after every router reboot - have to un-/reinstall it every time Asuswrt-Merlin AddOns 0
G AdGuardHome AdguardHome install issue Asuswrt-Merlin AddOns 26
Bogey AdGuardHome AdguardHome errors: dnsproxy timeouts? Asuswrt-Merlin AddOns 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 828 (members: 19, guests: 809)
Top