AdGuardHome Pixelserv-tls Your AdGuardHome

SomeWhereOverTheRainBow

-Prerequisites-

Install AdGuardHome using this installer:


-Instructions-

Install Pixelserv-tls

Code:
opkg install pixelserv-tls openssl-util

Modify /opt/etc/init.d/S80pixelserv-tls:

Code:
nano /opt/etc/init.d/S80pixelserv-tls

Code:
#!/bin/sh
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=pixelserv-tls
ARGS="192.168.1.4"
PREARGS=""
PRECMD="ulimit -s 64"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ifconfig br0:pixelserv $ARGS up && logger -t $(basename $0) "br0:pixelserv $ARGS created."
. /opt/etc/init.d/rc.func

# The 192.168.1.4 can be any unused address you have reserved outside your DHCP range. If you want 192.168.1.2, you would set your DHCP range to start at 192.168.1.3 instead of 192.168.1.2. (In my guide mine started at 192.168.1.20, which made 192.168.1.4 perfect to use.)

Next make the Pixelserv-tls cache:

Code:
mkdir -p /opt/var/cache/pixelserv
cd /opt/var/cache/pixelserv
/opt/bin/openssl genrsa -out ca.key 2048
/opt/bin/openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"
chown -R nobody /opt/var/cache/pixelserv

Start Pixelserv-tls for the first time:

Code:
/opt/etc/init.d/S80pixelserv-tls start

The last step is done in the AdGuardHome DNS settings page:

Set a custom IP for blocking. Put pixelserv's IP in for AA responses, and use :: (or an IPv4 address mapped to IPv6) for IPv6 (AAAA).

Settings > DNS Settings > DNS Server Configuration > Blocking mode

1645680925716.png
 
IIRC, the generated ca.crt needs to be downloaded and installed into each of the device(s)

To download the ca.crt, think it can be done by visiting http://<pixelserv ip>/ca.crt

Still weighing the "real" advantage of using pixelserv because of the hassle in having to get ca.crt to be installed into each individual device

Assume the last step in setting up AGH is under Settings > DNS Settings > DNS Server Configuration > Blocking mode
 
The only performance advantage seen so far is negligible page load timing, and the ca.crt does not actually have to be placed on every client. It is only required for the true added page load advantages. AdGuardHome still works the same regardless. I have been monitoring query times to see if there are any true added benefits. The pixelserv-tls cache store has an autofetch policy for blocked domains, which should in theory increase the speed of their handling.

That is why I am only offering up a Guide for users who wish to try it out.
 
Assume the last step in setting up AGH is under Settings > DNS Settings > DNS Server Configuration > Blocking mode
Correct. Normally AGH uses 0.0.0.0 and ::. This will change the 0.0.0.0 to pixelserv-tls, which may in turn add an advantage to serving ads quicker.

Proof is in the pudding:

Code:
/entware/var/cache/pixelserv# ls /opt/var/cache/pixelserv
_.adnxs.com                _.crashlytics.com          _.global.ssl.fastly.net    _.gos-gsp.io               _.nel.cloudflare.com       _.rudderlabs.com           app-measurement.com
_.amazon.com               _.g.doubleclick.net        _.google-analytics.com     _.gvt2.com                 _.optimizely.com           _.samsungnyc.com           ca.crt
_.branch.io                _.gcp.gvt2.com             _.googleapis.com           _.logs.roku.com            _.push.samsungosp.com      _.sendpulse.com            ca.key
_.cloudflareinsights.com   _.github.com               _.googlesyndication.com    _.mgid.com                 _.pushmessage.samsung.com  _.telemetry.mozilla.org    prefetch
 
Following through the guide, encountered this error in generating ca.crt

Code:
Error Loading extension section v3_ca
4145405952:error:22097069:lib(34):func(151):reason(105):NA:0:name=subjectAltName,section=@alt_names
4145405952:error:22098080:lib(34):func(152):reason(128):NA:0:name=subjectAltName, value=@alt_names
 
Here was my terminal output:

Code:
RT-AX88U-C7C0:/tmp/home/root# mkdir -p /opt/var/cache/pixelserv
RT-AX88U-C7C0:/tmp/home/root# cd /opt/var/cache/pixelserv
RT-AX88U-C7C0:/tmp/mnt/My_Part/entware/var/cache/pixelserv# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................+++++
...........+++++
e is 65537 (0x010001)
RT-AX88U-C7C0:/tmp/mnt/My_Part/entware/var/cache/pixelserv# openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"
RT-AX88U-C7C0:/tmp/mnt/My_Part/entware/var/cache/pixelserv# chown -R nobody /opt/var/cache/pixelserv
 
Here's two blocks on my list

1645677467916.png


One for AA which uses pixelserv-tls

one for AAAA which uses ::

AA :

1645677523271.png



AAAA:

1645677558959.png


I don't honestly know if this shows that Pixelserv-TLS is faster, but it is interesting to look at.
 
My output as follows,
Code:
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.+++++
...................................+++++
e is 65537 (0x010001)
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv#
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv#
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv# openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"
Error Loading extension section v3_ca
4145405952:error:22097069:lib(34):func(151):reason(105):NA:0:name=subjectAltName,section=@alt_names
4145405952:error:22098080:lib(34):func(152):reason(128):NA:0:name=subjectAltName, value=@alt_names
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv#
 
Try

Code:
openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions usr_cert -out ca.crt -subj "/CN=Pixelserv CA"

As the last line instead of the one that caused the error.
 
Try

Code:
openssl req -new -x509 -nodes -extensions usr_cert -days 3650 -key ca.key -out ca.crt -subj "/CN=Pixelserv CA"

As the last line instead of the one that caused the error.
Throws a different error
Code:
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv# openssl req -new -x509 -nodes -extensions usr_cert -days 3650 -key ca.key -out ca.crt -subj "/CN=Pixelserv CA"
Can't load /root/.rnd into RNG
4151664640:error:2406F079:lib(36):func(111):reason(121):NA:0:Filename=/root/.rnd
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv#
 
Honestly, I am not quite sure what is causing the issue for you. It may have something to do with how the libraries are linked with openssl on your particular router model. I am even able to generate this on an RT-AC68U, so I am not sure what is causing the issue. I wonder if @thelonelycoder may be able to indicate the error in my suggestions.
 
This method of generating ca.crt works for me.

My router is RT-AC86U; not sure if that makes any difference
So you are not the only user I have encountered who had to make that adjustment, but I am glad it worked this time.

I added the changes to the main guide for users that run into the same error.
 
Previously I was using diversion + pixelserv-tls and it had no issue with the generation.

Perhaps like you have mentioned, @thelonelycoder can share insights on how he handled the generation
 
Let me know if you experience any advantages. So far my visual result benefits have been minimal, but query logs show otherwise on some instances of response times.

Additionally adblocking on my mobile devices appears to be better.
 
I suspect I could not trust the certificate on my iPhone. I tried to change the days from 3650 to 365 but still see TLS handshake errors.

slu  22  # of dropped HTTPS requests (other TLS handshake errors)


Referring to https://github.com/kvic-z/pixelserv...ificate#import-pixelserv-ca-on-client-devices, I do not have the option to turn on trust for Pixelserv CA.
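
A check for the certificate-generation step this thread keeps returning to, as an added example (not code from any poster or from the pixelserv-tls project): `v3_ca` and `usr_cert` are just section names in whatever `openssl.cnf` the router ships, and in the stock OpenSSL config `usr_cert` sets `basicConstraints=CA:FALSE`, so the sketch below builds the CA from its own config file and then confirms the result is marked `CA:TRUE` and matches its key. The function names, the `ca.cnf` file and the `ca_ext`/`leaf_ext` section names are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate the CA from a private config so the outcome does not
# depend on which extension sections the router's openssl.cnf defines.

# make_ca DIR SECTION: write DIR/ca.key and DIR/ca.crt using extension SECTION
make_ca() {
    dir=$1; section=$2
    mkdir -p "$dir" || return 1
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Pixelserv CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
EOF
    # umask keeps the private key unreadable to other users while it is created
    ( umask 077; openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null ) || return 1
    openssl req -config "$dir/ca.cnf" -key "$dir/ca.key" -new -x509 -days 3650 \
        -sha256 -extensions "$section" -out "$dir/ca.crt" 2>/dev/null
}

# is_ca CERT: succeed only if the certificate carries basicConstraints CA:TRUE
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# key_matches KEY CERT: succeed only if the private key belongs to the certificate
key_matches() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

`is_ca` and `key_matches` can also be pointed at an already generated `/opt/var/cache/pixelserv/ca.crt` and `ca.key` to see what a given `-extensions` choice actually produced.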
 
