Menu
What's new
By:
Filters Better Search

AdGuardHome Pixelserv-tls Your AdGuardHome

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

SomeWhereOverTheRainBow

SomeWhereOverTheRainBow

Part of the Furniture
-Prerequisites-

Install AdGuardHome using this installer:

www.snbforums.com

AdGuardHome - [RELEASE] Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI)

Asuswrt-Merlin-AdGuardHome-Installer The Official Installer of AdGuardHome for Asuswrt-Merlin Requirements: ARM based ASUS routers (not bridges or access points) that use Asuswrt-Merlin Firmware JFFS support and enabled REQUIRES ENTWARE(!) for package management, and a separate USB drive for...
www.snbforums.com www.snbforums.com

-Instructions-

Install Pixelserv-tls

Code: 
opkg install pixelserv-tls openssl-util

Modify /opt/etc/init.d/S80pixelserv-tls:

Code: 
nano /opt/etc/init.d/S80pixelserv-tls

Code: 
#!/bin/sh
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=pixelserv-tls
ARGS="192.168.1.4"
PREARGS=""
PRECMD="ulimit -s 64"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ifconfig br0:pixelserv $ARGS up && logger -t $(basename $0) "br0:pixelserv $ARGS created."
. /opt/etc/init.d/rc.func

#the 192.168.1.4 can be any address you have reserved outside your DHCP range un-used. If you want 192.168.1.2, you would set your DHCP range to start at 192.168.1.3 instead of 192.168.1.2. ( in my guide mine started at 192.168.1.20, which made 192.168.1.4 perfect to use.)

Next make the Pixelserv-tls cache:

Code: 
mkdir -p /opt/var/cache/pixelserv
cd /opt/var/cache/pixelserv
/opt/bin/openssl genrsa -out ca.key 2048
/opt/bin/openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"
chown -R nobody /opt/var/cache/pixelserv

Start Pixelserv-tls for the first time:

Code: 
/opt/etc/init.d/S80pixelserv-tls start

Last Step is done in the AdGuardHome DNS settings page:

Set a custom IP for blocking. Put pixelservs IP in for AA responses, and use :: (or an ipv4 address mapped to ipv6) for ipv6 (AAAA).

Settings > DNS Settings > DNS Server Configuration > Blocking mode

1645680925716.png
 
Last edited:
IIRC, the generated ca.crt needs to be downloaded and installed into each of the device(s)

To download the ca.crt, think it can be done by visiting http://<pixelserv ip>/ca.crt

Still weighing the "real" advantage of using pixelserv because of the hassle in having to get ca.crt to be installed into each individual device

Assume the last step in setting up AGH is under Settings > DNS Settings > DNS Server Configuration > Blocking mode
 
unknownz said:
IIRC, the generated ca.crt needs to be downloaded and installed into each of the device(s)

To download the ca.crt, think it can be done by visiting http://<pixelserv ip>/ca.crt

Still weighing the "real" advantage of using pixelserv because of the hassle in having to get ca.crt to be installed into each individual device

Assume the last step in setting up AGH is under Settings > DNS Settings > DNS Server Configuration > Blocking mode
Click to expand...
Only seen performance advantage so far is negligible page load timing, and the ca.crt does not actually have to be placed on every client. it is only required for the true added page load advantages. AdGuardHome still works the same regardless. I have been monitoring query times and see if there is any true added benefits. The pixelserv-tls cache store has an autofetch policy for blocked domains which should in theory increase speed of their handling.

That is why I am only offering up a Guide for users who wish to try it out.
 
unknownz said:
Assume the last step in setting up AGH is under Settings > DNS Settings > DNS Server Configuration > Blocking mode
Click to expand...
correct, Normally AGH uses 0.0.0.0, and ::. this will change the 0.0.0.0 to pixelserv-tls, which may inturn add an advantage to serving ads quicker.

proof is in the pudding

Code: 
/entware/var/cache/pixelserv# ls /opt/var/cache/pixelserv
_.adnxs.com                _.crashlytics.com          _.global.ssl.fastly.net    _.gos-gsp.io               _.nel.cloudflare.com       _.rudderlabs.com           app-measurement.com
_.amazon.com               _.g.doubleclick.net        _.google-analytics.com     _.gvt2.com                 _.optimizely.com           _.samsungnyc.com           ca.crt
_.branch.io                _.gcp.gvt2.com             _.googleapis.com           _.logs.roku.com            _.push.samsungosp.com      _.sendpulse.com            ca.key
_.cloudflareinsights.com   _.github.com               _.googlesyndication.com    _.mgid.com                 _.pushmessage.samsung.com  _.telemetry.mozilla.org    prefetch
 
Following through the guide, encountered this error in generating ca.crt

Code: 
Error Loading extension section v3_ca
4145405952:error:22097069:lib(34):func(151):reason(105):NA:0:name=subjectAltName,section=@alt_names
4145405952:error:22098080:lib(34):func(152):reason(128):NA:0:name=subjectAltName, value=@alt_names
 
unknownz said:
Following through the guide, encountered this error in generating ca.crt

Code: 
Error Loading extension section v3_ca
4145405952:error:22097069:lib(34):func(151):reason(105):NA:0:name=subjectAltName,section=@alt_names
4145405952:error:22098080:lib(34):func(152):reason(128):NA:0:name=subjectAltName, value=@alt_names
Click to expand...
here was my terminal output

Code: 
RT-AX88U-C7C0:/tmp/home/root# mkdir -p /opt/var/cache/pixelserv
RT-AX88U-C7C0:/tmp/home/root# cd /opt/var/cache/pixelserv
RT-AX88U-C7C0:/tmp/mnt/My_Part/entware/var/cache/pixelserv# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................+++++
...........+++++
e is 65537 (0x010001)
RT-AX88U-C7C0:/tmp/mnt/My_Part/entware/var/cache/pixelserv# openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"
RT-AX88U-C7C0:/tmp/mnt/My_Part/entware/var/cache/pixelserv# chown -R nobody /opt/var/cache/pixelserv
 
Heres two blocks on my list

1645677467916.png


One for AA which uses pixelserv-tls

one for AAAA which uses ::

AA :

1645677523271.png



AAAA:

1645677558959.png


I don't honestly know if this shows that Pixelserv-TLS is faster, but it is interesting to look at.
 
SomeWhereOverTheRainBow said:
here was my terminal output

Code: 
RT-AX88U-C7C0:/tmp/home/root# mkdir -p /opt/var/cache/pixelserv
RT-AX88U-C7C0:/tmp/home/root# cd /opt/var/cache/pixelserv
RT-AX88U-C7C0:/tmp/mnt/My_Part/entware/var/cache/pixelserv# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................+++++
...........+++++
e is 65537 (0x010001)
RT-AX88U-C7C0:/tmp/mnt/My_Part/entware/var/cache/pixelserv# openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"
RT-AX88U-C7C0:/tmp/mnt/My_Part/entware/var/cache/pixelserv# chown -R nobody /opt/var/cache/pixelserv
Click to expand...
My output as follow,
Code: 
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv# openssl genrsa -out ca.key 2048                                                                         
Generating RSA private key, 2048 bit long modulus (2 primes)                                                                                                               
.+++++                                                                                                                                                                     
...................................+++++                                                                                                                                   
e is 65537 (0x010001)                                                                                                                                                     
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv#                                                                                                         
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv#                                                                                                         
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv# openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"                                                                                                                                                                       
Error Loading extension section v3_ca                                                                                                                                     
4145405952:error:22097069:lib(34):func(151):reason(105):NA:0:name=subjectAltName,section=@alt_names                                                                       
4145405952:error:22098080:lib(34):func(152):reason(128):NA:0:name=subjectAltName, value=@alt_names                                                                         
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv#
 
unknownz said:
My output as follow,
Code: 
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv# openssl genrsa -out ca.key 2048                                                                     
Generating RSA private key, 2048 bit long modulus (2 primes)                                                                                                           
.+++++                                                                                                                                                                 
...................................+++++                                                                                                                               
e is 65537 (0x010001)                                                                                                                                                 
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv#                                                                                                     
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv#                                                                                                     
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv# openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"                                                                                                                                                                   
Error Loading extension section v3_ca                                                                                                                                 
4145405952:error:22097069:lib(34):func(151):reason(105):NA:0:name=subjectAltName,section=@alt_names                                                                   
4145405952:error:22098080:lib(34):func(152):reason(128):NA:0:name=subjectAltName, value=@alt_names                                                                     
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv#
Click to expand...
Try

Code: 
openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions usr_cert -out ca.crt -subj "/CN=Pixelserv CA"

As the last line instead of the one that caused the error.
 
Last edited:
SomeWhereOverTheRainBow said:
Try

Code: 
openssl req -new -x509 -nodes -extensions usr_cert -days 3650 -key ca.key -out ca.crt -subj "/CN=Pixelserv CA"

As the last line instead of the one that caused the error.
Click to expand...
Throws a different error
Code: 
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv# openssl req -new -x509 -nodes -extensions usr_cert -days 3650 -key ca.key -out ca.crt -subj "/CN=Pixelserv CA"
Can't load /root/.rnd into RNG
4151664640:error:2406F079:lib(36):func(111):reason(121):NA:0:Filename=/root/.rnd
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv#
 
unknownz said:
Throws a different error
Code: 
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv# openssl req -new -x509 -nodes -extensions usr_cert -days 3650 -key ca.key -out ca.crt -subj "/CN=Pixelserv CA"
Can't load /root/.rnd into RNG
4151664640:error:2406F079:lib(36):func(111):reason(121):NA:0:Filename=/root/.rnd
admin@RT-AC86U-7510:/tmp/mnt/mntASUS/entware/var/cache/pixelserv#
Click to expand...
Honestly I am not quite sure what is causing the issue for you. It may have something to do with how the libraries are linked with openssl on your particular Router model. I am even able to generate this on an RT-AC68U, so i am not sure what is causing the issue. I wonder if @thelonelycoder may be able to indicate the error in my suggestions.
 
unknownz said:
This method of generating ca.crt works for me.

My router is RT-AC86U; not sure if that makes any difference
Click to expand...
So you are not the only user I have encountered who had to make that adjustment, but I am glad it worked this time.

I added the changes to the main guide for users that run into the same error.
 
SomeWhereOverTheRainBow said:
So you are not the only user I have encountered who had to make that adjustment, but I am glad it worked this time.

I added the changes to the main guide for users that run into the same error.
Click to expand...
Previously I was using diversion + pixelserv-tls and it had no issue with the generation.

Perhaps like you have mentioned, @thelonelycoder can share insights on how he handled the generation
 
unknownz said:
Previously I was using diversion + pixelserv-tls and it had no issue with the generation.

Perhaps like you have mentioned, @thelonelycoder can share insights on how he handled the generation
Click to expand...
Let me know if you experience any advantages. So far my visual result benefits has been minimal, but query logs show otherwise on some instances of response times.

Additionally adblocking on my mobile devices appears to be better.
 
Last edited:
I suspect I could not trust the certificate in my iphone. I try to change the day from 3650 to 365 but still see TLS handshake errors.

slu22# of dropped HTTPS requests (other TLS handshake errors)

About upcoming limits on trusted certificates - Apple Support

In our ongoing efforts to improve web security for our users, Apple is reducing the maximum allowed lifetimes of TLS server certificates.
support.apple.com support.apple.com

Requirements for trusted certificates in iOS 13 and macOS 10.15 - Apple Support

Learn about new security requirements for TLS server certificates in iOS 13 and macOS 10.15.
support.apple.com support.apple.com

Referring to https://github.com/kvic-z/pixelserv...ificate#import-pixelserv-ca-on-client-devices, I do not have the option to turn on trust for Pixelserv CA.
 
You must log in or register to reply here.

Similar threads

johndoe85
Tutorial How to install Wireproxy on your Asus-Merlin Router
Replies
0
Views
1K
johndoe85
johndoe85
JA93
Tutorial **Tailscale On Merlin**
5 6 7
Replies
127
Views
15K
jksmurf
J
Demontager
Entware rc.func not found
Replies
9
Views
2K
ColinTaylor
C
S
Tutorial Installing Caddy reverse proxy
Replies
5
Views
2K
spindrift
S
bbeny123
Tutorial Debian 12 Bookworm + Plex Media Server (Asus RT-AX86S)
2
Replies
22
Views
7K
Rexawl
Rexawl
Similar threads
Thread starter Title Forum Replies Date
C Diversion Pixelserv replacement Asuswrt-Merlin AddOns 2
D freeradius3 : (TLS) Failed loading legacy provider Asuswrt-Merlin AddOns 2
M AdGuardHome IPTables blocking TLS port 853 from other hosts Asuswrt-Merlin AddOns 3
J AdGuardHome AdGuardHome stops working after every router reboot - have to un-/reinstall it every time Asuswrt-Merlin AddOns 0
G AdGuardHome AdguardHome install issue Asuswrt-Merlin AddOns 26
Bogey AdGuardHome AdguardHome errors: dnsproxy timeouts? Asuswrt-Merlin AddOns 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 657 (members: 18, guests: 639)
Top