Skynet - Router Firewall & Security Enhancements

Hi Netbug,

You won't believe how many times today I have clicked edit and pasted in the certs!!!! I have tried all the old PIA ports going back years from posts on here with the older security and certs, never any works. I have settled on your config however, as I have someone with apples and apples to compare (are you on the latest merlin release?). I have been a bit reluctant to disable skynet, if you are using it, and yours is working then it can't be it. I don't have any special bans going on - I did as a minimum remove my country blocks for ru kr kp ir cn - but that did not help any. And with regards to a factory reset - I only upgraded to the latest firmware three days ago - so still have the pain of keying in everything again then so I am not eager to do that..... yet........
 
Have you tried to refresh the VPN whitelist in Skynet? You would probably be seeing OUTBOUND blocks if not, but can't hurt.
Code:
sh /jffs/scripts/firewall whitelist vpn
 
The same piece of advice I give to everyone is, if Skynet is blocking an IP in debug mode, it will always be logged. There is never an exception to this rule.

So enabling debug mode will tell you immediately if it is or isn't Skynet. (which I don't believe is the issue)
 
I ran that - still the same issue, I will remove this issue from this skynet thread then and post it separately to see if anyone has any vpn/pia/openvpn ideas. Thanks.

Dec 20 23:51:14 ovpn-client1[14629]: OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 8 2018
Dec 20 23:51:14 ovpn-client1[14629]: library versions: OpenSSL 1.0.2q 20 Nov 2018, LZO 2.08
Dec 20 23:51:14 ovpn-client1[14630]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Dec 20 23:51:14 ovpn-client1[14630]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 20 23:51:14 ovpn-client1[14630]: Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Dec 20 23:51:14 ovpn-client1[14630]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Dec 20 23:51:14 ovpn-client1[14630]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Dec 20 23:51:14 ovpn-client1[14630]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Dec 20 23:51:14 ovpn-client1[14630]: TCP/UDP: Preserving recently used remote address: [AF_INET6]::ffff:146.112.61.106:1198
Dec 20 23:51:14 ovpn-client1[14630]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Dec 20 23:51:14 ovpn-client1[14630]: UDP link local: (not bound)
Dec 20 23:51:14 ovpn-client1[14630]: UDP link remote: [AF_INET6]::ffff:146.112.61.106:1198
Dec 20 23:51:38 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=176.106.216.180 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=59075 PROTO=TCP SPT=45535 DPT=60389 SEQ=1543055756 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 20 23:51:39 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=162.243.132.123 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=33422 DPT=27018 SEQ=1989959196 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 20 23:51:40 dropbear[14081]: Exit (admin): Exited normally
Dec 20 23:51:42 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=176.106.216.180 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=36544 PROTO=TCP SPT=45535 DPT=3439 SEQ=1640998661 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 20 23:51:43 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=176.106.216.180 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=29368 PROTO=TCP SPT=45535 DPT=33894 SEQ=2188628596 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 20 23:51:57 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=45.227.253.10 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=28960 PROTO=TCP SPT=57724 DPT=4182 SEQ=2028815836 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 20 23:52:03 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=185.176.26.3 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=32595 PROTO=TCP SPT=53834 DPT=27913 SEQ=356988656 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 20 23:52:14 ovpn-client1[14630]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 20 23:52:14 ovpn-client1[14630]: TLS Error: TLS handshake failed
 
I suggest using a quick google search with the error provided.

ovpn-client1[14630]: TLS Error: TLS handshake failed
 
99% of the time the TLS error is bad certs entered.....
But here are two other things to try in your setup
Set Cipher Negotiation to disabled
Change TLS control channel security from Incoming auth to Outgoing auth
 
The best way to ensure you have the correct settings is to import the ovpn file generated by PIA. Don't forget to enter the certs, username and password after doing so.
 
I have imported so many times, user in - always same - connecting.......
Trying the Set Cipher Negotiation to disabled and Change TLS control channel security from Incoming auth to Outgoing auth also made no difference.
Thanks for the assistance people..... I'm hoping I don't dump this in the too hard basket. I do work in IT Consulting (and used to certs etc for web servers) so not a noob on stuff, just something stopping this working with ANY config it seems. I think I will next import the pia ovpn file to a windows openvpn setup and just test the connection. If that works on a machine here, then I am afraid it is something on the router.
 
Last thoughts.....
Are you sure you matched the certs with the port/cipher...each port/cipher uses a different cert set.

EDIT: Two more things I just saw in your custom config
take out the pull-filter ignore "auth-token" (that's for a problem fixed a long time ago)
take out the stand-alone pull
 
Thanks for the continued review - removed the pull and the auth-token as john9527 suggested (that's new based on other posts).
Tried with multiple settings for cipher negotiation (enable with fallback and disabled), tried different TLS Control Channel security (inbound, outgoing, disabled), tried with Auth digest (SHA1 and default), all same issue. Connecting.....

cert authority -

Cert revocation :
 
OK - I am making some headway into this now. I installed openvpn on my laptop, imported the file from PIA, and got the same issues on my laptop.
I then connected to my 4g wifi hotspot on my iphone, so outside my LAN, and immediately it worked.
This tells me my router is the issue here. It is blocking this connection somewhere for any devices in my LAN. So I suspect my many vpn configs were fine, but I am firewalled, or something on my router. Does anyone have any idea where I should look for this issue?

Router logs just shows this from the laptop when trying to connect :
Dec 21 15:01:04 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=159.65.91.164 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=19213 PROTO=TCP SPT=32767 DPT=8545 SEQ=4039593670 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 21 15:01:11 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=31.192.108.68 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=12311 PROTO=TCP SPT=49191 DPT=38815 SEQ=632521506 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 21 15:01:13 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=108.178.16.154 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP SPT=45160 DPT=8443 SEQ=2767788322 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 21 15:01:17 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=90.151.88.171 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=1814 PROTO=TCP SPT=4486 DPT=23 SEQ=3029738666 ACK=0 WINDOW=7779 RES=0x00 SYN URGP=0
Dec 21 15:01:39 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=194.113.106.121 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=231 ID=58631 PROTO=TCP SPT=43848 DPT=59480 SEQ=149563893 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 21 15:02:21 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=185.176.26.45 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=58399 PROTO=TCP SPT=52414 DPT=33322 SEQ=4140057247 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 21 15:02:21 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=176.119.4.9 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=35150 PROTO=TCP SPT=57465 DPT=7239 SEQ=1486008739 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 21 15:02:58 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=185.208.208.198 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=25537 PROTO=TCP SPT=44380 DPT=23589 SEQ=1835998030 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 21 15:03:32 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=185.10.68.240 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=5982 PROTO=TCP SPT=58581 DPT=3491 SEQ=528236119 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 21 15:04:55 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=194.113.106.121 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=231 ID=58683 PROTO=TCP SPT=43848 DPT=56120 SEQ=953227945 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 21 15:05:06 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=45.227.253.10 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=53539 PROTO=TCP SPT=47195 DPT=3114 SEQ=3891984803 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 21 15:05:16 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=45.227.253.10 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=12502 PROTO=TCP SPT=47195 DPT=4924 SEQ=3424323392 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 21 15:06:13 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=b0:6e:bf:e1:ac:38:00:a7:42:4e:6c:52:08:00 SRC=176.119.4.27 DST=180.150.36.170 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=41145 PROTO=TCP SPT=48177 DPT=56917 SEQ=1324177990 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0

I disabled skynet, and re-did the laptop test (seeing I know that should work as it does when outside the network), I did not get the above blocked messages in the log anymore - but still same TLS handshake error.

I suspect at this stage this is a general merlin config thing that I need to do on the router...... but no idea what.
 
I think you’re using OpenDNS and it’s blocking PIA as a proxy/anonymizer site (opendns blocksite IP highlighted in red). Whitelist it in OpenDNS console or change dns servers.

Dec 20 23:51:14 ovpn-client1[14630]: TCP/UDP: Preserving recently used remote address: [AF_INET6]::ffff:146.112.61.106:1198
Dec 20 23:51:14 ovpn-client1[14630]: UDP link remote: [AF_INET6]::ffff:146.112.61.106:1198
Dec 20 23:52:14 ovpn-client1[14630]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 20 23:52:14 ovpn-client1[14630]: TLS Error: TLS handshake failed
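
An added example (not part of any post in this thread): a small Python triage of a router syslog excerpt that applies the two checks discussed above, whether any Skynet block line involves the OpenVPN remote, and whether that remote is an address a DNS filter hands out for blocked names. The sample log is constructed from the format of the lines posted here; `BLOCK_PAGE_IPS` and the `[BLOCKED - OUTBOUND]` tag are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample: a shortened syslog excerpt shaped like the lines in this thread.
SAMPLE_LOG = """\
Dec 20 23:51:14 ovpn-client1[14630]: UDP link remote: [AF_INET6]::ffff:146.112.61.106:1198
Dec 20 23:51:38 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=176.106.216.180 DST=180.150.36.170 LEN=40 PROTO=TCP SPT=45535 DPT=60389
Dec 20 23:51:57 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=45.227.253.10 DST=180.150.36.170 LEN=40 PROTO=TCP SPT=57724 DPT=4182
Dec 20 23:52:14 ovpn-client1[14630]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 20 23:52:14 ovpn-client1[14630]: TLS Error: TLS handshake failed
"""

# Assumption: addresses your DNS filter answers with for blocked names. Only the one
# identified in this thread is listed; extend it from your own provider's documentation.
BLOCK_PAGE_IPS = {"146.112.61.106"}

REMOTE_RE = re.compile(r"ovpn-client\d+\[\d+\]: UDP link remote: \[AF_INET6?\](.+):(\d+)$")
# Assumption: outbound blocks carry the same tag shape as the inbound ones shown above.
BLOCKED_RE = re.compile(r"\[BLOCKED - (?:INBOUND|OUTBOUND)\].*?\bSRC=(\S+) DST=(\S+)")


def normalise(addr):
    """Return the address as text, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ip_address(addr)
    return str(getattr(ip, "ipv4_mapped", None) or ip)


def triage(log_text, block_page_ips=BLOCK_PAGE_IPS):
    """Summarise whether the firewall or DNS filtering explains a failed handshake."""
    remotes, blocked_peers, tls_failed = set(), set(), False
    for line in log_text.splitlines():
        line = line.strip()
        m = REMOTE_RE.search(line)
        if m:
            remotes.add(normalise(m.group(1)))
            continue
        m = BLOCKED_RE.search(line)
        if m:
            blocked_peers.update(normalise(a) for a in m.group(1, 2))
        elif "TLS Error: TLS handshake failed" in line:
            tls_failed = True
    return {
        "remotes": sorted(remotes),
        "tls_failed": tls_failed,
        # Every firewall block is logged in debug mode, so an empty list here
        # means none of the logged blocks involved the VPN server.
        "firewall_hits": sorted(remotes & blocked_peers),
        # A remote equal to a block-page address means the resolver answered
        # with the filter's IP instead of the real VPN server.
        "dns_filter_hits": sorted(remotes & set(block_page_ips)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
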
 
Oh jeez. FFS, What a knob I am. I forgot I was using opendns. One of those set and forget things from so many years ago. A simple change to my laptop DNS to 1.1.1.1/1.0.0.1 and immediately it works!!!!! Thanks dave14305 - genius!

Edit - vpn on router immediately started also - well there is 4+ hours of my life wasted!
 
Posting three times (twice in other threads and one that you created yourself), will not get an answer any faster. Post and wait as others do please. :rolleyes::rolleyes:
Remember it's Christmas, people are busy. ;)
 
If you get an answer in the Diversion thread that is where you will get the most help with this issue. It has been discussed many times, a simple search of that thread will help you get started.
 
Sorry, didn't mean to pollute the forums. The multiple posts weren't a sign of anxiousness, just wanted to cast a wide net. Maybe people that use Skynet don't use Diversion?! If everyone read every forum, I guess the one would have sufficed. :)

But, I could have sworn I've seen people state that even after using solution X, ads still sneak by. I plan on spending a few hours on here reading up on everything!
 
Personally I follow this forum a lot and I have not seen a permanent solution. YouTube keeps things in a dynamic nature. Things change and your settings don't work anymore. People have had the same issue with the Amazon app. For the most part you can get rid of a lot of ads, maybe not all though.
 
That is the basis of my main question. How in the world do simple little add-ons like Mikoto/UBlock/ABP block YT ads 100% of the time and why can't THAT technology be scaled up to a home network? What is the magic they are doing? Some sort of man-in-the-middle function!?
 
Because those solutions have access to the code (browser) that is actually rendering the page and can make decisions based on that. All the router can do is supply or not supply data based on a domain name which may serve more than just ads.
 