AC86u Setup query - VPN, Diversion and Netflix

[Inevitable1]

Hello,

I have tried to avoid starting a new thread, but there are some queries I have that I cannot find the answers for.

First, a massive thank you to those who have contributed to these threads, which helped me to setup my router:

• Setup my AC86u using M&M config. https://www.snbforums.com/threads/noob-definition-of-minimal-and-manual-configuration.27115/
• Setup Diversion script. https://www.snbforums.com/threads/diversion-the-router-ad-blocker.48538/page-331
• Setup my VPN. https://support.nordvpn.com/Connectivity/Router/1047410642/AsusWRT-Merlin-setup-with-NordVPN.htm

I feel I have got to a good place, but it is not exactly working together.

Query 1: VPN and Diversion not working together:
Using policy rules, I can get VPN working without diversion, or diversion blocking ads but traffic not through the VPN. Is there a way to get them working together? I did see this thread, indicating two method (one using Stubby DNS over TLS) but it still seems unclear to me.
https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/

Query 2: Netflix and Amazon Prime
Using the apps on my LG TV, both Netflix and Amazon Prime reported that i was behind a proxy and as such, they did not work. I sought advice from my VPN, who just told me to download their latest files for my country. This did not work.
I've seen x3mRouting as a method for this, but I get the impression I will constantly have to update the router with the latest server settings etc. Even then, some users report that this method does not work.

Ultimately, I would ideally like ALL traffic on my network to go through my VPN, with the router ad-blocker. I would also like to continue using my Netflix and Amazon Prime services on a range of devices on my network (laptop, phone, TV).

I have considered dropping diversion for unbound (as an ad-blocker), but I get the impression that this will not address the problem.

Can someone point me towards a clear, step-by-step approach to addressing this problem? Ideally, in a way that doesn't involve me logging into my router settings every over day to tinker with settings.

Thanks in advance for any advice you can give me!

 

[krgck]

Query 1:
Set accept DNS configuration to: disabled
Query 2:
You don't telling where are you from and which VPN provider you are using. But if you are using your local netflix and not trying to access US netflix then i would not bother VPN whole network.

 

[heysoundude]

Because of DRM, you’re going to have issues with Netflix and Amazon going through a VPN. Netflix buys the rights to distribute content to very specific countries/regions, and if your VPN obfuscates your location, Netflix will err on the side of caution and not stream to your IP to avoid litigation.
VPN- you’re aware that there is the school of thought that because you don’t control both ends of the tunnel, you’re not as secure as you might think?
If you REALLY want to outright hide in the Matrix, have you considered going IPv6? Maybe your ISP offers native connectivity, or maybe you’ll need to set up a tunnel. (My ISP offers native IPv6, but since I don’t pay them for a static IP, I rely on DDNS and a tunnel with Hurricane Electric so that anytime my ISP changes my WAN IP, I don’t have to re-configure my LAN).
Diversion with pixelserv is wonderful on the ac86 - that’s what I have and rely on/use, but I’ve recently (within a month) installed unbound. Why the change from DoT? I figure it’s faster for data to travel in the clear, and I also get no small satisfaction that my router is doing what people rely on from quad 8, 1, 9 etc in terms of knowing where to look for and find things on the interwebz.
I’m very happy with my configuration. Hopefully sharing this will give you some things to consider.


Sent from my iPhone using Tapatalk

 

[Inevitable1]

Query 1:
Set accept DNS configuration to: disabled
Query 2:
You don't telling where are you from and which VPN provider you are using. But if you are using your local netflix and not trying to access US netflix then i would not bother VPN whole network.

Hello, many thanks for your quick response. I've changed the DNS config. Just running it now.
I've checked whatismyip and dnsleak and they are both reporting the IP that has been provided by my VPN service - NordVPN.

I am from the UK and am using NordVPN's UK servers. It's interesting that whilst they report UK, the dnsleak website suggests a different IP address with an ISP based in Germany.

 

[Inevitable1]

Because of DRM, you’re going to have issues with Netflix and Amazon going through a VPN. Netflix buys the rights to distribute content to very specific countries/regions, and if your VPN obfuscates your location, Netflix will err on the side of caution and not stream to your IP to avoid litigation.
VPN- you’re aware that there is the school of thought that because you don’t control both ends of the tunnel, you’re not as secure as you might think?
If you REALLY want to outright hide in the Matrix, have you considered going IPv6? Maybe your ISP offers native connectivity, or maybe you’ll need to set up a tunnel. (My ISP offers native IPv6, but since I don’t pay them for a static IP, I rely on DDNS and a tunnel with Hurricane Electric so that anytime my ISP changes my WAN IP, I don’t have to re-configure my LAN).
Diversion with pixelserv is wonderful on the ac86 - that’s what I have and rely on/use, but I’ve recently (within a month) installed unbound. Why the change from DoT? I figure it’s faster for data to travel in the clear, and I also get no small satisfaction that my router is doing what people rely on from quad 8, 1, 9 etc in terms of knowing where to look for and find things on the interwebz.
I’m very happy with my configuration. Hopefully sharing this will give you some things to consider.


Sent from my iPhone using Tapatalk

This was an interesting read, thanks for your response.
As you'll see from my above comment, I'm using a UK ISP (Virgin Media), with NordVPN, on a UK server. I've had a brief read about IPv6 but from what I've read, I can't see that Virgin Media are using IPv6 yet.
My main reason for using the VPN is simply based around privacy. I'm not looking to become Neo or Morpheus, just browse the web knowing that my ISP doesn't track my every movement. The occasional use of torrenting and IPTV (although recently I've not needed a VPN to use my service).
When I learned about Diversion, I really became quite interested in router-based ad blocking. It just saves having to get every user on my network downloading ad blocker software onto their various devices. Am I right in that from an ad-blocker perspective, Unbound and Diversion differ based on their approach to DNS?

For the short term, I've used policy rules to have my smart tv bypass the VPN and go straight to WAN, thus Netflix and Amazon Prime work as they should on the TV. This is fine, but still means that using Netflix and Prime on other devices simply cannot be done unless I add more exemptions to policy rules. This means constant tinkering with the router when people want to use those services, which is a bit cumbersome.

 

[heysoundude]

Yes it is. But without a VPN, and with web activities conducted via https, hosting your own recursive DNS and blocking whatever ads at the local distribution point, you’re ahead of probably 80% of the general internet using public. I would say have the VPN on devices themselves that need it and tunnel directly from that device to your VPN provider’s servers as necessary rather than one massive tunnel that everything crawls through.


Sent from my iPhone using Tapatalk

 

[TonyK132]

I'm in the US, so maybe it's different for me, but I'm running Diversion, x3mRouter, Skynet, and PIA VPN, and they all play nice together. x3mRouting takes care of accessing Netflix, Amazon, HBO. I have it set up to cause those services go through the WAN rather than the VPN. Most of all the other router traffic goes through the VPN. And the lists they use are auto-updated, so I do not have to do anything to keep them up to date. The only time they are manually updated is when there is a version change to the scripts. To set them up, look at each for their help information.

 

[Inevitable1]

Hmm. Two interesting options. To confirm, whilst I would call myself IT literate, I am new to the world of networking.

I see one option which is Unbound only on the router, blocking traffic. I assume this would still enable me to use streaming services. Then, where necessary, use VPN as and when I need it on those specific devices through the use of VPN supplied apps.

The other option is based around x3mRouter and Skynet. Tony, you mentioned that x3mRouter takes care of Netflix etc - what is the purpose of Skynet then?

It seems like both these options are relatively safe/secure. So I guess it is a matter of which is easiest?

 

[Kingp1n]

Hello,

I have tried to avoid starting a new thread, but there are some queries I have that I cannot find the answers for.

First, a massive thank you to those who have contributed to these threads, which helped me to setup my router:

• Setup my AC86u using M&M config. https://www.snbforums.com/threads/noob-definition-of-minimal-and-manual-configuration.27115/
• Setup Diversion script. https://www.snbforums.com/threads/diversion-the-router-ad-blocker.48538/page-331
• Setup my VPN. https://support.nordvpn.com/Connectivity/Router/1047410642/AsusWRT-Merlin-setup-with-NordVPN.htm

I feel I have got to a good place, but it is not exactly working together.

Query 1: VPN and Diversion not working together:
Using policy rules, I can get VPN working without diversion, or diversion blocking ads but traffic not through the VPN. Is there a way to get them working together? I did see this thread, indicating two method (one using Stubby DNS over TLS) but it still seems unclear to me.
https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/

Query 2: Netflix and Amazon Prime
Using the apps on my LG TV, both Netflix and Amazon Prime reported that i was behind a proxy and as such, they did not work. I sought advice from my VPN, who just told me to download their latest files for my country. This did not work.
I've seen x3mRouting as a method for this, but I get the impression I will constantly have to update the router with the latest server settings etc. Even then, some users report that this method does not work.

Ultimately, I would ideally like ALL traffic on my network to go through my VPN, with the router ad-blocker. I would also like to continue using my Netflix and Amazon Prime services on a range of devices on my network (laptop, phone, TV).

I have considered dropping diversion for unbound (as an ad-blocker), but I get the impression that this will not address the problem.

Can someone point me towards a clear, step-by-step approach to addressing this problem? Ideally, in a way that doesn't involve me logging into my router settings every over day to tinker with settings.

Thanks in advance for any advice you can give me!

If you're planning on using Diversion with a VPN. Under accept DNS configuration, choose disabled.

I'm in the US, so maybe it's different for me, but I'm running Diversion, x3mRouter, Skynet, and PIA VPN, and they all play nice together. x3mRouting takes care of accessing Netflix, Amazon, HBO. I have it set up to cause those services go through the WAN rather than the VPN. Most of all the other router traffic goes through the VPN. And the lists they use are auto-updated, so I do not have to do anything to keep them up to date. The only time they are manually updated is when there is a version change to the scripts. To set them up, look at each for their help information.

I'm also using x3mRouting script option 3 with the nat-start file and have no issues running Amazon Prime, Netflix, and Disney thru WAN and everything else running thru VPN. I set it and forget it and don't have to be updating at all.

 

[Nebulaz]

If you're planning on using Diversion with a VPN. Under accept DNS configuration, choose disabled..

Afternoon,

I was going to give Inevitable1 by setup settings, as I am attempting to do the same thing, however, then I ran into your comment about choosing disabled for "accept DNS config". Is there a reason for that? I have always used "Strict", as that is what NordVPN recommends, but then I also use their DNS servers. How specifically does "disabled" ignoring the VPN DNS servers help Diversion?

I have block queries show up in my Division Stats page. I'd really like to know, as I'm not sure. And I hope its helpful for the Inevitable1 as well.

Thank you.

 

[badtoast]

Thank you @Inevtiable1 and others on this thread for your responses. I too am currently trying to understand and work with a setup similar to @Inevitable1. I have:

- Asuswrt RT-AC86U with
- Diversion 4.1.12,
- pixelserv-tls v2.3.1,
- OpenVPN client to my VPN provider

and am trying to:

1) run Diversion Ad-blocking/pixel-serving on all devices connected to the router
2) have all traffic run through the VPN tunnel (with the exception of my Amazon Fire TV)
3) using secure DNS (DNS-over-TLS) resolving at 1.0.0.1 / 1.1.1.1

My settings look like:

WAN:

LAN:

- DNSFilter OFF


VPN Client:

When I run cloudflare's test here: https://www.cloudflare.com/ssl/encrypted-sni/ I get the result that my DNS may not be secure.
Additionally, I still get adds on some webpages like the add right below the top header of https://www.yahoo.com/

Can someone let me know if you have any suggestions about securing my DNS and ensuring that diversion / pixelserv is configured and working properly?

Thanks in advance!

 

[krgck]

Thank you @Inevtiable1 and others on this thread for your responses. I too am currently trying to understand and work with a setup similar to @Inevitable1. I have:

- Asuswrt RT-AC86U with
- Diversion 4.1.12,
- pixelserv-tls v2.3.1,
- OpenVPN client to my VPN provider

and am trying to:

1) run Diversion Ad-blocking/pixel-serving on all devices connected to the router
2) have all traffic run through the VPN tunnel (with the exception of my Amazon Fire TV)
3) using secure DNS (DNS-over-TLS) resolving at 1.0.0.1 / 1.1.1.1

My settings look like:

WAN:
View attachment 26141

LAN:
View attachment 26142

- DNSFilter OFF


VPN Client:
View attachment 26143
View attachment 26145

When I run cloudflare's test here: https://www.cloudflare.com/ssl/encrypted-sni/ I get the result that my DNS may not be secure.
Additionally, I still get adds on some webpages like the add right below the top header of https://www.yahoo.com/

Can someone let me know if you have any suggestions about securing my DNS and ensuring that diversion / pixelserv is configured and working properly?

Thanks in advance!

Cloudflare test will faill if you have dnssec enabled.
Set dnsfilter global filter as router.

Tried with same setup at yahoo and no ads. Just gray boxes where ads should be.

 

[badtoast]

Cloudflare test will faill if you have dnssec enabled.
Set dnsfilter global filter as router.

Tried with same setup at yahoo and no ads. Just gray boxes where ads should be.

Thanks for your quick reply. I modified Enable DNS Rebind Protection to 'NO' and Enable DNSSEC support to 'NO' and now the Cloudflare site shows:

Also, I turned 'ON' the DNSFilter and set the global filter to Router....but I'm still getting that yahoo.com ad (??). Many other ad-ridden sites appear be to blocking ads ok, but for some reason this one on yahoo.com just doesn't want to go away!

Thanks again
Gary

 

[krgck]

No idea then, maybe larger blocklist is able to block it?

I am using energized ultimate.

GitHub - EnergizedProtection/block: Let's make an annoyance free, better open internet, altogether!

Let's make an annoyance free, better open internet, altogether! - EnergizedProtection/block

github.com

 

[iTyPsIDg]

I found that in my case I didn't need a policy to exclude the smart devices, I just needed to set the DNS for the smart device (FireStick for me) to NordVPNs DNS servers. If I let it use the router, then Netflix could see my region.

 

[Ramz]

Thank you @Inevtiable1 and others on this thread for your responses. I too am currently trying to understand and work with a setup similar to @Inevitable1. I have:

- Asuswrt RT-AC86U with
- Diversion 4.1.12,
- pixelserv-tls v2.3.1,
- OpenVPN client to my VPN provider

and am trying to:

1) run Diversion Ad-blocking/pixel-serving on all devices connected to the router
2) have all traffic run through the VPN tunnel (with the exception of my Amazon Fire TV)
3) using secure DNS (DNS-over-TLS) resolving at 1.0.0.1 / 1.1.1.1

My settings look like:

WAN:
View attachment 26141

LAN:
View attachment 26142

- DNSFilter OFF


VPN Client:
View attachment 26143
View attachment 26145

When I run cloudflare's test here: https://www.cloudflare.com/ssl/encrypted-sni/ I get the result that my DNS may not be secure.
Additionally, I still get adds on some webpages like the add right below the top header of https://www.yahoo.com/

Can someone let me know if you have any suggestions about securing my DNS and ensuring that diversion / pixelserv is configured and working properly?

Thanks in advance!

Hello dont you have to use NOrdvpn DNS servers instead of cloudFlare??