
How a n00b installed Skynet, AB-Solution, pixelserv-tls, and DNSCrypt

Discussion in 'Asuswrt-Merlin' started by JaimeZX, Mar 30, 2018.

  1. JaimeZX

    JaimeZX Regular Contributor

    Joined:
    Mar 10, 2018
    Messages:
    116
    A caveat: I take zero credit for any of this and am documenting it as much for next time I need to set up a router as anything else... but if another n00b shows up trying to figure out exactly where to start, this may be of some help.
    NOTE: Links included where relevant. If much time has passed, the links may be dead. If you are already a regular Linux user then I am certainly going into unnecessary detail. I assume my reader is a Windows user.
    NOTE: In some cases I need to phonetically spell a command out because otherwise this forum will block it. So for example if the command were chk I would type CharlieHotelKilo.

    I will assume that anyone already in here has installed the latest version of Merlin. If not, that would be...

    STEP 1: Install the latest version of Asuswrt-Merlin.

    STEP 2: Lock that $--t down.

    STEP 3: If you don't have one already, locate a suitable SSH terminal program. On the advice of someone here I selected Xshell 5 (free for home use.) Seems to be working okay, YMMV.

    STEP 4: Locate a thumbdrive of at least 1GB.

    STEP 5: Format this thumbdrive in (Linux file system format) ext2 or ext4. Not ext3. The simplest way to do this is to use the unwieldily-titled-but-easy-to-use MiniTool Partition Wizard Free 10.2.3. Simply plug in the thumbdrive into the computer, locate it in MTPWF10.2.3,
    5A) Right-click > Delete (to kill the FAT32 partition)
    5B) Right-click > (New? or Create?) to create a new primary partition. Type should be ext4 or ext2. Name not necessary yet.
    5C) Right-click > Format. Again, choose ext4. Or ext2. Name it something memorable like USBStick or FirewallUSB or YourMom. Whatevs. I'll stick with YourMom from now on.
    5D) In the top-left of MTPWF10.2.3, click the "Apply" button.

    ALTERNATE TECHNIQUE if you're comfortable at a command prompt:
    5i) SSH into the router. The thumbdrive needs to be plugged in but unmounted. In MerlinWRT, you can click the USB symbol at top right, then click "Eject." That'll unmount it, not make it fall out of the router. Haha.
    5ii) Assuming it's the only USB device plugged in, it should be at /dev/sda1. You can type mkfs.ext2 /dev/sda1 -L YourMom. The router SHOULD do its business. But really, the MTPWF10.2.3 technique is much easier. Plus our routers don't seem to be capable of building an ext4 partition, only ext3.
    NOTE: Do your own research on which file system you want to use. Read about journaling and flash media. ext2 is a non-journaling file system. OTOH ext4 is a more efficient file system and you may be able to disable journaling. If you have access to a linux liveCD or other bootable media, try formatting in ext4 using mkfs.ext4 -O ^has_journal /dev/sda1 -L YourMom
    Alternatively, after formatting in ext4, you may be able to remove the journal at the SSH command line using tune2fs -O ^has_journal /dev/sda1
    I have not tried this, however. YMMV.

    STEP 6: Leave YourMom plugged in and reboot the router. The router should then mount YourMom and there will only be one instance of it. [Too many times when I tried to manually mount YourMom I wound up with YourMom and YourMom(1)... which then confused follow-on steps.]

    STEP 7: Install AB-Solution using the script at the top of its thread in this forum.
    NOTE: If any of these installs fail, scroll up in your terminal program to see what the error(s) were. When they fail out they tend to blank the screen and return to the previous menu, but the "blank screen" is just a bunch of blank lines, so you can still scroll back to see what happened.

    STEP 8: Run AMTM using the script at the top of its thread in this forum.

    STEP 9: From the AMTM menu, install Skynet. (Item 5) How big of a cache file you select will depend on how big YourMom is. I am using a 4GB thumbdrive and selected 1GB for the cache size. I have no idea if that's optimal but I wanted to leave room for other stuff.
    * NOTE: If you want to see what Skynet is actually doing you'll need to enable the Debugging Mode option during install. Otherwise you have no idea what's going on when you can't get to a particular website because you can't view the logs.
    * NOTE: Once Skynet starts, if you're in the Merlin WebGUI you'll see the processor usage going bonkers. This lasts for a few minutes. Don't worry about it.

    STEP 10: From the AMTM menu, run [1] AB-Solution. From the AB-Solution menu, type ps to start the Pixelserv-TLS install.
    * NOTE: If this install fails it MAY be due to an issue with Entware. TheLonelyCoder has suggested going into the WebGUI and telling the router to wipe the JFFS partition on reboot, then rebooting, then trying the install again. I would try that first. If the problem persists, you can also (at the command prompt) type: entware-setup.sh which should reinstall it, then repeat step 10.
    * NOTE: Reference the Pixelserv-TLS thread to best understand that software. I used 192.168.10.3 for my Pixelserv IP.
    * NOTE: To extract the certificates, exit out of all menus to the command prompt. Type:
    CharlieDelta /tmp/mnt/YourMom/entware/var/cache/pixelserv [enter]
    LimaSierra -l [enter]

    That will show you ca.crt and ca.key.
    You will need to copy the former to each computer you plan to use on the router. The easiest way is:

    STEP 11a: In the Merlin GUI, go to USB Applications -> Media Services and Servers -> Network Place (Samba) Share. - Enable Share [ON], Enable Guest Login [ON].
    STEP 11b: In Windows Explorer, in the address bar, type \\your router address, like \\192.168.x.1
    That should show you YourMom. Then click in to \\192.168.x.1\YourMom\entware\var\cache\pixelserv
    You will see ca.crt; copy that onto your local machine and distribute it to all relevant devices.

    STEP 12: Install the certificate into your browser(s) of choice. Firefox. Chrome. IE. Android. Safari.

    STEP 13: From the amtm menu, install DNSCrypt. This is pretty straightforward. The only possibly confusing question is "Fastest / b2 / bhalf / random." Next time I set it up I'll choose bhalf, but I think I picked "random" the other day. (It's a question about which DNS server to pick, based on tracking server speeds. Fastest on list / from the top 2 / top half of list/ random from the whole list)

    That's it for installation. Read the threads to understand expected behavior. Monitor for things that don't work correctly so you can see about whitelisting them in AB-Solution or Skynet.

    NOTE: If you've tried this several times and are dying of frustration because it ain't working, try a different thumbdrive.

    ---------------------------
    EDIT: I have now also installed the YazFi script because I not only wanted my guest networks to have different IP ranges but also give them access to the Pixelserv IP for Pixelserving purposes. The only downside of this is that clients on the guest network will no longer show up in "Network Map" because that only displays clients on the main subnet; Merlin can't change this because it's a closed-source part of the firmware.
     
    Last edited: Jun 10, 2018
  3. heysoundude

    heysoundude Senior Member

    Joined:
    Sep 20, 2016
    Messages:
    222
    @RMerlin this needs to be stickied at the top of the forum please.
     
    aavvaallooss likes this.
  4. Gasutr 45

    Gasutr 45 Occasional Visitor

    Joined:
    May 23, 2018
    Messages:
    10
    It is important to install the certificates (I do not have them installed), what happens if I do not have them installed?

    I have installed these scripts:
     
    Last edited: May 24, 2018
  5. JaimeZX

    JaimeZX Regular Contributor

    Joined:
    Mar 10, 2018
    Messages:
    116
    If you don't have the certificate installed in your browsers, then Pixelserv-tls will not give a proper response to ads that send their request via HTTPS. Otherwise it's not a big deal.
    Note: if you have computers on your "Guest" wifi, they will not benefit from the Pixelserv-tls script, so it's irrelevant there.
     
    Gasutr 45 likes this.
  6. Gasutr 45

    Gasutr 45 Occasional Visitor

    Joined:
    May 23, 2018
    Messages:
    10
    Look, I found a simpler way to install the certificates in iOS / Android / Firefox / Safari / Chrome / Edge / IE


    Import Pixelserv CA on client devices
    Importing your CA cert on clients is not mandatory but recommended. Your Pixelserv CA cert is available through URL http:// pixelserv ip/ca.crt


    iOS/Android
    The following procedure will import your CA cert and trust it system wide.
    • Open Safari/Chrome. Visit http:// pixelserv ip/ca.crt
    • Follow the prompt to finish the installation.
    CAUTION
    Since iOS 10.3, a user-installed CA cert requires enabling trust explicitly.
    • Go to Settings > General > About > Certificate Trust Settings.
    • Under Enable full trust for root certificates, turn on trust for Pixelserv CA.
    This tip is provided by @jrmwvu04 on snbforums.


    Firefox
    Firefox manages its own root CA certificates. The import procedure is the same on all platforms.
    1. Open your browser and visit http:// pixelserv ip/ca.crt
    2. Select "Trust this CA to identify websites" on the screen pop-up.
    3. Click "Ok"

    macOS: Safari/Chrome

    The following procedure will import your CA cert and trust it system wide.
    1. Open Safari/Chrome. Visit http:// pixelserv ip/ca.crt
    2. Find the downloaded file, ca.crt
    3. Double click on `ca.crt' to start Keychain's import wizard.
    4. Select keychain "system" and click "Add".
    5. Open Keychain Access and select keychain "System".
    6. Locate "Pixelserv CA" and double click to the CA cert.
    7. Expand "Trust" and select "Always Trust" for "When using this certificate"
    8. Close the window to finish setting update.
    Restart your browser to take effect.


    Windows: Chrome/Edge/IE
    The following procedure will import your CA cert and trust it system wide.
    1. Open your browser. Visit http:// pixelserv ip/ca.crt
    2. Find the downloaded file, ca.crt
    3. Double click on `ca.crt' to view the certificate.
    4. Click "Install Certificate.." and select "Local Machine".
    5. Click "Place all certificates in the following store" on next screen.
    6. Click "Browse..." and select "Trusted Root Certification Authorities".
    7. Click "Next" and then "Finish" on next screen.
    Restart browser to take effect.

    If the above steps do not work for you, please follow this Windows guide to use MMC for import.


    Others
    You may follow this guide for ChromeOS, and this one for Linux in general.



    Source
    Create and Import the CA Certificate by pixelserv-tls
     
    Last edited: May 25, 2018
    heysoundude and JaimeZX like this.
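
Added example, not part of any post in this thread and not pixelserv-tls code: a check to run before trusting a ca.crt system wide. It confirms that the file holds exactly one certificate and no private key (the pixelserv directory holds both ca.crt and ca.key), and that a copy fetched over plain HTTP has the same SHA-256 fingerprint as the copy read from the router. The function names are hypothetical and the sample bytes are constructed stand-ins, not a real certificate.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def cert_der(data: bytes) -> bytes:
    """Return the DER bytes of the single certificate in data (PEM or DER).

    Raises ValueError if the file carries a private key (ca.key or a
    combined bundle was picked up instead of ca.crt) or no certificate.
    """
    text = data.decode("ascii", errors="ignore")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        # No PEM armor: accept raw DER, which starts with a SEQUENCE tag.
        if data[:1] != b"\x30":
            raise ValueError("not a PEM or DER certificate")
        return data
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("file contains a private key; do not distribute it")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError("expected exactly one CERTIFICATE block")
    # Strip line breaks (LF or CRLF) before decoding the base64 body.
    return base64.b64decode("".join(certs[0].split()), validate=True)


def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding, colon-separated like cert viewers."""
    digest = hashlib.sha256(cert_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def same_certificate(router_copy: bytes, downloaded_copy: bytes) -> bool:
    """True only if both files hold the identical certificate."""
    return fingerprint(router_copy) == fingerprint(downloaded_copy)


# Constructed stand-in bytes, not a real certificate: the fingerprint depends
# only on the DER bytes, so this is enough to exercise the comparison.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(64))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\r\n"
              + base64.encodebytes(SAMPLE_DER).replace(b"\n", b"\r\n")
              + b"-----END CERTIFICATE-----\r\n")
```

In practice, read both files with `open(path, "rb").read()` and pass the bytes to `same_certificate`; the fingerprint string can also be compared by eye with the one shown in the operating system's certificate viewer.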
  7. JaimeZX

    JaimeZX Regular Contributor

    Joined:
    Mar 10, 2018
    Messages:
    116
    Post 1 edited to add YazFi.
     
  8. snakebite3

    snakebite3 Senior Member

    Joined:
    Sep 16, 2014
    Messages:
    253
    I want to thank your mom for this write up. Do you know if the Samba Server or FTP will work with ext2 ?
     
  9. JaimeZX

    JaimeZX Regular Contributor

    Joined:
    Mar 10, 2018
    Messages:
    116
    Happy to help. :) I'm not sure I understand the question though. Are you also thinking of using the extra space on the thumbdrive as a Samba share? I don't see why this would be a problem; ext2 is just an older version of the Linux file system.
     
  10. punkinduster

    punkinduster Regular Contributor

    Joined:
    Dec 6, 2012
    Messages:
    94
    Location:
    PA
    Nice place to find it all in one location. :)
     
    JaimeZX likes this.