
Diversion [Solved] Adblock is bypassed by SSH tunneling into the router

ghorvath

New Around Here
I tried this both with ASUSWRT-Merlin TUF-AX5400 3004.388.9_2-gnuton2 and ASUSWRT-Merlin RT-AX56U 3004.388.8_4 with Diversion 5.4.6 (+Skynet 7.6.5 if it matters), DNS Director is enabled with Global redirection set to Router. I enabled the large filtering (https://big.oisd.nl/dnsmasq2) plus one from StevenBlack (https://raw.githubusercontent.com/S.../alternates/fakenews-gambling-porn-only/hosts)

Diversion works perfectly for machines or phones on LAN, filters out everything defined by the blocklists.

I have one port open to the outside world where dropbear listens with ssh (only private keys, no password allowed on this port). When I ssh into the router with dynamic port forwarding to a port from my laptop, and then set my Firefox to use SOCKS5 with this port, and even set DNS proxying via SOCKS5 as well, then none of the sites are blocked. Those DNS calls are going through the ssh tunnel on SOCKS5, and not using the local router's DNS, because that also has working adblocking. But I can't see them in the tunneled router's Diversion logs, which is consistent with the undesired behaviour that ads appear.

Is there some trivial setting I am missing that will make sure that all SSH tunneled traffic is also going through Diversion or dnsmasq?
 
The router won't use its own dnsmasq server for lookups, but I'm not sure how this is supposed to be working anyway based on your description. Most people will just set up a VPN server on the router and connect using a VPN client (WireGuard or OpenVPN).
 
OK, I made a similar setup on my router and I see the DNS will originate from the local router using the servers defined in /etc/resolv.conf, which go directly to the WAN DNS servers, bypassing dnsmasq and Diversion.
It has got to be caused by the router specifically treating the ssh traffic as originating from itself. The only way around this specific type of behavior would be to make the router its own local caching resolver, or override /etc/resolv.conf via mount bind. I would recommend using the VPN site tunnel instead to skip having to do such, but everyone has their own reasons to do what they do.
 
It has got to be caused by the router specifically treating the ssh traffic as originating from itself. The only way around this specific type of behavior would be to make the router its own local caching resolver...
There's an option to do this in the "Advanced Tweaks and Hacks" section of Merlin's firmware.
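The diagnosis in the replies above is that names resolved for the ssh -D SOCKS tunnel are looked up by dropbear, i.e. by the router's own resolver in /etc/resolv.conf, which lists the WAN DNS servers and so never touches dnsmasq or Diversion. The script below is an added example written for this thread, not code from the thread, Diversion, Skynet or ASUSWRT-Merlin: it checks a resolv.conf-style file for that bypass and shows the mount-bind override the second reply mentions. The file paths, the sample nameserver addresses, the client-side ssh/Firefox settings in the comments, and the assumption that Merlin's dnsmasq reads its upstream servers from /tmp/resolv.dnsmasq rather than from /etc/resolv.conf (so pointing the system resolver at 127.0.0.1 does not loop) are all assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example (not from the thread, Diversion or ASUSWRT-Merlin).
# Client side of the setup the OP describes, for reference (values assumed):
#   ssh -i ~/.ssh/router_key -p 2222 -D 1080 admin@router.example
#   Firefox: SOCKS5 127.0.0.1:1080, network.proxy.socks_remote_dns = true
# Names resolved for that tunnel are looked up by dropbear on the router,
# i.e. by the router's own resolver (/etc/resolv.conf), not by dnsmasq.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
# Assumed location for the override file (persistent JFFS storage on Merlin).
LOCAL_RESOLV="${LOCAL_RESOLV:-/jffs/configs/resolv.conf.local}"

# List the nameserver entries of a resolv.conf-style file, one per line.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# True (exit 0) when at least one nameserver is not loopback: lookups made
# by the router itself then go straight to WAN DNS and skip Diversion.
resolver_bypasses_dnsmasq() {
    nameservers "$1" | grep -q -v -e '^127\.' -e '^::1$'
}

# Number of non-loopback nameservers (for reporting). grep -c exits 1 on a
# zero count, hence the "|| true" so the function is safe under set -e.
wan_nameserver_count() {
    nameservers "$1" | grep -c -v -e '^127\.' -e '^::1$' || true
}

# Write a resolv.conf that sends the router's own lookups to local dnsmasq.
# Assumption: Merlin's dnsmasq takes its upstreams from /tmp/resolv.dnsmasq,
# not from /etc/resolv.conf, so this does not make dnsmasq query itself.
write_local_resolv() {
    printf 'nameserver 127.0.0.1\n' > "$1"
}

# Bind-mount the override over /etc/resolv.conf (root on the router; the
# WebUI option mentioned in the last reply does the equivalent for you).
apply_override() {
    write_local_resolv "$LOCAL_RESOLV"
    mount -o bind "$LOCAL_RESOLV" "$RESOLV_CONF"
}

# Report on a resolv.conf; returns 1 when the bypass is present, so it can be
# used as:  check_resolv /etc/resolv.conf || apply_override
check_resolv() {
    if resolver_bypasses_dnsmasq "$1"; then
        echo "BYPASS: $(wan_nameserver_count "$1") WAN nameserver(s) in $1:"
        nameservers "$1" | sed 's/^/  /'
        return 1
    fi
    echo "OK: router-originated lookups in $1 go to local dnsmasq"
    return 0
}

# Constructed demonstration inputs (not real router files).
demo() {
    tmp=$(mktemp)
    printf 'nameserver 203.0.113.53\nnameserver 203.0.113.54\n' > "$tmp"
    check_resolv "$tmp" || echo "(this is the state the thread describes)"
    write_local_resolv "$tmp"
    check_resolv "$tmp"
    rm -f "$tmp"
}

demo
```

On the router the real check is simply check_resolv /etc/resolv.conf; if it reports BYPASS, every lookup dropbear performs for the SOCKS tunnel is answered by the WAN servers and will never appear in the Diversion log, exactly as the OP observed. After either apply_override or the firmware's own "use local caching DNS server as system resolver" style option (the exact label is not quoted in the thread), the same lookups go through dnsmasq and are subject to the blocklists; keep the VPN-server alternative the replies recommend in mind, since it avoids the router resolving names on the client's behalf at all.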
 
