Very New and Confused Trying to get Diversion and DNSCrypt Working (Fixed)

Chewie420

Regular Contributor
Hi, so I am new to this world and just got my Asus RT-AX88U router and wanted to put Merlin 384.15 on so I could get my VPN working as suggested by my VPN provider. That opened the door to amtm, and I think it might be a bit over my head without asking some questions.

I got amtm installed and also Diversion and DNSCrypt and configured ... well, I think. The issue is I don't get ads being blocked unless I enable DNSFilter and have the setting set to Router and the DNS entries are blank in my Router Settings.

If I go to https://www.dnsleaktest.com/
it shows that I have DNS leaks, as I am getting various servers like
107.170.57.34 cord.ventricle.us. Digital Ocean

If I use the IP of my pixelserv-tls (which I set up for Diversion) as the DNS setting in my router, I can no longer go online.

If I use DNSFilter with Quad9 I get no DNS leaks, but I get ads; all servers show *.pch.net.

Anyone willing to give a noob a hand? I thought I had everything working, or maybe I just don't understand what I am doing lol.

What is the best way to test that DNScrypt is working?

I was also hoping to have it work with OpenVPN and my VPN client on my router.

Thanks!
 
I have now gone back to using my Pi-hole for the LAN DNS settings and using Quad9 in DNS Filter in Merlin.

I get no ads on all devices, and also all my servers in the DNS leak test are *.pch.net.

I was hoping to get the same results by using Diversion and DNSCrypt, but I'm not sure what I am doing wrong.

At least I have Skynet working lol
 
Welcome to the forum!

.pch.net = Quad9.

DNS Filter set to Router & DNS fields blank is good.

IMHO, it might be a good idea to get your Diversion-Pixelserv setup happy & working well before jumping into the DNSCrypt scenario.

Deal with one issue at a time?:)
 
@Chewie420, Welcome to the forums and to our world too! :)

Agree with @Treadler above, enable things one at a time and ask questions then when/if things break. ;)
 
Welcome to the forum :)
Make sure you get each script working before going to the next one.
Diversion, Skynet and DNSCrypt work really well together!
https://diversion.ch/diversion/requirements.html
When you have Diversion and Pixelserv-tls running, also import the CA (cert) to your clients:
https://github.com/kvic-z/pixelserv...ificate#import-pixelserv-ca-on-client-devices
What servers have you chosen in the DNSCrypt installer?
I did a little how-to for DNSCrypt, but with a NextDNS (DoH) setup. It should be about the same for whatever servers are chosen, except for the pasting of the sdns stamp.
https://www.snbforums.com/threads/release-dnscrypt-installer-for-asuswrt.36071/page-74#post-546493
DNSCrypt-proxy v2 supports DoH (DNS over HTTPS) and DNSCrypt protocol servers.
Installed via amtm (DNSCrypt installer).
Merlin firmware has the DNS Privacy Protocol DoT (DNS over TLS) in the WAN router settings.
You have 3 encrypted DNS protocols at your fingertips ;) (DNSCrypt & Merlin's DoT can't be used at the same time.)
So it comes down to what DNS servers you want to use.
Specific clients added in DNS-Filter will bypass dnsmasq; Diversion and DNSCrypt would not work with that client, since both make use of dnsmasq.
DNS-Filter global mode = Router (should be fine).
What is the best way to test that DNScrypt is working?
Code:
pidof dnscrypt-proxy
The above will return a number if DNSCrypt-proxy is running.
And in the router syslog you will also have a confirmation of the chosen servers:
[quad9-dnscrypt-ip4-filter-alt] OK (DNSCrypt) - rtt: 49ms
[quad9-doh-ip4-filter-pri] OK (DoH) - rtt: 39ms
[quad9-dnscrypt-ip4-filter-pri] OK (DNSCrypt) - rtt: 38ms
[quad9-doh-ip4-filter-alt] OK (DoH) - rtt: 39ms
https://www.dnsleaktest.com/ is good to check that you get the selected DNS servers. (Remember that DNS providers like Cloudflare and Quad9 are CDNs: they have servers all over and connect you to the closest one, so you can get other IP addresses with this test, but you can confirm that it belongs to the correct CDN.)
This is the guide I followed when I first installed these awesome scripts ;) (the part about creating a USB drive for the router can now be done in amtm)
edit:
(How to make it work with VPN)
https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/
 
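The check above (pidof plus the syslog "[server] OK (...) - rtt: NNms" lines) can be scripted. This is an added example, not code from the post or from the DNSCrypt installer; it parses a constructed syslog excerpt built from the four lines quoted above, and it assumes the Asuswrt-Merlin syslog lives at /tmp/syslog.log with the usual "dnscrypt-proxy[pid]:" prefix.

```shell
#!/bin/sh
# Constructed sample syslog excerpt: the four "OK" lines quoted in the post, with an
# assumed syslog prefix (timestamp, hostname, "dnscrypt-proxy[pid]:") and one made-up
# failed server ("example-server") so the failure path is exercised.
SAMPLE_SYSLOG='Mar  1 10:00:01 RT-AX88U dnscrypt-proxy[1234]: [quad9-dnscrypt-ip4-filter-alt] OK (DNSCrypt) - rtt: 49ms
Mar  1 10:00:01 RT-AX88U dnscrypt-proxy[1234]: [quad9-doh-ip4-filter-pri] OK (DoH) - rtt: 39ms
Mar  1 10:00:01 RT-AX88U dnscrypt-proxy[1234]: [quad9-dnscrypt-ip4-filter-pri] OK (DNSCrypt) - rtt: 38ms
Mar  1 10:00:01 RT-AX88U dnscrypt-proxy[1234]: [quad9-doh-ip4-filter-alt] OK (DoH) - rtt: 39ms
Mar  1 10:00:02 RT-AX88U dnscrypt-proxy[1234]: [example-server] TIMEOUT'

# Print "name protocol rtt_ms" for every server the proxy reported OK.
ok_servers() {
  printf '%s\n' "$1" |
    sed -n 's/.*\[\([^]]*\)\] OK (\([^)]*\)) - rtt: \([0-9]*\)ms.*/\1 \2 \3/p'
}

# Names of servers whose check line is something other than OK (e.g. TIMEOUT).
failed_servers() {
  printf '%s\n' "$1" | grep -F 'dnscrypt-proxy[' | grep -v '] OK (' |
    sed -n 's/.*: \[\([^]]*\)\] .*/\1/p'
}

# Name of the OK server with the lowest round-trip time.
fastest_server() {
  ok_servers "$1" | sort -k3,3n | head -n 1 | cut -d' ' -f1
}

# Router-side check: the process is alive (pidof, as in the post) and at least one
# server passed. /tmp/syslog.log is assumed to be the Asuswrt-Merlin syslog path.
check_dnscrypt() {
  if ! pidof dnscrypt-proxy >/dev/null 2>&1; then
    echo "dnscrypt-proxy is NOT running"
    return 1
  fi
  log=$(cat /tmp/syslog.log 2>/dev/null)
  if [ "$(ok_servers "$log" | wc -l | tr -d ' ')" -eq 0 ]; then
    echo "dnscrypt-proxy is running but no server has passed its check yet"
    return 1
  fi
  echo "OK servers:"; ok_servers "$log"
  echo "fastest: $(fastest_server "$log")"
  [ -z "$(failed_servers "$log")" ] || { echo "failed:"; failed_servers "$log"; }
}

# Stand-alone demo against the constructed sample (on the router, call check_dnscrypt).
ok_servers "$SAMPLE_SYSLOG"
echo "fastest: $(fastest_server "$SAMPLE_SYSLOG")"
echo "failed: $(failed_servers "$SAMPLE_SYSLOG")"
```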
Ok, good news ... re-installed and ran config and POW! .. No more ads on https://ads-blocker.com/testing/#ad-blocker-test-steps, but I do have some questions.

Do I need to import the cert on every device and every browser I use? I didn't import the cert into Chrome on my desktop, but ads were still being blocked, so once again I got confused.

I wanted to have my IoT devices also use this; not sure if I need to or not, but since I have them on a guest network they cannot see my Pi running Pi-hole. The entire point of me doing this was so the devices on my guest networks and friends who use it will also get ads blocked, but if they need to import a cert first I guess there isn't much point.

I think, if I am understanding it, without the cert it will block HTTP ads but not HTTPS.

I was messing up by putting my Pixelserv-tls IP in as my DNS server in my router WebGUI.
 
Even on my phone, without loading any certs, I am getting no ads, even on the isolated guest network. So this is great; I guess I just don't understand what the cert does and why I need it.

If I am correct and it is to block https ads, how can I test this to see if it is also working?

Since Diversion seems to be working and it is likely me not understanding I will move on and try DNSCrypt.

Thanks again for any help!
 
Welcome to the forum :)

Thanks! So glad this place is here!

Make sure you get each script working before going to the next one.
Diversion, Skynet and DNSCrypt work really well together!

I think I got them working now! I did have DNSCrypt installed and it returned a number, but I decided just to use Merlin DoH.
I will just go with Merlin and use Skynet and Diversion from amtm for now, just to keep it simpler for me.

The only issue I have now is when I connect to the OpenVPN server with my phone I can't access any local resources, and my ads aren't blocked even though it shows I am successfully connected. Not sure why, but I will need to figure that out. Might have to disable Skynet and see if that is the issue.

I wanted to use my Pi-hole as primary DNS for devices that are on the same LAN and then have my guest Wi-Fi networks isolated using 9.9.9.9. I have the WAN setting using the Quad9 servers I want, and it warns me not to use the DNS setting with my Pi-hole IP already populated in DNS Settings.

You said I have 3 DoT options: DNSCrypt, Merlin DoT and, sorry, what is the 3rd? My Pi-hole? If so, I didn't have that working using DoT yet; I guess I should if I want to keep using it, so I guess I won't for now.

Last question is to do with the Diversion-Pixelserv cert. What exactly is that used for, 'cause I seem to have all ads blocked with only importing it to one device, but all devices have no ads.

Not really sure what it does, and what about my devices that can't import certs, like Google Home and others.
 
I think I got it all working, minus my OpenVPN server and my question above about the cert. Just not sure what it does or why it is needed, as all my ads are blocked as far as I can tell.

If it does make a difference, can I test that it is working? 'cause I did load the cert on my desktop Firefox and Windows.

So close to having the setup I want: all devices on LAN and guest networks have ads blocked and use DoH. Now I just want to be able to access my router from OpenVPN and have ads blocked too.

Soooooo close, well, and understanding what the cert does and why it is needed, and thanks again for your help!
 
Importing the certificate into each & every device you can gets Pixelserv up & running on that device.
Some devices also require you to "trust" the certificate after importing (Apple 'idevices', for example).
Why do I want Pixelserv working? From what I read, it makes the whole adblocking process faster.
Adblocking does work without Pixelserv, only not as fast.
(There are gurus on this forum that will be able to explain that better than I can).:)
 
You said I have 3 DoT options, DNSCrypt, Merlin DoT and sorry what is the 3rd?
DNSCrypt-proxy v2 supports 2 protocols (DoH & DNSCrypt).
In firmware: DNS Privacy Protocol (DoT).
So you have the option of 3 encrypted protocols (different servers, but some providers like Cloudflare/Quad9 use anycast and support several protocols).

Last question is to do with the Diversion-Pixelserv cert.
I only import Pixelserv certs on my main devices (computers/phones that are on my main network, not guest clients or Chromecasts and so on).
The certs are for HTTPS ads. You can check with your Pixelserv IP in your browser (https://192.168.1.2/servstats); clients with the cert will generate fewer errors on this page (makes things faster/smoother). (Mentioned as the Nerd stats generator ;))

This page is very detailed on vpn-client, selective routing and how to make it work with DNS like DoT, and it is the same for DoH & DNSCrypt. It explains the "Accept DNS configuration" setting in vpn-client. It also has a link at the bottom for vpn-server.

(I did a lot of reading in the different script threads before I installed them and still have a lot to learn/understand about this ;))
 