webrtc leak and adblock

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
Author Message

Joined: 20 Jul 2019
Posts: 99
Location: Finland

PostPosted: Sun Aug 18, 2019 11:52    Post subject: webrtc leak and adblock Reply with quote

Can anyone advise how to get uBlock Orig and adblock software on DD-WRT router? It is important to me that these are directly on the router so that even the smartphone does not leak webRTC.

How can I install these as easily as possible?

Is there any very simple way to install these? For example with PuTTY

Joined: 04 Aug 2018
Posts: 1064
Location: Appalachian mountains, USA

PostPosted: Sun Aug 18, 2019 14:29    Post subject: Reply with quote
[Important edit! I forgot to mention below that if you use my script, dnsmasq has to be told to use the new /tmp/badhosts file! In GUI>Services>Services, in Additional Dnsmasq Options add a line addn-hosts=/tmp/badhosts so that dnsmasq knows what to do.]

I don't know how to block WebRTC at the dd-wrt level, but https://ipleak.net gives instructions on how to block it at the browser level. I use their instructions for Firefox.

You can block ads at the dns level using adguard dns. See https://adguard.com/. It used to be available in dd-wrt through the DNSCrypt interface using the "Encrypt DNS" button in the DNSMasq section, but recent releases have removed the button. See the dns link in my signature for the workaround. Or use it without DNSCrypt by inserting their DNS-server IP addresses on the dd-wrt Basic Setup page.

While ad blocking at the level of the dns service you use is probably a better approach overall, you can actually tweak dnsmasq to block ads at the router level, also using a dns approach, though it is a bit of a kluge. Here is the script I use. I have it in the Startup code that one can install in the GUI>Administration>Commands page. However, you should first try copying it into the CLI using PuTTY. In Windows there may be issues of line endings being in the wrong format. I gather that some get around the line-endings problem using some particular mode of Wordpad? I'm not a Windows person, so perhaps someone else will shed light on this. This code is in the spirit of what's in the old dd-wrt wiki tutorial on adblocking, but it is different in the details.
#hosts to block in dnsmasq (Alozaros 7/8/18 post in
  ( cd /tmp; \
    touch badhosts ; \
    sleep 30 ; \
    ( ERRA=0 ; ERRB=0 ; ERRC=0 ; \
      curl -s http://winhelp2002.mvps.org/hosts.txt \
        2>badhosts.log || ERRA=$? ; \
      curl -s http://sbc.io/hosts/hosts \
        2>>badhosts.log || ERRB=$? ; \
      curl -sk https://someonewhocares.org/hosts/zero/hosts \
        2>>badhosts.log || ERRC=$? ; \
      echo $ERRA $ERRB $ERRC > badhosts.errcodes \
    ) | sed 's/\t/ /g; /^0\.0\.0\.0 /!d; s/ *\#.*$//; s/\r//' \
      | sort -u \
      | sed -E '/\.hulu(|ad)\./d' \
      > badhosts \
    ) && stopservice dnsmasq && startservice dnsmasq &
The sed -E ... line is to make an exception for hulu streaming, as such streaming (at least in the US) fails without the exception. Hulu insists that it's ads be seen, or it won't play at all. You can just omit that one line (and probably should, at least long enough to see whether you need it). This code does filter out any potential malicious lines (note the downloads don't have https security) of the form yourbank.com, in case the source files have been hacked or posted with other than good intentions.

Again, never ever put anything in startup commands that you have not tested in the CLI first, because to do so is to risk accidentally making the router hang with the GUI unreachable.

Here if it goes into the CLI without errors, you should look in /tmp at badhosts.log, which should be empty, and badhosts.errcodes, which should have three zeros. You can do wc -l badhosts to count the number of lines in badhosts. Should be a bit over 42,000. Do head badhosts to look at a few lines of the badhosts file and note the format. There is controversy over this method - assigning IP address to domains - of ad blocking, but I don't have a better plan. (Anyone?) You can ping the forbidden domains in the CLI or from a computer, but if you look carefully, you'll see the returns come from, the loopback address representing dd-wrt itself. You can also, in the CLI or from a linux computer (not sure the Windows equivalent), use nslookup on any of the domains in badhosts and see that the dns system returns Here is how it goes in the CLI:

~# cd /tmp
/tmp# cat badhosts.log
/tmp# cat badhosts.errcodes
0 0 0
/tmp# wc -l badhosts
42211 badhosts
/tmp# head badhosts 0.nextyourcontent.com 0.r.msn.com 000.0x1f4b0.com 000.gaysexe.free.fr 000free.us 000owamail0.000webhostapp.com 000tristanprod.free.fr 001.0x1f4b0.com 002.0x1f4b0.com
/tmp# ping 0.r.msn.com
PING 0.r.msn.com ( 56 data bytes
64 bytes from seq=0 ttl=64 time=0.067 ms
64 bytes from seq=1 ttl=64 time=0.062 ms
--- 0.r.msn.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.062/0.064/0.067 ms
/tmp# nslookup 0.r.msn.com
nslookup: can't resolve '(null)'

Name: 0.r.msn.com
Address 1:

I note in the comment that dd-wrt guy Alozaros provided the basic method in a forum post, so this code is a spin-off of his.

Five WRT1900ACSv2's on 42926, 44048.
VLANs, VAPs, NAS, client-mode travel router, OpenVPN client (AirVPN), DDNS, wireguard servers, wireguard clients (AzireVPN), two DNSCrypt DNS providers (incl Quad9) via OpenVPN/wireguard clients.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.) All times are GMT


Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum