The little things: ad blocking, per-link ping, and pairing without a clipboard

After a fortnight of heavy plumbing, this week was deliberately smaller: the quality-of-life things you actually notice day to day. Ads gone from the built-in browser and VPN, a ping on every mesh link, and a way to pair a device that has no clipboard.

A shield blocking ads on the mesh, with a per-link ping badge

After a couple of weeks of heavy plumbing — storage, then the whole VPN stack — this week was deliberately smaller. Quality-of-life stuff: the little things you actually notice day to day. None of them is a headline feature on its own; together they make the thing nicer to live with.

Ads, gone

The built-in tunnel browser — and the exit-VPN's DNS — now block ads. It's a domain blocklist (StevenBlack plus HaGeZi Pro) with a bit of cosmetic CSS to hide the leftover holes, wired into both the in-app browser and the VPN's DNS sinkhole, with live status on each blocklist source. I'll be honest about the ceiling: this is a domain-and-cosmetic filter, not a full uBlock-style engine, so a determined in-video ad or an anti-adblock loader riding the same connection can still get through. But the ordinary web got a lot quieter.
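The ceiling described above, shown on a hosts-format list. This is an added example, not the project's code: the sample list, domain names and function names are constructed, and matching subdomains of a listed name is an assumption of this sketch (a plain hosts file matches exact names only).

```python
# Added illustration: hosts-format blocklist -> DNS sinkhole decision.
# The sample list and every domain name below are constructed.
from urllib.parse import urlsplit

SAMPLE_HOSTS = """\
# constructed sample in hosts format
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org  # inline comment
0.0.0.0 0.0.0.0
"""

# Housekeeping entries that hosts-format lists carry but that are not ad domains.
SKIP = {"localhost", "localhost.localdomain", "broadcasthost", "0.0.0.0"}

def parse_hosts(text):
    """Return the set of blocked names from hosts-format text."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        # Only null-routed entries are sinkhole entries.
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            for name in fields[1:]:
                name = name.lower().rstrip(".")
                if name not in SKIP:
                    blocked.add(name)
    return blocked

def is_blocked(qname, blocked):
    """True if qname or any parent domain is listed (assumed suffix walk)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def sinkhole_answer(qname, blocked):
    """Null address for a blocked name, or None to forward the query upstream."""
    return "0.0.0.0" if is_blocked(qname, blocked) else None

def url_blocked(url, blocked):
    """A DNS-level filter only ever sees the hostname, never the path."""
    return is_blocked(urlsplit(url).hostname or "", blocked)
```

An ad served from the same hostname as the content (for example a path under the video host) never produces a separate DNS query, so `url_blocked` returns False for it no matter how large the list is.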

You can finally see your mesh

Every link in the mesh now measures its own round-trip. The handshake times itself for free, and a tiny handshake-free UDP poll keeps it fresh — so click a connection in the topology graph and you see which carrier it's using and its ping in milliseconds. The same measurement feeds smarter behaviour underneath: bootstrap now dials the closest candidates first, and a node waking from sleep polls a couple of nearby peers for what changed instead of redialling the entire mesh — which your battery appreciates.

Pairing a device that can't paste

Some devices are a pain to onboard: a TV, a fresh headless box, anything without a clipboard you can paste a key into. So now a device like that shows a meshhold://give QR code; you scan it with your phone, pick the key, and the phone pushes it straight over the local network to the waiting device — encrypted end to end, off the mesh entirely, because you're not on the mesh yet. There's a meshhold key-receive on the CLI for the same trick.

Better disguises

Small but satisfying: the obfs-ssh transport now greets a connection exactly like a stock Ubuntu OpenSSH server — right banner, right host-key ordering — and turns away anyone who isn't a member with a normal-looking SSH error. To a port scanner it's just another boring sshd. The plain carrier's handshake also stopped looking like libp2p on the wire. Blending in is a feature.

That's the week: nothing you'd put on a billboard, all things you'd miss if they went away.


Since last week

  • Ad blocking: a domain blocklist (StevenBlack + HaGeZi Pro) plus cosmetic CSS, in the tunnel browser and the exit-VPN DNS sinkhole, with live per-source status
  • Per-link ping: round-trip measured on every connect (handshake + a handshake-free UDP poll), surfaced per-edge with carrier + latency in the topology; bootstrap now dials the RTT-closest candidates first
  • Low-power poll: a node waking from sleep polls a few holders for chat tips and vault roots in one round-trip instead of redialling everyone
  • QR remote key paste: pair a clipboard-less device by scanning its meshhold://give QR with your phone, which pushes the key over the LAN, encrypted; plus meshhold key-receive and web send/receive buttons
  • Obfuscation realism: obfs-ssh mimics a stock Ubuntu sshd (banner + host-key order, an SSH-error rejection for non-members); the plain carrier's handshake no longer looks like libp2p
  • Tunnel browser: an in-page right-click menu (copy text / image / link, view source) with find-in-page in the source viewer
  • Reliability: resume-after-long-pause fixes on desktop and Android, Android deep-sleep-but-resident with playback-401 self-heal, and on-demand fetch of missing blocks / chat media instead of failing with a 503