DDWRT + PIA: How to bypass PIA for Netflix?

Unlike many, I'm a US resident using PIA.  Like many, I'm also a Netflix subscriber.

With Netflix's recent VPN IP blacklisting, I'd like to figure out how to configure my OpenVPN/DDWRT setup to bypass PIA for Netflix, but use it for all other traffic.

I suspect I need to use an iptables command.  At present, I use this one:
iptables -I FORWARD -i br0 -s 192.168.1.2 -o $(nvram get wan_iface) -j DROP

This trick disables all Internet access on my main machine if my PIA connection goes down.  I believe I could use similar iptables commands to bypass PIA when accessing Netflix.  The trouble is that Netflix uses a CDN with many possible IPs, so I'm not sure offhand if there's a nice trick here.

Any ideas?

Comments

  • Posts: 4,013
    Ask Netflix to provide a range of IPs to use for this. They can blacklist IPs of VPNs, so they clearly want you to use your unprotected ISP IP. Surely they are willing to help you do this without compromising the rest of your Internet traffic?
  • Thus far, Netflix has been unhelpful.  I tried calling them, but as you can imagine, their tier 1 support has no idea.  Has anyone had any success in this endeavor?
  • edited March 2016 Posts: 1

    *****   Scratch that - only works sometimes - must be missing some of netflix's streaming addresses.  ********

    Adding the following to the "Additional Config" section of the OpenVPN client settings in DD-WRT worked for me:

    # netflix
    route 108.175.32.0 255.255.240.0 net_gateway
    route 208.75.76.0 255.255.252.0 net_gateway
    route 64.212.0.0 255.252.0.0 net_gateway
    route 199.92.0.0 255.252.0.0 net_gateway
    route 206.32.0.0 255.252.0.0 net_gateway
    route 209.244.0.0 255.252.0.0 net_gateway
    route 68.142.64.0 255.255.192.0 net_gateway
    route 69.28.128.0 255.255.192.0 net_gateway
    route 69.164.0.0 255.255.192.0 net_gateway
    route 208.111.128.0 255.255.192.0 net_gateway
    route 128.242.0.0 255.255.0.0 net_gateway
    route 204.0.0.0 255.252.0.0 net_gateway
    route 204.141.0.0 255.255.0.0 net_gateway
    route 204.200.0.0 255.252.0.0 net_gateway
    route 208.44.0.0 255.252.0.0 net_gateway

    Post edited by sleepguy on
  • This Netflix thing is a huge PITA, PIA! I've contacted Netflix of course, since they're the party in the wrong here.
    But I get blocked using a geolocation in my own region. Pair that with a router on DD-WRT firmware that's configured to OpenVPN using PIA, and well...I'm pissed.
    Netflix is openly assaulting lawful subscribers who use another legal security/privacy service. How the hell is that okay?
    I wanted to grow up, finish college, get a job and pay for media instead of torrenting. Now we're all being actively blocked for using legal means to help protect ourselves on the internet?
    Torrents are an inconvenient method to get content, but wtf are people supposed to do? Let "content creators" strongarm companies into this kind of crap?

    Kids, this is why we can't have nice things.
  • Posts: 3
    Agreed. I am looking at updating my utorrent client and start downloading the stuff I normally watched on Netflix - there is no way I am compromising my privacy for their retarded games.
  • Hi there,

    I am very disappointed to see how Netflix is handling the whole VPN situation, and even more by PIA's reaction, but since I still have a few months left on my subscription, I had to find a solution. Of course, I will switch to another VPN if by this time PIA has not moved to help honest customers to access Netflix content from their own country (*sick* ...).

    I have to add that I find completely stupid the idea that I (a paying and honest customer of both services) have to somehow circumvent this issue. But really this is temporary until I switch to a better VPN service, or ditch Netflix completely, or both.

    For those of us using PIA on DD-WRT, you can exclude some devices from using the VPN. Keep in mind that on those devices, you will not be protected by PIA anymore and that your traffic will not be encrypted. But at least you'll be able to access the content from your own country.

    Bypass VPN for some IPs

    So first, go to your Administration -> Commands tab in the DD-WRT config.
    In the Firewall section, click Edit and add the following :
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    iptables -t mangle -F PREROUTING
    ip route add default table 200 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 200
    ip route flush cache

    This will add a route that you can use to mark packets coming from devices you want to go over the VPN (i.e. you want to go through your normal ISP).

    Then for each device you want to exclude from the VPN, add:
    iptables -t mangle -I PREROUTING -i br0 -s <theip> -j MARK --set-mark 1

    Just replace <theip> with the local IP of your device. I suggest you assign static IPs to the devices you want to exclude; this way you won't end up excluding the wrong devices. If you don't know how, just look up a tutorial on adding static IPs on DD-WRT.
    If you want, you can tweak this line a little to only exclude some protocol (TCP or UDP) or even just some ports but this might not be useful for most users ...

    That's it! Click on Save Firewall, your router will reboot, and when reconnecting your device, it should go over the VPN, while the rest of your network will still be protected.


    Bypass kill switch

    The following section only applies to users having a kill switch command. You should not have to play with this otherwise. If you don't know what this is, you probably don't have one.

    If you already have a kill switch command in your firewall, something along the lines of :
    iptables -I FORWARD -i br0 -o vlan2 -j DROP

    This line will refuse and drop any connections not going over the VPN in case the VPN or router somehow disconnects and to prevent sending unencrypted traffic. In this case, of course, traffic coming from excluded devices should not trigger the kill switch, and should be accepted since it is wanted behavior for it to go over the VPN.

    Just add the following line for each device :
    iptables -I FORWARD -i br0 -o vlan2 -s <theip> -j ACCEPT

    Hope it helps a few fellow (temporarily) frustrated users like me.

  • @sleepguy - I tried the same approach, which works sporadically...I threw Wireshark on a pc and tried to play a netflix show.  I found a number of amazonaws.com servers in play.  I added the IP that came up, and it worked...momentarily.  The Amazon servers seem very dynamic, a different IP every time I try it.

    Anyone know how to identify the block of IPs Netflix has in use at Amazon?  Is there a better way to have apps bypass VPN?

    I'm using DD-WRT on the router in front of a number of Roku devices.  I wish to have Pandora and some other apps go over VPN, but obviously want Netflix to bypass....any ideas?

    Thanks
  • Posts: 2
    I found this on the web; it may be the rest of the IPs you need.


    # amazon ec2 (us)
    # https://forums.aws.amazon.com/ann.jspa?annID=1528 & extended via whois
    route 23.20.0.0 255.252.0.0 vpn_gateway
    route 50.16.0.0 255.252.0.0 vpn_gateway
    route 50.112.0.0 255.255.0.0 vpn_gateway
    route 54.224.0.0 255.240.0.0 vpn_gateway
    route 54.240.0.0 255.240.0.0 vpn_gateway
    route 67.202.0.0 255.255.192.0 vpn_gateway
    route 72.44.32.0 255.255.224.0 vpn_gateway
    route 75.101.128.0 255.255.128.0 vpn_gateway
    route 107.20.0.0 255.252.0.0 vpn_gateway
    route 174.129.0.0 255.255.0.0 vpn_gateway
    route 184.72.0.0 255.254.0.0 vpn_gateway
    route 184.169.128.0 255.255.128.0 vpn_gateway
    route 204.236.128.0 255.255.128.0 vpn_gateway

    # amazon ec2 (eu)
    # https://forums.aws.amazon.com/ann.jspa?annID=1528 & extended via whois
    route 46.51.128.0 255.255.192.0 vpn_gateway
    route 46.51.192.0 255.255.240.0 vpn_gateway
    route 46.137.0.0 255.255.128.0 vpn_gateway
    route 46.137.128.0 255.255.192.0 vpn_gateway
    route 79.125.0.0 255.255.128.0 vpn_gateway
    route 176.34.64.0 255.255.192.0 vpn_gateway
    route 176.34.128.0 255.255.128.0 vpn_gateway

    # netflix
    route 108.175.32.0 255.255.240.0 vpn_gateway
    route 208.75.76.0 255.255.252.0 vpn_gateway
    route 64.212.0.0 255.252.0.0 vpn_gateway
    route 199.92.0.0 255.252.0.0 vpn_gateway
    route 206.32.0.0 255.252.0.0 vpn_gateway
    route 209.244.0.0 255.252.0.0 vpn_gateway
    route 68.142.64.0 255.255.192.0 vpn_gateway
    route 69.28.128.0 255.255.192.0 vpn_gateway
    route 69.164.0.0 255.255.192.0 vpn_gateway
    route 208.111.128.0 255.255.192.0 vpn_gateway
    route 128.242.0.0 255.255.0.0 vpn_gateway
    route 204.0.0.0 255.252.0.0 vpn_gateway
    route 204.141.0.0 255.255.0.0 vpn_gateway
    route 204.200.0.0 255.252.0.0 vpn_gateway
    route 208.44.0.0 255.252.0.0 vpn_gateway

    # hulu
    route 23.32.0.0 255.224.0.0 vpn_gateway
    route 23.64.0.0 255.252.0.0 vpn_gateway
    route 64.221.0.0 255.255.128.0 vpn_gateway
    route 64.221.128.0 255.255.192.0 vpn_gateway
    route 64.221.192.0 255.255.224.0 vpn_gateway
    route 77.109.170.0 255.255.255.0 vpn_gateway
    route 80.239.221.0 255.255.255.0 vpn_gateway
    route 92.122.0.0 255.254.0.0 vpn_gateway
    route 195.27.0.0 255.255.0.0 vpn_gateway
    route 199.127.192.0 255.255.252.0 vpn_gateway
    route 208.91.156.0 255.255.252.0 vpn_gateway
    route 217.156.128.0 255.255.128.0 vpn_gateway

    # mysqueezebox
    route 192.221.0.0 255.255.0.0 vpn_gateway
    route 204.160.0.0 255.252.0.0 vpn_gateway
    route 205.128.0.0 255.252.0.0 vpn_gateway
    route 207.120.0.0 255.252.0.0 vpn_gateway
    route 209.84.0.0 255.255.0.0 vpn_gateway

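Both route lists in this thread (the `net_gateway` one above and the `vpn_gateway` one just posted) bypass or tunnel traffic purely by destination prefix, so a stream "only works sometimes" whenever a server address falls outside the listed ranges, or sits under a `vpn_gateway` line, which sends it through the tunnel rather than around it. The following is an added example, not code from this thread or from PIA or DD-WRT: it parses OpenVPN `route <network> <netmask> <gateway>` directives and reports which observed server IPs would actually bypass the VPN. The route subset and the observed addresses are constructed for illustration.

```python
import ipaddress

# Constructed subset of the OpenVPN route lines posted in this thread.
# In OpenVPN, net_gateway means "use the pre-VPN default gateway" (the ISP),
# vpn_gateway means "send through the tunnel"; a destination matching no
# route follows the pushed redirect-gateway default, i.e. the tunnel.
ROUTES_TEXT = """
# netflix
route 108.175.32.0 255.255.240.0 net_gateway
route 208.75.76.0 255.255.252.0 net_gateway
route 64.212.0.0 255.252.0.0 net_gateway
# amazon ec2 (us)
route 54.224.0.0 255.240.0.0 vpn_gateway
"""

# Constructed server addresses, standing in for what a packet capture on
# the client would show while a stream plays. Not real measurements.
OBSERVED = ["108.175.40.17", "208.75.77.130", "54.230.5.9", "52.85.1.2"]


def parse_routes(text):
    """Turn 'route <network> <netmask> <gateway>' lines into
    (IPv4Network, gateway) pairs, ignoring comments and blank lines."""
    routes = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "route" or len(parts) < 4:
            raise ValueError(f"unsupported route line: {raw!r}")
        # ipaddress accepts a dotted netmask after the slash.
        network = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False)
        routes.append((network, parts[3]))
    return routes


def gateway_for(ip, routes):
    """Longest-prefix match over the route list, as the kernel does.
    Returns the gateway keyword, or 'default' when no route matches."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for network, gateway in routes:
        if addr in network and (
            best is None or network.prefixlen > best[0].prefixlen
        ):
            best = (network, gateway)
    return best[1] if best else "default"


def coverage_report(observed, routes):
    """Map each observed IP to the path it would take."""
    return {ip: gateway_for(ip, routes) for ip in observed}


def not_bypassed(observed, routes):
    """Observed IPs that would still leave through the VPN tunnel."""
    return [ip for ip, gw in coverage_report(observed, routes).items()
            if gw != "net_gateway"]


if __name__ == "__main__":
    parsed = parse_routes(ROUTES_TEXT)
    for ip, path in coverage_report(OBSERVED, parsed).items():
        print(f"{ip:>15}  ->  {path}")
    print("still via VPN:", not_bypassed(OBSERVED, parsed))
```

Feed it the addresses seen in a capture and any IP reported as `vpn_gateway` or `default` is one the route list does not divert, which is the gap the posters above were hitting.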

  • Posts: 2
    I haven't gotten Netflix to work .. yet
  • Posts: 8
    See my post about pia vpn netflix, the difference is I use pfsense as my router, but that should give you an idea how to go about setting up a bypass for Netflix traffic only
  • Posts: 3
    I have dd-wrt with PIA and the following lines in startup.
    ip route add default via $(nvram get wan_gateway) dev $(nvram get wan_iface) table 10
    ip rule add from 192.168.3.91 table 10
    ip rule add from 192.168.3.92 table 10
    ip rule add from 192.168.3.93 table 10
    ip rule add from 192.168.3.94 table 10
    Which worked great for all 4 devices (2 sony blu ray players, Wii and streaming stick)
    About a month ago the sony blu rays started getting network is down when I tried to start a show but the other 2 devices still worked. I thought it must be sony servers. I connected a blu ray to a hot spot from phone and netflix worked. So back to the router. I tried the solution above with this in firewall script:
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    iptables -t mangle -F PREROUTING
    ip route add default table 200 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 200
    ip route flush cache
    iptables -t mangle -I PREROUTING -i br0 -s 192.168.3.91 -j MARK --set-mark 1
    iptables -t mangle -I PREROUTING -i br0 -s 192.168.3.92 -j MARK --set-mark 1
    iptables -t mangle -I PREROUTING -i br0 -s 192.168.3.93 -j MARK --set-mark 1
    iptables -t mangle -I PREROUTING -i br0 -s 192.168.3.94 -j MARK --set-mark 1
    This has the same effect and is just more complicated than my original solution. I tried tcpdump on tun1 (vpn) and see no packets from the blu rays going over the tunnel. I do not know what else to do for troubleshooting this. Two out of 4 devices work so it must be something the sony blu rays are doing different.
    Please help
    Brian

  • utbutb
    Posts: 4
    Help please. I seem to be seeing two conflicting methods here. A. Listing Netflix known IPs in the Open VPN set up additional config. B. Commands in the firewall to route IPs outside the VPN. What's the best advice? Most reliable? Easiest? Safest - for a novice? Netgear R7000 DD-WRT v24-sp2 (08/15/14) kongac - build 24865M Thanks Rob
  • It's more complicated than that.

    1. link to establish IPset support on your router.
    2. link with a script/process to implement
    And I ran across this today by accident, which is basically Netflix's new server strategy.  Interestingly, the approach in (2) is similar.

    Nothing definite to work with here, but definitely hope.



  • edited September 2016 Posts: 7
    This solution appears to have worked fine for me. I'm only bypassing my roku devices, which doesn't feel like it should be a great security/privacy concern for me really. This should work fine for me until I decide to either ditch netflix or Netflix relaxes on the VPN ban.  Thanks elvadrias for your fix.

    elvadrias said:
    Hi there,

    Bypass VPN for some IPs

    So first, go to your Administration -> Commands tab in the DD-WRT config.
    In the Firewall section, click Edit and add the following :
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    iptables -t mangle -F PREROUTING
    ip route add default table 200 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 200
    ip route flush cache

    This will add a route that you can use to mark packets coming from devices you want to go over the VPN (i.e. you want to go through your normal ISP).

    Then for each device you want to exclude from the VPN, add:
    iptables -t mangle -I PREROUTING -i br0 -s <theip> -j MARK --set-mark 1

    Just replace <theip> with the local IP of your device. I suggest you assign static IPs to the devices you want to exclude; this way you won't end up excluding the wrong devices. If you don't know how, just look up a tutorial on adding static IPs on DD-WRT.
    If you want, you can tweak this line a little to only exclude some protocol (TCP or UDP) or even just some ports but this might not be useful for most users ...

    That's it! Click on Save Firewall, your router will reboot, and when reconnecting your device, it should go over the VPN, while the rest of your network will still be protected.
    Post edited by emge on
  • ab1ab1
    Posts: 4
    Good idea on policy routing, but doing firewalling by IP will very quickly become very, very boring, especially given all of this is mostly hosted in the ginormous AWS cloud.

    A better way is to use ipset module to automatically add IPs to a filter, which is then applied to the iptables rule(s):
    ipset create domain-filter-ipv4 hash:ip family inet
    ipset create domain-filter-ipv6 hash:ip family inet6
    iptables -t mangle -A PREROUTING -i ${if} -p tcp -m tcp -m set --match-set domain-filter-ipv4 dst -j MARK --set-xmark 0x1
    ip6tables -t mangle -A PREROUTING -i ${if} -p tcp -m tcp -m set --match-set domain-filter-ipv6 dst -j MARK --set-xmark 0x1

    This approach also requires a dnsmasq instance running on the router, with another iptables rule to re-write all DNS requests to the local DNS server (e.g. dnsmasq.conf):
    ipset=/netflix.com/domain-filter-ipv4,domain-filter-ipv6

    If direct to IP method is used by providers, then IP subnet(s) should also be added to the ipset filter statically using ASN RADB lookup(s).

    There is a Raspberry Pi appliance that does all of this called black.box unzoner (http://unzoner.com).

    Disclaimer - I wrote it.

    -- ab1
  • Posts: 1
    Hey ab1,

    I added those lines to my routers firewall script box and saved it but I am still experiencing netflix blocks. 

    This last line: ipset=/netflix.com/domain-filter-ipv4,domain-filter-ipv6

    Does it go in the Firewall script field or in the DNSMasq additional config field?

    Thanks
  • Posts: 5
    So, I came here looking for help on unblocking netflix, same situation, I am only trying to use Netflix in my own country, but when connected to PIA, or any other VPN i tried, I get the proxy blocked page.

    I  finished setting up a flashed router last night after following the information on here: http://vpnpick.com/best-vpn-netflix-2017/  There's a section that explains that VPN router setups should theoretically not be detected unless using the app version of the service, so I was at a loss.

    Finally a few hours ago, a good friend who's a bit more techie than me said he knew how to get around blocks - and it finally worked! It turns out that Netflix, Twitch, and all these other websites are doing much more than blocking IP lists. They seem to be using cookie data that can be publicly read when you visit their websites.

    Cookies such as gmail account, so say you login to your gmail without VPN connected, and connect VPN with gmail still logged in, Netflix can tell that your gmail location does not match. I literally had to logout of gmail, ensure my browser was not tracking my location, clear cache and cookies and that was it.

    Log out of all google accounts -> Disable location services on browser and device (including windows 10 location services) -> Clear all browser cache and cookies -> Connect to VPN and try again - it should work now - at least for me on PIA it's up and finally resolved.

  • Posts: 2
    The frustration I have is the same as others have expressed.  I'm not trying to pirate or cheat anyone out of anything I'm not fully qualified by location and subscription to access.  I just don't want my ISP snooping on and selling my browsing history.  I'm not sure what the solution is.  Contacting Netflix won't help.  But, if I have to choose between reliable Netflix access and VPN privacy, as much as I want to protect my privacy that decision will be a no brainer.  It's also only a matter of time before Amazon and other streaming providers follow suit.

    The ultimate solution is voting out politicians who chose not to protect our privacy.
  • Posts: 2
    cowhow said:
    The frustration I have is the same as others have expressed.  I'm not trying to pirate or cheat anyone out of anything I'm not fully qualified by location and subscription to access.  I just don't want my ISP snooping on and selling my browsing history.  I'm not sure what the solution is.  Contacting Netflix won't help.  But, if I have to choose between reliable Netflix access and VPN privacy, as much as I want to protect my privacy that decision will be a no brainer.  It's also only a matter of time before Amazon and other streaming providers follow suit.

    The ultimate solution is voting out politicians who chose not to protect our privacy.
    Yup
  • Posts: 2
    I am in the same quandary as the rest of us.  I need PIA because our government doesn't care about privacy, but also watch Netflix.  Netflix is now the problem here.  And, they don't care.  If Netflix is so worried about people watching local-only content, they could choose region based on account details.  Anyway, in Windows 10, how do I bypass PIA for Netflix?  PIA support is no help.  They are like any other corporation that has decided that split tunneling is evil.  PIA should work with this, since the only solution now is to turn off PIA to use Netflix.  That is just dumb.
  • ab1ab1
    Posts: 4
    Trmptxn said:
    Hey ab1,

    I added those lines to my routers firewall script box and saved it but I am still experiencing netflix blocks. 

    This last line: ipset=/netflix.com/domain-filter-ipv4,domain-filter-ipv6

    Does it go in the Firewall script field or in the DNSMasq additional config field?

    Thanks
    Sorry, a bit late to the party with the reply. I don't think DD-WRT has the ipset module in by default, so you are going to struggle with this.

    If you must use DD-WRT, there is an app under development with basic policy based routing, which runs under the DD-WRT's MyPage mechanism and takes care of some of this (http://unzoner.com/#dd-wrt). You could try using the "bypass" device filter to nominate entire devices to bypass VPN. Not ideal, but it's a start. PBR function is going to be developed further, so it might become more sophisticated in the future.

    -- ab1
  • Posts: 110
    cowhow said: The frustration I have is the same as others have expressed. I'm not trying to pirate or cheat anyone out of anything I'm not fully qualified by location and subscription to access. I just don't want my ISP snooping on and selling my browsing history. I'm not sure what the solution is. Contacting Netflix won't help. But, if I have to choose between reliable Netflix access and VPN privacy, as much as I want to protect my privacy that decision will be a no brainer. It's also only a matter of time before Amazon and other streaming providers follow suit. The ultimate solution is voting out politicians who chose not to protect our privacy.
    I feel your frustration. I too have a legitimate US-based Netflix account that I can't use without disabling PIA. Now that Netflix is banning the known IP-ranges of PIA, the pirates will be jumping ship in search of another un-blocked VPN until that one gets blocked...
  • edited July 30 Posts: 474
    You might want to try re-routing your IP request. Right now everything is being routed via the tunnel. This is done usually through your route table in the local machine (your computer).

    Netflix has a block of IP addresses and it should be simple enough to reroute IP requests to Netflix. You can add these lines to your route table one at a time.

    route add 108.175.32.0 mask 255.255.240.0 192.168.1.1
    route add 108.175.33.0 mask 255.255.255.0 192.168.1.1
    route add 108.175.34.0 mask 255.255.255.0 192.168.1.1
    route add 108.175.35.0 mask 255.255.255.0 192.168.1.1
    route add 108.175.42.0 mask 255.255.255.0 192.168.1.1
    route add 108.175.43.0 mask 255.255.255.0 192.168.1.1

    There are other IP addresses associated with Netflix but they are UK based. https://ipinfo.io/AS2906

    Note: the 192.168.1.1 is a generic gateway address used by most routers. Check your router first before adding those lines. Replace the 192.168.1.1 address with the address that is in your router.

    Caveat - I cannot validate if this will work, nor can I guarantee that you will not leak your ISP IP address. This comes with risks but it will not hurt to try.




    Post edited by Omnibus_IV on