DDWRT + PIA: How to bypass PIA for Netflix?
Unlike many, I'm a US resident using PIA. Like many, I'm also a Netflix subscriber.
With Netflix's recent VPN IP blacklisting, I'd like to figure out how to configure my OpenVPN/DDWRT setup to bypass PIA for Netflix, but use it for all other traffic.
I suspect I need to use an iptables command. At present, I use this one:
iptables -I FORWARD -i br0 -s 192.168.1.2 -o $(nvram get wan_iface) -j DROP
This trick disables all Internet access on my main machine if my PIA connection goes down. I believe I could use similar iptables commands to bypass PIA when accessing Netflix. The trouble is that Netflix uses a CDN with many possible IPs, so I'm not sure offhand if there's a nice trick here.
Any ideas?
Comments
***** Scratch that - only works sometimes - must be missing some of netflix's streaming addresses. ********
Adding the following to the "Additional Config" section of the OpenVPN client settings in DD-WRT worked for me:
# netflix
route 108.175.32.0 255.255.240.0 net_gateway
route 208.75.76.0 255.255.252.0 net_gateway
route 64.212.0.0 255.252.0.0 net_gateway
route 199.92.0.0 255.252.0.0 net_gateway
route 206.32.0.0 255.252.0.0 net_gateway
route 209.244.0.0 255.252.0.0 net_gateway
route 68.142.64.0 255.255.192.0 net_gateway
route 69.28.128.0 255.255.192.0 net_gateway
route 69.164.0.0 255.255.192.0 net_gateway
route 208.111.128.0 255.255.192.0 net_gateway
route 128.242.0.0 255.255.0.0 net_gateway
route 204.0.0.0 255.252.0.0 net_gateway
route 204.141.0.0 255.255.0.0 net_gateway
route 204.200.0.0 255.252.0.0 net_gateway
route 208.44.0.0 255.252.0.0 net_gateway
But I get blocked using a geolocation in my own region. Pair that with a router on DD-WRT firmware that's configured to OpenVPN using PIA, and well...I'm pissed.
Netflix is openly assaulting lawful subscribers who use another legal security/privacy service. How the hell is that okay?
I wanted to grow up, finish college, get a job and pay for media instead of torrenting. Now we're all being actively blocked for using legal means to help protect ourselves on the internet?
Torrents are an inconvenient method to get content, but wtf are people supposed to do? Let "content creators" strongarm companies into this kind of crap?
Kids, this is why we can't have nice things.
# amazon ec2 (us)
# https://forums.aws.amazon.com/ann.jspa?annID=1528 & extended via whois
route 23.20.0.0 255.252.0.0 vpn_gateway
route 50.16.0.0 255.252.0.0 vpn_gateway
route 50.112.0.0 255.255.0.0 vpn_gateway
route 54.224.0.0 255.240.0.0 vpn_gateway
route 54.240.0.0 255.240.0.0 vpn_gateway
route 67.202.0.0 255.255.192.0 vpn_gateway
route 72.44.32.0 255.255.224.0 vpn_gateway
route 75.101.128.0 255.255.128.0 vpn_gateway
route 107.20.0.0 255.252.0.0 vpn_gateway
route 174.129.0.0 255.255.0.0 vpn_gateway
route 184.72.0.0 255.254.0.0 vpn_gateway
route 184.169.128.0 255.255.128.0 vpn_gateway
route 204.236.128.0 255.255.128.0 vpn_gateway
# amazon ec2 (eu)
# https://forums.aws.amazon.com/ann.jspa?annID=1528 & extended via whois
route 46.51.128.0 255.255.192.0 vpn_gateway
route 46.51.192.0 255.255.240.0 vpn_gateway
route 46.137.0.0 255.255.128.0 vpn_gateway
route 46.137.128.0 255.255.192.0 vpn_gateway
route 79.125.0.0 255.255.128.0 vpn_gateway
route 176.34.64.0 255.255.192.0 vpn_gateway
route 176.34.128.0 255.255.128.0 vpn_gateway
# netflix
route 108.175.32.0 255.255.240.0 vpn_gateway
route 208.75.76.0 255.255.252.0 vpn_gateway
route 64.212.0.0 255.252.0.0 vpn_gateway
route 199.92.0.0 255.252.0.0 vpn_gateway
route 206.32.0.0 255.252.0.0 vpn_gateway
route 209.244.0.0 255.252.0.0 vpn_gateway
route 68.142.64.0 255.255.192.0 vpn_gateway
route 69.28.128.0 255.255.192.0 vpn_gateway
route 69.164.0.0 255.255.192.0 vpn_gateway
route 208.111.128.0 255.255.192.0 vpn_gateway
route 128.242.0.0 255.255.0.0 vpn_gateway
route 204.0.0.0 255.252.0.0 vpn_gateway
route 204.141.0.0 255.255.0.0 vpn_gateway
route 204.200.0.0 255.252.0.0 vpn_gateway
route 208.44.0.0 255.252.0.0 vpn_gateway
# hulu
route 23.32.0.0 255.224.0.0 vpn_gateway
route 23.64.0.0 255.252.0.0 vpn_gateway
route 64.221.0.0 255.255.128.0 vpn_gateway
route 64.221.128.0 255.255.192.0 vpn_gateway
route 64.221.192.0 255.255.224.0 vpn_gateway
route 77.109.170.0 255.255.255.0 vpn_gateway
route 80.239.221.0 255.255.255.0 vpn_gateway
route 92.122.0.0 255.254.0.0 vpn_gateway
route 195.27.0.0 255.255.0.0 vpn_gateway
route 199.127.192.0 255.255.252.0 vpn_gateway
route 208.91.156.0 255.255.252.0 vpn_gateway
route 217.156.128.0 255.255.128.0 vpn_gateway
# mysqueezebox
route 192.221.0.0 255.255.0.0 vpn_gateway
route 204.160.0.0 255.252.0.0 vpn_gateway
route 205.128.0.0 255.252.0.0 vpn_gateway
route 207.120.0.0 255.252.0.0 vpn_gateway
route 209.84.0.0 255.255.0.0 vpn_gateway
ip route add default via $(nvram get wan_gateway) dev $(nvram get wan_iface) table 10
ip rule add from 192.168.3.91 table 10
ip rule add from 192.168.3.92 table 10
ip rule add from 192.168.3.93 table 10
ip rule add from 192.168.3.94 table 10
Which worked great for all 4 devices (2 Sony Blu-ray players, a Wii and a streaming stick).
About a month ago the Sony Blu-rays started getting "network is down" when I tried to start a show, but the other 2 devices still worked. I thought it must be Sony's servers. I connected a Blu-ray to a hotspot from my phone and Netflix worked. So back to the router. I tried the solution above with this in the firewall script:
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -F PREROUTING
ip route add default table 200 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 200
ip route flush cache
iptables -t mangle -I PREROUTING -i br0 -s 192.168.3.91 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -i br0 -s 192.168.3.92 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -i br0 -s 192.168.3.93 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -i br0 -s 192.168.3.94 -j MARK --set-mark 1
This has the same effect and is just more complicated than my original solution. I tried tcpdump on tun1 (VPN) and see no packets from the Blu-rays going over the tunnel. I do not know what else to do to troubleshoot this. Two out of 4 devices work, so it must be something the Sony Blu-rays are doing differently.
Please help
Brian
A better way is to use ipset module to automatically add IPs to a filter, which is then applied to the iptables rule(s):
iptables -A PREROUTING -i ${if} -p tcp -m tcp -m set --match-set domain-filter-ipv4 dst -j MARK --set-xmark 0x1
ip6tables -A PREROUTING -i ${if} -p tcp -m tcp -m set --match-set domain-filter-ipv6 dst -j MARK --set-xmark 0x1
This approach also requires a dnsmasq instance running on the router, with another iptables rule to re-write all DNS requests to the local DNS server (e.g. dnsmasq.conf):
ipset=/netflix.com/domain-filter-ipv4,domain-filter-ipv6
If a direct-to-IP method is used by providers, then the IP subnet(s) should also be added to the ipset filter statically, using ASN RADB lookup(s).
There is a Raspberry Pi appliance that does all of this called black.box unzoner (http://unzoner.com).
Disclaimer - I wrote it.
-- ab1
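The fwmark table from Brian's script and the ipset match from ab1's post fit together into one firewall script; the following is an added example (not from the thread or from unzoner) that prints the rules instead of applying them, so they can be reviewed before being pasted into DD-WRT. Table 200, mark 0x1, the ipset name bypass4 and the bridge br0 are assumptions; wan_iface and wan_gateway are the nvram keys the thread already uses.

```shell
#!/bin/sh
# Policy-based routing for a DD-WRT OpenVPN client: chosen LAN hosts, plus any
# destination dnsmasq has learned for the listed domains, go straight out the
# WAN; everything else stays in the tunnel and fails closed if the tunnel drops.
# Assumed names (not from the thread): table 200, mark 0x1, ipset "bypass4",
# LAN bridge br0.  wan_iface/wan_gateway are the DD-WRT nvram keys used above.
TABLE=200; MARK=0x1; SET=bypass4; LAN=br0

# Print the rule set one command per line instead of running it, so it can be
# reviewed (or diffed against the running config) before going into the
# firewall script.  Usage: build_rules "host host ..." "domain domain ..."
build_rules() {
    hosts=$1; domains=$2
    echo "ipset create $SET hash:ip -exist"
    # Asymmetric paths (in via tun, out via WAN) trip strict reverse-path filtering.
    echo "echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter"
    # Alternate table whose only default route is the ISP gateway; 'replace' and
    # the del-before-add keep the script idempotent across firewall restarts.
    echo "ip route replace default via \$(nvram get wan_gateway) dev \$(nvram get wan_iface) table $TABLE"
    echo "ip rule del fwmark $MARK table $TABLE 2>/dev/null"
    echo "ip rule add fwmark $MARK table $TABLE"
    # Append (-A) rather than flush (-F) so DD-WRT's own mangle rules survive.
    for h in $hosts; do
        echo "iptables -t mangle -A PREROUTING -i $LAN -s $h -j MARK --set-mark $MARK"
    done
    echo "iptables -t mangle -A PREROUTING -i $LAN -m set --match-set $SET dst -j MARK --set-mark $MARK"
    echo "ip route flush cache"
    # Kill switch: unmarked LAN traffic must never be forwarded out the WAN, so a
    # tunnel outage blocks those hosts instead of leaking them via the ISP.
    echo "iptables -I FORWARD -i $LAN -o \$(nvram get wan_iface) -m mark ! --mark $MARK -j DROP"
    # dnsmasq (built with ipset support) fills the set as clients resolve names
    # through the router; this line belongs in the DNSMasq additional config box.
    line="ipset=/"
    for d in $domains; do line="$line$d/"; done
    echo "# dnsmasq: $line$SET"
}

# Stand-alone use: sh pbr.sh "192.168.3.91 192.168.3.92" "netflix.com"
if [ "$#" -eq 2 ]; then build_rules "$1" "$2"; fi
```

The ipset only fills for names resolved through the router's dnsmasq, so a device pinned to an outside DNS server never gets matched and stays in the tunnel.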
I added those lines to my router's firewall script box and saved it, but I am still experiencing Netflix blocks.
This last line: ipset=/netflix.com/domain-filter-ipv4,domain-filter-ipv6
Does it go in the Firewall script field or in the DNSMasq additional config field?
Thanks
I finished setting up a flashed router last night after following the information on here: http://vpnpick.com/best-vpn-netflix-2017/ There's a section that explains that VPN router setups should theoretically not be detected unless using the app version of the service, so I was at a loss.
Finally a few hours ago, a good friend who's a bit more techie than me said he knew how to get around blocks - and it finally worked! It turns out that Netflix, Twitch, and all these other websites are doing much more than blocking IP lists. They seem to be using cookie data that can be publicly read when you visit their websites.
Cookies such as your Gmail account: say you log in to Gmail without the VPN connected, then connect the VPN with Gmail still logged in; Netflix can tell that your Gmail location does not match. I literally had to log out of Gmail, ensure my browser was not tracking my location, and clear cache and cookies, and that was it.
Log out of all google accounts -> Disable location services on browser and device (including windows 10 location services) -> Clear all browser cache and cookies -> Connect to VPN and try again - it should work now - at least for me on PIA it's up and finally resolved.
The ultimate solution is voting out politicians who chose not to protect our privacy.
If you must use DD-WRT, there is an app under development with basic policy based routing, which runs under the DD-WRT's MyPage mechanism and takes care of some of this (http://unzoner.com/#dd-wrt). You could try using the "bypass" device filter to nominate entire devices to bypass VPN. Not ideal, but it's a start. PBR function is going to be developed further, so it might become more sophisticated in the future.
-- ab1
Netflix has a block of IP addresses, and it should be simple enough to reroute IP requests to Netflix. You can add these lines to your route table one at a time.
route add 108.175.32.0 mask 255.255.240.0 192.168.1.1
route add 108.175.33.0 mask 255.255.255.0 192.168.1.1
route add 108.175.34.0 mask 255.255.255.0 192.168.1.1
route add 108.175.35.0 mask 255.255.255.0 192.168.1.1
route add 108.175.42.0 mask 255.255.255.0 192.168.1.1
route add 108.175.43.0 mask 255.255.255.0 192.168.1.1
There are other IP addresses associated with Netflix, but they are UK-based. https://ipinfo.io/AS2906
Note: 192.168.1.1 is a generic gateway address used by most routers. Check your router first before adding those lines. Replace the 192.168.1.1 address with your router's address.
Caveat - I cannot validate whether this will work, nor can I guarantee that you will not leak your ISP IP address. This comes with risks, but it will not hurt to try.