VPN - Selective routing for Netflix, Pandora and Hulu

DD-WRT Forum Index -> Advanced Networking
woodomat
DD-WRT Novice


Joined: 28 Aug 2012
Posts: 13

PostPosted: Sun Sep 02, 2012 20:02    Post subject: VPN - Selective routing for Netflix, Pandora and Hulu
Hi all,

I'd like to share my VPN configuration with selective routing for getting access to US-only services such as Netflix, Pandora and Hulu. I hope you find it helpful.

0. Initial thoughts

When I started setting up DD-WRT I initially thought about configuring a virtual WLAN that routes EVERYTHING through a (configured) VPN connection that terminates somewhere in the US so that I don't have to deal with advanced routing and identifying miscellaneous IP ranges that the above mentioned services use to stream their content.

I found that rather difficult and besides, it would still have required me to switch WLANs depending whether I want full speed (without VPN) or access US-only services (with VPN, but slower).

Therefore I finally decided to go with a "mixed" configuration, meaning that all connections that require an US-based IP address are being routed through the VPN tunnel and the others not.

1. OpenVPN vs. PPTP

For the VPN connection itself I chose OpenVPN over PPTP, as PPTP has some great security issues and usually is slower than OpenVPN. At least this has been true for all kinds of software clients I've tried so far with providers who offer both OpenVPN and PPTP.

Unfortunately the DD-WRT firmware versions I've been using so far (namely 18024 and 18777) are kind of slowing down the whole OpenVPN connection: when using OpenVPN with DD-WRT I get a download rate of around 3-4 Mbit, when using OpenVPN with Tunnelblick that rate improves to around 10 Mbit. No idea why that is the case. Perhaps my router's (a Cisco E4200) CPU is too weak to get better download rates - or there is a bug in DD-WRT. Note that it also doesn't matter if you have a UDP or a TCP connection in DD-WRT. Both are slower than normal.

Concerning bugs: At the time of writing all builds greater than 18777 (latest is 19519) have an OpenVPN bug that renders the usage of the OpenVPN client service unusable. If you want to use OpenVPN you need to stick with any version up to 18777.

2. The actual configuration

In "Services" / "VPN" enable the OpenVPN client and configure the main connection itself according to the instructions of your VPN provider.

I have used BlackVPN, StrongVPN and Hide My Ass - I personally liked Hide My Ass best as out of these three it had the most servers on the US east side (which is the preferred location if you're in Europe as it is geographically the closest and therefore - in theory - the fastest). All three offer quite good guides specifically for DD-WRT - and all three work fine. Note though that the configurations have been written for older builds of DD-WRT and that sometimes Google will point you to antique setup guides that don't make use of the DD-WRT OpenVPN GUI.

You DON'T want to use those!

Find a setup guide for recent versions of DD-WRT - and use the GUI as this is the easiest way by far to get OpenVPN up and running.

Once your connection is up and running - which you want to double check before proceeding - you can configure selective routing.

Here is my routing table, which you can copy-and-paste into the "Additional Config" section of the OpenVPN client configuration in DD-WRT (build 18777):


Code:
###
### OpenVPN common configuration
###
route-nopull
route XXX.XXX.XXX.XXX 255.255.255.255 net_gateway

###
### OpenVPN routes
###

# whatismyip.org
route 98.207.0.0 255.255.0.0 vpn_gateway

# pandora.com
route 208.85.40.0 255.255.248.0 vpn_gateway

# amazon ec2 (us)
# https://forums.aws.amazon.com/ann.jspa?annID=1528 & extended via whois
route 23.20.0.0 255.252.0.0 vpn_gateway
route 50.16.0.0 255.252.0.0 vpn_gateway
route 50.112.0.0 255.255.0.0 vpn_gateway
route 54.224.0.0 255.240.0.0 vpn_gateway
route 54.240.0.0 255.240.0.0 vpn_gateway
route 67.202.0.0 255.255.192.0 vpn_gateway
route 72.44.32.0 255.255.224.0 vpn_gateway
route 75.101.128.0 255.255.128.0 vpn_gateway
route 107.20.0.0 255.252.0.0 vpn_gateway
route 174.129.0.0 255.255.0.0 vpn_gateway
route 184.72.0.0 255.254.0.0 vpn_gateway
route 184.169.128.0 255.255.128.0 vpn_gateway
route 204.236.128.0 255.255.128.0 vpn_gateway

# amazon ec2 (eu)
# https://forums.aws.amazon.com/ann.jspa?annID=1528 & extended via whois
route 46.51.128.0 255.255.192.0 vpn_gateway
route 46.51.192.0 255.255.240.0 vpn_gateway
route 46.137.0.0 255.255.128.0 vpn_gateway
route 46.137.128.0 255.255.192.0 vpn_gateway
route 79.125.0.0 255.255.128.0 vpn_gateway
route 176.34.64.0 255.255.192.0 vpn_gateway
route 176.34.128.0 255.255.128.0 vpn_gateway

# netflix
route 108.175.32.0 255.255.240.0 vpn_gateway
route 208.75.76.0 255.255.252.0 vpn_gateway
route 64.212.0.0 255.252.0.0 vpn_gateway
route 199.92.0.0 255.252.0.0 vpn_gateway
route 206.32.0.0 255.252.0.0 vpn_gateway
route 209.244.0.0 255.252.0.0 vpn_gateway
route 68.142.64.0 255.255.192.0 vpn_gateway
route 69.28.128.0 255.255.192.0 vpn_gateway
route 69.164.0.0 255.255.192.0 vpn_gateway
route 208.111.128.0 255.255.192.0 vpn_gateway
route 128.242.0.0 255.255.0.0 vpn_gateway
route 204.0.0.0 255.252.0.0 vpn_gateway
route 204.141.0.0 255.255.0.0 vpn_gateway
route 204.200.0.0 255.252.0.0 vpn_gateway
route 208.44.0.0 255.252.0.0 vpn_gateway

# hulu
route 23.32.0.0 255.224.0.0 vpn_gateway
route 23.64.0.0 255.252.0.0 vpn_gateway
route 64.221.0.0 255.255.128.0 vpn_gateway
route 64.221.128.0 255.255.192.0 vpn_gateway
route 64.221.192.0 255.255.224.0 vpn_gateway
route 77.109.170.0 255.255.255.0 vpn_gateway
route 80.239.221.0 255.255.255.0 vpn_gateway
route 92.122.0.0 255.254.0.0 vpn_gateway
route 195.27.0.0 255.255.0.0 vpn_gateway
route 199.127.192.0 255.255.252.0 vpn_gateway
route 208.91.156.0 255.255.252.0 vpn_gateway
route 217.156.128.0 255.255.128.0 vpn_gateway

# mysqueezebox
route 192.221.0.0 255.255.0.0 vpn_gateway
route 204.160.0.0 255.252.0.0 vpn_gateway
route 205.128.0.0 255.252.0.0 vpn_gateway
route 207.120.0.0 255.252.0.0 vpn_gateway
route 209.84.0.0 255.255.0.0 vpn_gateway


A few remarks:

    You MUST change the XXX.XXX.XXX.XXX IP address in line 2 of the above config to the IP address of the configured VPN server you're establishing the tunnel to (= the same address that you've entered in "Server IP") in order to get this thing working.

    Netflix mainly uses Amazon EC2 for serving content, that is why all currently active EC2 IP ranges need to be listed. I found no better way of tracking down the exact IP addresses Netflix uses. I found that you also need to redirect the European-based EC2 IP ranges, as public DNS servers (which you need to use, also see the following remark) seem to ask the Amazon servers geographically closest.

    Keep in mind that you need to use public DNS servers and NOT the ones of your local DSL/cable provider, as those are usually only accessible from the IP addresses your local provider assigns. Your IP address will be a different one (a US-based one) if you use VPN, therefore your local provider's DNS services will (usually) NOT work. Instead use Google DNS (8.8.8.8, 8.8.4.4) or DNS Advantage (156.154.70.1, 156.154.71.1) or any other - just make sure that the IP addresses of your favorite public DNS provider do NOT match any of the routing rules above, as it will slow down ALL DNS requests and will break DNS if the VPN tunnel is down (for whatever reason).

    I found Netflix and Pandora work rock solid - the Hulu IP ranges are work in progress (and will probably remain like this, as I don't use Hulu a lot). Whatismyip.org is redirected through VPN so that I can check the VPN's IP address. There should be a way of doing so in the DD-WRT status page but that feature seems to be broken in all the builds I've used.


Have fun!
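An added example, not part of woodomat's post: a small Python checker for a table like the one above. It parses the route directives (dotted netmasks) and verifies the two remarks that bite most often: that the VPN server has a host route via net_gateway, and that the chosen public DNS servers fall inside none of the vpn_gateway routes. The embedded table is a constructed excerpt of the posted one, with the documentation address 198.51.100.7 standing in for the XXX.XXX.XXX.XXX server placeholder.

```python
"""Sanity-check an OpenVPN 'Additional Config' route table like the one above:
the VPN server itself needs a host route via net_gateway, and public DNS
servers must not fall inside any vpn_gateway route."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the posted table. 198.51.100.7 is a documentation
# placeholder standing in for the XXX.XXX.XXX.XXX VPN server address.
SAMPLE_CONFIG = """
route-nopull
route 198.51.100.7 255.255.255.255 net_gateway
# amazon ec2 (us)
route 23.20.0.0 255.252.0.0 vpn_gateway
route 50.16.0.0 255.252.0.0 vpn_gateway
# netflix
route 108.175.32.0 255.255.240.0 vpn_gateway
# pandora.com
route 208.85.40.0 255.255.248.0 vpn_gateway
"""

Route = Tuple[ipaddress.IPv4Network, str]


def parse_routes(text: str) -> List[Route]:
    """Return (network, gateway) for each 'route' directive, ignoring comments."""
    routes: List[Route] = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) != 4 or parts[0] != "route":
            continue
        _, net, mask, gateway = parts
        # ipaddress accepts a dotted netmask after the slash
        routes.append((ipaddress.ip_network(f"{net}/{mask}", strict=False), gateway))
    return routes


def matching_route(ip: str, routes: List[Route],
                   gateway: str = "vpn_gateway") -> Optional[ipaddress.IPv4Network]:
    """Most specific route via `gateway` that contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [net for net, gw in routes if gw == gateway and addr in net]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def check_config(text: str, vpn_server: str, dns_servers: List[str]) -> Dict[str, str]:
    """Return {item: problem}; an empty dict means the table passes both checks."""
    routes = parse_routes(text)
    problems: Dict[str, str] = {}
    if "route-nopull" not in text.split():
        problems["route-nopull"] = "missing: routes pushed by the server would be accepted"
    host_route = ipaddress.ip_network(f"{vpn_server}/32")
    if (host_route, "net_gateway") not in routes:
        problems["vpn_server"] = f"no 'route {vpn_server} 255.255.255.255 net_gateway'"
    for dns in dns_servers:
        hit = matching_route(dns, routes)
        if hit is not None:
            problems[dns] = f"DNS server is inside vpn_gateway route {hit.with_netmask}"
    return problems


if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG, "198.51.100.7", ["8.8.8.8", "156.154.70.1"]))
```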
kk5000
DD-WRT Novice


Joined: 25 Jun 2012
Posts: 20

PostPosted: Tue Sep 04, 2012 1:25
Thank you for this VERY informative & useful post. The observation about OpenVPN being broken above 18777 is on the mark. Of course no one has any way of knowing this outside of trial and error. I've been pulling my hair out since yesterday trying to figure out why this was not working until I saw your post, downgraded to 18777 and BANG, worked instantly. If somebody posts asking about all this he will likely be told to RTFM. What good is the stupid manual if the software is broken???? Anyway, I'll stop ranting now.

So thanks for that VERY important piece of info.

I had a couple other questions though. You said you're using HMA but then you also say enable openvpn client. The HMA people specifically tell you not to do that and ask to simply enable "OpenVPN server". If I threw your config into the additional config area of the OpenVPN server will it work?

Secondly, what IP would I substitute into the XXX. area? The VPN IP? That's unique every time though.

Thank you so much for this post BTW. Exceptional stuff.
woodomat
DD-WRT Novice


Joined: 28 Aug 2012
Posts: 13

PostPosted: Tue Sep 04, 2012 7:49
I have been using HMA for a long time but finally moved on to setting up my own OpenVPN server on a virtual machine (on the US east coast).

I'm not quite sure what HMA guide told you to enable the OpenVPN server - please paste the link - but to me that wouldn't make any sense since you don't want to connect to your own DD-WRT router via VPN but rather connect your DD-WRT router to a VPN server (in the US), meaning that the DD-WRT unit is, by definition, the client.

Of course there are scenarios where you'd like to have your DD-WRT router act as a server (i.e. if you'd like to connect to your home network from the road) but the use case I've described in this thread is not one.

Therefore, when it comes to connecting DD-WRT to one of HMA's VPN servers you need to enable OpenVPN Client in the Services tab.

And you need to substitute the XXX.XXX.XXX.XXX IP address with the address of the VPN server you're connecting to (and not the one you're being assigned afterwards as this changes every time as you've pointed out correctly).
kk5000
DD-WRT Novice


Joined: 25 Jun 2012
Posts: 20

PostPosted: Tue Sep 04, 2012 10:39
Hi,

Here's the HMA guide I'm talking about:

https://vpn.hidemyass.com/vpncontrol/myaccounts/wrtgen

This is pretty much their default guide. You see this when you login, click "DD-WRT routers", and then generate code under the automated installer after selecting the servers.

It says:

"In the "OpenVPN Daemon" section select "Enable".
Then click "Save".

Note! Do not enable OpenVPN Client."

If I follow all that step by step it does work perfectly, as in my outgoing IP changes. Just don't know how to set up your stuff with this.
woodomat
DD-WRT Novice


Joined: 28 Aug 2012
Posts: 13

PostPosted: Tue Sep 04, 2012 14:23
Thanks for the link.

If you follow these instructions provided by HMA what happens is that your DD-WRT router is being (automagically) set up as an OpenVPN client.

While I haven't taken a closer look at what happens in the script in detail, I'd highly recommend to AVOID using any sort of "automated" setup at all times. Even if that means that you need to take a little more effort in understanding how basic OpenVPN configuration works (but it's not *that* complicated anyway).

Call me paranoid, but the automated installer doesn't provide any security measure against the script being modified to do bad things (i.e. by someone who has hijacked HMA's webserver) - there are no security measures such as SHA/MD5 checksums whatsoever.

And apart from that you're bound to live with HMA's out-of-the-box configuration, meaning it's impossible for you to change the VPN server you want to connect to (i.e. the one that is geographically closest to you) or use features such as additional config (which is necessary for selective routing).

Therefore, do it THIS way:
http://forum.hidemyass.com/index.php/topic/1927-tutorial-configure-hma-openvpn-on-a-dd-wrt-router/

Following that guide will also allow you to use selective routing as I've described above.

Oh and: The only reason why in the instructions on the link you've pasted you're being told to enable the OpenVPN server is to get "OpenVPN" appear in the Status tab, in order to check the assigned IP address. Since you don't configure the server, it really does nothing else at all.
woodomat
DD-WRT Novice


Joined: 28 Aug 2012
Posts: 13

PostPosted: Tue Sep 04, 2012 14:43
Also, you might need to reset your DD-WRT router before manual configuration, since chances are high that it'll interfere with the automated setup.
kk5000
DD-WRT Novice


Joined: 25 Jun 2012
Posts: 20

PostPosted: Tue Sep 04, 2012 20:54
woodomat wrote:

And apart from that you're bound to live with HMA's out-of-the-box configuration, meaning it's impossible for you to change the VPN server you want to connect to (i.e. the one that is geographically closest to you)


While I agree with the general sentiment of what you said, they do let you choose what server you want to use before generating the script.

Quote:
Therefore, do it THIS way:
http://forum.hidemyass.com/index.php/topic/1927-tutorial-configure-hma-openvpn-on-a-dd-wrt-router


Will give this a shot and get back to ya.

Thanks for everything!
kk5000
DD-WRT Novice


Joined: 25 Jun 2012
Posts: 20

PostPosted: Wed Sep 05, 2012 10:27
It works it works! The whole thing works!

Now all we have to do is keep up with the IP assignments for these people or perhaps come up with some way that we can just plug in a FQDN like movies.netflix.com for the routing.

That works with one of our corporate Sonicwall routers but that's a whole other story.
kk5000
DD-WRT Novice


Joined: 25 Jun 2012
Posts: 20

PostPosted: Wed Sep 05, 2012 11:16
Also, how does one go about putting a list together for a particular site? If there is an app that can detect all IPs we're connecting to I would volunteer to report all Hulu IPs for instance.

I also wanted to reroute Disney.go.com for the kids so I looked up their IP assignment which is apparently 68.71.208.0 - 68.71.223.255:

http://whois.arin.net/rest/net/NET-68-71-208-0-1/pft

route 68.71.208.0 255.255.240.0 vpn_gateway

did very nicely.

If only all the rest of them were that easy.

Also, Viacom is a big media company and the only reason to watch their sites (as far as I can think) is video content they happen to block so I did this too:

route 129.228.0.0 255.255.128.0 vpn_gateway
route 166.77.0.0 255.255.0.0 vpn_gateway
route 206.220.40.0 255.255.252.0 vpn_gateway

However that STILL didn't seem to give me:

http://www.nick.com/videos/clip/ygst-107-full-episode.html

They very nicely show me the ads and then lock me out. I will debug that later especially if I can find an app that detects the IP in a reliable fashion. 5:30 AM. Going to bed.
woodomat
DD-WRT Novice


Joined: 28 Aug 2012
Posts: 13

PostPosted: Wed Sep 05, 2012 19:00
Glad to hear that everything works as intended.

I'm absolutely with you - we should try to collect IP ranges for US-based services somewhere... Perhaps the dd-wrt wiki would be a good place for this?

Regarding the collection itself: I found Wireshark to be a very useful tool as it can capture all IP connections that are being made to the outside world. I then ran "whois (IP address)" in my terminal and that returned the entire range.

Btw. thanks for the Nick IPs - have already added them to my config!
kk5000
DD-WRT Novice


Joined: 25 Jun 2012
Posts: 20

PostPosted: Thu Sep 06, 2012 9:55
OK so I got this so far:

# disney.go.com - WORKS
route 68.71.208.0 255.255.240.0 vpn_gateway

# Viacom i.e. nick.com and all that crap - WORKS
route 129.228.0.0 255.255.128.0 vpn_gateway
route 166.77.0.0 255.255.0.0 vpn_gateway
route 206.220.40.0 255.255.252.0 vpn_gateway
route 69.31.132.0 255.255.254.0 vpn_gateway
route 72.246.0.0 255.254.0.0 vpn_gateway

# CBS - WORKS
route 198.99.118.0 255.255.254.0 vpn_gateway
route 198.99.120.0 255.255.254.0 vpn_gateway
route 198.99.122.0 255.255.255.0 vpn_gateway

# NBC WORKS
route 66.77.124.0 255.255.255.0 vpn_gateway

# ABC & general Disney range works
route 199.181.129.0 255.255.255.0 vpn_gateway
route 199.181.130.0 255.255.254.0 vpn_gateway
route 199.181.132.0 255.255.252.0 vpn_gateway

# Disney (ESPN) STILL NOT WORKING!!
route 68.71.208.0 255.255.240.0 vpn_gateway
route 192.147.170.0 255.255.255.0 vpn_gateway
route 198.105.192.0 255.255.248.0 vpn_gateway
route 69.31.132.0 255.255.254.0 vpn_gateway
route 107.8.0.0 255.248.0.0 vpn_gateway

# FOX NOT WORKING YET!
route 88.221.94.0 255.255.254.0 vpn_gateway
route 192.204.0.0 255.255.0.0 vpn_gateway

#COMCAST Just got this off the ESPN connection so far
route 207.223.0.0 255.255.240.0 vpn_gateway

BTW when I say not working it just means more ranges need to be added.
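An added example, not from either post: the whois-to-route conversion kk5000 did by hand (NetRange 68.71.208.0 - 68.71.223.255 becoming route 68.71.208.0 255.255.240.0 vpn_gateway) and that woodomat describes doing after a Wireshark capture, as a Python script. It goes a little further than the posts: it splits ranges that are not a single aligned block into several routes and collapses duplicates, since the list above carries 68.71.208.0/20 and 69.31.132.0/23 twice. The whois excerpts embedded are constructed; only the NetRange lines are parsed.

```python
"""Turn whois NetRange answers into OpenVPN route directives for the
'Additional Config' box, one commented block per service."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed whois-style excerpts (real output has many more fields).
# The CBS range is the union of the three CBS routes in the list above; the
# Viacom entry repeats one range, as happens when two lookups hit one block.
WHOIS_SAMPLES: Dict[str, str] = {
    "disney.go.com": "NetRange:       68.71.208.0 - 68.71.223.255\n",
    "CBS": "NetRange:       198.99.118.0 - 198.99.122.255\n",
    "Viacom": ("NetRange:       69.31.132.0 - 69.31.133.255\n"
               "NetRange:       69.31.132.0 - 69.31.133.255\n"),
}

NETRANGE_RE = re.compile(r"^NetRange:\s*(\S+)\s*-\s*(\S+)", re.MULTILINE)


def netranges(whois_text: str) -> List[Tuple[str, str]]:
    """Extract (first, last) address pairs from NetRange lines."""
    return NETRANGE_RE.findall(whois_text)


def ranges_to_networks(ranges: List[Tuple[str, str]]) -> List[ipaddress.IPv4Network]:
    """Summarize each range into CIDR blocks, then merge duplicates and overlaps."""
    nets: List[ipaddress.IPv4Network] = []
    for first, last in ranges:
        # A range that is not one aligned block yields several networks
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return list(ipaddress.collapse_addresses(nets))


def route_lines(networks: List[ipaddress.IPv4Network],
                gateway: str = "vpn_gateway") -> List[str]:
    """Render networks as 'route <net> <dotted mask> <gateway>' directives."""
    return [f"route {n.network_address} {n.netmask} {gateway}" for n in networks]


def build_table(sections: Dict[str, str]) -> str:
    """One commented block per label, in the format used in the thread."""
    out: List[str] = []
    for label, whois_text in sections.items():
        out.append(f"# {label}")
        out.extend(route_lines(ranges_to_networks(netranges(whois_text))))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(build_table(WHOIS_SAMPLES))
```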
woodomat
DD-WRT Novice


Joined: 28 Aug 2012
Posts: 13

PostPosted: Mon Sep 10, 2012 10:33
Thanks again! For some reason Disney doesn't work for me yet, but I will try to add some ranges using Wireshark!
jimmyk
DD-WRT Novice


Joined: 31 Aug 2012
Posts: 4

PostPosted: Tue Sep 11, 2012 3:46
Thank you, Woodomat.

The route command in the OpenVPN options is very useful. I can integrate the route commands here rather than having another vpn-up.sh script.

But I have another question off the topic. I cannot get clients to access anything through the OpenVPN tunnel unless I execute this command:
Quote:
iptables -A POSTROUTING -t nat -o tun1 -j MASQUERADE


If I add it to the OpenVPN options like this:
Quote:
up 'iptables -A POSTROUTING -t nat -o tun1 -j MASQUERADE'

OpenVPN will fail and tell me 'tun1' is a bad argument. I can confirm that tun1 is the correct OpenVPN interface.

I am wondering how I can have DD-WRT run this command automatically after OpenVPN is connected.
goli
DD-WRT Novice


Joined: 01 Sep 2012
Posts: 12

PostPosted: Tue Sep 11, 2012 22:02
Hey there.

I started using privoxy as a transparent proxy on my dd-wrt box. And I use another HTTP proxy on the OpenVPN endpoint side. For me this is no problem because the remote endpoint is a VPS completely managed by myself.

This allows me to filter HTTP requests by very fine-grained rules on my local side that aren't based on current IP addresses.

Especially when you start doing YouTube through such a proxy, this becomes very important because it's the only manageable way to avoid doing all Google traffic through an overseas VPN.

Here's my current local privoxy configuration on my dd-wrt box. It's a user actions file.
Code:
{ \
+forward-override{forward vpn.interface.of.my.remote.host:8080} \
}

## hulu
.hulu.com/gc
.hulu.com/select
.hulu.com/v3/session


## CBS
.theplatform.com

## Youtube
.youtube.*/watch.*
.youtube.*/videoplayback.*

## Wieistmeineip
.wieistmeineip.de


This completely works without the iptables stuff targeting remote content providers. Instead, I pass all my HTTP traffic through my local privoxy instance that runs on my dd-wrt:
Code:
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -s 192.168.0.128/255.255.255.224 -j DNAT --to 192.168.0.1:8118


As you can see, adding VPN-proxied routes is very simple and less painful than adding thousands of iptables rules.

Regards,
Stephan.
kk5000
DD-WRT Novice


Joined: 25 Jun 2012
Posts: 20

PostPosted: Mon Sep 24, 2012 5:07
goli wrote:
the remote endpoint is a VPS completely managed by myself.


Due to this, configuring it your way is realistically not a solution for most of us who are using HMA or some other service for VPN.

However, I managed to crash my router due to flooding of NVRAM when I configured QoS on it. I didn't realize I was at capacity with just these few routing rules + VPN. That's terrible because QoS is really a very useful feature and I am sure others have other features they would like to set up.

I can't think of any solution right now. Any suggestions are very welcome.