DD-wrt, everything thru VPN except Netflix

DD-WRT Forum Index -> Advanced Networking
spider85
DD-WRT Novice


Joined: 07 Mar 2016
Posts: 21

Posted: Mon Mar 07, 2016 17:26    Post subject: DD-wrt, everything thru VPN except Netflix
Hi, I am using an R7000 with DD-WRT and a VPN installed. At this moment I use a firewall rule

"iptables -I FORWARD -s 192.168.0.19 -o $(nvram get wan_iface) -j DROP"

So all the traffic of this IP goes thru the VPN, but with the recent Netflix changes I'd like to let Netflix traffic go directly to the internet. Is this possible? If so, how/where must I configure this?
spider85
DD-WRT Novice


Joined: 07 Mar 2016
Posts: 21

Posted: Tue Mar 08, 2016 12:14
eibgrad,

Thanks for your reply.

The thing is that "192.168.0.19" always needs to go thru the VPN; if the VPN is down then it must have no connection to the outside world.
Only when accessing Netflix must the "192.168.0.19" machine go to the outside world without the VPN; all other things must go thru the VPN.

So does the script do this? For all the machines on the network, or only for the "192.168.0.19" machine?

Kind regards!
spider85
DD-WRT Novice


Joined: 07 Mar 2016
Posts: 21

Posted: Tue Mar 08, 2016 18:43
Tried it, made the following firewall rules

Code:

iptables -I FORWARD -s 192.168.0.19 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -s 192.168.0.19 -d netflix.com -j ACCEPT


But I still got a proxy error on Netflix; do you have an idea?


Tnx!
spider85
DD-WRT Novice


Joined: 07 Mar 2016
Posts: 21

Posted: Wed Mar 09, 2016 9:47
Yes,

When I delete the following:

Services --> VPN --> Policy based Routing -->
192.168.0.19/32

Administration --> commands --> edit -->

iptables -I FORWARD -s 192.168.0.19 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -s 192.168.0.19 -d netflix.com -j ACCEPT

Save firewall

I have my normal IP, and can access Netflix and play something.
When I undo the above settings, Netflix gives a proxy error.
spider85
DD-WRT Novice


Joined: 07 Mar 2016
Posts: 21

Posted: Sat Mar 12, 2016 7:42
eibgrad,

Thanks for your answer, but this time I don't exactly get the instructions.
Can you please tell me in a little more detail what I need to do?


Kind regards!
Cerebus99
DD-WRT Novice


Joined: 12 Mar 2016
Posts: 3

Posted: Sat Mar 12, 2016 21:21
I don't want to hijack the original poster but I have a very similar problem. I tried the original script as posted by eibgrad on March 7 and it did not work.

However, just to test things out I changed netflix.com to whatismyip.com. With the VPN turned on, whatsmyip.com shows my ISP-provided IP address. Checking several other similar sites shows the VPN-provided IP address. This suggests to me that the script works great in my setup without any further work...except Netflix seems to be somehow a different matter.

If I check the routing table the original script adds 12 lines that have the same destination IPs as those that show up if I do an nslookup to netflix.com in a cmd prompt. However, I did notice that nslookup to www.netflix.com results in another eight similar IP addresses. I don't have the know-how to edit the script to get both sets of destination IPs into the routing table and try it. In any case, I have also noticed that doing an nslookup to www.netflix.com yields different results when the VPN is turned on compared to when the VPN is turned off. Perhaps this is all irrelevant but the original script does not work for netflix for me.

I apologize if I have spewed a bunch of garbage here. Following tutorials is more my speed. I am just starting to suspect that the way netflix is set up will preclude this type of routing.

Thanks,
Allan
spider85
DD-WRT Novice


Joined: 07 Mar 2016
Posts: 21

Posted: Sun Mar 13, 2016 7:47
IP used *.22, with VPN

route -n

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         77.172.*.*      0.0.0.0         UG    0      0        0 vlan2
10.120.1.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun1
77.172.0.0      0.0.0.0         255.255.128.0   U     0      0        0 vlan2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0

iptables -vnL FORWARD

Code:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8274  732K ACCEPT     0    --  *      tun1    0.0.0.0/0            0.0.0.0/0   
 7944 7903K ACCEPT     0    --  tun1   *       0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     0    --  *      *       192.168.0.22         54.204.43.31
    0     0 ACCEPT     0    --  *      *       192.168.0.22         54.225.192.83
    0     0 ACCEPT     0    --  *      *       192.168.0.22         54.243.253.96
    0     0 ACCEPT     0    --  *      *       192.168.0.22         75.101.139.66
    0     0 ACCEPT     0    --  *      *       192.168.0.22         174.129.2.58
    0     0 ACCEPT     0    --  *      *       192.168.0.22         23.23.191.68
    0     0 ACCEPT     0    --  *      *       192.168.0.22         107.20.154.246
    0     0 ACCEPT     0    --  *      *       192.168.0.22         107.20.151.133
    0     0 ACCEPT     0    --  *      *       192.168.0.22         23.21.190.124
    0     0 ACCEPT     0    --  *      *       192.168.0.22         107.20.177.34
    0     0 ACCEPT     0    --  *      *       192.168.0.22         54.204.2.219
    0     0 ACCEPT     0    --  *      *       192.168.0.22         50.19.210.42
    0     0 DROP       0    --  *      vlan2   192.168.0.22         0.0.0.0/0   
    0     0 DROP       0    --  *      vlan2   192.168.0.20         0.0.0.0/0   
    0     0 DROP       0    --  *      vlan2   192.168.0.19         0.0.0.0/0   
 1447  901K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     47   --  *      vlan2   192.168.0.0/24       0.0.0.0/0   
    0     0 ACCEPT     tcp  --  *      vlan2   192.168.0.0/24       0.0.0.0/0           tcp dpt:1723
   75  6428 lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0   
    0     0 TRIGGER    0    --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
   75  6428 trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
   41  4948 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0 

IP used *.22, without VPN

root@DD-WRT:~# route -n

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         77.172.*.*  0.0.0.0         UG    0      0        0 vlan2
10.176.1.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun1
77.172.0.0      0.0.0.0         255.255.128.0   U     0      0        0 vlan2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0

root@DD-WRT:~# iptables -vnL FORWARD

Code:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1294  355K ACCEPT     0    --  *      tun1    0.0.0.0/0            0.0.0.0/0   
 1132  539K ACCEPT     0    --  tun1   *       0.0.0.0/0            0.0.0.0/0   
    0     0 DROP       0    --  *      vlan2   192.168.0.20         0.0.0.0/0   
    2    80 DROP       0    --  *      vlan2   192.168.0.19         0.0.0.0/0   
  383  117K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     47   --  *      vlan2   192.168.0.0/24       0.0.0.0/0   
    0     0 ACCEPT     tcp  --  *      vlan2   192.168.0.0/24       0.0.0.0/0           tcp dpt:1723
   24  4268 lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0   
    0     0 TRIGGER    0    --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
   24  4268 trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
   24  4268 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0 
jakesgt2
DD-WRT Novice


Joined: 14 Mar 2016
Posts: 1

Posted: Mon Mar 14, 2016 4:42
Code:
SCRIPT_DIR="/tmp/etc/config"
SCRIPT="$SCRIPT_DIR/add-routes.wanup"
mkdir -p $SCRIPT_DIR
cat << "EOF" > $SCRIPT
#!/bin/sh
WAN_GW="$(nvram get wan_gateway)"
for ip in $(nslookup netflix.com | awk '/^Name:/,0{if (/^Addr/)print $3}'); do
ip route add $ip via $WAN_GW
done
ip route flush cache
EOF
chmod +x $SCRIPT


I love the idea of this script, but where should it go in my startup script? I am running a startup script to run my IPVanish VPN. At the end, or after the VPN cert?
spider85
DD-WRT Novice


Joined: 07 Mar 2016
Posts: 21

Posted: Mon Mar 14, 2016 8:16
eibgrad,

It's indeed a commercial OpenVPN (PIA) and I have 3 machines on the network that I'd like to go thru the VPN. Only when accessing a Netflix movie/series would I like them to go thru the WAN.

The IPs are *.19/*.20/*.22 (manually assigned).

At this moment I have two settings set in the router:
one under "Policy based Routing"

Quote:
192.168.0.19/32
192.168.0.20/32
192.168.0.22/32


and one in the firewall setting

Quote:
iptables -I FORWARD -s 192.168.0.19 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -s 192.168.0.20 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -s 192.168.0.22 -o $(nvram get wan_iface) -j DROP


That's all; is this enough info or do you need something else?

If there is another way, please tell me; I have no problem changing it all.
The thing I want is to get those 3 machines always thru the VPN (configured in the router), but only when accessing a Netflix movie or series can they go thru the WAN.
Other machines in the network get their IP thru DHCP and go to the WAN directly (no VPN needed for those).


Regards,
dahosepipe
DD-WRT Novice


Joined: 24 Mar 2015
Posts: 33

Posted: Tue Mar 15, 2016 5:07
My use case is that I'm running DD-WRT v3 with OpenVPN for all traffic in my network and Netflix is blocking me even though I'm a US user and connecting to Netflix through US vpn gateways. So I needed a solution to selectively route Netflix traffic over my regular ISP cable modem network (non-vpn), while still sending all other traffic over the vpn tunnel.

Thanks so much @eibgrad for your instruction and script. This has worked out beautifully for me. I have modified your script so it can be used for...

---- Multiple Netflix (and other) server domains
---- Class C routes ... to catch a wider net of IPs
---- With a startup delay at boot time to allow network connections to complete

As noted before, it is absolutely necessary to remove any 'Policy Based Routing' commands (including comments!) from the VPN setup page in DD-WRT.

I have put the below script in my DD-WRT Startup Commands. You can also download the attached .txt file for your use. I hope it helps!

Code:

SCRIPT_DIR="/tmp/etc/config"
SCRIPT="$SCRIPT_DIR/add-routes.wanup"
mkdir -p $SCRIPT_DIR

cat << "EOF" > $SCRIPT
#!/bin/sh

# dd-wrt selective domain routing
WAN_GW="$(nvram get wan_gateway)"

# list domains for selective routing
for domain in \
"netflix.com" \
"ichnaea.netflix.com" \
"movies.netflix.com" \
"www.netflix.com" \
"nflxext.com" \
"cdn1.nflxext.com" \
"nflximg.com" \
"nflxvideo.net" \
"ipv4_1.cxl0.c145.sjc002.ix.nflxvideo.net" \
"amazonaws.com" \
"whatsmyip.org"
do
  # extract ip addresses
  for ip in $(nslookup $domain | awk '/^Name:/,0{if (/^Addr/)print $3}'); do
    # add a /16 route covering each ip address, pointing at the wan gateway
    ip route add `echo $ip | cut -d . -f 1,2`.0.0/16 via $WAN_GW
  done
done

# flush cache
ip route flush cache
EOF

chmod +x $SCRIPT
sleep 60
$SCRIPT
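The two scripts in this thread (eibgrad's, as quoted by jakesgt2 above, and dahosepipe's /16 variant directly above) both build routes from nslookup output. What follows is an added example, not code from the thread, from DD-WRT or from any of the posters: it runs the same awk filter over a constructed busybox-style nslookup answer (RFC 5737 documentation addresses, not real Netflix hosts) and prints the route commands each strategy would issue, without applying anything, so the difference is visible before a router is touched. Each /16 route takes 65536 destination addresses off the tunnel, and the thread's /16 script repeats an `ip route add` whenever two answers share a /16 (the kernel rejects the second with "File exists"). The gateway 192.0.2.1 is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run the two route-building
# strategies so their output can be compared before anything is applied
# to a router. Nothing here touches the routing table.
# SAMPLE_LOOKUP is constructed busybox-style nslookup output using
# RFC 5737 documentation addresses; it is not a real Netflix answer.

SAMPLE_LOOKUP='Server:    192.168.0.1
Address 1: 192.168.0.1

Name:      netflix.com
Address 1: 198.51.100.10
Address 2: 198.51.100.11
Address 3: 203.0.113.5'

count_lines() { awk 'END { print NR }'; }

# Same awk filter the thread's scripts use: ignore everything before the
# "Name:" line (the resolver's own address), then take field 3 of each
# "Address N:" line.
extract_ips() {
    printf '%s\n' "$1" | awk '/^Name:/,0{if (/^Addr/)print $3}'
}

# eibgrad-style: one host route per resolved address.
host_routes() {
    gw="$2"
    extract_ips "$1" | while read -r ip; do
        echo "ip route add $ip/32 via $gw"
    done
}

# dahosepipe-style: one /16 per resolved address. sort -u avoids the
# duplicate 'ip route add' the thread's script issues when two answers
# share a /16.
wide_routes() {
    gw="$2"
    extract_ips "$1" | cut -d . -f 1,2 | sort -u | while read -r p; do
        echo "ip route add $p.0.0/16 via $gw"
    done
}

# Number of destination addresses each strategy sends around the tunnel:
# a /32 is one address, a /16 is 65536.
bypassed_addresses() {
    case "$1" in
        host) host_routes "$SAMPLE_LOOKUP" 192.0.2.1 | count_lines ;;
        wide) n=$(wide_routes "$SAMPLE_LOOKUP" 192.0.2.1 | count_lines)
              echo $((n * 65536)) ;;
        *) echo 0 ;;
    esac
}

echo "host routes:"; host_routes "$SAMPLE_LOOKUP" 192.0.2.1
echo "wide routes:"; wide_routes "$SAMPLE_LOOKUP" 192.0.2.1
echo "addresses bypassing the VPN: host=$(bypassed_addresses host) wide=$(bypassed_addresses wide)"
```

Run it on a workstation as-is, or on the router replace the constant with a live answer (`extract_ips "$(nslookup netflix.com)"`) and review the printed commands before putting any of them into a startup script.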
spider85
DD-WRT Novice


Joined: 07 Mar 2016
Posts: 21

Posted: Tue Mar 15, 2016 13:31
@eibgrad @dahosepipe

Is there a way to make this script so that it's only for "some" internal IPs? (example: only for 192.168.0.19)

Regards
dahosepipe
DD-WRT Novice


Joined: 24 Mar 2015
Posts: 33

Posted: Tue Mar 15, 2016 15:52
spider85 wrote:
@eibgrad @dahosepipe

Is there a way to make this script so that it's only for "some" internal IPs? (example: only for 192.168.0.19)

Regards


If you are looking to redirect your own internal network IPs (i.e. 192.168.xxx.xxx) I would suggest using the Policy Based Routing box in the VPN setup screen. Just add the IP(s) in the box, no script needed. Although, this will filter ALL traffic not just Netflix...
spider85
DD-WRT Novice


Joined: 07 Mar 2016
Posts: 21

Posted: Tue Mar 15, 2016 18:30
That's the whole point: some internal IPs always need to go thru the VPN, except when connecting to Netflix.
dahosepipe
DD-WRT Novice


Joined: 24 Mar 2015
Posts: 33

Posted: Tue Mar 15, 2016 18:37
spider85 wrote:
That's the whole point: some internal IPs always need to go thru the VPN, except when connecting to Netflix.


This script does exactly that. It reroutes all Netflix traffic off of your VPN to your ISP.
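spider85's question (a bypass only for some internal IPs) is not what the route scripts above do: a route added to the main table applies to every host behind the router, and the FORWARD ACCEPT rule tried earlier in the thread cannot change the interface a packet leaves on, because forwarding filters run after the routing decision. The following added example (not from the thread, from DD-WRT or from any of the posters) prints, without applying, the commands that scope the bypass to one LAN host with a dedicated routing table and source-based rules, while keeping that host's WAN kill-switch DROP in place for everything else. Assumptions: the router's ip utility supports `ip rule`, routing table 100 is free, and the WAN interface is vlan2 as in spider85's route output; the destination addresses are constructed RFC 5737 values standing in for real Netflix servers, and 192.0.2.1 is a placeholder gateway.

```shell
#!/bin/sh
# Added example, not from the thread: print (never apply) the commands
# that scope the Netflix bypass to a single LAN host instead of the
# whole LAN. Assumed: 'ip rule' support, routing table 100 unused,
# WAN interface vlan2. Addresses are constructed RFC 5737 values.

BYPASS_TABLE=100
NETFLIX_IPS="198.51.100.10 198.51.100.11"

# 'ip route add ... via WAN_GW' lands in the main table and applies to
# every host, so per-host scoping needs its own table (selected by a
# rule on the source address) plus an ACCEPT above the host's WAN
# kill-switch DROP for exactly those destinations. Rules added without
# a preference go in front of the main table, so they win over the
# tunnel's default route.
scoped_bypass_cmds() {
    src="$1"; gw="$2"; wan_if="$3"; shift 3
    echo "ip route add default via $gw dev $wan_if table $BYPASS_TABLE"
    for ip in "$@"; do
        echo "ip rule add from $src to $ip/32 table $BYPASS_TABLE"
        echo "iptables -I FORWARD -s $src -d $ip -o $wan_if -j ACCEPT"
    done
    echo "ip route flush cache"
}

# Count the policy rules keyed on a given LAN source address; a host
# that was not passed as src gets none, which is the point.
rule_count_for() {
    scoped_bypass_cmds "$1" 192.0.2.1 vlan2 $NETFLIX_IPS \
        | grep "^ip rule add from $1 " | awk 'END { print NR }'
}

# Dry run for the host from spider85's post; review before use, and
# re-run whenever the resolved addresses change.
scoped_bypass_cmds 192.168.0.19 192.0.2.1 vlan2 $NETFLIX_IPS
```

The existing `iptables -I FORWARD -s 192.168.0.19 -o $(nvram get wan_iface) -j DROP` stays as the kill switch; the generated ACCEPT lines are inserted above it and only match the listed destinations, so a tunnel outage still leaves the host without general WAN access. Like the thread's scripts, this depends on the resolved addresses staying current, so it belongs in a wanup-style script rather than being run once.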
Cerebus99
DD-WRT Novice


Joined: 12 Mar 2016
Posts: 3

Posted: Tue Mar 15, 2016 20:12
*Many* thanks to eibgrad for the original script and dahosepipe for the modifications! It worked for me (using dd-wrt on Netgear R7000 via a Canadian ISP and IPVanish). This is true of streaming on my PC and wireless connections to the router from a PS3 and Smart TV. For some reason though my mobile phone still gets the proxy error.

In general I am not happy that Netflix has prompted me to reduce my overall internet security, but I am very happy to have found this workaround.

Again, many thanks!
Allan
Page 1 of 4. All times are GMT.