VPN and Netflix - how to set up?


Gunder Sønsteby

Occasional Visitor
Hi


I am using PIA VPN and have used an Asus RT-AC87U router with Asuswrt-Merlin sw. I have a static IP address from my ISP.

Now I have trouble accessing Netflix while using VPN. To solve this I tried to set up another Asus RT-AC87U (with stock firmware) sharing the internet connection using a switch. The new Asus router was set up without VPN, with another IP-subaddress and another SSID so the devices could choose WiFi network whether they wanted VPN connection or not. This was not stable; I frequently got “No internet connection”, only to get it back after some seconds. I accept not using VPN on Netflix if I have to; I use VPN for security, not to get access to other countries' Netflix catalogues.

I have tried static routing using only one router, but Netflix will not accept that. So my question is how to set up my router(s) so that I can access both VPN and Netflix (if necessary on different WiFi networks)?

Thanks in advance!
 
On June 1st Netflix started blocking all traffic that is through VPN because too many people were using VPN to bypass country regulations. A quick Google search will get you plenty of information about this recent change.
 
From what I know Netflix is blocking VPN because of geometric reasons. So maybe this is why you cannot use VPN with Netflix.
You should use Policy rules for your VPN client and reserve specific IP addresses to go through VPN, and create a rule so that when any VPN computer uses Netflix it will go through the local ISP.
Here is what it should look like:

Source IP 192.168.1.80/28 Destination IP 0.0.0.0 Iface VPN
This reserves IP range 192.168.1.80-192.168.1.95 for VPN only.

These IP addresses are all for Netflix. So when the router sees a VPN computer that tries to access Netflix, it will automatically redirect Netflix's traffic to the local ISP, thus bypassing the VPN, and Netflix will work properly again.
Source IP 0.0.0.0 Destination IP 23.21.160.0/24 Iface WAN
Source IP 0.0.0.0 Destination IP 54.204.43.0/24 Iface WAN
Source IP 0.0.0.0 Destination IP 107.20.154.0/24 Iface WAN
Source IP 0.0.0.0 Destination IP 54.243.253.0/24 Iface WAN
Source IP 0.0.0.0 Destination IP 50.19.210.0/24 Iface WAN
Source IP 0.0.0.0 Destination IP 23.23.191.0/24 Iface WAN
Source IP 0.0.0.0 Destination IP 107.20.151.0/24 Iface WAN
Source IP 0.0.0.0 Destination IP 54.204.2.0/24 Iface WAN
Source IP 0.0.0.0 Destination IP 107.20.177.0/24 Iface WAN
Source IP 0.0.0.0 Destination IP 54.225.192.0/24 Iface WAN
Source IP 0.0.0.0 Destination IP 174.129.2.0/24 Iface WAN
Source IP 0.0.0.0 Destination IP 75.101.139.0/24 Iface WAN

All other IP addresses that are not reserved for the VPN will use the local ISP and Netflix will work fine for them as well.
So basically when you are on a VPN you can watch Netflix but it will be local, and if you are not on a VPN Netflix will work local as well.
Unfortunately VPN and unblock-US don't work anymore, which is sad because the best TV is from the US and UK, which give tons of movies, unlike Canada or elsewhere where you get crap.
I would get rid of Netflix and download your movies instead since you have a VPN :)
 

Thanks!

Your description of the problem and the functionality of the solution is spot on to my needs! My challenge is that I do not really understand the technical part of the solution...

I tried to put your input into the Policy rules of the OpenVPN Client section in the VPN tab. See the attached file. The problem is that now the PC I am sitting at is reporting my ISP IP address and not my VPN IP address, even when I am not accessing Netflix. When I try to access Netflix it works, but it is slow to show me the welcome page.

What have I done wrong?

Thanks in advance!
 

Attachment: Routing policy.png
Hi, it's simple at this point.
Now that you have created the IP range which you entered in policy rules, 192.168.1.80/28 for VPN, you have to make sure that you give any device you want to be on VPN a static IP from this range: 192.168.1.80-192.168.1.95.
So in other words, if you put 192.168.1.80 on your laptop you will be in the VPN range. All addresses from 80-95 are VPN only; any other address, DHCP or static, that doesn't fall into this range will use your local ISP IP address.

Also make sure that you enable Block routed clients if tunnel goes down.
Another thing that is important is that in LAN the IP Pool Starting Address starts at 192.168.1.100 and the IP Pool Ending Address is 192.168.1.254;
this will keep static IP addresses away from DHCP addresses.

Use this article as a guide
http://www.snbforums.com/threads/ho...ng-policy-rules-for-ver-380-59-updated.30851/
 

Thanks again! It seems to work like you described! Marvelous!

If I understand correctly, when setting the DHCP server range to 192.168.1.100 – 192.168.1.254, it gives default no access to VPN, but you can run Netflix. I would rather have VPN as default. Can I just change the 192.168.1.80/28 to 192.168.1.1/28 and the DHCP range to 192.168.1.1 – 192.168.1.99?

What does the “/28” mean? Does that give 16 IP addresses (80 to 95)? I would like to have at least 100 VPN IP addresses. What do I put there to have the whole range from 192.168.1.1 to 192.168.1.99 as VPN IP addresses?

A third main (and hopefully last) question: The different Netflix IP addresses that are in the routing table, do they change over time, and if so, how will I know when they do and what they change to?

Thanks in advance!
 
The only reason I told you to set the DHCP range to 100-254 is so that you have static IP addresses that are not in the same range as the DHCP.
By default it's set to 192.168.1.2-192.168.2.254, so the entire range is DHCP; if you want to have static IP addresses then there would be conflicts.

192.168.1.80/28 is CIDR; it's a quick way to put in a range of IP addresses instead of putting in 15 addresses.
Imagine if you had to put in every address of a subnet for each of those addresses I gave you for Netflix; there wouldn't be enough room.

Unfortunately it is not as easy as that to add a CIDR range; they are pretty much predefined. If you wanted 192.168.1.1-.99 you would do
192.168.1.0/25; it would be a range of 192.168.1.1 to 192.168.1.126 for 126 VPN addresses, and you would then have to fix the DHCP pool to start at 127 and finish at 254 in order not to have any conflicts,
or 192.168.1.0/26, 192.168.1.1 to 192.168.1.62, for 62 IP addresses.
Do you need more than 62 IP addresses for VPN?
Use that and reserve the rest for computers that you want to be on static IP but with no need for VPN.

Here is an IP or CIDR calculator:
http://networkcalculator.ca/ip-calculator.php

Netflix addresses may change over time, so it's a good idea to check once in a while, or if your Netflix stops working you know it's time to check :)
The easiest way is to go on your router to network tool/network analysis/method nslookup, and as target put netflix.com,
or use a command prompt in Windows and type nslookup netflix.com

You will get all the IP addresses and you need to put in a CIDR range for each of those new addresses.
So if you see an address like 54.204.43.21 just do 54.204.43.0/24 and that will do the entire range of IP addresses for that subnet.

hope that helps you out
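
The CIDR arithmetic discussed in the reply above, worked with Python's ipaddress module as an added example that is not part of the original thread. The function names are hypothetical, the addresses are the ones quoted in the thread, and sizes count every address in a block, including the first and last.

```python
import ipaddress

def describe(cidr):
    """Return (first, last, size) of an aligned CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net[0]), str(net[-1]), net.num_addresses

def subnet_of(address, prefix=24):
    """Block of the given prefix length that contains address (host bits cleared)."""
    return str(ipaddress.ip_network(f"{address}/{prefix}", strict=False))

def blocks_for_range(first, last):
    """Exact list of CIDR blocks that covers first..last and nothing else."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]

def smallest_single_block(first, last):
    """Smallest single CIDR block containing first..last (may include extras)."""
    hi = ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{first}/32")
    while hi not in net:
        net = net.supernet()  # widen by one bit at a time
    return str(net)

if __name__ == "__main__":
    # /28 leaves 4 host bits: 16 addresses, .80 through .95
    print(describe("192.168.1.80/28"))
    # 192.168.1.1/28 is not aligned; it falls inside the block starting at .0
    print(subnet_of("192.168.1.1", 28))
    # .1 to .99 is not one CIDR block: it takes eight exact blocks ...
    print(blocks_for_range("192.168.1.1", "192.168.1.99"))
    # ... or one larger block that also covers addresses outside the range
    print(smallest_single_block("192.168.1.1", "192.168.1.99"))
    # an nslookup result widened to its /24, as the reply describes
    print(subnet_of("54.204.43.21"))
```
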
 


THANKS again!

Now I have changed it so the VPN uses the 192.168.1.0/25 range. DHCP is set up to use 192.168.1.1 to 192.168.1.126. Now I get VPN connection and I still get Netflix! This is without changing the IP address of the client; as I understood it that should not be possible, but it works currently anyway and that is great!

I can also set the IP address of the client higher than 192.168.1.126 and then I run without VPN. I like this setup!

I hope it continues to work this way!

Thank you so much!
 

No... DHCP should be set to 192.168.1.129-192.168.1.254.
It may work but it will conflict if you have many devices that try to connect to DHCP. Please make sure that DHCP is out of the range of your static IP addresses.
One final thing: VPN is the static range 192.168.1.80/28 which is 192.168.1.0-192.168.1.126.
Please add one more rule:
Source IP 192.168.1.1 Destination IP 0.0.0.0 Iface WAN
With the CIDR rule you created the router will be part of the VPN; I am not sure if this is what you want.
Do you really need 100 IP addresses for VPN? Do you have that many devices?
How many devices do you have that will eventually go to VPN?
If you don't have 100 and it's more like 10 devices then you should not use this configuration.

Use this instead: Source IP 192.168.1.80/28 Destination IP 0.0.0.0 Iface VPN. This reserves IP range 192.168.1.80-192.168.1.95 for VPN only.
Then set your pool to 192.168.1.100-192.168.1.254.

This is the best way if you have less than 15 devices that will use VPN.
The reason I would not use the 192.168.1.80/28 is because you don't want the router to be in the VPN range.
You can have the router in VPN range for specific purposes like doing torrents with the router;
if that is not your case you should leave the router out of the VPN range.

Make this final adjustment and you are in the money :)

Good luck now that you know more about how things work.
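
A small model of the policy rules from this thread, added here as an example and not part of the original posts or of the Asuswrt-Merlin code. It shows which interface a given client and destination would use, and flags the two problems raised in the last reply (DHCP pool inside the VPN range, router inside the VPN range). Assumptions: WAN rules are matched before VPN rules and unmatched traffic uses the WAN, as the thread describes; the function names and the 203.0.113.10 destination are constructed.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def net(field):
    """Parse a rule field; the thread writes 0.0.0.0 to mean 'any address'."""
    return ANY if field == "0.0.0.0" else ipaddress.ip_network(field, strict=False)

def egress(rules, src, dst):
    """Interface for src -> dst. Assumption: WAN rules are matched before VPN
    rules, and traffic that matches no rule leaves through the WAN."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for wanted in ("WAN", "VPN"):
        for r_src, r_dst, iface in rules:
            if iface == wanted and src in net(r_src) and dst in net(r_dst):
                return iface
    return "WAN"

def audit(rules, router_ip, pool_start, pool_end):
    """Flag a DHCP pool or a router address that falls inside a VPN source range."""
    findings = []
    router = ipaddress.ip_address(router_ip)
    lo, hi = (int(ipaddress.ip_address(a)) for a in (pool_start, pool_end))
    # A WAN rule from the router to any destination takes it out of the VPN.
    exempt = any(i == "WAN" and router in net(s) and net(d) == ANY
                 for s, d, i in rules)
    for r_src, _, iface in rules:
        if iface != "VPN":
            continue
        vpn = net(r_src)
        if int(vpn[0]) <= hi and lo <= int(vpn[-1]):
            findings.append(f"DHCP pool overlaps VPN range {vpn}")
        if router in vpn and not exempt:
            findings.append(f"router {router} is inside VPN range {vpn}")
    return findings

# Rules as posted in the thread (two of the twelve Netflix ranges shown).
NETFLIX = [("0.0.0.0", "23.21.160.0/24", "WAN"), ("0.0.0.0", "54.204.43.0/24", "WAN")]
RULES_28 = [("192.168.1.80/28", "0.0.0.0", "VPN")] + NETFLIX
RULES_25 = [("192.168.1.0/25", "0.0.0.0", "VPN")] + NETFLIX

if __name__ == "__main__":
    print(egress(RULES_28, "192.168.1.80", "54.204.43.21"))   # Netflix range
    print(egress(RULES_28, "192.168.1.80", "203.0.113.10"))   # constructed destination
    print(audit(RULES_25, "192.168.1.1", "192.168.1.1", "192.168.1.126"))
```
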
 
