What's new

Selective Routing for Netflix

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

IPSET_Netflix_Domains.sh

Minor typo - function always (needlessly) creates the schedule?
Code:
# If cronjob to back up the NETFLIX ipset list every 24 hours @ 2:00 AM does not exist, then create it
check_cron_job () {
    cru l | grep x3mRouting_NETFLIX_DNSMASQ_ipset_list
    if [ "$?" = "1" ]; then  # no cronjob entry found, create it
        cru a x3mRouting_NETFLIX_DNSMASQ "0 2 * * * ipset save x3mRouting_NETFLIX_DNSMASQ > /opt/tmp/x3mRouting_NETFLIX_DNSMASQ"
    fi
}
 
Minor typo - function always (needlessly) creates the schedule?
Code:
# If cronjob to back up the NETFLIX ipset list every 24 hours @ 2:00 AM does not exist, then create it
check_cron_job () {
    cru l | grep x3mRouting_NETFLIX_DNSMASQ_ipset_list
    if [ "$?" = "1" ]; then  # no cronjob entry found, create it
        cru a x3mRouting_NETFLIX_DNSMASQ "0 2 * * * ipset save x3mRouting_NETFLIX_DNSMASQ > /opt/tmp/x3mRouting_NETFLIX_DNSMASQ"
    fi
}
Thank you. I will look into it!
 
This is new to me and I'm totally noob about it. What does it do actually in simple plain words? What does selective routing would do?
 
This is new to me and I'm totally noob about it. What does it do actually in simple plain words? What does selective routing would do?
In the OpenVPN page, you can define the devices or clients that you want to use the OpenVPN tunnel. This is selective routing at a device or client level.

You can also define selective routing by domain name or IP address. This is what the script does. It gives one the option to route Netflix traffic to the WAN or OpenVPN interface.

Streaming services like BBC, Hulu, Netflix and Amazon Prime will block you if they detect you are using a VPN server. You can read more about the issue here and how to get around it using a private or dedicated VPN IP address. The other method is to use this script to bypass the OpenVPN tunnel and route Netflix traffic to the WAN interface.
 
Thanks, so is it something similar to the split tunneling features that VPN has? I already have PureVPN Dedicated IP with split tunneling, but wouldn't Netflix detect that IP and block? It's working up until though.
 
Thanks, so is it something similar to the split tunneling features that VPN has? I already have PureVPN Dedicated IP with split tunneling, but wouldn't Netflix detect that IP and block? It's working up until though.
Very similar. The methods are slightly different in approach.

Appears with the windows and android PureVPN clients, you have the ability to select what apps will bypass the vpn tunnel. But do you have the option to route traffic over more than one VPN tunnel?

On the router, I have a wan and three vpn client interfaces. Some clients are defined to use the WAN and others one of the VPN clients. No matter the interface a client is defined to, the rules are configured to always route SlingTV to shared server in LA, Hulu, Amazon Prime and Netflix to dedicated server in US and BBC to dedicated IP in The U.K. No intervention is required by the user. Dedicated servers are not blocked by the streaming media services.
 
I'll be honest, this is too much for me :(

Fiddling with codes isn't my strongest suit. I barely started on the Merlin FW and just learning how to opreate 2 VPNs at the same time was a miracle :cool:

After enabling JFFS custom scripts and configs, do I use PuTTY and put the code? That's all ? Reboot or not ? Are these scripts saved somewhere ? Do I need to plug a harddrive in USB port in the router or not ?

So many questions...o_O

Is there like a dummy guide to scripting on Merlin ?
 
I'll be honest, this is too much for me :(

Fiddling with codes isn't my strongest suit. I barely started on the Merlin FW and just learning how to opreate 2 VPNs at the same time was a miracle :cool:

After enabling JFFS custom scripts and configs, do I use PuTTY and put the code? That's all ? Reboot or not ? Are these scripts saved somewhere ? Do I need to plug a harddrive in USB port in the router or not ?

So many questions...o_O

Is there like a dummy guide to scripting on Merlin ?

There are good articles using the routers SSH console (needs Xshell5/MobaXterm or PuTTY etc.) together with the firmware's nano editor see Wiki/documentation for Asuswrt-merlin which may get you started.

However, if you are using Windows, then WinSCP is recommended if you want to play with scripting or simply view the firmware environment/files etc.

I created a dummy's guide.... Mini WinSCP tutorial to copy/modify/execute script which should get you started.

The scripts are saved on the router, so you don't need a USB drive, although it is convenient to use an attached USB drive to backup your scripts etc.
 
Last edited:
There are good articles using the routers SSH console (needs Xshell5/MobaXterm or PuTTY etc.) together with the firmware's nano editor see Wiki/documentation for Asuswrt-merlin which may get you started.

However, if you are using Windows, then WinSCP is recommended if you want to play with scripting or simply view the firmware environment/files etc.

I created a dummy's guide.... Mini WinSCP tutorial to copy/modify/execute script which should get you started.

The scripts are saved on the router, so you don't need a USB drive, although it is convenient to use an attached USB drive to backup your scripts etc.


Thanks Martineau and thank you Xentrk.

I gave it a go today and downloaded WinSCP and started exploring and seeing what's going inside my RT-AC86U.

After 2 hours I managed to have a USB thumb drive formatted as EXT2 and managed to install Entware. Then I moved to the next step which is installing the scripts and following the instructions.

Still not sure if I'm doing things correctly because the usual Netflix error now is gone but the devices are not streaming anything.

I must be doing something correct because the error is gone and it seems like the Netflix app on the iPad is trying to stream but nothing happens.
 
Last edited:
Xentrk you are a legend !!!

After spending 5 hours trying to understand this thing I was about to give up, so I decided to unplug the USB thumb drive and rebooted the router. Then thought to myself why not plug the USB and try again. I found the scripts still under the /jffs/scripts and just executed it and viola it worked.

I'll be honest, no idea how I did it :D Thanks to Martineau and his easy guide linked above.

Now help me, how do I make it stick so any reboot doesn't change anything.

Do I need to have the USB thumb drive plugged all the time ?
 
Xentrk you are a legend !!!

After spending 5 hours trying to understand this thing I was about to give up, so I decided to unplug the USB thumb drive and rebooted the router. Then thought to myself why not plug the USB and try again. I found the scripts still under the /jffs/scripts and just executed it and viola it worked.

I'll be honest, no idea how I did it :D Thanks to Martineau and his easy guide linked above.

Now help me, how do I make it stick so any reboot doesn't change anything.

Do I need to have the USB thumb drive plugged all the time ?
What script did you install? IPSET_Neflix.sh or IPSET_Netflix_Domains.sh?

See the Troubleshooting and Installation sections at
https://github.com/Xentrk/netflix-vpn-bypass

Paste the output of the commands in your reply. Thank you.
 
Last edited:
What script did you install? IPSET_Neflix.sh or IPSET_Netflix_Domains.sh?

I think I installed both ? check the attachment.

I swear I kept dabbling, executing commands and getting errors but for some reason it worked.

I'm not tech savvy at all, so for it to work is a complete surprise.

If you want me to show you any results of my work, you may need to tell me a command and where to execute it and explain it like I'm 5 :D
 

Attachments

  • jeff.png
    jeff.png
    22.3 KB · Views: 416
I think I installed both ? check the attachment.

I swear I kept dabbling, executing commands and getting errors but for some reason it worked.

I'm not tech savvy at all, so for it to work is a complete surprise.

If you want me to show you any results of my work, you may need to tell me a command and where to execute it and explain it like I'm 5 :D
This link will take you to the commands:
https://github.com/Xentrk/netflix-vpn-bypass#troubleshooting

You also need to add this to the list of commands if you installed both:
ipset -L x3mRouting_NETFLIX_Domains
 
On the router, I have a wan and three vpn client interfaces. Some clients are defined to use the WAN and others one of the VPN clients. No matter the interface a client is defined to, the rules are configured to always route SlingTV to shared server in LA, Hulu, Amazon Prime and Netflix to dedicated server in US and BBC to dedicated IP in The U.K. No intervention is required by the user. Dedicated servers are not blocked by the streaming media services.

In my layman terms, I would have more than 1 tunnels to spread my traffic. Like having tunnels split into 3? :rolleyes: It's too complicated but I'm trying to understand my best! :)
 
Trying to install IPSET_Netflix.sh....was able install the json parson file and verified that I have the ipset version 6. The script also installed well. While I am still trying to learn and understand the scripting lingo :)....somehow I am not able to fully translate what I am seeing after I try to have the script execute at system start up:

"....
/root# --2018-11-17 19:28:14-- https://ip-ranges.amazonaws.com/ip-ranges.json
Resolving ip-ranges.amazonaws.com... 143.204.181.128, 143.204.181.98, 143.204.181.60, ...
Connecting to ip-ranges.amazonaws.com|143.204.181.128|:443... connected.
ERROR: cannot verify ip-ranges.amazonaws.com's certificate, issued by 'CN=Amazon,OU=Server CA 1B,O=Amazon,C=US':
Unable to locally verify the issuer's authority.
To connect to ip-ranges.amazonaws.com insecurely, use `--no-check-certificate'.


Does the ERROR line mean that I didn't use the right command or that something is not set up right? Or is everything ok?

Is there a command that verifies that installation of this script went well?

Thank you!
 
Trying to install IPSET_Netflix.sh....was able install the json parson file and verified that I have the ipset version 6. The script also installed well. While I am still trying to learn and understand the scripting lingo :)....somehow I am not able to fully translate what I am seeing after I try to have the script execute at system start up:

"....
/root# --2018-11-17 19:28:14-- https://ip-ranges.amazonaws.com/ip-ranges.json
Resolving ip-ranges.amazonaws.com... 143.204.181.128, 143.204.181.98, 143.204.181.60, ...
Connecting to ip-ranges.amazonaws.com|143.204.181.128|:443... connected.
ERROR: cannot verify ip-ranges.amazonaws.com's certificate, issued by 'CN=Amazon,OU=Server CA 1B,O=Amazon,C=US':
Unable to locally verify the issuer's authority.
To connect to ip-ranges.amazonaws.com insecurely, use `--no-check-certificate'.


Does the ERROR line mean that I didn't use the right command or that something is not set up right? Or is everything ok?

Is there a command that verifies that installation of this script went well?

Thank you!
Remove the # (comment) from the line set -x to enter debug mode. This will display the script as it runs and you can see the variable substitution and errors in real time.

If you still see certificate errors, try turning off pixelserv-tls temporarily.
 
In my layman terms, I would have more than 1 tunnels to spread my traffic. Like having tunnels split into 3? :rolleyes: It's too complicated but I'm trying to understand my best! :)
You can selectively route by client dhcp ip, destination IP address or host name. Start with the guide written by @yorgi
 
Remove the # (comment) from the line set -x to enter debug mode. This will display the script as it runs and you can see the variable substitution and errors in real time.

If you still see certificate errors, try turning off pixelserv-tls temporarily.

Thank you @Xentrk. Do I need to install both IPSET_Netflix.sh and IPSET_Netflix_Domains.sh in order to make this work? Also, could please describe the statement below into a simpler way :):

"...If the script runs successfully, you can have the script execute at system start-up by calling it from /jffs/scripts/nat-start by including the line sh /jffs/scripts/IPSET_Netflix.sh in the file. Make sure nat-start has a she-bang as the first line in the file #!/bin/sh and is executable e.g. chmod 755 /jffs/scripts/nat-start."

Would would these commands look like?

#!/bin/sh jffs/scripts/nat-start sh /jffs/scripts/IPSET_Netflix.sh && chmod 755 /jffs/scripts/nat-start

Thanks a lot!
 
Thank you @Xentrk. Do I need to install both IPSET_Netflix.sh and IPSET_Netflix_Domains.sh in order to make this work? Also, could please describe the statement below into a simpler way :):

"...If the script runs successfully, you can have the script execute at system start-up by calling it from /jffs/scripts/nat-start by including the line sh /jffs/scripts/IPSET_Netflix.sh in the file. Make sure nat-start has a she-bang as the first line in the file #!/bin/sh and is executable e.g. chmod 755 /jffs/scripts/nat-start."

Would would these commands look like?

#!/bin/sh jffs/scripts/nat-start sh /jffs/scripts/IPSET_Netflix.sh && chmod 755 /jffs/scripts/nat-start

Thanks a lot!
You will have to test to see what works for your environment. Perhaps try IPSET_Netflix.sh first. If you still have issues, install IPSET_Netflix_Domains.sh. The two scripts can coexist. The first script works great for some, others need to install both. The second script may also work on its own without the need for the first script. Seems to depend on the geo region one is from.

In much of my selective routing programs, the approach in the first script works great when streaming from streaming media devices. But for two services, I needed to combine the approach of both scripts when streaming from a Windows 10 device.

Once you have tested that it is working, add it to /jffs/scripts/nat-start as follows:
Code:
#!/bin/sh
sh /jffs/scripts/IPSET_Netflix.sh
And if necessary, add the second script to nat-start.

At the command prompt, type
Code:
chmod 755 /jffs/scripts/nat-start
To set the nat-start file as executable.
 
Similar threads
Thread starter Title Forum Replies Date
H Routing wireguard VPN 0
dougm [solved] PFSense+OpenVPN: Problems Routing Specific VLAN traffic out VPN VPN 1

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top