
split tunnel netflix

Discussion in 'Asuswrt-Merlin' started by LevesqueOnline, Apr 25, 2019.

  1. LevesqueOnline

    LevesqueOnline Occasional Visitor

    Joined:
    Jan 24, 2017
    Messages:
    22
    Good Day,

    I am in Canada, and have a VPN setup to route traffic through for certain devices, but Netflix won't let me watch when connected.

    I would like to build a rule to route Netflix traffic out over the WAN versus the VPN, but I can't seem to find the IP addresses I would need to set for the destination.

    Any gurus out there figured this out?
     
  2. Butterfly Bones

    Butterfly Bones Very Senior Member

    Joined:
    Apr 10, 2017
    Messages:
    763
    Location:
    California central coast
    See if this is what you seek.
    https://www.snbforums.com/threads/selective-routing-for-netflix.42661/
     
  3. LevesqueOnline

    LevesqueOnline Occasional Visitor

    Joined:
    Jan 24, 2017
    Messages:
    22
  4. Butterfly Bones

    Butterfly Bones Very Senior Member

    Joined:
    Apr 10, 2017
    Messages:
    763
    Location:
    California central coast
    Have you looked at the RMerlin Wiki on Policy Routing?
    https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

    That explains what you want to do. The ginormous problem is that Netflix has a huge bunch of destination IPs that change often, depending on many factors, so it becomes totally impossible to use simple policy routing. That is why Xentrk developed his solution; it is an elegant solution to a gigantic problem of policy routing.
     
  5. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,149
    Location:
    The Land of Smiles
    The ability is in the OpenVPN client screen to specify IP addresses. Unfortunately, there are too many IP addresses to specify individually in the screen. There is a limit to how many can be entered in the screen.

    I have a more user friendly version coming very, very soon and I can let you know when it is ready, but the basic ability to use the Linux command line is required.

    All scripts require the ability to use an SSH session to install the scripts and make edits. Both versions require that entware be installed. The primary reason is the /opt/tmp/ directory is used as the ipset list save and restore location. This will allow the list to be restored after a reboot. So even with the more user friendly versions, some familiarity with basic Linux commands is required. Google is your friend.

    The IPSET_Netflix.sh script uses the entware package jq to process the IP addresses for Amazon. IPSET_Netflix_Domains.sh does not require any additional packages.

    Both scripts are already set up to route Netflix and Amazon Prime to the WAN iface. So no need to worry about editing the script. You will need to create /jffs/scripts/nat-start and call the script from there so the ipset list gets created at system boot.
     
    HuskyHerder and L&LD like this.
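    The mechanism the scripts above automate, as an added example that is not Xentrk's code or the project's: create the ipset, mark LAN traffic to its members, let the firmware's fwmark rule route it via the WAN, and save the set under /opt/tmp so nat-start can restore it. The set name x3mRouting_NETFLIX, the 0x8000 mark and the /opt/tmp location are assumed from this thread, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not Xentrk's IPSET_Netflix.sh: the bare ipset + fwmark + ip rule
# sequence those scripts automate, meant to be called from /jffs/scripts/nat-start.
# Assumed from the thread: set name x3mRouting_NETFLIX, mark 0x8000 (matched by
# the firmware's 'prio 9990 lookup main' rule), Entware's /opt/tmp as save location.
# DRY_RUN=1 prints each command instead of executing it.
IPSET_NAME="${IPSET_NAME:-x3mRouting_NETFLIX}"
WAN_MARK="0x8000"
SAVE_FILE="${SAVE_DIR:-/opt/tmp}/$IPSET_NAME"

run() {  # execute the command, or print it when dry-running
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the set, or restore the copy saved before the last reboot.
create_ipset() {
    if [ -f "$SAVE_FILE" ]; then run ipset -! -f "$SAVE_FILE" restore
    else run ipset -! create "$IPSET_NAME" hash:net; fi
}

# Mark LAN (br0) packets whose destination is in the set; the prio 9990 rule
# then routes them via table main (WAN) before any ovpncN fwmark rule applies.
add_mark_rule() {
    # delete a stale copy first so re-running nat-start does not stack duplicates
    run iptables -t mangle -D PREROUTING -i br0 -m set --match-set "$IPSET_NAME" dst \
        -j MARK --or-mark "$WAN_MARK" 2>/dev/null
    run iptables -t mangle -A PREROUTING -i br0 -m set --match-set "$IPSET_NAME" dst \
        -j MARK --or-mark "$WAN_MARK"
}

# Asuswrt-Merlin installs this rule itself; add it only if it is missing.
ensure_wan_rule() {
    ip rule show 2>/dev/null | grep -q "fwmark 0x8000/0x8000 lookup main" \
        || run ip rule add fwmark 0x8000/0x8000 table main prio 9990
}

# Persist the set so the restore branch above works after a reboot.
save_ipset() { run ipset -f "$SAVE_FILE" save "$IPSET_NAME"; }

setup_bypass() { create_ipset && add_mark_rule && ensure_wan_rule && save_ipset; }

case "${1:-}" in
    apply)   setup_bypass ;;
    dry-run) DRY_RUN=1 setup_bypass ;;
esac
```

    Run it as `sh bypass.sh dry-run` to review the exact commands before `apply`; the set itself still has to be filled (from ASN data, dnsmasq or a saved file) before the mark rule matches anything.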
  6. wizin

    wizin Regular Contributor

    Joined:
    Aug 18, 2013
    Messages:
    69
    Amazon doesn't do any good BTW; e.g., if I have Amazon Canada, I cannot watch Amazon US with my Canadian account on VPN. I can view the content on the webpage but it doesn't play it; however, it does work if I have an Amazon US account with VPN. This is well documented with Amazon policy for the travelling public: they will let some content be viewed if you call their customer service.
     
    Xentrk likes this.
  7. royarcher

    royarcher New Around Here

    Joined:
    Apr 25, 2019
    Messages:
    9
    I stream Amazon in Australia with a VPN and I have noticed that if I try and watch anything on my phone at work without the VPN it restricts my options with a note, viewing while abroad, and it really is heavily doctored.
     
  8. LevesqueOnline

    LevesqueOnline Occasional Visitor

    Joined:
    Jan 24, 2017
    Messages:
    22
    Greatly appreciate all of the help. I put my big boy pants on and gave it a go. Almost complete, but this command is not working:

    /usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/netflix-vpn-bypass/master/IPSET_Netflix.sh" -o /jffs/scripts/IPSET_Netflix.sh && chmod 755 /jffs/scripts/IPSET_Netflix.sh

    It comes back saying warning transient problem and curl couldn't resolve the host.

    Any thoughts? When I do an nslookup it comes back and resolves the IP using 127.0.0.1, which is obviously the router itself, which does DNS fine.

    Appreciate any help.
     
  9. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,149
    Location:
    The Land of Smiles
    I copy and pasted the command you posted and it worked okay for me:
    Code:
    /usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/netflix-vpn-bypass/master/IPSET_Netflix.sh" -o /jffs/scripts/IPSET_Netflix.sh && chmod 755 /jffs/scripts/IPSET_Netflix.sh
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  8703  100  8703    0     0  10311      0 --:--:-- --:--:-- --:--:-- 11938
    
    Can you ping github.com?
     
  10. wizin

    wizin Regular Contributor

    Joined:
    Aug 18, 2013
    Messages:
    69
    Adding to this, if one really wants US Amazon - actually pretty good for B movie content (there is a fanbase) - buy a student account on eBay (.edu) for like 5 bucks and you can sign up for an Amazon Prime Student account which has six months of free Prime. You need to have a VPN (a good one like I do with Torguard dedicated) and use the Route VPN in RMerlin to a device like, say, a Roku or any Android device.
     
  11. LevesqueOnline

    LevesqueOnline Occasional Visitor

    Joined:
    Jan 24, 2017
    Messages:
    22
    Cannot, I think it times out. nslookup seems to take a while from the shell; Windows goes fine. The nslookup takes around 15-30 seconds to resolve, safe to say timing out maybe?

    ASUSWRT-Merlin RT-AC86U 384.10-2 Wed Apr 3 22:32:15 UTC 2019
    [email protected]:/tmp/home/root# ping github.com
    ping: bad address 'github.com'
    [email protected]:/tmp/home/root# nslookup github.com
    Server: 127.0.0.1
    Address 1: 127.0.0.1 localhost.localdomain

    Name: github.com
    Address 1: 192.30.253.113 lb-192-30-253-113-iad.github.com
    Address 2: 192.30.253.112 lb-192-30-253-112-iad.github.com
    [email protected]:/tmp/home/root#
     
  12. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,149
    Location:
    The Land of Smiles
    I tried to ping github.com from a windows cmd session and it failed. I suspect they block pings. nslookup works though.

    Do you have any of the add-on scripts installed like amtm, diversion, or skynet? Do you have entware installed? The reason I mention diversion is it will set up dnsmasq for you, which the program needs. It will also assist you in enabling entware. First, install amtm. It will give you the options to install the rest. The program uses the entware directory /opt/tmp as the ipset save/restore file location. So entware is needed at a minimum.
     
  13. LevesqueOnline

    LevesqueOnline Occasional Visitor

    Joined:
    Jan 24, 2017
    Messages:
    22
    Fixed it. I set WAN DNS from auto to 1.1.1.1 and 8.8.8.8; way faster lookups directly on the router.
     
  14. LevesqueOnline

    LevesqueOnline Occasional Visitor

    Joined:
    Jan 24, 2017
    Messages:
    22
    So I have run through the setup. Ran that last script, everything looks present so I assume I'm done. Went in on my Firestick and tried a Netflix show and it still seems to be routing through the VPN, as it busted me on it again? Are my normal rules to route traffic from TV devices superseding this script, or?

    appreciate all of the help!

    upload_2019-4-27_9-0-49.png
     
  15. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,149
    Location:
    The Land of Smiles
    Yes, the TG Dedicated IP is also my go to recommendation for streaming services that block known VPNs.

    Here is a preview of the selective routing project I have been working on...
    Code:
    Usage:
    
    load_AMAZON_ipset_iface.sh 1
    
    load_ASN_ipset_iface.sh 1 NETFLIX AS2906
    First script creates ipset list of AMAZON US ip addresses (prime) and routes to OpenVPN Client 1.

    Second script creates ipset list NETFLIX using AS2906 as the source and routes to OpenVPN Client 1.

    Similarly, one could also use the ipset method inside of dnsmasq to collect and populate the IPSET list by passing the top level domain names:

    Code:
    load_DNSMASQ_ipset_iface.sh 1 NETFLIX netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net
     
    Last edited: Apr 27, 2019
  16. LevesqueOnline

    LevesqueOnline Occasional Visitor

    Joined:
    Jan 24, 2017
    Messages:
    22
    You may have just fixed my issue. I'm set up on OpenVPN client 4, should I configure 1 if it's bound to that? Might be my issue.
     
  17. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,149
    Location:
    The Land of Smiles
    Please post the output of these two commands:

    iptables -nvL PREROUTING -t mangle --line

    ip rule

    Check to see if the ipset list is populated correctly:

    ipset -L x3mRouting_NETFLIX
     
  18. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,149
    Location:
    The Land of Smiles
    The client number shouldn't matter. But I have had issues with Policy Routing in the past if I don't also include the Router's IP address in the list and route it to the WAN iface, especially when using more than one OpenVPN Client e.g.

    upload_2019-4-27_19-10-6.png
     
  19. LevesqueOnline

    LevesqueOnline Occasional Visitor

    Joined:
    Jan 24, 2017
    Messages:
    22
    ipset shows a ton of IP subnets, so assuming that is working. I removed and disabled other VPNs; OVPN1 is now set up only and turned on.

    ip rule details here

    [email protected]:/jffs/scripts# ip rule
    0: from all lookup local
    9990: from all fwmark 0x8000/0x8000 lookup main
    9991: from all fwmark 0x3000/0x3000 lookup ovpnc5
    9992: from all fwmark 0x7000/0x7000 lookup ovpnc4
    9993: from all fwmark 0x4000/0x4000 lookup ovpnc3
    9994: from all fwmark 0x2000/0x2000 lookup ovpnc2
    9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
    10101: from 192.168.50.11 lookup ovpnc1
    10102: from 192.168.50.10 lookup ovpnc1
    32766: from all lookup main
    32767: from all lookup default
    The details from iptables:

    Chain PREROUTING (policy ACCEPT 960K packets, 761M bytes)
    num pkts bytes target prot opt in out source destination
    1 12007 1317K MARK all -- * * 192.168.50.0/24 192.168.50.1 MARK set 0x9
    2 12007 1317K RETURN all -- * * 192.168.50.0/24 192.168.50.1
    3 6252 808K MARK all -- * * 0.0.0.0/0 !192.168.50.0/24 MAC D4:E6:B7:C2:8A:0B MARK set 0x1e
    4 6252 808K RETURN all -- * * 0.0.0.0/0 !192.168.50.0/24 MAC D4:E6:B7:C2:8A:0B
    5 144K 12M MARK all -- * * 0.0.0.0/0 !192.168.50.0/24 source IP range 192.168.50.150-192.168.50.225 MARK set 0x1f
    6 144K 12M RETURN all -- * * 0.0.0.0/0 !192.168.50.0/24 source IP range 192.168.50.150-192.168.50.225
    7 1999 476K MARK all -- * * 192.168.50.10 !192.168.50.0/24 MARK set 0x20
    8 1999 476K RETURN all -- * * 192.168.50.10 !192.168.50.0/24
    9 3950 1319K MARK all -- * * 192.168.50.11 !192.168.50.0/24 MARK set 0x21
    10 3950 1319K RETURN all -- * * 192.168.50.11 !192.168.50.0/24
    11 772 87760 MARK all -- * * 192.168.50.12 !192.168.50.0/24 MARK set 0x22
    12 772 87760 RETURN all -- * * 192.168.50.12 !192.168.50.0/24
    13 158 40591 MARK all -- * * 192.168.50.14 !192.168.50.0/24 MARK set 0x23
    14 158 40591 RETURN all -- * * 192.168.50.14 !192.168.50.0/24
    15 0 0 MARK all -- * * 0.0.0.0/0 !192.168.50.0/24 source IP range 192.168.50.60-192.168.50.65 MARK set 0x24
    16 0 0 RETURN all -- * * 0.0.0.0/0 !192.168.50.0/24 source IP range 192.168.50.60-192.168.50.65
    17 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_NETFLIX dst MARK or 0x8000
    18 781 191K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_AMAZONAWS dst MARK or 0x8000
     
  20. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,149
    Location:
    The Land of Smiles
    Everything looks okay to me. I see packets traversing the iptables chain for Amazon but not for Netflix.
    Code:
    17 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_NETFLIX dst MARK or 0x8000
    18 781 191K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_AMAZONAWS dst MARK or 0x8000 
    Try to surf NF in a browser and again on your streaming device and see if the packet count goes up. Do you get the proxy error when you try to stream on NF?

    Also try adding the router IP to the Policy Rules and route to the WAN per the post above.
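    A scripted version of the check Xentrk performs by eye above, as an added example that is not from anyone in the thread: it parses the `iptables -nvL PREROUTING -t mangle --line` and `ip rule` listings, reports each ipset MARK rule's packet counter (zero means the set has matched nothing yet) and confirms the 0x8000 WAN-bypass rule sorts before every ovpnc rule. The sample outputs are constructed to mirror the ones posted.

```shell
#!/bin/sh
# Added example, not from the thread: reads the two diagnostic outputs Xentrk asked
# for and reports whether the ipset bypass is wired up and actually matching traffic.
# The samples are constructed to mirror the thread (rule 17 has 0 packets, rule 18 781).

# Constructed sample of: iptables -nvL PREROUTING -t mangle --line (abridged)
MANGLE_SAMPLE='Chain PREROUTING (policy ACCEPT 960K packets, 761M bytes)
num pkts bytes target prot opt in out source destination
17 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_NETFLIX dst MARK or 0x8000
18 781 191K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_AMAZONAWS dst MARK or 0x8000'

# Constructed sample of: ip rule (abridged)
RULE_SAMPLE='0: from all lookup local
9990: from all fwmark 0x8000/0x8000 lookup main
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
10101: from 192.168.50.11 lookup ovpnc1
32766: from all lookup main'

# One line per ipset MARK rule: "<set> <pkts> OK|NO-TRAFFIC". A zero counter means
# nothing has been matched yet, which is what the thread saw for Netflix.
check_ipset_rules() {
    printf '%s\n' "$1" | awk '
        /match-set/ && /MARK or 0x8000/ {
            for (i = 1; i <= NF; i++) if ($i == "match-set") set = $(i + 1)
            print set, $2, ($2 == 0 ? "NO-TRAFFIC" : "OK")
        }'
}

# The WAN-bypass rule must carry a lower priority number than every ovpnc rule,
# otherwise marked packets are routed by a tunnel table first. Prints OK or BAD <rule>.
check_rule_order() {
    printf '%s\n' "$1" | awk '
        /fwmark 0x8000\/0x8000 lookup main/ { wan = $1 + 0 }   # "9990:" -> 9990
        /lookup ovpnc/ { if (wan == "" || $1 + 0 < wan) { print "BAD", $0; bad = 1 } }
        END { if (!bad) print "OK" }'
}

check_ipset_rules "$MANGLE_SAMPLE"
check_rule_order "$RULE_SAMPLE"
```

    On a router, feed the live listings instead: `check_ipset_rules "$(iptables -nvL PREROUTING -t mangle --line)"` and `check_rule_order "$(ip rule)"`.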