split tunnel netflix


LevesqueOnline

Occasional Visitor
Good Day,

I am in Canada and have a VPN set up to route traffic through for certain devices, but Netflix won't let me watch when connected.

I would like to build a rule to route Netflix traffic out over the WAN rather than the VPN, but I can't seem to find the IP addresses I would need to set as the destination.

Any gurus out there figured this out?
 
Wow, will look into this, seems pretty advanced. Is there any way Merlin can allow *.netflix.com as my route? :p
Have you looked at the RMerlin Wiki on Policy Routing?
https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

That explains what you want to do. The ginormous problem is that Netflix has a huge bunch of destination IPs that change often, depending on many factors, so it becomes totally impossible to use simple policy routing. That is why Xentrk developed his solution; it is an elegant solution to a gigantic policy routing problem.
 
The ability is in the OpenVPN client screen to specify IP addresses. Unfortunately, there are too many IP addresses to specify individually in the screen. There is a limit to how many can be entered in the screen.

I have a more user-friendly version coming very, very soon and I can let you know when it is ready, but the basic ability to use the Linux command line is required.

All scripts require the ability to use an SSH session to install the scripts and make edits. Both versions require that Entware be installed. The primary reason is that the /opt/tmp/ directory is used as the ipset list save and restore location. This will allow the list to be restored after a reboot. So even with the more user-friendly versions, some familiarity with basic Linux commands is required. Google is your friend.

The IPSET_Netflix.sh script uses the Entware package jq to process the IP addresses for Amazon. IPSET_Netflix_Domains.sh does not require any additional packages.

Both scripts are already set up to route Netflix and Amazon Prime to the WAN iface, so there is no need to worry about editing the script. You will need to create /jffs/scripts/nat-start and call the script from there so the ipset list gets created at system boot.
 
Amazon doesn't do any good, BTW. For example, if I have Amazon Canada, I cannot watch Amazon US with my Canadian account on the VPN; I can view the content on the web page but it doesn't play it. However, it does work if I have an Amazon US account with the VPN. This is well documented in Amazon's policy for the travelling public; they will let some content be viewed if you call their customer service.
 

Greatly appreciate all of the help. I put my big boy pants on and gave it a go. Almost complete, but this command is not working:

/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/netflix-vpn-bypass/master/IPSET_Netflix.sh" -o /jffs/scripts/IPSET_Netflix.sh && chmod 755 /jffs/scripts/IPSET_Netflix.sh

It comes back saying "warning: transient problem" and that curl couldn't resolve the host.

Any thoughts? When I do an nslookup it does come back and resolve the IP using 127.0.0.1, which is obviously the router itself, which does DNS fine.

Appreciate any help.
 
I copied and pasted the command you posted and it worked okay for me:
Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/netflix-vpn-bypass/master/IPSET_Netflix.sh" -o /jffs/scripts/IPSET_Netflix.sh && chmod 755 /jffs/scripts/IPSET_Netflix.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  8703  100  8703    0     0  10311      0 --:--:-- --:--:-- --:--:-- 11938

Can you ping github.com?
 

Adding to this, if one really wants US Amazon (actually pretty good for B-movie content; there is a fanbase), buy a student (.edu) account on eBay for like 5 bucks and you can sign up for an Amazon Prime Student account, which has six months of free Prime. You need to have a VPN (a good one, like I do with a TorGuard dedicated IP) and use the Route VPN in RMerlin to a device like, say, a Roku or any Android device.
 

I cannot; I think it times out. nslookup seems to take a while from the shell; Windows goes fine. The nslookup takes around 15-30 seconds to resolve, so safe to say it's timing out, maybe?

Code:
ASUSWRT-Merlin RT-AC86U 384.10-2 Wed Apr 3 22:32:15 UTC 2019
admin@RT-AC86U-6D00:/tmp/home/root# ping github.com
ping: bad address 'github.com'
admin@RT-AC86U-6D00:/tmp/home/root# nslookup github.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      github.com
Address 1: 192.30.253.113 lb-192-30-253-113-iad.github.com
Address 2: 192.30.253.112 lb-192-30-253-112-iad.github.com
admin@RT-AC86U-6D00:/tmp/home/root#
 
I tried to ping github.com from a Windows cmd session and it failed. I suspect they block pings. nslookup works though.

Do you have any of the add-on scripts installed, like amtm, Diversion, or Skynet? Do you have Entware installed? The reason I mention Diversion is that it will set up dnsmasq for you, which the program needs. It will also assist you in enabling Entware. First, install amtm. It will give you the options to install the rest. The program uses the Entware directory /opt/tmp as the ipset save/restore file location, so Entware is needed at a minimum.
 
Fixed it. I set the WAN DNS from auto to 1.1.1.1 and 8.8.8.8; way faster lookups directly on the router.
 

So I have run through the setup and ran that last script. Everything looks present, so I assume I'm done. I went in on my Fire Stick and tried a Netflix show and it still seems to be routing through the VPN, as it busted me on it again. Are my normal rules to route traffic from TV devices superseding this script, or...?

Appreciate all of the help!
 
Yes, the TG dedicated IP is also my go-to recommendation for streaming services that block known VPNs.

Here is a preview of the selective routing project I have been working on...
Code:
Usage:

load_AMAZON_ipset_iface.sh 1

load_ASN_ipset_iface.sh 1 NETFLIX AS2906

First script creates ipset list of AMAZON US ip addresses (prime) and routes to OpenVPN Client 1.

Second script creates ipset list NETFLIX using AS2906 as the source and routes to OpenVPN Client 1.

Similarly, one could also use the ipset method inside of dnsmasq to collect and populate the IPSET list by passing the top level domain names:

Code:
load_DNSMASQ_ipset_iface.sh 1 NETFLIX netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net
 
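Xentrk's two posts above (the nat-start and /opt/tmp save/restore explanation, and the usage preview) describe what the scripts do but not the commands behind them. The script below is an added example written for this page, not Xentrk's netflix-vpn-bypass or x3mRouting code and not from the thread: it is a minimal, idempotent helper of the kind you would call from /jffs/scripts/nat-start. It creates an ipset, restores its members from /opt/tmp so they survive a reboot, marks LAN packets whose destination is in the set, and checks that the firmware already has an ip rule for that mark. The fwmark/table pairs are the ones visible in the ip rule output posted later in the thread; the hash:net set type, the br0 LAN bridge and the save path layout are assumptions. plan() prints the commands as text so they can be reviewed (and unit-tested) before apply() runs them on the router.

```shell
#!/bin/sh
# Added example (not Xentrk's code): idempotent ipset-based selective routing
# helper for ASUSWRT-Merlin, meant to be sourced from /jffs/scripts/nat-start.
# Assumptions: hash:net set type, br0 as LAN bridge, /opt/tmp as save dir.

SAVE_DIR="${SAVE_DIR:-/opt/tmp}"   # Entware tmp dir, the save/restore location the thread uses
LAN_IF="${LAN_IF:-br0}"            # assumption: LAN bridge interface name

# Map "0" (WAN) or OpenVPN client 1-5 to the fwmark and routing table the
# firmware already has ip rules for (priorities 9990-9995 in the thread's output).
mark_for_iface() {
    case "$1" in
        0) echo "0x8000 main"   ;;
        1) echo "0x1000 ovpnc1" ;;
        2) echo "0x2000 ovpnc2" ;;
        3) echo "0x4000 ovpnc3" ;;
        4) echo "0x7000 ovpnc4" ;;
        5) echo "0x3000 ovpnc5" ;;
        *) return 1 ;;
    esac
}

# plan IFACE SETNAME: print, one per line, the commands that would be run.
plan() {
    iface="$1"; set_name="$2"
    mt=$(mark_for_iface "$iface") || { echo "plan: unknown iface '$iface'" >&2; return 1; }
    mark=${mt% *}; table=${mt#* }

    # -exist: creating a set that already exists is a no-op, not an error,
    # so nat-start can be re-run (it fires on every WAN/VPN restart).
    echo "ipset -exist create $set_name hash:net"
    # Restore the previously saved members, if a save file is present.
    [ -s "$SAVE_DIR/$set_name" ] && echo "ipset -exist -file $SAVE_DIR/$set_name restore"
    # -C tests for the rule first; -I only when absent, so re-runs do not
    # stack duplicate MARK rules in the PREROUTING chain.
    rule="PREROUTING -i $LAN_IF -m set --match-set $set_name dst -j MARK --or-mark $mark"
    echo "iptables -t mangle -C $rule 2>/dev/null || iptables -t mangle -I $rule"
    # A fwmark does nothing unless an ip rule routes it. The firmware owns
    # those rules, so report a missing one rather than adding it.
    echo "ip rule show | grep -q 'fwmark $mark/$mark lookup $table' || echo 'missing ip rule for $mark -> $table' >&2"
}

# apply IFACE SETNAME: execute the plan (needs root on the router).
apply() {
    plan "$1" "$2" | sh -e
}

# save_set SETNAME: persist the live set to /opt/tmp (e.g. from a cron job).
save_set() {
    ipset -file "$SAVE_DIR/$1" save "$1"
}

# Typical nat-start line:  . /jffs/scripts/route_ipset.sh && apply 0 x3mRouting_NETFLIX
if [ "${1:-}" = "--plan" ]; then plan "$2" "$3"; fi
```

Run it as `sh route_ipset.sh --plan 0 x3mRouting_NETFLIX` to see exactly what would be executed; iface 0 produces the `--or-mark 0x8000` rule that the thread's firmware routes to the main (WAN) table, while 1 produces `0x1000` for ovpnc1.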

You may have just fixed my issue. I'm set up on OpenVPN client 4; should I configure 1 if it's bound to that? Might be my issue.
 
Please post the output of these two commands:

iptables -nvL PREROUTING -t mangle --line

ip rule

Check to see if the ipset list is populated correctly:

ipset -L x3mRouting_NETFLIX
 
The client number shouldn't matter. But I have had issues with policy routing in the past if I don't also include the router's IP address in the list and route it to the WAN iface, especially when using more than one OpenVPN client.
 

ipset shows a ton of IP subnets, so I'm assuming that is working. I removed and disabled the other VPNs; OVPN1 is now the only one set up and turned on.

ip rule details here:

Code:
admin@RT-AC86U-6D00:/jffs/scripts# ip rule
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9991:   from all fwmark 0x3000/0x3000 lookup ovpnc5
9992:   from all fwmark 0x7000/0x7000 lookup ovpnc4
9993:   from all fwmark 0x4000/0x4000 lookup ovpnc3
9994:   from all fwmark 0x2000/0x2000 lookup ovpnc2
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10101:  from 192.168.50.11 lookup ovpnc1
10102:  from 192.168.50.10 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

Details from iptables:

Code:
Chain PREROUTING (policy ACCEPT 960K packets, 761M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    12007 1317K MARK       all  --  *      *       192.168.50.0/24      192.168.50.1         MARK set 0x9
2    12007 1317K RETURN     all  --  *      *       192.168.50.0/24      192.168.50.1
3     6252  808K MARK       all  --  *      *       0.0.0.0/0           !192.168.50.0/24      MAC D4:E6:B7:C2:8A:0B MARK set 0x1e
4     6252  808K RETURN     all  --  *      *       0.0.0.0/0           !192.168.50.0/24      MAC D4:E6:B7:C2:8A:0B
5     144K   12M MARK       all  --  *      *       0.0.0.0/0           !192.168.50.0/24      source IP range 192.168.50.150-192.168.50.225 MARK set 0x1f
6     144K   12M RETURN     all  --  *      *       0.0.0.0/0           !192.168.50.0/24      source IP range 192.168.50.150-192.168.50.225
7     1999  476K MARK       all  --  *      *       192.168.50.10       !192.168.50.0/24      MARK set 0x20
8     1999  476K RETURN     all  --  *      *       192.168.50.10       !192.168.50.0/24
9     3950 1319K MARK       all  --  *      *       192.168.50.11       !192.168.50.0/24      MARK set 0x21
10    3950 1319K RETURN     all  --  *      *       192.168.50.11       !192.168.50.0/24
11     772 87760 MARK       all  --  *      *       192.168.50.12       !192.168.50.0/24      MARK set 0x22
12     772 87760 RETURN     all  --  *      *       192.168.50.12       !192.168.50.0/24
13     158 40591 MARK       all  --  *      *       192.168.50.14       !192.168.50.0/24      MARK set 0x23
14     158 40591 RETURN     all  --  *      *       192.168.50.14       !192.168.50.0/24
15       0     0 MARK       all  --  *      *       0.0.0.0/0           !192.168.50.0/24      source IP range 192.168.50.60-192.168.50.65 MARK set 0x24
16       0     0 RETURN     all  --  *      *       0.0.0.0/0           !192.168.50.0/24      source IP range 192.168.50.60-192.168.50.65
17       0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set x3mRouting_NETFLIX dst MARK or 0x8000
18     781  191K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set x3mRouting_AMAZONAWS dst MARK or 0x8000
 

Everything looks okay to me. I see packets traversing the iptables chain for Amazon but not for Netflix.
Code:
17 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_NETFLIX dst MARK or 0x8000
18 781 191K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_AMAZONAWS dst MARK or 0x8000

Try to surf NF in a browser and again on your streaming device and see if the packet count goes up. Do you get the proxy error when you try to stream on NF?

Also try adding the router IP to the Policy Rules and route to the WAN per the post above.
 
Here is my output. I am routing the traffic to OpenVPN Client 1 and not the WAN, though. Note the pkts and bytes columns. Non-zero values show you that traffic is traversing the chain.
Code:
# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 11068 packets, 12M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  tun15  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        0     0 MARK       all  --  tun14  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3        0     0 MARK       all  --  tun13  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
4     2244 2453K MARK       all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
5     4127 5339K MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
6        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
7     1205  107K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set x3mRouting_NETFLIX dst MARK or 0x1000
8      197  162K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set x3mRouting_AMAZONAWS dst MARK or 0x1000
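Xentrk's diagnosis above comes down to reading two outputs together: the pkts column of each `match-set` MARK rule in the mangle PREROUTING chain, and the ip rule that turns that fwmark into a routing table. The script below is an added example written for this page (not from the thread and not part of x3mRouting) that automates that check: it joins every match-set rule to the ip rule for its mark and flags sets that have seen no packets, which is exactly the Netflix symptom in the posted output. The sample inputs are copied from the outputs the two posters pasted into the thread; the "NO-IP-RULE" and "NO-TRAFFIC" labels are this script's own.

```shell
#!/bin/sh
# Added example (not x3mRouting code): audit ipset MARK rules against ip rules.
# audit_marks IPTABLES_TEXT IPRULE_TEXT
# Prints one line per match-set rule: set, packets, mark, table, status.
# Works on `iptables -nvL PREROUTING -t mangle` output with or without --line.
audit_marks() {
    printf '%s\n' "$1" | awk -v rules="$2" '
    BEGIN {
        # ip rule lines look like: "9990: from all fwmark 0x8000/0x8000 lookup main"
        n = split(rules, line, "\n")
        for (i = 1; i <= n; i++) {
            nf = split(line[i], f, " ")
            if (nf >= 7 && f[4] == "fwmark") {
                split(f[5], m, "/")      # keep the mark value, drop the mask
                table[m[1]] = f[7]
            }
        }
    }
    /match-set/ {
        set = mark = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "match-set") set = $(i + 1)
            if ($i == "or")        mark = $(i + 1)   # "MARK or 0x8000" is -j MARK --or-mark 0x8000
        }
        pk = ($3 == "MARK") ? $1 : $2                 # pkts column shifts when --line is used
        t = (mark in table) ? table[mark] : "NO-IP-RULE"
        status = (pk == 0) ? "NO-TRAFFIC" : "ok"
        printf "%s pkts=%s mark=%s table=%s %s\n", set, pk, mark, t, status
    }'
}

# Sample inputs copied from the thread (LevesqueOnline's router, rules 17-18 and ip rule).
LEVESQUE_IPT='17 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_NETFLIX dst MARK or 0x8000
18 781 191K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_AMAZONAWS dst MARK or 0x8000'

LEVESQUE_RULES='0: from all lookup local
9990: from all fwmark 0x8000/0x8000 lookup main
9991: from all fwmark 0x3000/0x3000 lookup ovpnc5
9992: from all fwmark 0x7000/0x7000 lookup ovpnc4
9993: from all fwmark 0x4000/0x4000 lookup ovpnc3
9994: from all fwmark 0x2000/0x2000 lookup ovpnc2
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
10101: from 192.168.50.11 lookup ovpnc1
10102: from 192.168.50.10 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default'

# Xentrk's chain: same sets, marked 0x1000 (OpenVPN client 1) and carrying traffic.
XENTRK_IPT='7     1205  107K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set x3mRouting_NETFLIX dst MARK or 0x1000
8      197  162K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set x3mRouting_AMAZONAWS dst MARK or 0x1000'

audit_marks "$LEVESQUE_IPT" "$LEVESQUE_RULES"
audit_marks "$XENTRK_IPT"   "$LEVESQUE_RULES"
```

On the router, run it live with `audit_marks "$(iptables -nvL PREROUTING -t mangle --line)" "$(ip rule)"`. For the posted output it reports `x3mRouting_NETFLIX pkts=0 mark=0x8000 table=main NO-TRAFFIC`, i.e. the rule and the WAN routing path are both in place but nothing from br0 has matched the set yet, which narrows the problem to the set contents or to the device's traffic not reaching that rule.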
 
