Bypass for Netflix sub domains not working

Hi,

I have

Nano Pi R4S, OpenWrt 19.07.5 r11257-5090152ae3 / LuCI

Service Status [vpn-policy-routing 0.3.2-20]

Resolver IPset is set to DNSMASQ

Netflix complains about being on a VPN; I can also confirm that tcpdump on the tun0 interface shows traffic to a subdomain slipping through tun0.

Please enlighten me on how to fix it.

Thank you, and I appreciate all the help and input.

Post the output:

uci show vpn-policy-routing

Probable DNS leak. Set your DHCP server to provide 1.1.1.1 and 1.0.0.1 DNS servers to your DHCP clients and report back. If it works for Netflix, AND you also have some sort of AdBlock in the router, AdBlock may stop working because you're now bypassing the local DNS server.
I solved this problem with two separate LAN segments (say 192.168.1.0/24 for normal, 192.168.2.0/24 for VPN). In my scenario the first segment is used by clients requiring normal internet access (going through the normal local DNS server on the router) and the second is only used for VPN access (going directly to outside DNS servers). YMMV.

root@FriendlyWrt:~# uci show vpn-policy-routing
vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].interface='wan'
vpn-policy-routing.@policy[0].dest_addr='google.com googleusercontent.com'
vpn-policy-routing.@policy[1]=policy
vpn-policy-routing.@policy[1].interface='wan'
vpn-policy-routing.@policy[1].dest_addr='dns.google'
vpn-policy-routing.@policy[2]=policy
vpn-policy-routing.@policy[2].interface='wan'
vpn-policy-routing.@policy[2].dest_addr='netflix.net netflix.com nflxvideo.net nflxext.com nflxvideo.net fast.com'
vpn-policy-routing.@policy[3]=policy
vpn-policy-routing.@policy[3].interface='wan'
vpn-policy-routing.@policy[3].dest_addr='amazonaws.com'
vpn-policy-routing.@policy[4]=policy
vpn-policy-routing.@policy[4].interface='wan'
vpn-policy-routing.@policy[4].dest_addr='108.175.32.0/20 185.2.220.0/22 185.9.188.0/22 192.173.64.0/18 192.173.65.0/24 192.173.67.0/24 192.173.68.0/24 192.173.70.0/24 192.173.72.0/24 192.173.73.0/24 192.173.74.0/24 192.173.75.0/24 192.173.76.0/24 192.173.77.0/24 192.173.78.0/24 192.173.79.0/24 192.173.80.0/24 192.173.82.0/24 192.173.83.0/24 192.173.84.0/24 192.173.86.0/24 192.173.87.0/24 192.173.88.0/24 192.173.89.0/24 192.173.92.0/24 192.173.94.0/24 192.173.96.0/24 198.38.100.0/24 198.38.108.0/24 198.38.109.0/24 198.38.110.0/24 198.38.111.0/24 198.38.112.0/24 198.38.113.0/24 198.38.114.0/24 198.38.115.0/24 198.38.120.0/24 198.38.121.0/24 198.38.122.0/24 198.38.96.0/19 198.38.98.0/24 198.38.99.0/24 198.45.48.0/20 198.45.48.0/24 198.45.49.0/24 198.45.50.0/24 198.45.56.0/24 208.75.76.0/22 3.246.0.0/18 23.246.10.0/24 23.246.11.0/24 23.246.12.0/24 23.246.13.0/24 23.246.14.0/24 23.246.15.0/24 23.246.16.0/24 23.246.17.0/24 23.246.20.0/24 23.246.2.0/24 23.246.21.0/24 23.246.26.0/24 23.246.27.0/24 23.246.30.0/24 23.246.3.0/24 23.246.31.0/24 23.246.36.0/24 223.246.41.0/24 23.246.42.0/24 23.246.44.0/24 23.246.45.0/24 23.246.46.0/24 23.246.47.0/24 23.246.48.0/24 23.246.49.0/24 23.246.50.0/24 23.246.51.0/24 23.246.52.0/24 23.246.54.0/24 23.246.55.0/24 23.246.56.0/24 23.246.57.0/24 23.246.58.0/24 23.246.59.0/24 23.246.6.0/24 23.246.7.0/24 37.77.184.0/21 37.77.184.0/24 37.77.186.0/24 37.77.187.0/24 37.77.188.0/24 37.77.189.0/24 45.57.0.0/17 45.57.0.0/24 45.57.100.0/24 45.57.10.0/24 45.57.101.0/24 45.57.102.0/24 45.57.1.0/24 45.57.103.0/24 45.57.104.0/24'
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.resolver_ipset='dnsmasq.ipset'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.ignored_interface='vpnserver wgserver'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.procd_reload_delay='1'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.config.dest_ipset='1'
vpn-policy-routing.config.src_ipset='1'
vpn-policy-routing.config.webui_enable_column='1'
vpn-policy-routing.config.webui_protocol_column='1'
vpn-policy-routing.config.webui_chain_column='1'
vpn-policy-routing.config.webui_show_ignore_target='1'
vpn-policy-routing.config.enabled='1'
vpn-policy-routing.config.boot_timeout='90'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[0].enabled='0'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@include[1].enabled='0'
root@FriendlyWrt:~#

The policy with a lot of dest IPs was put in to catch all of them and route those IPs to WAN; this was a workaround, as sub-domains were not getting caught by the VPR.

This can test for that and improve security a lot. Gibbs does know his stuff on this.

https://www.grc.com/dns/dns.htm

Be amazed by the results from this.

I followed your suggestion and here is the output:

tcpdump shows DNS traffic exiting the WAN:

root@FriendlyWrt:~#
root@FriendlyWrt:~# tcpdump -i eth0 | grep -i "one"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:57:58.532170 STP 802.1d, Config, Flags [none], bridge-id 0000.40:2b:50:5b:24:d2.8001, length 43
20:57:59.532155 STP 802.1d, Config, Flags [none], bridge-id 0000.40:2b:50:5b:24:d2.8001, length 43
20:58:00.532061 STP 802.1d, Config, Flags [none], bridge-id 0000.40:2b:50:5b:24:d2.8001, length 43
20:58:01.532137 STP 802.1d, Config, Flags [none], bridge-id 0000.40:2b:50:5b:24:d2.8001, length 43
20:58:02.532056 STP 802.1d, Config, Flags [none], bridge-id 0000.40:2b:50:5b:24:d2.8001, length 43
20:58:03.532128 STP 802.1d, Config, Flags [none], bridge-id 0000.40:2b:50:5b:24:d2.8001, length 43
**20:58:04.021018 IP 192.168.1.108.56388 > one.one.one.one.53: 46886+ A? one.one.one.one. (33)**
**20:58:04.021302 IP 192.168.1.108.50099 > one.one.one.one.53: 62257+ AAAA? one.one.one.one. (33)**
**20:58:04.027212 IP one.one.one.one.53 > 192.168.1.108.56388: 46886 2/0/0 A 1.0.0.1, A 1.1.1.1 (65)**
**20:58:04.029045 IP one.one.one.one.53 > 192.168.1.108.50099: 62257 2/0/0 AAAA 2606:4700:4700::1001, AAAA 2606:4700:4700::1111 (89)**
20:58:04.532236 STP 802.1d, Config, Flags [none], bridge-id 0000.40:2b:50:5b:24:d2.8001, length 43
20:58:05.041327 IP 192.168.1.108.30143 > one.one.one.one.53: 5989+ PTR? 1.1.1.1.in-addr.arpa. (38)
20:58:05.049098 IP one.one.one.one.53 > 192.168.1.108.30143: 5989 1/0/0 PTR one.one.one.one. (67)
20:58:05.532174 STP 802.1d, Config, Flags [none], bridge-id 0000.40:2b:50:5b:24:d2.8001, length 43
20:58:06.532362 STP 802.1d, Config, Flags [none], bridge-id 0000.40:2b:50:5b:24:d2.8001, length 43
20:58:07.532319 STP 802.1d, Config, Flags [none], bridge-id 0000.40:2b:50:5b:24:d2.8001, length 43
20:58:08.532228 STP 802.1d, Config, Flags [none], bridge-id 0000.40:2b:50:5b:24:d2.8001, length 43
20:58:09.532352 STP 802.1d, Config, Flags [none], bridge-id 0000.40:2b:50:5b:24:d2.8001, length 43
20:58:10.532185 STP 802.1d, Config, Flags [none], bridge-id 0000.40:2b:50:5b:24:d2.8001, length 43
20:58:10.927227 IP 192.168.1.108.16608 > one.one.one.one.53: 46961+ PTR? 1.0.0.1.in-addr.arpa. (38)
20:58:10.927374 IP 192.168.1.108.16608 > one.one.one.one.53: 46961+ PTR? 1.0.0.1.in-addr.arpa. (38)
20:58:10.933125 IP one.one.one.one.53 > 192.168.1.108.16608: 46961 1/0/0 PTR one.one.one.one. (67)
20:58:10.933125 IP one.one.one.one.53 > 192.168.1.108.16608: 46961 1/0/0 PTR one.one.one.one. (67)
20:58:10.934585 IP 192.168.1.108.38078 > one.one.one.one.53: 54008+ PTR? 1.1.1.1.in-addr.arpa. (38)
20:58:10.940615 IP one.one.one.one.53 > 192.168.1.108.38078: 54008 1/0/0 PTR one.one.one.one. (67)
20:58:10.945552 IP 192.168.1.254.53 > 192.168.1.108.16608: 46961 1/0/0 PTR one.one.one.one. (67)
20:58:11.532343 STP 802.1d, Config, Flags [none], bridge-id 0000.40:2b:50:5b:24:d2.8001, length 43
^C186 packets captured
186 packets received by filter
0 packets dropped by kernel

Hi,
Really appreciate all the help.

So I looked at https://docs.openwrt.melmac.net/vpn-policy-routing/#a-word-about-routing-netflixamazon-primehulu-traffic

  1. I am in the US and not trying to circumvent any geo-restrictions, I just want to watch the regular US content.
  2. Sorry, I cannot make a source-based VPR, because I sometimes watch from a phone, iPad, PC etc.
    So I have a requirement to make VPR work destination-based.
  3. My friend is running some VPR 2.x version on a Nano Pi R2S and I know his VPR works fine.
  4. I cannot get the old version of VPR anymore.
  5. The tcpdump below shows the subdomain SOMETHING.nflxvideo.net routing through tun0,
    whereas nflxvideo.net is already listed in the VPR rules.
  6. uci show vpn-policy-routing is at the end.
root@FriendlyWrt:~#
root@FriendlyWrt:~# tcpdump -i tun0 | grep -i nflx
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
21:00:29.991751 IP **pv4-c334-nyc001-ix.1.oca.nflxvideo.net**.443 > 10.119.190.117.61562: Flags [.], ack 3524057984, win 79, length 0
21:00:29.995595 IP 10.119.190.117.61562 > **ipv4-c334-nyc001-ix.1.oca.nflxvideo.net**.443: Flags [.], ack 1, win 1024, length 0
21:00:31.986051 IP ipv4-c340-nyc001-ix.1.oca.nflxvideo.net.443 > 10.119.190.117.61561: Flags [.], ack 2417640730, win 73, length 0
21:00:31.989886 IP 10.119.190.117.61561 > ipv4-c340-nyc001-ix.1.oca.nflxvideo.net.443: Flags [.], ack 1, win 1024, length 0
21:00:32.074537 IP ipv4-c354-nyc001-ix.1.oca.nflxvideo.net.443 > 10.119.190.117.61556: Flags [.], ack 2275872982, win 169, length 0
21:00:32.074909 IP ipv4-c354-nyc001-ix.1.oca.nflxvideo.net.443 > 10.119.190.117.61555: Flags [.], ack 1318357475, win 163, length 0
21:00:32.075119 IP ipv4-c354-nyc001-ix.1.oca.nflxvideo.net.443 > 10.119.190.117.61552: Flags [.], ack 1878774991, win 172, length 0
21:00:32.075410 IP ipv4-c354-nyc001-ix.1.oca.nflxvideo.net.443 > 10.119.190.117.61554: Flags [.], ack 1432532245, win 178, length 0
21:00:32.078520 IP 10.119.190.117.61555 > ipv4-c354-nyc001-ix.1.oca.nflxvideo.net.443: Flags [.], ack 1, win 1019, length 0
21:00:32.078599 IP 10.119.190.117.61556 > ipv4-c354-nyc001-ix.1.oca.nflxvideo.net.443: Flags [.], ack 1, win 1024, length 0
21:00:32.078635 IP 10.119.190.117.61552 > ipv4-c354-nyc001-ix.1.oca.nflxvideo.net.443: Flags [.], ack 1, win 1024, length 0
21:00:32.078712 IP 10.119.190.117.61554 > ipv4-c354-nyc001-ix.1.oca.nflxvideo.net.443: Flags [.], ack 1, win 1024, length 0
^C43 packets captured
57 packets received by filter
0 packets dropped by kernel
root@FriendlyWrt:~# uci show vpn-policy-routing
vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].interface='wan'
vpn-policy-routing.@policy[0].dest_addr='1.1.1.1'
vpn-policy-routing.@policy[1]=policy
vpn-policy-routing.@policy[1].interface='wan'
vpn-policy-routing.@policy[1].dest_addr='1.0.0.1'
vpn-policy-routing.@policy[1].chain='OUTPUT'
vpn-policy-routing.@policy[2]=policy
vpn-policy-routing.@policy[2].interface='wan'
vpn-policy-routing.@policy[2].dest_addr='one.one.one.one'
vpn-policy-routing.@policy[2].chain='OUTPUT'
vpn-policy-routing.@policy[3]=policy
vpn-policy-routing.@policy[3].interface='wan'
vpn-policy-routing.@policy[3].dest_addr='google.com googleusercontent.com'
vpn-policy-routing.@policy[4]=policy
vpn-policy-routing.@policy[4].interface='wan'
vpn-policy-routing.@policy[4].dest_addr='dns.google'
vpn-policy-routing.@policy[5]=policy
vpn-policy-routing.@policy[5].interface='wan'
vpn-policy-routing.@policy[5].dest_addr='netflix.net netflix.com nflxvideo.net nflxext.com nflxvideo.net fast.com'
vpn-policy-routing.@policy[6]=policy
vpn-policy-routing.@policy[6].interface='wan'
vpn-policy-routing.@policy[6].dest_addr='amazonaws.com'
vpn-policy-routing.@policy[7]=policy
vpn-policy-routing.@policy[7].interface='wan'
vpn-policy-routing.@policy[7].dest_addr='108.175.32.0/20 185.2.220.0/22 185.9.188.0/22 192.173.64.0/18 192.173.65.0/24 192.173.67.0/24 192.173.68.0/24 192.173.70.0/24 192.173.72.0/24 192.173.73.0/24 192.173.74.0/24 192.173.75.0/24 192.173.76.0/24 192.173.77.0/24 192.173.78.0/24 192.173.79.0/24 192.173.80.0/24 192.173.82.0/24 192.173.83.0/24 192.173.84.0/24 192.173.86.0/24 192.173.87.0/24 192.173.88.0/24 192.173.89.0/24 192.173.92.0/24 192.173.94.0/24 192.173.96.0/24 198.38.100.0/24 198.38.108.0/24 198.38.109.0/24 198.38.110.0/24 198.38.111.0/24 198.38.112.0/24 198.38.113.0/24 198.38.114.0/24 198.38.115.0/24 198.38.120.0/24 198.38.121.0/24 198.38.122.0/24 198.38.96.0/19 198.38.98.0/24 198.38.99.0/24 198.45.48.0/20 198.45.48.0/24 198.45.49.0/24 198.45.50.0/24 198.45.56.0/24 208.75.76.0/22 3.246.0.0/18 23.246.10.0/24 23.246.11.0/24 23.246.12.0/24 23.246.13.0/24 23.246.14.0/24 23.246.15.0/24 23.246.16.0/24 23.246.17.0/24 23.246.20.0/24 23.246.2.0/24 23.246.21.0/24 23.246.26.0/24 23.246.27.0/24 23.246.30.0/24 23.246.3.0/24 23.246.31.0/24 23.246.36.0/24 223.246.41.0/24 23.246.42.0/24 23.246.44.0/24 23.246.45.0/24 23.246.46.0/24 23.246.47.0/24 23.246.48.0/24 23.246.49.0/24 23.246.50.0/24 23.246.51.0/24 23.246.52.0/24 23.246.54.0/24 23.246.55.0/24 23.246.56.0/24 23.246.57.0/24 23.246.58.0/24 23.246.59.0/24 23.246.6.0/24 23.246.7.0/24 37.77.184.0/21 37.77.184.0/24 37.77.186.0/24 37.77.187.0/24 37.77.188.0/24 37.77.189.0/24 45.57.0.0/17 45.57.0.0/24 45.57.100.0/24 45.57.10.0/24 45.57.101.0/24 45.57.102.0/24 45.57.1.0/24 45.57.103.0/24 45.57.104.0/24'
vpn-policy-routing.@policy[7].enabled='0'
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.resolver_ipset='dnsmasq.ipset'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.ignored_interface='vpnserver wgserver'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.procd_reload_delay='1'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.config.dest_ipset='1'
vpn-policy-routing.config.src_ipset='1'
vpn-policy-routing.config.webui_enable_column='1'
vpn-policy-routing.config.webui_protocol_column='1'
vpn-policy-routing.config.webui_chain_column='1'
vpn-policy-routing.config.webui_show_ignore_target='1'
vpn-policy-routing.config.boot_timeout='90'
vpn-policy-routing.config.enabled='1'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[0].enabled='0'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@include[1].enabled='0'
root@FriendlyWrt:~#
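A small check of the kind that makes the leak in the post above visible without eyeballing tcpdump by hand. This is an added example, not code from the thread or from the vpn-policy-routing package: it parses tcpdump lines captured on the tunnel interface, extracts both hostnames, and reports any host that falls under one of the domains listed in the WAN policy's dest_addr using dnsmasq-style suffix matching (a subdomain of nflxvideo.net counts as a match). The capture lines are constructed from the ones shown in the post, plus one unrelated line; example.org is a placeholder.

```python
import re

# Constructed sample: tcpdump output of the kind shown in the thread, captured
# on the VPN tunnel interface (tun0), plus one unrelated line (example.org is
# a placeholder, not a host from the thread).
SAMPLE_TUN0 = """\
21:00:29.991751 IP ipv4-c334-nyc001-ix.1.oca.nflxvideo.net.443 > 10.119.190.117.61562: Flags [.], ack 3524057984, win 79, length 0
21:00:29.995595 IP 10.119.190.117.61562 > ipv4-c334-nyc001-ix.1.oca.nflxvideo.net.443: Flags [.], ack 1, win 1024, length 0
21:00:35.000000 IP 10.119.190.117.61580 > example.org.443: Flags [S], seq 1, win 64240, length 0
"""

# Domains from the dest_addr of the WAN policy in the uci dump (duplicate removed).
BYPASS_DOMAINS = "netflix.net netflix.com nflxvideo.net nflxext.com fast.com".split()

# "<ts> IP <host>.<port> > <host>.<port>:" -- the non-greedy host group stops at
# the last ".<digits>" before " >" or ":", so dotted hostnames and IPs both work.
HOST_RE = re.compile(r"^\S+ IP (\S+?)\.(\d+) > (\S+?)\.(\d+):")


def matches_bypass(host, domains=BYPASS_DOMAINS):
    """dnsmasq-style suffix match: 'a.b.nflxvideo.net' matches 'nflxvideo.net',
    but 'notnflxvideo.net' does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_leaks(capture, domains=BYPASS_DOMAINS):
    """Return the sorted set of hosts seen on the tunnel capture that should
    have been policy-routed to WAN according to the bypass domain list."""
    leaks = set()
    for line in capture.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # STP frames, summary lines, etc.
        for host in (m.group(1), m.group(3)):
            if matches_bypass(host, domains):
                leaks.add(host)
    return sorted(leaks)


if __name__ == "__main__":
    for host in find_leaks(SAMPLE_TUN0):
        print("leaked through tunnel:", host)
```

Keep in mind that tcpdump prints reverse-DNS names, so a hit here only shows the address belongs to the domain family; the dnsmasq ipset is populated from forward lookups that pass through dnsmasq, and a client that resolves via some other server (the DNS leak discussed earlier in the thread) never populates it.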

Thank you everyone and Stangri; specific nflx domain policies and the Netflix custom user files did it, it's all good now.