I have read a lot of posts about bypassing a VPN. I only need to get my regional Netflix back. I have read about VPN bypass, VPN Policy-Based Routing, static routes and so on, and I'm confused about what the simplest way to get Netflix working is. Could you please help me find an easier way to do that? My OpenVPN connection is working very well.
Thank you so much!
Thank you so much!
I have installed vpn-policy-routing
and all its dependencies. Everything is working fine.
I only edited the config file /etc/config/vpn-policy-routing
, but it is not routing Netflix. I also added a Test policy to check it, and that does not work either.
Is this config the minimum needed to get Netflix
working? I have not changed anything in other files.
[UPDATE]
I will update the post with recommendations found here.
- content of
/etc/config/dhcp
# dnsmasq (DNS + DHCP) settings for the router, as posted; indentation was lost in the paste.
config dnsmasq
option domainneeded 1
option boguspriv 1
option filterwin2k 0 # enable for dial on demand
option localise_queries 1
option rebind_protection 1 # disable if upstream must serve RFC1918 addresses
option rebind_localhost 1 # enable for RBL checking and similar services
#list rebind_domain example.lan # whitelist RFC1918 responses for domains
option local '/lan/'
option domain 'lan'
option expandhosts 1
option nonegcache 0
option authoritative 1
option readethers 1
option leasefile '/tmp/dhcp.leases'
# Upstream resolvers are taken from this file rather than from a fixed 'list server' entry.
option resolvfile '/tmp/resolv.conf.auto'
#list server '/mycompany.local/1.2.3.4'
option nonwildcard 1 # bind to & keep track of interfaces
#list interface br-lan
#list notinterface lo
#list bogusnxdomain '64.94.110.11'
option localservice 1 # disable to allow DNS requests from non-local subnets
# DHCP pool for the lan interface: 150 leases starting at host offset 100, 12 hour lease time.
# With the lan address 192.168.1.1/255.255.255.0 shown under /etc/config/network on this page,
# that places DHCP clients at 192.168.1.100 and above.
config dhcp lan
option interface lan
option start 100
option limit 150
option leasetime 12h
# No DHCP service is offered on wan (ignore 1).
config dhcp wan
option interface wan
option ignore 1
- content of
/etc/config/firewall
# Firewall defaults and the lan/wan zones, as posted; indentation was lost in the paste.
# Defaults: forwarding between zones is rejected unless a 'config forwarding' section allows it.
# NOTE(review): input 'ACCEPT' here is the fallback for traffic not covered by a zone —
# presumably only interfaces that belong to no zone; confirm every interface is in one.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option drop_invalid '1'
# lan zone: the router accepts input from LAN hosts and forwards between LAN members.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# wan zone: unsolicited input and forwarding from the upstream network are dropped.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option mtu_fix '1'
# NOTE(review): masquerading is off on wan, so LAN traffic sent out this zone would keep its
# 192.168.1.x source address. Together with the absence of a lan -> wan forwarding in the
# sections shown on this page, this acts as a VPN kill switch. Policy-routing selected
# destinations via wan needs both to be enabled deliberately, which weakens that kill switch.
option masq '0'
# Traffic rules for packets arriving from the wan zone. None of them permits LAN -> wan forwarding.
# Accept IPv4 UDP to port 68 on the router so the wan DHCP lease can be renewed.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Accept IPv4 echo-request from wan: the router answers ping from the upstream network.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# Accept IPv4 IGMP from wan.
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# Accept IPv6 UDP to port 546 from wan, limited to the fc00::/6 source and destination range.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Accept the listed ICMPv6 types (130-132, 143) from link-local sources on wan.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# Accept the listed ICMPv6 types addressed to the router itself, rate-limited to 1000/sec.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Accept the listed ICMPv6 types forwarded from wan to any zone, rate-limited to 1000/sec.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Accept ESP forwarded from wan to lan.
# NOTE(review): this rule and Allow-ISAKMP below admit IPsec traffic from wan towards LAN hosts;
# if no LAN host terminates IPsec they can be removed — confirm.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
# Accept UDP port 500 (IKE) forwarded from wan to lan.
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Custom rules file loaded in addition to this config.
config include
option path '/etc/firewall.user'
# Zone for the VPN tunnel: it covers the 'openvpn' network (tun0 in /etc/config/network on this page).
# Input and forwarding from the tunnel are rejected; outbound traffic is masqueraded.
config zone
option name 'expressvpn'
option network 'openvpn'
option output 'ACCEPT'
option input 'REJECT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# The only forwarding in the sections shown: LAN clients may reach the VPN zone.
# NOTE(review): there is no lan -> wan forwarding on this page, so packets that vpn-policy-routing
# marks for 'wan' would still be refused by the default forward 'REJECT'. That keeps LAN traffic
# from leaving outside the tunnel; allowing a bypass means adding a lan -> wan forwarding (and
# masq on wan) on purpose and accepting that any LAN traffic routed to wan then leaves unencrypted.
config forwarding
option dest 'expressvpn'
option src 'lan'
- content of
/etc/config/network
# Interface definitions, as posted; indentation was lost in the paste.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd50:47ca:da83::/48'
# LAN bridge on eth0.1 with the static address 192.168.1.1/24.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
# Upstream IPv4 link on eth1.2, addressed by DHCP.
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
# list dns '8.8.8.8'
# list dns '8.8.4.4'
# NOTE(review): peerdns '1' accepts the resolvers announced by the upstream DHCP server; whether
# the router's DNS queries then travel through tun0 or eth1.2 is not visible here — check for
# DNS leaks if that matters for the VPN.
option peerdns '1'
# Upstream IPv6 (DHCPv6 client) on the same device as wan.
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
# list dns '2001:4860:4860::8888'
# list dns '2001:4860:4860::8844'
option peerdns '1'
# Switch and VLAN layout: VLAN 1 on ports 0-3 plus tagged port 5, VLAN 2 on port 4 plus tagged port 6.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
# Unmanaged (proto 'none') interface that gives tun0 a network name; the firewall zone
# 'expressvpn' and vpn-policy-routing on this page refer to it as 'openvpn'.
config interface 'openvpn'
option ifname 'tun0'
option proto 'none'
- content of
/etc/config/vpn-policy-routing
# Main settings of the vpn-policy-routing service, as posted; indentation was lost in the paste.
config vpn-policy-routing 'config'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
# NOTE(review): the support output on this page lists the 'wan' and 'openvpn' ipsets with no
# entries, and the policies below appear there as fixed -d addresses. The domains were presumably
# resolved once at reload, so addresses returned by later DNS answers would not be covered — confirm.
option dest_ipset 'dnsmasq.ipset'
option ipv6_enabled '0'
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option iptables_rule_option 'append'
option iprule_enabled '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option webui_enable_column '1'
option webui_protocol_column '1'
option webui_chain_column '1'
option enabled '1'
# Interfaces that policies may route through.
list supported_interface 'wan'
list supported_interface 'openvpn'
# User include scripts; both are disabled here (enabled '0').
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
# Policy: traffic from the source range to the listed domains is marked for the 'wan' table.
# NOTE(review): marking only selects the routing table. The firewall config on this page has no
# lan -> wan forwarding and masq '0' on wan, so the marked traffic also has to be permitted there.
config policy
option name 'Netflix Domains'
option interface 'wan'
# NOTE(review): a /26 covers only 192.168.1.0-192.168.1.63 (the iptables output on this page
# shows it as 192.168.1.0/26). The lan DHCP pool in /etc/config/dhcp starts at host offset 100,
# so DHCP clients fall outside this range and would not match the policy — confirm the intended range.
option src_addr '192.168.1.1/26'
option dest_addr 'amazonaws.com netflix.com nflxext.com nflxvideo.net dvd.netflix.com nflximg.com nflxsearch.net'
# Test policy with the same source range (the /26 caveat above applies here too).
config policy
option interface 'wan'
option src_addr '192.168.1.1/26'
option name 'Test'
option dest_addr 'myip.com'
- the output of
/etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.2.1-13 running on OpenWrt 19.07.3. WAN (IPv4): wan/dev/192.168.0.254.
============================================================
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 10.169.0.113 128.0.0.0 UG 0 0 0 tun0
default 192.168.0.254 0.0.0.0 UG 0 0 0 eth1.2
IPv4 Table 201: default via 192.168.0.254 dev eth1.2
IPv4 Table 201 Rules:
32727: from all fwmark 0x10000/0xff0000 lookup 201
IPv4 Table 202: default via 10.169.0.114 dev tun0
IPv4 Table 202 Rules:
32726: from all fwmark 0x20000/0xff0000 lookup 202
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.0/26 -d 104.31.66.68/32 -m comment --comment Test -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 104.31.67.68/32 -m comment --comment Test -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 172.67.208.45/32 -m comment --comment Test -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 50.17.247.9/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 204.236.236.127/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 107.20.175.192/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 52.31.48.193/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 34.252.74.1/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 46.137.171.215/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 18.236.7.30/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 44.226.113.145/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 34.218.19.240/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 207.45.72.215/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 207.45.72.201/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 52.87.87.3/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 54.174.34.188/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 107.21.49.97/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 34.198.43.9/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 107.23.174.29/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 54.209.108.109/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 54.210.65.253/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 54.156.193.108/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 72.21.206.80/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 207.171.166.22/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 72.21.210.29/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set openvpn dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
-A VPR_FORWARD -m set --match-set openvpn dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_FORWARD -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables INPUT
-N VPR_INPUT
-A VPR_INPUT -m set --match-set openvpn dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_INPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m set --match-set openvpn dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create openvpn hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
- the output of
/etc/init.d/vpn-policy-routing reload
with verbosity setting set to 2
Creating table 'wan/eth1.2/192.168.0.254' [✓]
Creating table 'openvpn/tun0/10.169.0.114' [✓]
Routing 'Netflix Domains' via wan [✓]
Routing 'Test' via wan [✓]
vpn-policy-routing 0.2.1-13 started with gateways:
wan/eth1.2/192.168.0.254
openvpn/tun0/10.169.0.114 [✓]
vpn-policy-routing 0.2.1-13 monitoring interfaces: wan openvpn .
# Enable the first 'config include' section (index 0); in the config posted above that is
# /etc/vpn-policy-routing.netflix.user.
uci set vpn-policy-routing.@include[0].enabled="1"
# Write the staged change to /etc/config/vpn-policy-routing.
uci commit vpn-policy-routing
# Restart the service so the new setting takes effect.
/etc/init.d/vpn-policy-routing restart
# Show the first lines of the 'wan' ipset to check whether it now has entries
# (it was empty in the support output above).
ipset list wan | head