VPN Bypass fails ONLY on certain Netflix show

Greetings,

I am using OpenWrt 21.02.0 on an RPi4B running WireGuard with the vpnbypass package (policy routing so that selected traffic skips the tunnel), and it works perfectly except for one show: "Wentworth," which displays the dreaded VPN screen of death.

Does anyone have any guidance as to how Netflix does these checks, and if there is any kind of workaround?

I am in Columbus, Ohio, and the VPN PoP is in New York.

My config files are below.

Thanks for your assistance!

John

/etc/config/network

# Loopback; stock OpenWrt values.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix. NOTE(review): every physical/VLAN device below sets
# ipv6 '0', there is no wan6 interface, and wg0 carries only IPv4 allowed_ips,
# so this prefix is the only IPv6 configured anywhere in this file. If clients
# are nevertheless getting IPv6 addresses, confirm where they come from before
# debugging the "Netflix over IPv6" theory -- they would have no IPv6 route out.
config globals 'globals'
	option ula_prefix 'fd09:c84f:a20f::/48'

# Upstream side: VLAN 10 on eth0 towards the DOCSIS modem. IPv6 is switched
# off on the device and no wan6/dhcpv6 interface exists, so there is no native
# IPv6 upstream path from this router.
config device
	option name 'wan'
	list ports 'eth0.10'
	option ipv6 '0'

# DHCP client on the upstream VLAN. metric '0' makes this the preferred
# default route in the main table; wg0's route_allowed_ips then overrides it
# with the two /1 prefixes.
config interface 'wan'
	option proto 'dhcp'
	option device 'eth0.10'
	option metric '0'

# Maintenance network: VLAN 56 on eth0.
config device
	option name 'maint'
	list ports 'eth0.56'
	option ipv6 '0'

# Static management address; defaultroute '0' keeps this VLAN from ever
# becoming a default route.
# NOTE(review): 'maint' is not a member of any zone in /etc/config/firewall
# below, so as far as I can tell it falls under 'config defaults'
# (input ACCEPT): every service on the router is reachable from VLAN 56.
# That is acceptable only if VLAN 56 is genuinely restricted; otherwise give it
# its own zone with input REJECT and explicit allow rules for SSH/LuCI.
config interface 'maint'
	option device 'eth0.56'
	option proto 'static'
	option ipaddr '192.168.56.30'
	option netmask '255.255.255.0'
	option defaultroute '0'

# Bare device stanzas; each only disables IPv6 on the named interface.
# eth0 is the single physical NIC carrying VLANs 10, 52 and 56.
config device
	option name 'eth0'
	option ipv6 '0'

# NOTE(review): no interface in this file references tun0. It looks like a
# leftover from the earlier OpenVPN setup (see the 'ovpn' zone in the firewall
# config) and can probably be removed -- confirm nothing else creates tun0.
config device
	option name 'tun0'
	option ipv6 '0'

# VLAN 56 on eth0: the maintenance network.
config device
	option name 'eth0.56'
	option type '8021q'
	option ifname 'eth0'
	option vid '56'
	option ipv6 '0'

# VLAN 10 on eth0: the upstream (DOCSIS) side.
config device
	option name 'eth0.10'
	option type '8021q'
	option ifname 'eth0'
	option vid '10'
	option ipv6 '0'

# WireGuard client tunnel to the VPN provider.
# NOTE: private_key and public_key are redacted in this paste (good). Never
# post a real WireGuard private key; if one was ever exposed, generate a new
# key pair and re-register the public half with the provider.
config interface 'wg0'
	option proto 'wireguard'
	# A fixed listen port is not required for a client that initiates the
	# handshake, and no firewall rule needs to admit inbound traffic to it.
	option listen_port '51820'
	# peerdns '0' plus the explicit dns list: the router itself resolves via
	# the provider's resolvers through the tunnel. Whether LAN clients do too
	# depends on dnsmasq / vpnbypass settings that are not shown -- this is the
	# first place to look when chasing a DNS leak (or, here, a Netflix geo
	# mismatch between the DNS path and the data path).
	option peerdns '0'
	option private_key '4IXtJ'
	list addresses '10.13.98.205/24'
	list dns '104.223.91.210'
	list dns '104.223.91.194'

config wireguard_wg0
	# route_allowed_ips with the two /1 prefixes below makes the tunnel the
	# default IPv4 route without replacing the wan default route outright.
	# There is no ::/0 (or any IPv6) allowed_ip, so no IPv6 traffic can enter
	# the tunnel at all.
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_port '1443'
	list allowed_ips '128.0.0.0/1'
	list allowed_ips '0.0.0.0/1'
	option description 'TorGuard - New York'
	option public_key 'bQh'
	option endpoint_host '67.213.221.19'

# VLAN 52 on eth0: the client network whose traffic goes through the tunnel.
config device
	option type '8021q'
	option ifname 'eth0'
	option vid '52'
	option name 'eth0.52'
	option ipv6 '0'

# Client LAN (192.168.52.0/24); firewall zone 'sscilan' wraps this interface.
# NOTE(review): 'option type bridge' on an interface is the pre-21.02 form. It
# still works in 21.02, but the current form is a 'config device' of type
# 'bridge' listing the ports. There is no ip6assign here, so the ULA prefix
# should not be delegated to this interface -- confirm with ifstatus if
# clients show IPv6 addresses.
config interface 'SSCILAN'
	option proto 'static'
	option device 'eth0.52'
	option ipaddr '192.168.52.1'
	option netmask '255.255.255.0'
	option type 'bridge'

/etc/config/firewall

# Default policies; these apply to traffic on interfaces that are NOT in any
# zone. NOTE(review): 'maint' (eth0.56) is in no zone in this file, so it
# inherits input ACCEPT here. drop_invalid and synflood_protect are sensible.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option drop_invalid '1'
	option forward 'REJECT'

# NOTE(review): this zone wraps network 'lan', which is not defined in the
# /etc/config/network pasted above, so the zone (and every rule below that
# targets dest 'lan') currently matches nothing. Stale from the stock config;
# either delete it or point it at a real network.
config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'lan'
	list network 'lan'

# Zone for the VPN clients on SSCILAN (192.168.52.0/24). input ACCEPT means the
# clients can reach every router service (DNS, DHCP, SSH, LuCI). The only
# inter-zone forwarding declared for it is sscilan -> wg, further down.
config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'sscilan'
	list network 'SSCILAN'

# Upstream zone: stock policy (drop unsolicited input/forward, masquerade
# outbound, clamp MSS). Everything the Internet may send to this router has to
# be admitted by an explicit rule below.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

# Stock OpenWrt IPv4 input rules for the wan zone: DHCP renewals, ping and
# IGMP. Unchanged from the default firewall config.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Stock OpenWrt IPv6 input/forward rules for the wan zone. With ipv6 '0' on
# the wan device and no wan6 interface in /etc/config/network, none of these
# currently see traffic; they are harmless and become relevant only if native
# IPv6 is ever enabled upstream -- at which point the VPN kill-switch and the
# vpnbypass rules must cover IPv6 as well, or clients will leak around the
# tunnel.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock rules that forward IPsec ESP and ISAKMP from wan into the 'lan' zone.
# NOTE(review): 'lan' has no interfaces in this config, so these are inert
# today; if a real LAN is ever attached to that zone they would become an
# open forward path for ESP / UDP 500 -- delete them unless an IPsec host
# behind the router actually needs them.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'lan'

# Stock, disabled: would answer UDP traceroute probes with rejects.
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

# Custom rules file, not shown in this post. Nothing in this file forwards
# sscilan -> wan, yet the bypass is reported to work for most Netflix traffic,
# so the rules that open that path must live here or be installed by the
# vpnbypass package itself. Review it when hunting for traffic (or DNS) that
# escapes the tunnel.
config include
	option path '/etc/firewall.user'

# Leftover OpenVPN zone. NOTE(review): network 'OVPN' is not defined in the
# pasted /etc/config/network, so this zone has no interfaces and matches
# nothing today. Remove it together with the rule and forwarding below rather
# than leave it to spring back to life if OVPN is ever re-added.
config zone
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option family 'ipv4'
	option name 'ovpn'
	list network 'OVPN'

# NOTE(review): this is a FORWARD rule (dest 'ovpn'), not an input rule, and it
# has no dest_port: it would accept every UDP packet arriving from wan and
# forward it into the OpenVPN zone. An OpenVPN *server* on the router needs an
# input rule (no 'dest') restricted to its port; a *client* needs no inbound
# rule at all. Inert while OVPN is undefined.
config rule
	option name 'Allow-OpenVPN'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest 'ovpn'

# Inert: both 'lan' and 'ovpn' are currently empty zones.
config forwarding
	option src 'lan'
	option dest 'ovpn'

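# Zone for the WireGuard client tunnel. Masquerading lets the 192.168.52.0/24
# clients share the single tunnel address (10.13.98.205); mtu_fix clamps TCP
# MSS to the tunnel MTU.
config zone
	option name 'wg'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg0'

# The only inter-zone forwarding declared for the clients: SSCILAN -> tunnel.
# Nothing in this file forwards sscilan -> wan, so the vpnbypass path must be
# opened in /etc/firewall.user or by the package itself -- review that when
# hunting for leaks.
config forwarding
	option src 'sscilan'
	option dest 'wg'

# Disabled: this was a FORWARD rule (src wan -> dest wg, all protocols), not
# an input rule, so it never helped the tunnel. WireGuard handshake and
# keepalive traffic addressed to the router is INPUT-chain traffic, and for a
# client that initiates the handshake the replies are accepted as part of the
# existing connection anyway. What the rule did do was accept any packet that
# arrives on the WAN side and whose destination routes into wg0 -- with
# route_allowed_ips covering all of IPv4, that is every non-local destination
# -- and masquerade it out through the VPN. Kept but disabled so it can be
# inspected; delete it once confirmed unnecessary. If an inbound listener is
# ever really needed, use an input rule instead:
#   option proto 'udp', option dest_port '51820', and no 'dest'.
config rule
	option name 'Allow-Wireguard'
	list proto 'all'
	option src 'wan'
	option dest 'wg'
	option target 'ACCEPT'
	option enabled '0'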

Netflix uses geo-IP plus static lists: addresses flagged by the number of distinct clients seen behind a single source IP, and the published address blocks of VPN providers.
(Many ISPs that use CGNAT have had legitimate customers blocked by those lists... very, very rude.)

Obviously, given what you are seeing, these lists vary between CDN distribution points (i.e. by which media is being accessed).

Fun fact: my daughter also had trouble with just one show, and we had no VPN active at all, so they clearly have some internal bugs regardless...


But I can make it work with Netflix by going straight from my router (a UniFi USG) to my DOCSIS cable modem -- in other words, bypassing the VPN altogether. That is what I have to do when we want to watch Wentworth.

(Or I can just wait a few weeks until we get done binge watching Wentworth and the whole problem will go away :slight_smile: )

A bit more of an explanation:

The OpenWrt instance on the RPi4B serves as a whole-house WireGuard VPN router. It is connected to a PoE, VLAN-capable switch so I don't need multiple USB Ethernet dongles.

eth0.10 is the WAN DHCP client that connects to the DOCSIS modem
eth0.56 is a static address on a secured network used for maintenance
eth0.52 (SSCILAN) carries the clients whose traffic is NATted out through the WireGuard tunnel to TorGuard's New York endpoint; they get DHCP-assigned private addresses in 192.168.52.0/24.

I think the problem is that the VPNBypass package is not working properly, or something is getting around VPNBypass.

There may be something slightly different that this show on Netflix is doing that the other shows do not do. I just do not know enough about how Netflix works to figure it out.

I am guessing that maybe one of the firewall rules is letting some traffic around the vpnbypass policy routing? Not sure though...

Another thought: maybe Netflix serves this show over IPv6 where the other shows use IPv4? I am wondering whether vpnbypass handles IPv6 at all. If it does not, is it possible to block IPv6 in OpenWrt -- on the client side as well, so the clients never obtain an IPv6 address and try a path that the policy routing does not cover?

Yes, IPv6 could be playing a role...

As could client DNS going out directly over the WAN, or via DoH -- either gives you a DNS path that disagrees with your routing rules.

why would you use a vpn from the same country for netflix?

I'm not actually using the VPN for Netflix. The Netflix problem is just a side effect.

Can you give some details as to how I might block the client dns from going to WAN or DoH? Could you explain a bit more?

have you contacted their customer support to let them know a show is not working?

Haven't tried that yet. It works fine if I don't try to use the OpenWRT VPN and plug my router into the modem like a normal, compliant person, so I don't think the problem is on their end.


So you need to compare the DNS answers for the Netflix hosts, and the routes selected for them, under three conditions:

  • working as above
  • just the vpn
  • vpn + bypass running

Since it works when connected "directly", "something" is not going over the WAN as intended. The two biggest suspects are:

  1. You are not bypassing the VPN for all Netflix traffic (not all Netflix traffic comes from hostnames under the netflix.com domain; the video itself is served from separate CDN hosts).
  2. You are not obtaining DNS results for Netflix (and its affiliated CDN hosts) over the WAN connection, so the DNS path and the data path disagree.

I just got off the phone with Netflix. They were really nice. It turns out that some titles are served over IPv6.

So now I need to check whether vpnbypass can bypass IPv6 as well and, if so, enable IPv6 on the RPi4B interfaces to match. (Caveat from the config above: IPv6 is off on every physical device and the tunnel only carries IPv4, so there is currently no IPv6 route out at all. Either extend both the bypass rules and the tunnel/kill-switch to IPv6, or keep IPv6 disabled end to end -- a half-configured IPv6 path is exactly how traffic leaks around a VPN.)
