Asuswrt-Merlin Netflix through VPN settings

[frustin]

How did you get on?

Spoiler

Yes, luckily there are providers who can get around the blocks. For those that can't change providers, there is hope!

@Martineau has done a great job helping others do this on the forum. The selective routing ipset examples @Martineau posted in the selective routing thread where ipset mines the ip addresses is the best way I have seen it done in my opinion:

Spoiler: Links to bypass Netflix using IPSET

https://www.snbforums.com/threads/a...through-vpn-settings.41047/page-2#post-348425

Use domain names to lookup the IP addresses, then place the IP address in an IPSET and route that traffic to the WAN. nslookup is one of several methods available to populate the IPSET list. There are a few others as well. Find the domain names being called by looking at dnsmasq.log file when starting up Netflix. It may vary by geo location. For my example, I got them from an old forum posting and have not validated them.

Please note I threw this together in about 20 minutes and have not fully tested it. It needs to be improved to handle IPv6 ip address. But my traffic to whatsmyip.org is going to the WAN.

Create the ipset list for NETFLIX

ipset create NETFLIX hash:net family inet hashsize 1024 maxelem 65536

Script

#!/bin/sh
# Uncomment the line below for debugging
set -xo

# list domains for selective routing
for domain in \
"netflix.com" \
"ichnaea.netflix.com" \
"movies.netflix.com" \
"www.netflix.com" \
"nflxext.com" \
"cdn1.nflxext.com" \
"nflximg.com" \
"nflxvideo.net" \
"ipv4_1.cxl0.c145.sjc002.ix.nflxvideo.net" \
"amazonaws.com" \
"whatsmyip.org"
do
  # extract ip addresses
    for ip in $(nslookup $domain | awk '/^Name:/,0{if (/^Addr/)print $3}'); do
    # add IP address to ipset list NETFLIX
    ipset add NETFLIX `echo $ip | cut -d . -f 1,2`.0.0/16
  done
done

###########################################################
#Create table to contain items added automatically by wan #
###########################################################
ip rule del prio 9990
ip rule add from 0/0 fwmark 0x7000 table main prio 9990
iptables -D PREROUTING -t mangle -m set --match-set NETFLIX dst -j MARK --set-mark 0x7000/0x7000
iptables -A PREROUTING -t mangle -m set --match-set NETFLIX dst -j MARK --set-mark 0x7000/0x7000

One can add this to a cron job to update the ipset list on a periodic basis.

Spoiler: ipset -L NETFLIX

Name: NETFLIX
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 1884
References: 1
Number of entries: 28
Members:
208.64.0.0/16
52.37.0.0/16
52.32.0.0/16
52.40.0.0/16
207.171.0.0/16
23.215.0.0/16
54.187.0.0/16
52.11.0.0/16
72.21.0.0/16
52.88.0.0/16
52.41.0.0/16
52.27.0.0/16
52.39.0.0/16
52.35.0.0/16
52.26.0.0/16
54.68.0.0/16
207.45.0.0/16
69.53.0.0/16
54.69.0.0/16
52.24.0.0/16
52.34.0.0/16
54.201.0.0/16
52.43.0.0/16
52.89.0.0/16
52.42.0.0/16
52.10.0.0/16
54.148.0.0/16

I mined dnsmasq to see what domains are being called. This is what I got (Caveat - this may vary depending on your geo location)

Spoiler: grep | awk | sort dnsmasq file for netflix

netflix.com
www.us-west-2.prodaa.netflix.com
secure.netflix.com
push.prod.netflix.com
push.prod.us-west-2.prodaa.netflix.com
api-global.netflix.com
customerevents.netflix.com
oca-api.netflix.com
anycast.ftl.netflix.com

 

[Rickyrsx]

How did you get on?

I'm using PrivateVPN now. Honestly, they're the best VPN provider I've used so far. I'm in Toronto and their speeds are top notch and Netflix has not been blocked. I have 150/15 service and I usually get 140+/14+ on a wireless connection. So I'm very happy with them so far!!

 

[New2This]

Going to try PrivateVPN out......
Thanks

 

[Xentrk]

Going to try PrivateVPN out......
Thanks

You can also access Netflix and other sites that block VPNs with TorGuard. Read this post for more information. https://x3mtek.com/why-i-use-torguard-as-my-vpn-provider/

 

[New2This]

Thanks, I'll check them out

 

[st3v3n]

We like TorGuard for all our streaming and other needs; hasn't let us down, never. Cheers.