VPN + Amazon Prime - add some routes

[Tech Junky]

So, I finally got the urge to dig into how to setup my DIY router / VPN to split tunnel off crap like Prime to make it work through the streamer box and all devices to avoid the infamous....

Anyway... I got it working on the streamer by adding some routes after messing around with trying to do it the what I thought would be the easier way through iptables.

sudo route add -host amazonvideo.com gw 192.168.12.1 dev bo0
sudo route add -host  api.us-east-1.aiv-delivery.net gw 192.168.12.1 dev bo0
sudo route add -host  na.api.amazonvideo.com gw 192.168.12.1 dev bo0
sudo route add -host cloudfront.xp-assets.aiv-cdn.net gw 192.168.12.1 dev bo0
sudo route add -host assets.aiv-cdn.net gw 192.168.12.1 dev bo0


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.12.1    0.0.0.0         UG    0      0        0 bo0
ec2-3-95-89-5.c 192.168.12.1    255.255.255.255 UGH   0      0        0 bo0
ec2-3-138-205-1 192.168.12.1    255.255.255.255 UGH   0      0        0 bo0
ec2-34-216-88-7 192.168.12.1    255.255.255.255 UGH   0      0        0 bo0
s3-website-us-e 192.168.12.1    255.255.255.255 UGH   0      0        0 bo0
server-108-156- 192.168.12.1    255.255.255.255 UGH   0      0        0 bo0
server-108-156- 192.168.12.1    255.255.255.255 UGH   0      0        0 bo0
server-108-157- 192.168.12.1    255.255.255.255 UGH   0      0        0 bo0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 lo
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.12.0    0.0.0.0         255.255.255.0   U     0      0        0 bo0

Of course this could be a real PITA since there's so many hostnames and reapplying the commands generates the new DNS names each time.

I decoded some of the info from - https://askubuntu.com/questions/26870/exempt-programs-or-domain-from-vpn-connection

So, with playing around with things a bit and noticing the "fix" being a bit spotty I came across a list of Amazon IP / CIDR for hopefully making life easier.

https://ip-ranges.amazonaws.com/ip-ranges.json

Went over to https://bgp.he.net/ to figure out the CIDR based off the "ip route" output to just add them enmasse instead of running the commands each time it spazzes out due to VPN.

sudo ip route add 3.16.0.0/14 via 192.168.12.1 dev bo0
 sudo ip route add 3.80.0.0/12 via 192.168.12.1 dev bo0
 sudo ip route add 3.136.0.0/13 via 192.168.12.1 dev bo0
 sudo ip route add 18.189.0.0/16 via 192.168.12.1 dev bo0
 sudo ip route add 34.208.0.0/12 via 192.168.12.1 dev bo0
 sudo ip route add 44.224.0.0/11 via 192.168.12.1 dev bo0
 sudo ip route add 52.10.0.0/15 via 192.168.12.1 dev bo0
 sudo ip route add 54.160.0.0/14 via 192.168.12.1 dev bo0
 sudo ip route add 54.231.128.0/19 via 192.168.12.1 dev bo0
 sudo ip route add 108.156.208.0/21 via 192.168.12.1 dev bo0
 sudo ip route add 108.156.240.0/21 via 192.168.12.1 dev bo0
 sudo ip route add 108.157.136.0/21 via 192.168.12.1 dev bo0
 sudo ip route add 108.157.152.0/21 via 192.168.12.1 dev bo0


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.12.1    0.0.0.0         UG    0      0        0 bo0
3.16.0.0        192.168.12.1    255.252.0.0     UG    0      0        0 bo0
3.80.0.0        192.168.12.1    255.240.0.0     UG    0      0        0 bo0
3.136.0.0       192.168.12.1    255.248.0.0     UG    0      0        0 bo0
13.224.0.0      192.168.12.1    255.252.0.0     UG    0      0        0 bo0
18.189.0.0      192.168.12.1    255.255.0.0     UG    0      0        0 bo0
34.208.0.0      192.168.12.1    255.240.0.0     UG    0      0        0 bo0
44.224.0.0      192.168.12.1    255.224.0.0     UG    0      0        0 bo0
52.10.0.0       192.168.12.1    255.254.0.0     UG    0      0        0 bo0
54.160.0.0      192.168.12.1    255.252.0.0     UG    0      0        0 bo0
54.231.128.0    192.168.12.1    255.255.224.0   UG    0      0        0 bo0
65.8.0.0        192.168.12.1    255.255.0.0     UG    0      0        0 bo0
108.156.0.0     192.168.12.1    255.252.0.0     UG    0      0        0 bo0
108.156.208.0   192.168.12.1    255.255.248.0   UG    0      0        0 bo0
108.156.240.0   192.168.12.1    255.255.248.0   UG    0      0        0 bo0
108.157.136.0   192.168.12.1    255.255.248.0   UG    0      0        0 bo0
108.157.152.0   192.168.12.1    255.255.248.0   UG    0      0        0 bo0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 lo
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.12.0    0.0.0.0         255.255.255.0   U     0      0        0 bo0

Seems to be working on all platforms from phone / browser / app / etc. Everything for Telemetry is still blocked through PIHOLE though so, I get the goods w/o the sale of my use history. The same could be done for any stupid GEO blocked crap like netflix / hulu / etc.

Now to make them permanent / persistent across reboots.

How to add a static route permanently on Linux

Took a few attempts to get the routes to load from /etc/network/interfaces based on the various syntax from doing it by hand to adding them to the file to do it automatically.

up route add -net 3.16.0.0/14 gw 192.168.12.1 dev bo0
up route add -net 3.80.0.0/12 gw 192.168.12.1 dev bo0
up route add -net 3.136.0.0/13 gw 192.168.12.1 dev bo0
up route add -net 18.189.0.0/16 gw 192.168.12.1 dev bo0
up route add -net 34.208.0.0/12 gw 192.168.12.1 dev bo0
up route add -net 44.224.0.0/11 gw 192.168.12.1 dev bo0
up route add -net 52.10.0.0/15 gw 192.168.12.1 dev bo0
up route add -net 54.160.0.0/14 gw 192.168.12.1 dev bo0
up route add -net 54.231.128.0/19 gw 192.168.12.1 dev bo0
up route add -net 108.156.208.0/21 gw 192.168.12.1 dev bo0
up route add -net 108.156.240.0/21 gw 192.168.12.1 dev bo0
up route add -net 108.157.136.0/21 gw 192.168.12.1 dev bo0
up route add -net 108.157.152.0/21 gw 192.168.12.1 dev bo0

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.12.1    0.0.0.0         UG    0      0        0 bo0
3.16.0.0        192.168.12.1    255.252.0.0     UG    0      0        0 bo0
3.80.0.0        192.168.12.1    255.240.0.0     UG    0      0        0 bo0
3.136.0.0       192.168.12.1    255.248.0.0     UG    0      0        0 bo0
18.189.0.0      192.168.12.1    255.255.0.0     UG    0      0        0 bo0
34.208.0.0      192.168.12.1    255.240.0.0     UG    0      0        0 bo0
44.224.0.0      192.168.12.1    255.224.0.0     UG    0      0        0 bo0
52.10.0.0       192.168.12.1    255.254.0.0     UG    0      0        0 bo0
54.160.0.0      192.168.12.1    255.252.0.0     UG    0      0        0 bo0
54.231.128.0    192.168.12.1    255.255.224.0   UG    0      0        0 bo0
108.156.208.0   192.168.12.1    255.255.248.0   UG    0      0        0 bo0
108.156.240.0   192.168.12.1    255.255.248.0   UG    0      0        0 bo0
108.157.136.0   192.168.12.1    255.255.248.0   UG    0      0        0 bo0
108.157.152.0   192.168.12.1    255.255.248.0   UG    0      0        0 bo0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 lo
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.12.0    0.0.0.0         255.255.255.0   U     0      0        0 bo0

 

[Tech Junky]

found this thread which grabs specific IP CIDR info from https://ip-ranges.amazonaws.com/ip-ranges.json and narrows it down to Cloudfront only subnets / CIDR which should narrow down outbound exceptions considerably from my approach and be a bit more comprehensive than my limited subnets I discovered from DNS snooping from Pihole hits.

curl -s -X GET https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service=="CLOUDFRONT") | .ip_prefix'

Need some further testing but, had some instances with Prime being finicky and after a few refreshes working just fine. Still sorting it out to refine it rather than just permitting everything within the subnets obtained from BGP lookups. I've also narrowed down some additional bypassed subnets for other uses. Putting them into the /etc/netwwork/interfaces file though applies them on boot and also doing a networking.service restart applies them in a batch format vs applying them by hand. Easier to manage in notepad++ using some regex you can take the batch of CIDR's and prepend/append quickly with find/replace.

Output from the com mand is:

52.78.247.128/26
13.233.177.192/26
15.207.13.128/25
15.207.213.128/25
52.66.194.128/26
13.228.69.0/24
52.220.191.0/26
13.210.67.128/26
13.54.63.128/26
99.79.169.0/24
18.192.142.0/23
35.158.136.0/24
52.57.254.0/24
13.48.32.0/24
18.200.212.0/23
52.212.248.0/26
3.10.17.128/25
3.11.53.0/24
52.56.127.0/25
15.188.184.0/24
52.47.139.0/24
18.229.220.192/26
54.233.255.128/26
3.231.2.0/25
3.234.232.224/27
3.236.169.192/26
3.236.48.0/23
34.195.252.0/24
34.226.14.0/24
13.59.250.0/26
18.216.170.128/25
3.128.93.0/24
3.134.215.0/24
52.15.127.128/26
3.101.158.0/23
52.52.191.128/26
34.216.51.0/25
34.223.12.224/27
34.223.80.192/26
35.162.63.192/26
35.167.191.128/26
44.227.178.0/24
44.234.108.128/25
44.234.90.252/30

Sorted / route commands n interfaces file:

up route add -net 3.10.17.128/25 gw 192.168.12.1 dev bo0
up route add -net 3.11.53.0/24 gw 192.168.12.1 dev bo0
up route add -net 3.101.158.0/23 gw 192.168.12.1 dev bo0
up route add -net 3.128.93.0/24 gw 192.168.12.1 dev bo0
up route add -net 3.134.215.0/24 gw 192.168.12.1 dev bo0
up route add -net 3.231.2.0/25 gw 192.168.12.1 dev bo0
up route add -net 3.234.232.224/27 gw 192.168.12.1 dev bo0
up route add -net 3.236.48.0/23 gw 192.168.12.1 dev bo0
up route add -net 3.236.169.192/26 gw 192.168.12.1 dev bo0
up route add -net 13.48.32.0/24 gw 192.168.12.1 dev bo0
up route add -net 13.54.63.128/26 gw 192.168.12.1 dev bo0
up route add -net 13.59.250.0/26 gw 192.168.12.1 dev bo0
up route add -net 13.210.67.128/26 gw 192.168.12.1 dev bo0
up route add -net 13.228.69.0/24 gw 192.168.12.1 dev bo0
up route add -net 13.233.177.192/26 gw 192.168.12.1 dev bo0
up route add -net 15.188.184.0/24 gw 192.168.12.1 dev bo0
up route add -net 15.207.13.128/25 gw 192.168.12.1 dev bo0
up route add -net 15.207.213.128/25 gw 192.168.12.1 dev bo0
up route add -net 18.192.142.0/23 gw 192.168.12.1 dev bo0
up route add -net 18.200.212.0/23 gw 192.168.12.1 dev bo0
up route add -net 18.216.170.128/25 gw 192.168.12.1 dev bo0
up route add -net 18.229.220.192/26 gw 192.168.12.1 dev bo0
up route add -net 34.195.252.0/24 gw 192.168.12.1 dev bo0
up route add -net 34.216.51.0/25 gw 192.168.12.1 dev bo0
up route add -net 34.223.12.224/27 gw 192.168.12.1 dev bo0
up route add -net 34.223.80.192/26 gw 192.168.12.1 dev bo0
up route add -net 34.226.14.0/24 gw 192.168.12.1 dev bo0
up route add -net 35.158.136.0/24 gw 192.168.12.1 dev bo0
up route add -net 35.162.63.192/26 gw 192.168.12.1 dev bo0
up route add -net 35.167.191.128/26 gw 192.168.12.1 dev bo0
up route add -net 44.227.178.0/24 gw 192.168.12.1 dev bo0
up route add -net 44.234.90.252/30 gw 192.168.12.1 dev bo0
up route add -net 44.234.108.128/25 gw 192.168.12.1 dev bo0
up route add -net 52.15.127.128/26 gw 192.168.12.1 dev bo0
up route add -net 52.47.139.0/24 gw 192.168.12.1 dev bo0
up route add -net 52.52.191.128/26 gw 192.168.12.1 dev bo0
up route add -net 52.56.127.0/25 gw 192.168.12.1 dev bo0
up route add -net 52.57.254.0/24 gw 192.168.12.1 dev bo0
up route add -net 52.66.194.128/26 gw 192.168.12.1 dev bo0
up route add -net 52.78.247.128/26 gw 192.168.12.1 dev bo0
up route add -net 52.212.248.0/26 gw 192.168.12.1 dev bo0
up route add -net 52.220.191.0/26 gw 192.168.12.1 dev bo0
up route add -net 54.233.255.128/26 gw 192.168.12.1 dev bo0
up route add -net 99.79.169.0/24 gw 192.168.12.1 dev bo0

Now, after having done this by hand and watching pihole logs I know there's more subnets in use than just Cloudfront.

akamaihd
fastly

I also pinpointed the domains to
a2z.com
aiv-delivery.net
amazonvideo.com
aiv-cdn.net

|                                                                                       192.0.0.2                                                                    2      6|
|                                                                                       172.64.153.236                                                             189    198|||
|                                                                                       a23-205-110-199.deploy.static.akamaitechnologies.com                       292    246|
|                                                                                       a23-205-110-197.deploy.static.akamaitechnologies.com                       210    175|
|                                                                                       a23-38-188-48.deploy.static.akamaitechnologies.com                         235    197|
|                                                                                       a23-38-188-11.deploy.static.akamaitechnologies.com                         972    621|

Running a Video is producing traffic from the above. Of course this changes depending on the server the video is stored on and the CEO location you're in as well. But, watching the subnets being hit / bypassing VPN with the slimmed down host set from the script above makes it easier to keep an eye on things for traffic leaks beyond just using prime. When I was using the larger CIDR's from BGP lookups my logs were full of extraneous IP ranges that didn't really fit what I was aiming for ss they opened up bypassing the VPN further to other apps that use those subnet ranges.