Posted: Sun Sep 02, 2012 20:02 Post subject: VPN - Selective routing for Netflix, Pandora and Hulu
I'd like to share my VPN configuration with selective routing for getting access to US-only services such as Netflix, Pandora and Hulu. I hope you find it helpful.
0. Initial thoughts
When I started setting up DD-WRT I initially thought about configuring a virtual WLAN that routes EVERYTHING through a (configured) VPN connection that terminates somewhere in the US so that I don't have to deal with advanced routing and identifying miscellaneous IP ranges that the above mentioned services use to stream their content.
I found that rather difficult and besides, it would still have required me to switch WLANs depending whether I want full speed (without VPN) or access US-only services (with VPN, but slower).
Therefore I finally decided to go with a "mixed" configuration, meaning that all connections that require an US-based IP address are being routed through the VPN tunnel and the others not.
1. OpenVPN vs. PPTP
For the VPN connection itself I chose OpenVPN over PPTP as PPTP has some great security issues and usually is slower than OpenVPN. Usually in that case that this is true for all kind of software clients I've tried so far with providers who offer both OpenVPN and PPTP.
Unfortunately the DD-WRT firmware versions I've been using so far (namely 18024 and 18777) are kind of slowing down the whole OpenVPN connection: When using OpenVPN with DD-WRT I get a download rate of around 3-4 Mbit, when using OpenVPN with Tunnelblick that rate improves to around 10 Mbit. No idea why that is the case. Perhaps my routers (a Cisco E4200) CPU is to weak to get better download rates - or there is a bug in DD-WRT. Note that it also doesn't matter if you have an UDP or a TCP connection in DD-WRT. Both are slower than normal.
Concerning bugs: At the time of writing all builds greater than 18777 (latest is 19519) have an OpenVPN bug that renders the usage of the OpenVPN client service unusable. If you want to use OpenVPN you need to stick with any version up to 18777.
2. The actual configuration
In "Services" / "VPN" enable the OpenVPN client and configure the main connection itself according to the instructions of your VPN provider.
I have used both BlackVPN, StrongVPN and Hide My Ass - I personally liked Hide My Ass best as out of these three it had the most servers on the US east side (which is the preferred location if you're in Europe as it is geographically the closest and therefore - in theory - the fastest). All three offer quite good guides specifically for DD-WRT - and all three work fine. Note though that the configurations have been written for older builds of DD-WRT and that sometimes google will point you to antique setup guides that don't make use of the DD-WRT OpenVPN GUI.
You DON'T want to use those!
Find a setup guide for recent versions of DD-WRT - and use the GUI as this is the easiest way by far to get OpenVPN up and running.
Once your connection is up and running - which you want to double check before proceeding - you can configure selective routing.
Here is my routing table, which you can copy-and-paste into the "Additional Config" section of the OpenVPN client configuration in DD-WRT (build 18777):
You MUST change the XXX.XXX.XXX.XXX IP address in line 2 of the above config to the IP address of the configured VPN server you're establishing the tunnel to (= the same address that you've entered in "Server IP") in order to get this thing working
Netflix mainly uses Amazon EC2 for serving content, that is why all currently active EC2 ip ranges need to be listed. I found no better way of tracking down the exact IP addresses Netflix uses. I found that you also need to redirect the european-based EC2 IP ranges as public DNS servers (which you need to use, also see the following remark) seem to ask the Amazon servers geographically closest.
Keep in mind that you need to use public DNS servers and NOT the ones of your local DSL/cable provider, as those are usually only accessible from the IP addresses your local provider assigns. Your IP address be a different one (a US-based) if you use VPN, therefore your local providers DNS services will (usually) NOT work. Instead use Google DNS (22.214.171.124, 126.96.36.199) or DNS advantage (188.8.131.52, 184.108.40.206) or any other - just make sure that the IP addresses of your favorite public DNS provider do NOT match any of the routing rules above as it will slow down ALL DNS requests and will break DNS if the VPN tunnel is down (for whatever reason).
I found Netflix and Pandora work rock solid - the Hulu IP ranges are work in progress (and will probably remain like this, as I don't use Hulu a lot). Whatismyip.org is redirected through VPN so that I can check the VPNs IP address. There should be a way of doing so in the DD-WRT status page but that feature seems to be broken in all the builds I've used.
Thank you for this VERY informative & useful post. The observation about OpenVPN being broken above 18777 is on the mark. Of course no one has any way of knowing this outside of trial and error. I've been pulling my hair out since yesterday trying to figure out why this was not working until I saw your post, downgraded to 18777 and BANG, worked instantly. If somebody posts asking about all this he will likely be told to RTFM. What good is the stupid manual if the software is broken???? Anyway, I'll stop ranting now.
So thanks for that VERY important piece of info.
I had a couple other questions though. You said you're using HMA but then you also say enable openvpn client. The HMA people specifically tell you not to do that and ask to simply enable "OpenVPN server". If I threw your config into the additional config area of the OpenVPN server will it work?
Secondly, what IP would I substitute into the XXX. area? The VPN IP? That's unique everytime though.
Thank you so much for this post BTW. Exceptional stuff.
I have been using HMA for a long time but finally moved on to setting up my own OpenVPN server on a virtual machine (on the US east coast)
I'm not quite sure what HMA guide told you to enable the OpenVPN server - please paste the link - but to me that wouldn't make any sense since you don't want to connect to your own DD-WRT router via VPN but rather connect your DD-WRT router to a VPN server (in the US), meaning that the DD-WRT unit is, by definition, the client.
Of course there are scenarios where you'd like to have your DD-WRT router act as a server (i.e. if you'd like to connect to your home network from the road) but the use case I've described in this thread is not one.
Therefore, when it comes to connecting DD-WRT to one of HMA's VPN servers you need to enable OpenVPN Client in the Services tab.
And you need to substitute the XXX.XXX.XXX.XXX IP address with the address of the VPN server you're connecting to (and not the one you're being assigned afterwards as this changes every time as you've pointed out correctly).
If you follow these instructions provided by HMA what happens is that your DD-WRT router is being (automagically) setup as an OpenVPN client.
While I haven't taken a closer look at what happens in the script in detail, I'd highly recommend to AVOID using any sort of "automated" setup at all times. Even if that means that you need to take a little more effort in understanding how basic OpenVPN configuration works (but it's not *that* complicated anyway ).
Call me paranoid, but the automated installer doesn't provide any security measure against the script being modified to do bad things (i.e. by someone who has hijacked HMA's webserver) - there are no security measures such as SHA/MD5 checksums whatsoever.
And apart from that you're bound to live with HMA's out-of-the-box configuration, meaning it's impossible for you to change the VPN server you want to connect to (i.e. the one that geographically closest to you) or use features such as additional config (which is necessary for selective routing).
Following that guide will also allow you to use selective routing as I've described above.
Oh and: The only reason why in the instructions on the link you've pasted you're being told to enable the OpenVPN server is to get "OpenVPN" appear in the Status tab, in order to check the assigned IP address. Since you don't configure the server, it really does nothing else at all.
And apart from that you're bound to live with HMA's out-of-the-box configuration, meaning it's impossible for you to change the VPN server you want to connect to (i.e. the one that geographically closest to you)
While I agree with the general sentiment of what you said they do let you choose what server you want to use before generating the script
I'm absolutely with you - we should try to collect ip-ranges for US-based services somewhere... Perhaps the dd-wrt wiki would be a good place for this?
Regarding the collection itself: I found Wireshark being a very useful tool as it can capture all ip connections that are being made to the outside world. I then ran "whois (IP address)" in my terminal and that returned all entire range.
Btw. thanks for the Nick IPs - have already added them to my config!
I started using privoxy as a transparent proxy on my dd-wrt box. And I use another HTTP proxy on the OpenVPN entpoint side. For me this is no problem because the remote endpoint is a VPS completely managed by myselfe.
This allows me to filter HTTP requests by very fine grained rules on my local side that aren't based on current IP addresses.
Especially when you start doing youtube through such a proxy, this becomes very importent because it's the only managable way to avoid doing all google traffic throug an oversea VPN.
Here's my current local privoxy configuration on my dd-wrt box. It's a useractions file.
the remote endpoint is a VPS completely managed by myselfe.
Due to this, configuring it your way is realistically not a solution for most of us who are using HMA or some other service for VPN.
However, I managed to crash my router due to flooding of NVRAM when I configured Qos on it. I didn't realize I am at capacity with just these few routing rules + VPN. That's terrible because Qos is really a very useful feature and I am sure others have other features they would like to setup.
I can't think of any solution right now. Any suggestions are very welcome.