OpenVPN bypass, Netflix, BBC iPlayer, Plex

Hey guys, I have managed to set up OpenVPN and it all works (if you use NordVPN). I can help you set up yours; I have also submitted documentation on how to set it up via OpenVPN and OpenWRT, which will be available very soon.
What I need help with is routing specific URLs straight through to the internet, bypassing tun0 (VPN) and going straight to eth1.

So I want BBC iPlayer, Netflix and Plex to go straight through to eth1, and everything else via tun0.

I have used http://baturin.org/docs/iproute2/ but the issue is that all the connections seem to be automatically sent to the VPN. Can anyone help with this?

I have managed to write/scavenge a script for DD-WRT to do this and I would like one for OpenWRT.

SCRIPT_DIR="/tmp/etc/config"
SCRIPT="$SCRIPT_DIR/add-routes.wanup"
mkdir -p "$SCRIPT_DIR"

cat << "EOF" > "$SCRIPT"
#!/bin/sh

# dd-wrt selective domain routing
WAN_GW="$(nvram get wan_gateway)"

# list domains for selective routing
for domain in \
"netflix.com" \
"ichnaea.netflix.com" \
"movies.netflix.com" \
"www.netflix.com" \
"nflxext.com" \
"cdn1.nflxext.com" \
"nflximg.com" \
"nflxvideo.net" \
"ipv4_1.cxl0.c145.sjc002.ix.nflxvideo.net" \
"amazonaws.com" \
"whatsmyip.org"
do
# extract ip addresses
# (prints field 3, which assumes busybox's "Address 1: <ip> <host>" output layout)
for ip in $(nslookup "$domain" | awk '/^Name:/,0{if (/^Addr/)print $3}'); do
# add a host route for each ip address via the wan gateway
# (a /16 variant would be: ip route add "$(echo "$ip" | cut -d . -f 1,2).0.0/16" via "$WAN_GW")
ip route add "$ip" via "$WAN_GW"
echo "$ip"
done
done

# flush cache
ip route flush cache
EOF

chmod +x "$SCRIPT"
sleep 60
"$SCRIPT"

On OpenWRT I have managed the following. It seems to add them to the IP routes, but when I go to the URL I'm now being refused, and I think this is because my VPN is the default for all traffic. Any help is appreciated.

SCRIPT_DIR="/tmp/etc/config"
SCRIPT="$SCRIPT_DIR/add-routes.sh"
mkdir -p $SCRIPT_DIR

cat << "EOF" > $SCRIPT
#!/bin/sh


# list domains for selective routing
for domain in \
"whatsmyip.org"
do
# extract ip addresses
for ip in $(nslookup $domain | awk '/^Name:/,0{if (/^Addr/)print $3}'); do
ip route add $ip via eth0
echo $ip
done
done

# flush cache
ip route flush cache
EOF

chmod +x $SCRIPT
sleep 60
$SCRIPT

#Bug
Small bug in the script above:
ip route add $ip via eth0
should be
ip route add $ip dev eth0


via needs an address, in this case the WAN gateway, not a device. Try the following:

# Get the WAN gateway
WAN_GW="$(. /lib/functions/network.sh; network_get_gateway ip wan; echo $ip)"
...
ip route add $ip via $WAN_GW
...

Wow, thanks. I did change it to
ip route add $ip dev eth0

but that still didn't work, as dev can target a device.

Do you think adding a via and an address will work?

Have you used this with OpenVPN?

Thank you for the comment, by the way.

Yes. I tried with OpenVPN and it worked fine.

That's awesome. Could you tell me what settings you used for the interface etc., and for the VPN so it wouldn't pull connections? I would be grateful for some screenshots or code please, as mine kept pulling the connection to the VPN no matter what I tried.
Thank you for all the help; this thing has been driving me nuts for a few weeks.
I had the below interface setup. I want it so that if there is no VPN nothing goes through, but also to have a bypass for Netflix, BBC iPlayer etc. I don't really know if this is correct.

Sorry, quick follow-up: are you adding the script to /etc/init.d, or is there somewhere in the GUI that you can put it, like the box on the startup screen?

Thank you so much, got it to work. Awesome.

Solved, and here is the solution.

Your zones need to look something like this

and you paste the following script into the bottom of your startup screen (System >> Startup) before the exit 0. Restart your router and we are done.

SCRIPT_DIR="/tmp/etc/config"
SCRIPT="$SCRIPT_DIR/add-routes.sh"
mkdir -p "$SCRIPT_DIR"

cat << "EOF" > "$SCRIPT"
#!/bin/sh

# WAN gateway address from OpenWRT's network helpers (via needs an address, not a device)
WAN_GW="$(. /lib/functions/network.sh; network_get_gateway ip wan; echo "$ip")"

# list domains for selective routing
for domain in \
"netflix.com" \
"ichnaea.netflix.com" \
"movies.netflix.com" \
"www.netflix.com" \
"nflxext.com" \
"cdn1.nflxext.com" \
"nflximg.com" \
"nflxvideo.net" \
"ipv4_1.cxl0.c145.sjc002.ix.nflxvideo.net" \
"plex.tv" \
"my.plexapp.com" \
"whatsmyip.org"
do
# extract ip addresses
# (prints field 3, which assumes busybox's "Address 1: <ip> <host>" output layout)
for ip in $(nslookup "$domain" | awk '/^Name:/,0{if (/^Addr/)print $3}'); do
#ip route add $ip dev eth0
# host route for each address via the WAN gateway, bypassing the VPN default route
ip route add "$ip" via "$WAN_GW"
echo "$ip"
done
done

# flush cache
ip route flush cache
EOF

chmod +x "$SCRIPT"
sleep 6
"$SCRIPT"

If anyone does need any further clarification or help, give me a shout.

Huge thanks to hhomar for helping out.
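The solved script above extracts addresses with awk by printing field 3, which matches the older busybox nslookup layout ("Address 1: <ip> <host>") but not the newer one ("Address: <ip>"), and it would also hand an IPv6 answer to "ip route add ... via <IPv4 gateway>", which fails. As an added example (not the poster's script), here is the same resolve-and-route step with a parser that accepts both layouts, keeps only IPv4 answers, de-duplicates them, and uses "ip route replace" so a re-run does not fail on routes that already exist. The two nslookup outputs are constructed samples; the "example.invalid" name, the WAN_GW environment override and the command-line domain list are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's script: resolve a domain list and pin each
# IPv4 answer to the WAN gateway with a /32 route, so those destinations
# bypass a VPN that owns the default route.

# Constructed sample: older busybox nslookup layout ("Address 1: <ip> <host>").
SAMPLE_OLD='Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

Name:      example.invalid
Address 1: 203.0.113.10 example.invalid
Address 2: 2001:db8::10 example.invalid
Address 3: 203.0.113.10 example.invalid'

# Constructed sample: newer busybox nslookup layout ("Address: <ip>").
SAMPLE_NEW='Server:		127.0.0.1
Address:	127.0.0.1:53

Non-authoritative answer:
Name:	example.invalid
Address: 198.51.100.7
Address: 2001:db8::7
Name:	example.invalid
Address: 198.51.100.7'

# extract_ips: nslookup output on stdin -> unique IPv4 answers, one per line.
# Everything before the first "Name:" line describes the resolver, not the
# answer, and is skipped; IPv6 answers are dropped because they cannot be
# routed "via" an IPv4 gateway.
extract_ips() {
    awk '
        /^Name:/ { in_answer = 1; next }
        in_answer && /^Address/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; next }
        }' | sort -u
}

# route_cmds GATEWAY: IPv4 addresses on stdin -> "ip route replace" commands.
# "replace" is idempotent, so re-running after a DNS change does not fail
# with "File exists" on routes that are already present.
route_cmds() {
    gw="$1"
    while read -r ip; do
        [ -n "$ip" ] && printf 'ip route replace %s/32 via %s\n' "$ip" "$gw"
    done
}

# bypass_domains GATEWAY DOMAIN...: resolve each domain and apply the routes.
bypass_domains() {
    gw="$1"; shift
    for domain in "$@"; do
        nslookup "$domain" 2>/dev/null | extract_ips
    done | sort -u | route_cmds "$gw" | sh
    ip route flush cache
}

# Applied only when domains are given on the command line, e.g.
#   sh bypass-routes.sh netflix.com nflxvideo.net plex.tv
# WAN_GW is taken from the environment or from OpenWRT's network helpers (assumed paths).
if [ "$#" -gt 0 ]; then
    WAN_GW="${WAN_GW:-$(. /lib/functions/network.sh; network_get_gateway gw wan; echo "$gw")}"
    bypass_domains "$WAN_GW" "$@"
fi
```

Two caveats that follow from the approach rather than from this script: the router's nslookup goes to whatever resolver the router itself uses, so when the VPN pushes DNS the answers are the CDN nodes chosen for the VPN exit, and CDN addresses rotate, so the routes need refreshing (a cron entry) rather than a single run at boot. "ip route get <ip>" on the router shows which gateway a given address will actually use.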

There is an alternative solution, where you route everything above a certain IP address back to your normal IP address and the rest uses the VPN. In order to make use of this you need to:

  1. Add these lines to your openvpn.conf file (or whatever your OpenVPN .conf file is called) and delete any other route-pull lines:

route-nopull
route-noexec
up /etc/openvpn/cg/up-script.sh
down /etc/openvpn/cg/down-script.sh

up-script.sh - the up script (will need creating):

#!/bin/sh
# "vpn" must be a named table in /etc/iproute2/rt_tables;
# ifconfig_remote is set in the environment by OpenVPN
ip rule add from 192.168.1.128/25 priority 10 table vpn
ip route add 192.168.1.128/25 dev tun1 table vpn
ip route add default via "$ifconfig_remote" dev tun1 table vpn
ip route flush cache

down-script.sh - the down script (will need creating):

#!/bin/sh
rm -f /etc/openvpn/cg/up
touch /etc/openvpn/cg/down
# remove the policy rule added by the up script
ip rule del from 192.168.1.128/25

Change the 192.168.1.128/25 in both scripts to reflect the local IP addresses of the devices you don't want to be using the VPN (so in this case above .128 goes to the host network, and below goes via the VPN).

h/t to Pedro Lopez at NordVPN for helping me with this (giving it to me)

It's far more elegant and doesn't rely on resolved IP addresses. OK, if you don't live in the UK it's not that helpful.

Hi guys,
could one of you make a wiki article about this? Here is the place: https://www.turris.cz/doc/en/public/start

Thanks,
Václav


Hi,
I use a similar script.
OpenVPN passes parameters to the up script ($1 is the tun device, $5 the remote gateway address):

    #!/bin/sh
    ip rule add from 192.168.1.128/25 priority 10 table vpn
    ip route add 192.168.1.128/25 dev "$1" table vpn
    ip route add default via "$5" dev "$1" table vpn
    ip route flush cache

I created an entry in iptables for the vpn table.

If you don't forward the DNS, then you are exposed to a DNS leak (your IP).
It would be nice to have different DNS rules for different IPs.

If the client supports IPv6, you need to drop IPv6 for them.

Reading this I got an idea. Is it possible to configure Tor beside my normal ISP connection? E.g. I mean, in order to enjoy a little bit of privacy, I would like to have a separate SSID that will pass all traffic from this SSID into Tor or a VPN, next to my normal SSID for all other traffic. Has someone achieved this kind of setup?

If I use
route-nopull
route-noexec
nothing will go through the VPN.

How can I just push one IP address through the host network?
I have used the below for IP addresses and ports.
They both work, but the Netflix proxy is still triggered and I don't know why.
If I test it on the iPhone and TV, IP address tests come out as Virgin Media, so what am I missing? I even used Google DNS on those devices.

If you do want to use the below script you can list the ports and IP addresses and it will loop and add each one.
The port there ("32400") is for Plex.

I also used /32 on IP addresses; is that correct?

vim /etc/hotplug.d/iface/95-wanipupdate

#!/bin/sh
# Hotplug script: when the WAN comes up, build a second routing table (TID)
# whose default route is the WAN gateway, and mark with FW_MARK any traffic
# that should use it instead of the VPN default route:
#   - replies leaving the listed local TCP ports (32400 is Plex),
#   - anything from the listed LAN source addresses,
#   - anything whose destination is in the IPSET set.
# Note: nothing in this script adds addresses to the ipset; it only matches on it.

ports="
32400
"

ipAddresses="
"

[ "$INTERFACE" = "wan" ] || exit 0
[ "$ACTION" = "ifup" ] || [ "$ACTION" = "ifupdate" ] || exit 0
[ -f /etc/config/openvpn ] && [ -d /etc/openvpn ] || exit 0
TID="200"; FW_MARK="0x88"; IPSET="vpnbypass"
pid="$(pidof ash 95-wanipupdate | awk '{print $1}')"; [ -n "$pid" ] && pid="[$pid]"
. /lib/functions/network.sh
network_get_ipaddr wanip wan; network_get_gateway gwip wan; network_get_ipaddr lanip lan
[ ! "$wanip" ] && logger -t "${IPSET}${pid}" 'ERROR: Could not get wan ip' && exit 0
[ ! "$gwip" ] && logger -t "${IPSET}${pid}" 'ERROR: Could not get wan gateway' && exit 0

# Tear down anything left from a previous run (note: the whole mangle table is flushed)
ip rule del fwmark "$FW_MARK" table "$TID" 2>/dev/null
iptables -t mangle -F
ipset -F "$IPSET" 2>/dev/null; ipset -X "$IPSET" 2>/dev/null
ip route flush table "$TID"; ip route flush cache

# Bypass table: default route via the WAN gateway
ip route add default via "$gwip" table "$TID"; ip route flush cache

# Empty ipset for destinations that should bypass the VPN
(modprobe xt_set || modprobe ip_set; insmod ip_set_hash_ip) >/dev/null 2>&1
ipset -N "$IPSET" iphash -q; ipset -F "$IPSET"

# Mark replies from the listed local services (source-port match on ingress)
for port in $ports
do
iptables -t mangle -A PREROUTING -p tcp -m multiport --sport "$port" -j MARK --set-mark "$FW_MARK"
done

# Mark everything coming from the listed LAN hosts
for ipAddress in $ipAddresses
do
iptables -t mangle -I PREROUTING -s "$ipAddress/32" -j MARK --set-mark "$FW_MARK"
done

# Mark traffic to any destination in the ipset, then send marked traffic through TID
iptables -t mangle -A PREROUTING -m set --match-set "$IPSET" dst -j MARK --set-mark "$FW_MARK"
ip rule add fwmark "$FW_MARK" table "$TID"
logger -t "${IPSET}${pid}" "started with TID: $TID FW_MARK: $FW_MARK"
exit 0
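The ipset in that script is created and matched on ("--match-set vpnbypass dst"), but nothing in the script ever adds an address to it, so the ipset rule marks no packets until something populates the set. On OpenWRT the usual way to do that is dnsmasq's ipset option, which adds every A record it resolves for the listed domains (and their subdomains). The fragment below is an added configuration example, not from the thread; it assumes dnsmasq-full (the ipset-capable build) is installed, that /etc/dnsmasq.conf is read by dnsmasq (OpenWRT's init script includes it), and that the set name matches the script's IPSET. The domain list is an assumption taken from the names used earlier in the thread.

```conf
# /etc/dnsmasq.conf (added example; the domain list is an assumption)
# Every A record dnsmasq resolves for these names, including subdomains, is
# added to the "vpnbypass" ipset that 95-wanipupdate matches with
# "--match-set vpnbypass dst".
ipset=/netflix.com/nflxext.com/nflximg.com/nflxvideo.net/vpnbypass
ipset=/plex.tv/plexapp.com/vpnbypass
```

Two consequences follow from how this works. The set only receives addresses that the router's own dnsmasq resolves, so a client pointed at another resolver (the poster mentions Google DNS on the iPhone and TV) never populates it and its traffic is not matched by that rule. And the hotplug script destroys and recreates the set on every WAN ifup/ifupdate, after which entries only reappear as clients resolve those names again; "ipset list vpnbypass" shows what is currently in the set.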

OOPS, idiot mode selected. I misread: the range you identify is the range that should go through the VPN; everything else should stay as normal.

Sorry!

Haha, we all do it.
I don't want that approach; I want everything to default through the VPN and exempt one IP address.

My script does work and doesn't work, but it still triggers the Netflix proxy and I'm a few hours from cancelling my subscriptions.
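The up/down scripts posted earlier in the thread select by source address with "ip rule ... table vpn" and send a chosen /25 through the tunnel. The poster's stated goal is the inverse, everything through the VPN with one host exempted, plus, from an earlier post, "if there is no VPN nothing goes through". As an added example (not the thread's or NordVPN's script), here is one OpenVPN up/down script that does both: the whole LAN uses the vpn table by default, listed hosts are exempted with a higher-priority rule back to the main table, and on "down" the vpn table's default route becomes a blackhole so VPN-only hosts lose connectivity instead of leaking out of the WAN. It assumes the client config has route-nopull, route-noexec and script-security 2, that "vpn" is registered as a named table in /etc/iproute2/rt_tables, that the LAN is 192.168.1.0/24, that the exempt list is passed with "setenv EXEMPT_HOSTS ..." in the .conf, and that OpenVPN hands the tun device in $1 and the remote gateway in $5 and sets script_type to "up" or "down". DRY_RUN=1 prints the ip commands instead of running them.

```shell
#!/bin/sh
# Added example, not the thread's script: OpenVPN up/down script that routes
# the whole LAN through the tunnel, exempts listed hosts, and blackholes the
# VPN table when the tunnel drops (kill switch for the VPN-only hosts).
# In the client .conf:
#   route-nopull
#   route-noexec
#   script-security 2
#   setenv EXEMPT_HOSTS "192.168.1.50"
#   up   /etc/openvpn/vpn-select.sh
#   down /etc/openvpn/vpn-select.sh
# (paths and the exempt host are assumptions)

TABLE="vpn"                                   # named table in /etc/iproute2/rt_tables
LAN_NET="${LAN_NET:-192.168.1.0/24}"          # assumed LAN prefix

# run CMD...: execute, or print when DRY_RUN=1 so the rule set can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Rule priorities: 5 keeps destinations inside the LAN on the main table,
# 9 sends exempt hosts to the main table (WAN default route), 10 sends every
# other LAN source to the vpn table. EXEMPT_HOSTS is intentionally unquoted
# so a space-separated list splits into one rule per host.
add_rules() {
    run ip rule add to "$LAN_NET" priority 5 table main
    for host in ${EXEMPT_HOSTS:-}; do
        run ip rule add from "$host" priority 9 table main
    done
    run ip rule add from "$LAN_NET" priority 10 table "$TABLE"
}

del_rules() {
    run ip rule del from "$LAN_NET" priority 10 table "$TABLE"
    for host in ${EXEMPT_HOSTS:-}; do
        run ip rule del from "$host" priority 9 table main
    done
    run ip rule del to "$LAN_NET" priority 5 table main
}

# vpn_up DEV GW: install the tunnel default route in the vpn table (replacing
# any blackhole left by a previous "down") and the selection rules. Existing
# rules are deleted first so a reconnect never stacks duplicates.
vpn_up() {
    del_rules 2>/dev/null
    run ip route replace default via "$2" dev "$1" table "$TABLE"
    add_rules
    run ip route flush cache
}

# vpn_down: the rules stay in place and the vpn table's default becomes a
# blackhole, so LAN hosts that are not exempt get no route rather than
# falling back to the WAN default in the main table.
vpn_down() {
    run ip route replace blackhole default table "$TABLE"
    run ip route flush cache
}

# Dispatch only when OpenVPN invokes the script; nothing runs when sourced.
case "${script_type:-}" in
    up)   vpn_up "$1" "$5" ;;
    down) vpn_down ;;
esac
```

To check what a given host will actually do, ask the router for the route as seen from that source: "ip route get 1.1.1.1 from 192.168.1.50 iif br-lan" should name the WAN gateway for an exempt host and the tun device for any other LAN address; while the tunnel is down the latter returns a blackhole. NAT for the tun interface (the firewall zone the thread's screenshot showed) is separate and not covered by this script.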