Bypassing openvpn for Prime video on Android TV device
-
I am using pfSense 2.4.5-RELEASE-p1 with pfBlockerNG-devel 3.0.0_5.
Using a WAN interface and two LAN interfaces. Default all traffic is routed through an OpenVPN tunnel.
Recently started to use Prime video (Amazon) and discovered that it does not work via VPN. So searched for a solution and found pfBlockerNG. So did a setup of pfBlockerNG. Added 'https://ip-ranges.amazonaws.com/ip-ranges.json' via IPv4 Source Definitions. Created some aliases for the devices to stream Prime. Created new firewall rules for both LAN interfaces and added the aliases to the firewall rules as source, added the pfBlockerNG alias as destination and filled the gateway to use my WAN interface, instead of the OpenVPN interface.
All works fine for my 'regular' android devices. A phone and a tablet. Can watch Prime and no error about using a VPN. So traffic is routed via WAN and not via OpenVPN.
Now the part where I am lost. I also have an Nvidia Shield (v8.2.1), that is an Android TV device, and installed the Prime video app. When I start Prime video, then the Prime app is stuck at the message 'Internet connectivity problem'. As soon as I disable the firewall rule for bypassing OpenVPN and start the Prime app on the Nvidia Shield, the Prime app starts without the message 'Internet connectivity problem' and shows the start screen with movies and series. But of course, when selecting a movie or series, the error message is displayed that I am using a VPN.
I also added all Amazon AS entries I found from this site 'https://bgp.he.net/', but no luck.
Any help on how to proceed, is greatly appreciated.
-
@meridium You need to policy route the traffic from your streaming devices out your WAN connection, without using the OpenVPN tunnel connection.
You can do this by first creating static DHCP leases for the streaming devices. Then make an alias containing all the IP addresses for the streaming devices. Then, make an outbound NAT rule and a firewall rule on the LAN or LAN2 (you said you're using two LAN interfaces, so don't know which LAN these are sitting on) that specifically uses the WAN gateway of your ISP, not the OpenVPN gateway. Make sense?
pfblockerNG doesn't have anything to do with this particular problem you're having. It is typically used to keep hackers/attackers out of your internal machines, if you've got that traffic open to the internet in the first place.
So, long story short, you didn't need to install pfblockerNG, and can most likely remove it. Set up policy routing for your streaming devices and that should solve the "VPN errors" they are throwing at you.
Jeff
-
Jeff, first thank you for your reply.
I get the impression you only read the subject and not the body of my post.
You can do this by first creating static DHCP leases for the streaming devices. Then make an alias containing all the IP addresses for the streaming devices. Then, make an outbound NAT rule and a firewall rule on the LAN or LAN2 (you said you're using two LAN interfaces, so don't know which LAN these are sitting on) that specifically uses the WAN gateway of your ISP, not the OpenVPN gateway. Make sense?
Yep, makes perfect sense. And have done exactly that. As I have mentioned. Have devices on both LANs. And 'regular' Android devices are working fine. So Prime traffic is routed direct to WAN.
pfblockerNG doesn't have anything to do with this particular problem you're having. It is typically used to keep hackers/attackers out of your internal machines, if you've got that traffic open to the internet in the first place.
Sorry, but yes it does. Need pfBlockerNG to be able to route only Prime directed traffic direct to WAN. All other traffic from the streaming devices still need to go via OpenVPN.
Any other suggestions are welcome!
-
@meridium said in Bypassing openvpn for Prime video on Android TV device:
I am using pfSense 2.4.5-RELEASE-p1 with pfBlockerNG-devel 3.0.0_5.
You saw : pfBlockerNG v3.0.0_6 update ?
If you want pfBlockerNG to 'work' for some IP's, and not others, then this :
(future update) Add preliminary DNSBL Group Policy configuration that will globally bypass DNSBL for the defined LA
tells me that pfBlockerNG can't do what you want - for now. Policy routing 'some IP's' to have them using the WAN interface, and others using the OpenVPN interface, is done without using pfBlockerNG.
I've the impression this policy routing isn't set up correctly.
-
@gertjan said in Bypassing openvpn for Prime video on Android TV device:
You saw : pfBlockerNG v3.0.0_6 update ?
Saw that there is an update. But did not apply it yet.
If you want pfBlockerNG to 'work' for some IP's, and not others, then this :
(future update) Add preliminary DNSBL Group Policy configuration that will globally bypass DNSBL for the defined LA
tells me that pfBlockerNG can't do what you want - for now. Policy routing 'some IP's' to have them using the WAN interface, and others using the OpenVPN interface, is done without using pfBlockerNG.
I've the impression this policy routing isn't set up correctly.
Not sure if we are talking about the same thing here. I am not trying to circumvent IP's that are blocked by pfBlockerNG. I am only using pfBlockerNG to populate an alias with server addresses used by Prime video. And then using that alias on a firewall rule to bypass my OpenVPN tunnel. And mentioned, that it is working fine for my 'regular' Android devices, but not for my Android TV device. And looking if someone can point me in a direction what could be causing this.
Thx!
-
@meridium said in Bypassing openvpn for Prime video on Android TV device:
it is working fine for my 'regular' android devices, but not for my Android TV device
Two things come to mind that could cause that.
- Your rules for whatever reason are not being applied to the IP of your TV device.
- Your device is using some other DNS that resolves where it's trying to go to an IP other than what is in your alias. Or is using an IP directly that again is not listed in your rules to not use the VPN.
I would suggest a sniff of the traffic of this device's IP. So you can see exactly where it's trying to go, also should be able to see if using something other than your local DNS - but this could be via DoH or DoT? When you try and launch Prime video - what IPs is it trying to go to in your sniff? Are they not in your alias list of Prime video IPs, etc.
If you're sure your device is using your DNS and nothing else, validated via your sniff, etc. And only going to IPs that are in your alias. Then evaluate your rules to why they are not being applied like you think they should be.
Simpler solution to any or all of these sorts of problems - would be to just policy route the IP of your device out your normal wan.. Vs trying to only do that for prime video.
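The check suggested above (are the destinations seen in the sniff actually inside the pfBlockerNG alias?) can be scripted rather than eyeballed. The following is an added example, not code from the thread or from pfBlockerNG: it parses a constructed fragment in the layout of the ip-ranges.json feed, builds the alias from it, and reports which captured destination IPs fall outside it. The JSON entries and the captured addresses are made up (documentation ranges), and the RFC 1918 filter is an assumption that LAN-local traffic is not what you are trying to route out WAN.

```python
import ipaddress
import json

# Constructed sample in the layout of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The real feed has thousands of prefixes; these entries use documentation
# ranges and are made up for the example.
SAMPLE_IP_RANGES_JSON = """
{
  "syncToken": "0000000000",
  "createDate": "2020-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "CLOUDFRONT"},
    {"ip_prefix": "192.0.2.0/26", "region": "eu-west-1", "service": "EC2"}
  ]
}
"""

# Constructed sample of destination addresses as one would read them off a
# packet capture filtered on the streaming device's IP.
SAMPLE_SNIFFED_DESTINATIONS = [
    "203.0.113.77",    # inside 203.0.113.0/24
    "198.51.100.200",  # same /24 as a listed range, but outside the /25
    "192.0.2.10",      # inside 192.0.2.0/26
    "192.0.2.100",     # outside the /26
    "192.168.1.1",     # LAN-local (the firewall itself), never WAN-bound
]

# Assumption: traffic to RFC 1918 space is local and not subject to the bypass rule.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_alias(ip_ranges_json, services=None):
    """Turn the JSON feed into a list of networks, optionally keeping only
    the given AWS service tags (e.g. {"AMAZON", "CLOUDFRONT"})."""
    data = json.loads(ip_ranges_json)
    nets = []
    for entry in data["prefixes"]:
        if services is None or entry["service"] in services:
            nets.append(ipaddress.ip_network(entry["ip_prefix"]))
    return nets


def uncovered_destinations(destinations, alias_networks):
    """Return the non-local destinations that no alias network contains.
    Those flows do not match the bypass rule and follow the default route
    into the OpenVPN tunnel, which is where a 'you are using a VPN' error
    would come from."""
    missing = []
    for dst in destinations:
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in RFC1918):
            continue
        if not any(addr in net for net in alias_networks):
            missing.append(dst)
    return missing


if __name__ == "__main__":
    alias = load_alias(SAMPLE_IP_RANGES_JSON)
    print(f"alias has {len(alias)} networks")
    for dst in uncovered_destinations(SAMPLE_SNIFFED_DESTINATIONS, alias):
        print(f"{dst}: not in alias, will follow the default OpenVPN route")
```

With the real feed, restricting `services` to the tags you actually want in the alias shows how much of the captured traffic a narrower alias would miss; a destination that is listed here is the one to chase with a second capture on the WAN and OpenVPN interfaces.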
-
@johnpoz Been a while feeling as stupid as I feel now. Tried everything, including disabling pfBlockerNG, and found it had nothing to do with pfBlockerNG. Did a full bypass on the IP of the device and still no luck. After hours of looking at sniffing logs and trying several changes, I discovered... I once disabled one NAT mapping and exactly the one for LAN to the WAN interface. The mapping for LAN to the OpenVPN interface was enabled. I enabled the NAT mapping for LAN to the WAN interface and Prime video now works like a charm.
Sorry for the hassle and thank you for your time!
-
So you had messed with outbound nat? For why? Followed some stupid guide for vpn service that told you to do that?
There is normally little reason to ever take outbound nat out of auto, if you do want to do something with say policy route and nat something out a vpn.. Hybrid is better choice and just add the outbound nats you would need to use your vpn..
Glad you got it sorted.
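The root cause in this thread is a mismatch between a policy-route rule and outbound NAT: the rule pushed the device's traffic out WAN, but the only enabled outbound NAT for that LAN was on the OpenVPN interface, so packets left WAN with a private source address. The following is an added example, not pfSense code or its configuration schema: a small consistency check over a constructed model of the rules and NAT mappings that flags every policy-routed source whose egress interface has no enabled outbound NAT covering it. The interface names, subnets and device addresses are assumptions chosen to mirror the thread.

```python
import ipaddress

# Constructed model of the relevant objects. Field names are assumptions for
# this example, not pfSense's config.xml layout.
STREAMING_DEVICES = ["192.168.1.50", "192.168.2.60"]  # static DHCP leases (constructed)

# Policy-route firewall rules: traffic from a streaming device to the Prime
# alias is sent to the WAN gateway instead of the default OpenVPN route.
POLICY_RULES = [
    {"interface": "LAN",  "source": ["192.168.1.50"], "gateway_if": "WAN"},
    {"interface": "LAN2", "source": ["192.168.2.60"], "gateway_if": "WAN"},
]

# Outbound NAT mappings as described in the thread: the LAN -> WAN mapping
# had been disabled while LAN -> OpenVPN stayed enabled.
OUTBOUND_NAT = [
    {"interface": "WAN",     "source": "192.168.1.0/24", "enabled": False},
    {"interface": "WAN",     "source": "192.168.2.0/24", "enabled": True},
    {"interface": "OpenVPN", "source": "192.168.1.0/24", "enabled": True},
    {"interface": "OpenVPN", "source": "192.168.2.0/24", "enabled": True},
]


def has_outbound_nat(src_ip, egress_if, nat_mappings):
    """True if an enabled mapping on egress_if covers src_ip."""
    addr = ipaddress.ip_address(src_ip)
    return any(
        m["enabled"]
        and m["interface"] == egress_if
        and addr in ipaddress.ip_network(m["source"])
        for m in nat_mappings
    )


def rules_without_nat(policy_rules, nat_mappings):
    """Return (source_ip, egress_if) pairs that a policy-route rule sends out
    an interface with no enabled outbound NAT for that source. Such traffic
    leaves with an RFC 1918 source address and never gets a reply, which
    presents in the app as a generic connectivity error."""
    missing = []
    for rule in policy_rules:
        for src in rule["source"]:
            if not has_outbound_nat(src, rule["gateway_if"], nat_mappings):
                missing.append((src, rule["gateway_if"]))
    return missing


if __name__ == "__main__":
    for src, egress in rules_without_nat(POLICY_RULES, OUTBOUND_NAT):
        print(f"{src} is policy-routed out {egress} but has no enabled outbound NAT there")
```

Running this against the constructed data flags only the LAN device; enabling the LAN -> WAN mapping (or, as suggested above, leaving outbound NAT in automatic or hybrid mode so the WAN mappings are generated for you) makes the check come back empty.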
-
@johnpoz A left over thing from the time pfsense was new to me. Wanted to be sure no traffic was going out over WAN.
Thx.