Need your help will pay 20$: PIA on pfsense Netflix detects proxy



  • Title says it all. I need a step by step with pictures and links. Will Paypal 20$ US if it will work.

    thanks



  • to be specific, the vpn must be ON the whole time. i dont need the method where you assign a static ip to the device and route it through WAN (which is what i have rn)



  • Well,
    If the WAN IP that was assigned to you by your VPN is on "the list" then there is no work around possible.
    "The list" is a list that Netflix uses, they don't like VPN's.


  • LAYER 8 Global Moderator

    Geo circumvention via known vpn providers is always going to be a whack-a-mole game.



  • @asphalt3 I've tried dozens of providers and the one I've found out to be rock-solid, no need to change is Windscribe. They have these WINDFLIX (a play on "Netflix", I think) set of servers (i.e; cluster) that they manage themselves and they're on top of it all the time hence it never needs changing. They will also allow you unlimited connections.

    The downside is that the service is pretty slow, about 60Mbps max. It's manageable if you connect to several servers at once, but they'd need to be from different locations which would create issues and you'd still wouldn't get the maximum available from your ISP, you'd effectively have tunneled multi-WAN.

    I got it because it came in a newsletter promo at USD20 for 3 years, I don't use it because I have a faster provider but the tunnel's been up for ages just waiting. :)

    As for the tunnel setup, you have to get an OpenVPN config file from your provider sounds like a pain but most of them have it pretty easy to get in their manual configuration section or something similar to that, open the file with a text editor copy the CA from it beginning on (and containing) the line "-----BEGIN CERTIFICATE-----" up to "-----END CERTIFICATE-----" and add it to pfSense's CAs so you can select it in the OpenVPN client config later you can name it whatever you want, I usually paste it into a blank text document** and save them as whatever.pem so you can open it as a certificate and your OS will show you its information but it's completely not necessary. Afterwards create a new config in VPN>OpenVPN>Clients.

    Look in your config file for a section like the CA before, but this should say "-----BEGIN OpenVPN Static key V1-----" and end in "-----END OpenVPN Static key V1-----" and copy it if it exists, it might not be there depending on your provider. Uncheck "Automatically generate a TLS Key" so the box to input it appears.
    Screen Shot 2019-08-25 at 06.55.05.png

    Then move all the way up and trust your gut matching what's on the config file to what's available on pfSense. Not every setting must be set, actually most of them aren't. Each setting has its own line on the config file, if some don't make sense they go all the way down in the advanced box. All providers have a "no-bind" line which is supposed to go in the advanced box but I've found that this setting prevents the tunnels to be brought up. After you're done save it and click the tiny bar graph still on the OpenVPN section:

    Screen_Shot_2019-08-25_at_06_59_50.png

    It'll take you to the tunnel status, if it's up you should see green checkmarks. It should be up before you even get there, it's pretty fast generally. If it's not still on the OpenVPN section click on the log icon, between the bar graph icon and the question mark icon, this will tell you what up and why didn't it come up, you can go to settings on that screen and increase the log display to something like 500 and invert the order so you can make sense of it faster.

    When you finally manage to get your tunnel up, pfSense will keep it up all the time, you won't need to worry about it. You're not done though.

    Go to Interfaces>Assignments and on the last row select your OpenVPN client (if you attempted configuring one before and you don't know which is the right one, add a description to it VPN>OpenVPN>Clients>[edit]>Description>[save]). When you add the new interface, click its name, it should say something like OPT1,OPT2,etc change the name if you want and enable it by checking the box.

    At this point pages will start to load excruciatingly slow, you'll want to kill yourself. That's because dpinger, a pfSense process that pings gateways is not getting an answer, therefore everything else suffers. I don't know why. You can speed things up by going into pfSense, pressing the 8 key for the shell, and typing "killall dpinger". It will recover automatically after a few changes, don't worry. You might actually have to do it over and over because it recovers.

    Your provider gives you one IP address per tunnel, even though both sides are likely to be non-routable IP ranges, since the provider is acting like an ISP they don't know what you do with it or what's behind it (i.e; what network range) so you must perform NAT on it (I wish someone would've explained it like that to me when I was first learning). Go to Firewall>NAT>Outbound. Set it to either hybrid or manual, your current config will be automatically added as individual rules if you set it to manual, so you won't be offline just yet--Oh yeah, I should've begun with "before you begin, make a backup of your system..." my bad!

    Then allow OpenVPN traffic, Firewall>Rules>OpenVPN>Add a free for all type of rule here, on protocol IPv4, which is not recommended but it'll get you there faster. These tab is like a limbo zone where all other OpenVPN clients and servers pass through before they make it to their own tabs...or something like that. Otherwise known as Group Interface. Usually you don't want to mess with these until you're pretty advanced as a user or network admin, I'm not there yet myself :).

    By now your system should be ready to redirect traffic, if I didn't forget anything, I'm sure someone will point it out. Go to Firewall>Rules> and select your main interface, usually "LAN" or do this for the interfaces you want to use the tunnel; edit the existing any to any rule go into its advanced section and change the gateway to the interface name of your OpenVPN client. Save it and you're done.

    You might need to add a rule before (above) the existing any-to-any rule you edited just now, but with destination to your pfSense box (interface address) and without a gateway set if you are using services on pfSense such as FreeRADIUS, DNS or whatever, otherwise the packets will be sent right out to your VPN service provider and discarded since they won't know what to do with them.

    https://www.netgate.com/resources/ <- Look for OpenVPN

    ** Use Notepad or Notepad++ on Windows. On macOS use TextWrangler or TextEdit but press Shift+Command+T to make it plain text.



  • @Gertjan well i change the gateway to WAN instead of default which is for the VPN when I do the static ip bullshit



  • @johnpoz @z71prix said in Alarming WAN Leaking using fast.com (Resolved):

    Thank you KOM for trying. Really strange that everything on mine seems to be working other than a few sites seeing my real IP. I'll provide details. I followed these instructions. https://nordvpn.com/tutorials/pfsense/pfsense-openvpn/

    Disregard looks like it's ok after all. fast.com uses netflix servers. I have netflix passed through VPN. Also www.myipaddress.com uses amazon servers, I allow amazon to pass. Looks like everything is ok. Thank you

    seems like this guy was able to do it



  • @skilledinept Unfortunately Ive already payed for PIA and have gigabyte internet Thanks for your answer tho



  • @asphalt3:

    What @Gertjan and @johnpoz are trying to say is Netflix hates VPN providers (in a manner of speaking). They are constantly searching for VPN provider IP network blocks and then blacklisting those IP addresses from using the Netflix service. Netflix does this because they have contractual obligations for the content they stream that prohibit certain content from being shown in particular geographical areas. They know some users attempt using a VPN service to get around this contractual obligation that Netflix has. Should Netflix turn a blind eye to this circumvention attempt, the folks they buy content from will either stop selling to Netflix or might even sue them. Thus Netflix has a team whose mission is to identify VPN network providers and block them, and thus their customers, from accessing Netflix content. Other streaming providers do the same.

    So whether or not Netflix works for your VPN setup is mainly dependent on two things. First, has Netflix found the VPN exit node IP subnet for your provider (or more specifically, for the particular exit node your provider has assigned to you)? If the answer is "yes", then Netflix is blocked for you when using the VPN. And that leads to the second dependency. You would need a subscription to a VPN provider who was willing to continue playing the whack-a-mole game with Netflix by swapping around the various exit node IP networks they assign to their users. However, in the end, even this is a losing game as eventually Netflix will find all of the provider's networks and block them.

    So you might have your Netflix never work from the start, work fine for some period of time and then break, or if you have a provider such as user @skilledinept mentioned that actively seeks to counter moves by Netflix to block access, then your Netflix will work a while, fail, then start working again for some time, fail ... and rinse and repeat. However, it is likely to eventually fail for good once Netflix finds all of the VPN provider's IP networks.

    So the best thing to do is use policy routing on pfSense and route your traffic from streaming appliances to your normal WAN gateway (the one your ISP gives you) and bypass the VPN for streaming traffic. There are several ways to do this. Search this forum and you will find those suggestions. I know you said you didn't want to do that, but it really is the best way to have dependable streaming.



  • Just wondering if anyone has tried using their own VPN from a VPS like linode, AWS or similar?



  • datacenter IP ranges are usually blocked by Netflix as well IME.



  • I subscribe to a few service providers that advertise Netflix working over their service, and it does work using their app.

    Over pfsense it does not.

    Best luck, I use the over wan method



  • i use expressvpn and work great for netflix install on pfsense box



  • @yepitro1986 unfortunately cant cancel my PIA subscription.

    BUMP



  • https://www.reddit.com/r/PFSENSE/comments/4lcfdf/netflix_to_wan_not_opt1vpn/d3mgta4/

    This guy got it and it works for me too. I'm not sure how his second approach works; I only did the first.

    On the same computer, I am now able to go to ipchicken.com and see my VPN IP address but Prime Videos doesn't give me a VPN warning anymore.

    It's somewhat related to: https://forum.netgate.com/topic/96559/routing-netflix-through-wan-and-else-through-vpn/4


  • LAYER 8 Global Moderator

    He is just policy routing, he routes netflix/amazon out his normal wan and other traffic out his vpn.. Duh! Nobody ever said this wouldn't work.. That is how normally do it, netflix not going to block your normal wan IP - they block vpns..



  • @johnpoz said in Need your help will pay 20$: PIA on pfsense Netflix detects proxy:

    He is just policy routing, he routes netflix/amazon out his normal wan and other traffic out his vpn.. Duh! Nobody ever said this wouldn't work.. That is how normally do it, netflix not going to block your normal wan IP - they block vpns..

    Guess I misunderstood the ask. I thought he wanted to use his ISP for Netflix and everything else over VPN.


  • LAYER 8 Global Moderator

    That what we are suggesting he do ;)

    He hasn't been back. bmeeks suggested he just policy route some 22 days ago.


  • LAYER 8 Moderator

    Also if he insists on his PIA account he paid for (and obviously didn't read the other posts telling him it won't work unless PIA has a network Netflix didn't already block), then he'll be stuck with his problem. 🤷



  • @JeGr said in Need your help will pay 20$: PIA on pfsense Netflix detects proxy:

    Also if he insists on his PIA account he paid for (and obviously didn't read the other posts telling him it won't work unless PIA has a network Netflix didn't already block), then he'll be stuck with his problem. 🤷

    Well I don’t wanna compromise my gigabyte speed using a slower vpn neither lose money on a vpn I already purchased before starting this thread



  • @MrLinux said in Need your help will pay 20$: PIA on pfsense Netflix detects proxy:

    https://www.reddit.com/r/PFSENSE/comments/4lcfdf/netflix_to_wan_not_opt1vpn/d3mgta4/

    This guy got it and it works for me too. I'm not sure how his second approach works; I only did the first.

    On the same computer, I am now able to go to ipchicken.com and see my VPN IP address but Prime Videos doesn't give me a VPN warning anymore.

    It's somewhat related to: https://forum.netgate.com/topic/96559/routing-netflix-through-wan-and-else-through-vpn/4

    Thanks will try that again maybe this one will help.


  • LAYER 8 Moderator

    @asphalt3 said in Need your help will pay 20$: PIA on pfsense Netflix detects proxy:

    Well I don’t wanna compromise my gigabyte speed using a slower vpn neither lose money on a vpn I already purchased before starting this thread

    Understandable, but if Netflix has anything from PIA listed it is pretty much useless for your usecase in running Netflix over it. That's just the way it is with Geo- and VPN-Blocking. Either you exclude Netflix/AWS/Amazon things from the VPN or you (mostly) get blocked for using a VPN. Nothing we can do about that if you don't want to either switch VPNs nor run Netflix "unencrypted" via your normal WAN.


  • LAYER 8 Global Moderator

    You can use whatever vpn want for your vpn stuff, but for netflix you just route that out your normal wan, without vpn... Which is what he linked too, and what brought up 22 days ago.. Policy Routing..

    If you insist on sending your netflix traffic through your vpn then its going to be wack-a-mole.. It may work, it may not - as soon as they block that vpn it will stop, etc. etc.



  • Netflix over a blocked - by Netflix - VPN can be made working ....

    The concession will be : look out for a second VPN that is accepted by Netflix - or run your own on a VPS or something like that. Or : run a VPN server at your neighbours house ^^

    Now, you must be willing to hook up your TV set - using a HDMI - to your PC - or use the Window 10 trick : stream your PC image to your TV set.

    Initial setup : pfSense tunnels everything - your entire LAN - through your initial VPN service.
    From your PC : before looking Netflix, launch a VPN to your own VPN server, the one that Netflix accepts. Throw the image on your TV set.
    You created a tunnel in a tunnel !
    This works !
    ( I tested it ones )

    Netflix works now .... but your new problem might be the black helicopters over your house. There are agencies that get nervous when you make tunnels in tunnels ... (darknet etc).



  • @JeGr said in Need your help will pay 20$: PIA on pfsense Netflix detects proxy:

    @asphalt3 said in Need your help will pay 20$: PIA on pfsense Netflix detects proxy:

    Well I don’t wanna compromise my gigabyte speed using a slower vpn neither lose money on a vpn I already purchased before starting this thread

    Understandable, but if Netflix has anything from PIA listed it is pretty much useless for your usecase in running Netflix over it. That's just the way it is with Geo- and VPN-Blocking. Either you exclude Netflix/AWS/Amazon things from the VPN or you (mostly) get blocked for using a VPN. Nothing we can do about that if you don't want to either switch VPNs nor run Netflix "unencrypted" via your normal WAN.

    That’s exactly what I want to do “exclude Netflix/AWS/Amazon ” maybe I wasn’t clear



  • @johnpoz said in Need your help will pay 20$: PIA on pfsense Netflix detects proxy:

    You can use whatever vpn want for your vpn stuff, but for netflix you just route that out your normal wan, without vpn... Which is what he linked too, and what brought up 22 days ago.. Policy Routing..

    If you insist on sending your netflix traffic through your vpn then its going to be wack-a-mole.. It may work, it may not - as soon as they block that vpn it will stop, etc. etc.

    What do you mean by “route that out your normal wan”? Right now I’ve assigned a static ip to my smart tv that I route through wan. I am not sure to understand what you’re saying. You mean that by using policy routing there’s another way around... I don’t understand



  • @asphalt3 said in Need your help will pay 20$: PIA on pfsense Netflix detects proxy:

    @johnpoz said in Need your help will pay 20$: PIA on pfsense Netflix detects proxy:

    You can use whatever vpn want for your vpn stuff, but for netflix you just route that out your normal wan, without vpn... Which is what he linked too, and what brought up 22 days ago.. Policy Routing..

    If you insist on sending your netflix traffic through your vpn then its going to be wack-a-mole.. It may work, it may not - as soon as they block that vpn it will stop, etc. etc.

    What do you mean by “route that out your normal wan”? Right now I’ve assigned a static ip to my smart tv that I route through wan. I am not sure to understand what you’re saying. You mean that by using policy routing there’s another way around... I don’t understand

    That is a policy-based rule. It selects an outbound gateway using conditions defined in the rule. In your case, you have a static IP assigned to your Smart TV, and when the rule detects traffic from your Smart TV outbound to the Internet that matches the ports/protocols you may have specified, the rule triggers and routes the traffic out the normal WAN interface instead of out on the VPN.

    You have two options for handling how you route. You can assign static IP addresses to your streaming devices that you want to use for Netflix and then use your existing policy-based rule. The other option is to create an alias containing all the known IP addresses for the CDN that make up the Netflix distribution chain. The pfBlockerNG package helps with that because it can download lists of IP addresses and maintain the aliases for you. The only difference in this case is that your policy rule would change so the source IP was "any" instead of your assigned Smart TV static IPS and the destination IP would be the alias (or aliases) containing all the CDN IP addresses for Netflix.

    I personally would recommend the option you are already using with static IP addresses for your streaming devices. That alias option is going to have hiccups because the list of CDN (content distribution network) IP addresses is ever-changing. Sometimes the third-party maintainer of those free IP lists falls behind on updates. If that happens and your alias containing all the Netflix CDN IP addresses gets out of date, then Netflix could get erroneously routed out via your VPN (because the destination IP that a client looked up via DNS happened to not match any of the IPs in the "Netflix Alias" configured in pfBlockerNG).



  • @bmeeks
    Hi
    I had a similar problem and I had to separate the traffic of Netflix on the streaming device (Apple TV) from all other traffic and to put it on my desired direction.
    Because the ip addresses of the servers Netflix is constantly changing (and a lot of them) , I have created a module in PFSense+Netgraph+parser DNS responses (written in C)
    Now I can catch all dns responses that have text Netflix, nflxvideo or nflxso ,and put the ip addresses of these responses in the table PF .
    And with the help of this table and PBR send the traffic where I need to go
    It looks like this (the part of the log)

    Sep 17 13:46:18 daemon started
      Found file /usr/local/tmp/dns_parser/ip.db, restore table netflix_ip 
      Successfully restored 291 ip-addresses
    Sep 17 13:50:39 Get DNS response for server: cast-uiboot.prod.http1.netflix.coM
      Alias name(CNAME):  prod.http1.geo.netflix.coM
      Alias name(CNAME):  prod.http1.eu-west-1.prodaa.netflix.coM
      Domain name(ANAME):  prod.http1.eu-west-1.prodaa.netflix.coM
       IP address 34.252.211.92 will be added to table
      Domain name(ANAME):  prod.http1.eu-west-1.prodaa.netflix.coM
       IP address 52.17.137.54 will be added to table
      Domain name(ANAME):  prod.http1.eu-west-1.prodaa.netflix.coM
       IP address 52.214.57.81 will be added to table
      Domain name(ANAME):  prod.http1.eu-west-1.prodaa.netflix.coM
       IP address 52.214.167.17 will be added to table
      Domain name(ANAME):  prod.http1.eu-west-1.prodaa.netflix.coM
       IP address 54.77.61.253 will be added to table
      Domain name(ANAME):  prod.http1.eu-west-1.prodaa.netflix.coM
       IP address 34.242.54.142 will be added to table
      Domain name(ANAME):  prod.http1.eu-west-1.prodaa.netflix.coM
       IP address 34.251.119.18 will be added to table
      Domain name(ANAME):  prod.http1.eu-west-1.prodaa.netflix.coM
       IP address 34.251.249.50 will be added to table
      Total ip addresses to add 8, Succefully added 8 ip addresses  to table netflix_ip
    Sep 17 13:50:40 Get DNS response for server: occ-0-38-2773.1.nflxso.neT
      Domain name(ANAME):  occ-0-38-2773.1.nflxso.neT
       IP address 23.246.26.150 will be added to table
      Domain name(ANAME):  occ-0-38-2773.1.nflxso.neT
       IP address 23.246.26.157 will be added to table
      Total ip addresses to add 2, Succefully added 2 ip addresses  to table netflix_ip
    Sep 17 13:50:45 Get DNS response for server: ipv4-c079-arn001-ix.1.oca.nflxvideo.neT
      Domain name(ANAME):  ipv4-c079-arn001-ix.1.oca.nflxvideo.neT
       IP address 23.246.26.156 will be added to table
    Total ip addresses to add 1, Succefully added 1 ip addresses  to table netflix_ip
    

    This part of the table and rule for it

    fe13e8b4-a41b-4fc7-bd84-3f1ca7939189-image.png

    c03dd3b6-2df5-4990-a0ad-16215fdb24fe-image.png
    a774230e-4d31-4a39-b7d3-db8acec2fea1-image.png


  • LAYER 8 Moderator

    One can also use pfBlockerNG for that. Import the Netflix AS delegations etc. and put that into an IP alias. Some of our customers are doing it like that without much problems. Netflix + AWS AS and a few minor IPs and you have a pretty solid working base.



  • @Konstanti:

    Yes, there are a couple of different ways to "skin this cat" so to speak. My personal preference would be either static IP addresses (or DHCP reservations) for my streaming devices. But using an IP list containing the Netflix or Amazon or Hulu, etc., IP addresses can work as well. I just know that from time to time those IP addresses are likely to change, and your streaming connection might hiccup if the destination IP the client obtained from its DNS lookup did not match an IP in your streaming provider alias list. That would then result in your streaming client being routed out via the VPN tunnel instead of your normal WAN IP and thus getting blocked.

    Of course it is a hassle to assign static IP addresses, and especially so for "roaming" devices such as say your grandkids mobile devices (if you have grandchildren yet) or the mobile devices of other guests in your home. So I can definitely see the appeal of using the CDN list concept via pfBlockerNG or rolling your own solution.

    In the end, though, I admit to being a huge non-fan of VPNs. I see them as required for only two scenarios: (1) to connect remote offices together into a company-wide LAN or (2) for secure remote access into my own LAN. I'm not a fan of the whole "privacy" thing so much. First of all, as has been stated here many times, you really have no meaningful guarantee of privacy from some of these VPN providers. Most certainly if you are doing something shady or patently illegal behind a VPN you don't have the protection you think you do. A subpoena or search warrant from a government law enforcement agency carries a lot of weight, and just about any VPN provider would cave (especially if they are located within your country of residence). Finally, for what little benefit you may convince yourself you are getting by hiding your web traffic behind a VPN, you also get a good bit of PITA (pain in the a**). Just do a search here on the pfSense forums for "vpn" and see how many folks have issues connecting to various services. You will find that most of the time the cause turns out to be their VPN configuration. In fact, just look at the origin of this very thread. The OP was having streaming issues trying to use the VPN.


  • LAYER 8 Global Moderator

    static is not all that hard, just set a reservation - once this mobile client has connected once.. Just set reservation for it from the dhcp lease listing, just click the little button and assign it an IP.. Next time it gets IP from dhcp it would get the reserved one..

    edit: Isn't that what PIA vpn name stands for? Pain In Ass ;) hehehehe



  • @johnpoz said in Need your help will pay 20$: PIA on pfsense Netflix detects proxy:

    static is not all that hard, just set a reservation - once this mobile client has connected once.. Just set reservation for it from the dhcp lease listing, just click the little button and assign it an IP.. Next time it gets IP from dhcp it would get the reserved one..

    edit: Isn't that what PIA stands for? Pain In Ass ;) hehehehe

    Probably need to edit my acronymn to be PITA instead... ☺ . Still only one coffee down the hatch this morning ...

    And by "hassle" I mean you have to login to the firewall, find the device's MAC and set the IP and reservation. True you won't have to repeat that again, though. I was mainly referring to that first time encounter with a particular device. It's difficult to concentrate on getting the static IP and reservation set up with a panicked 4 year-old in your ear who's "Dora the Explorer" show won't play on the iPad ... 😁 .



  • @bmeeks
    My program updates the list of ip addresses of servers netflix dynamically based on the responses of the DNS server , and the list is constantly increasing in size . So at the moment I have ensured that I was able to split the traffic HBO and AMAZON PRIME traffic from NETFLIX on the same device.And the program is quite stable for 2 weeks.
    I use VPN because HBO doesn't work in Russia , and I want to watch it )))



  • @Konstanti said in Need your help will pay 20$: PIA on pfsense Netflix detects proxy:

    @bmeeks
    My program updates the list of ip addresses of servers netflix dynamically based on the responses of the DNS server , and the list is constantly increasing in size . So at the moment I have ensured that I was able to split the traffic HBO and AMAZON PRIME traffic from NETFLIX on the same device.And the program is quite stable for 2 weeks.
    I use VPN because HBO doesn't work in Russia , and I want to watch it )))

    Your situation is a bit different. You are then, in fact, using the VPN to bypass HBO's geo-restriction policy.


  • LAYER 8 Global Moderator

    @Konstanti said in Need your help will pay 20$: PIA on pfsense Netflix detects proxy:

    I use VPN because HBO doesn't work in Russia , and I want to watch it )))

    Well that is the actual real reason for vpn's as we all well know, circumvention of geo restrictions.. Not that silly nonsense about any sort of privacy ;)


Log in to reply