Whitelist Amazon AWS servers for those using VPN gateway (Netflix and others)



  • Hey guys, I use PIA as a gateway in my router to protect all my devices on my network, regardless of whether it's a phone, laptop, game console, etc…

    Anyways, I was just hit with the "Disable Proxy" message with Netflix, even though I am based in the US using a US VPN server. So I did some research and got the full list of Amazon AWS servers. I filtered just the US servers, but will also provide the global list for those looking to access their regional content without having to disable the entire VPN gateway or bypassing single devices to the default gateway with a rule.

    I bulk imported this list as an Alias and made a rule on LAN with the Alias as the destination to route through my default (ISP) gateway. Once applied, I could start watching Netflix again, without any additional rules! Hopefully this helps others using VPNs as a gateway.

    Hope this helps others!

    EDIT: I didn't realize that I had another Alias that contained Netflix-owned subnets when I tried fiddling with this at an earlier time. I have included that list in a zip file containing the Amazon lists also. You will need to add the Netflix IPs in addition to whichever Amazon Alias you create for this to work properly. You can download the zip containing all lists here: https://drive.google.com/file/d/0B2CkAYamWXnjazA0Z0k5WDBpNFk/view?usp=sharing

    The Netflix list contains MOST of the public subnets I could find. I didn't restrict it to just my region, so I hope it will work for most. But if you still have issues, there might be an additional subnet that you need to whitelist due to your region. If this is the case, Wireshark capture your NIC while loading up Netflix, and filter the results by Protocol. Find all DNS requests and whitelist the "Answer" IPs after the Netflix domain requests. Pretty easy to do if you're at all familiar with Wireshark. If anyone needs help with that, let me know!

    EDIT 2: I have been updating the Reddit X-post a little more often, which also has an additional link for a larger set of Netflix IPs in case anyone is still having issues. - https://www.reddit.com/r/PFSENSE/comments/48prww/amazon_aws_whitelist_using_vpn_gateway_for/
    AmazonAWS_US_MinusGovernment.txt
    AmazonAWS_Global.txt
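The lists attached above are snapshots and go stale as AWS adds prefixes. An added example (not the original poster's script or the contents of the zip) showing how such an alias list can be regenerated from AWS's published ip-ranges.json (https://ip-ranges.amazonaws.com/ip-ranges.json): filter by region (US minus the us-gov-* regions, or everything for a global list), merge in a separate set of Netflix-owned subnets as the EDIT says is needed, collapse overlapping prefixes, and write one CIDR per line for the alias import. The JSON embedded in the script is a constructed excerpt in the real file's shape using documentation-range addresses, not AWS data; the `extra` CIDRs are placeholders for whatever Netflix list you maintain.

```python
"""Regenerate a pfSense network alias from AWS ip-ranges.json.

Added example, not code from the original post. The document below is a
constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
(documentation addresses, not real AWS prefixes).
"""
import ipaddress
import json

# Constructed stand-in for ip-ranges.json (same keys, fake data).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2016-03-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-gov-west-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.128/25", "region": "us-west-2", "service": "CLOUDFRONT"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "AMAZON"},
    ],
})


def load_prefixes(text):
    """Yield (IPv4 network, region) for each entry under "prefixes".

    Only the IPv4 section is read: the alias is matched by an IPv4 rule, and
    ipaddress.collapse_addresses() refuses to mix address families anyway.
    """
    data = json.loads(text)
    for entry in data["prefixes"]:
        yield ipaddress.ip_network(entry["ip_prefix"]), entry["region"]


def us_non_gov(region):
    """Region predicate for a 'US minus government' list: us-* but not us-gov-*."""
    return region.startswith("us-") and not region.startswith("us-gov-")


def build_alias(text, keep_region=lambda region: True, extra=()):
    """Return a sorted, de-duplicated list of CIDR strings for one alias.

    extra: additional CIDRs (e.g. the Netflix-owned subnets the post says must be
    added) merged into the same alias so a single LAN rule covers both.
    Overlapping entries (EC2 ranges nested inside the AMAZON range, a more
    specific prefix in another region) are collapsed to keep the table small.
    """
    nets = [net for net, region in load_prefixes(text) if keep_region(region)]
    nets += [ipaddress.ip_network(cidr) for cidr in extra]
    return [str(net) for net in ipaddress.collapse_addresses(nets)]


def write_alias_file(path, cidrs):
    """One CIDR per line, the form the alias bulk import takes."""
    with open(path, "w") as fh:
        fh.write("\n".join(cidrs) + "\n")


if __name__ == "__main__":
    # In practice: text = urllib.request.urlopen(AWS_URL).read().decode()
    us_list = build_alias(SAMPLE_IP_RANGES, us_non_gov)
    global_list = build_alias(SAMPLE_IP_RANGES)
    write_alias_file("AmazonAWS_US_MinusGovernment.txt", us_list)
    write_alias_file("AmazonAWS_Global.txt", global_list)
    print(us_list, global_list)
```

Run it on a schedule and re-import, since the filtered AWS list changes whenever AWS publishes a new syncToken; a bypass rule built on a months-old snapshot is the usual reason the "Disable Proxy" message comes back.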



  • Thanks for this, man. I've been killing myself trying to find a list of hostnames to build a bypass like I did for Hulu. It worked with a list of 24 hostnames, but I could never find a comprehensive list for Netflix.



  • Thank you for this! I am still a little confused… I don't currently have PIA because I had to cancel it because of Netflix. But how does this work? The way I had it set up before was with this guide: https://www.privateinternetaccess.com/forum/discussion/18111/openvpn-step-by-step-setup-for-pfsense-firewall-router-with-video. Would this still work? Isn't it just routing everything from the WAN to the VPN?

    Thanks,
    Maxamus456



  • knight26: Glad I could help!!

    maxamus456: The link you provided is the same setup I followed initially when I first got everything configured. It's important to follow the instructions to the T if you want to be sure that you have it configured properly, without a chance of "leakage". After you've got your VPN configured properly as a gateway, you would then disable your default LAN rule, and configure a new one while specifying the VPN gateway (in advanced options at the bottom) under the new (VPN) Allow-All rule. You can then work on white-listing services. In the case of this post, Amazon AWS services along with Netflix. If you need further help, hop on over to the Reddit X-Post, I'm a bit more active there than I am here.



  • Thanks much for making the list! FQDNs weren't going to cut it this time like they would with something like Hulu; saved me a ton of time.



  • I've been trying for days and still can't get this to work. So far I have 500+ CIDR entries from pfBlocker and it still didn't work. Anyone have any idea?



  • Update:

    Can't get this to work, at least in Canada; there seem to be more and more AS numbers added to their content delivery. I've found these so far but I'm not sure if they're 100% from Netflix.

    AS14618
    AS2906
    AS209
    AS16509
    AS4804

    Still can't stream. This is ridiculous, I think I will cancel Netflix at this point because I'm going over the top just to protect my privacy. pfBlocker populated 17825 CIDR entries for this and I still can't stream.



  • Sorry to bump this up again but I've been having issues and can't seem to whitelist Netflix effectively. I've loaded the latest AWS and Netflix lists I can find from the original Reddit thread but no dice. Am I missing something?



  • If you are in Canada, specifically on Bell Aliant, you also need to allow the following:

    ntflxhfns[0-9].bellaliant.net
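Both the Wireshark step in the first post (whitelist the "Answer" IPs that come back for the Netflix domain requests) and the Bell Aliant cache names in the post above come down to the same job: pull A-record answers out of DNS replies for a set of hostname patterns and turn them into alias entries. An added example, not code from either poster, that does this on the raw DNS payloads. The replies it parses are constructed inline with documentation addresses; in practice you would feed it the UDP payloads of the responses from a capture taken while Netflix loads. The CNAME handling matters because Netflix names usually resolve through a CNAME to a CDN host, and it is that final A record that the rule has to match.

```python
"""Extract the answer IPs from DNS replies for watched hostnames.

Added example, not from the original thread. SAMPLE_RESPONSES are constructed
DNS messages (documentation addresses), not a real capture.
"""
import ipaddress
import re
import struct

# Hostnames the thread says must bypass the VPN: Netflix's own domain and the
# Bell Aliant cache names ntflxhfns[0-9].bellaliant.net.
WATCH = [re.compile(r"(^|\.)netflix\.com$"),
         re.compile(r"^ntflxhfns[0-9]\.bellaliant\.net$")]

TYPE_A, TYPE_CNAME = 1, 5


def _read_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                          # resume after the pointer
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if jumped else off)


def extract_answers(msg):
    """Return {queried name: [IPv4, ...]} from one DNS response payload.

    CNAME records are followed so that an A record for a CDN hostname is
    attributed to the Netflix name the client actually asked for.
    """
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:                             # QR bit: responses only
        return {}
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    alias_of, addrs = {}, {}
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata_off = off
        off += rdlen
        if rtype == TYPE_CNAME:
            alias_of[_read_name(msg, rdata_off)[0]] = name
        elif rtype == TYPE_A:
            ip = str(ipaddress.IPv4Address(msg[rdata_off:rdata_off + 4]))
            addrs.setdefault(name, []).append(ip)
    result = {}
    for owner, ips in addrs.items():
        while owner in alias_of:                       # walk back up the CNAME chain
            owner = alias_of[owner]
        result.setdefault(owner, []).extend(ips)
    return result


def whitelist_ips(payloads, patterns=WATCH):
    """Sorted, unique IPs answering watched names across many responses."""
    ips = set()
    for payload in payloads:
        for qname, found in extract_answers(payload).items():
            if any(pat.search(qname) for pat in patterns):
                ips.update(found)
    return sorted(ips, key=ipaddress.IPv4Address)


# --- constructed sample replies (encoder only used to build the samples) ---
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"


def _rr(owner, rtype, rdata):
    return owner + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata


def build_response(qname, answers):
    """Standard-format reply: header, one A question, then the given RRs."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    return hdr + _name(qname) + struct.pack("!HH", TYPE_A, 1) + b"".join(
        _rr(o, t, r) for o, t, r in answers)


QNAME_PTR = b"\xc0\x0c"   # pointer to the question name at offset 12
SAMPLE_RESPONSES = [
    # www.netflix.com CNAME cdn.example.net, then A for cdn.example.net; the A
    # owner is a pointer to the CNAME rdata, which starts at offset 45.
    build_response("www.netflix.com", [
        (QNAME_PTR, TYPE_CNAME, _name("cdn.example.net")),
        (b"\xc0\x2d", TYPE_A, ipaddress.IPv4Address("203.0.113.10").packed)]),
    build_response("ntflxhfns1.bellaliant.net", [
        (QNAME_PTR, TYPE_A, ipaddress.IPv4Address("198.51.100.7").packed)]),
    build_response("www.example.com", [
        (QNAME_PTR, TYPE_A, ipaddress.IPv4Address("192.0.2.1").packed)]),
]

if __name__ == "__main__":
    print("\n".join(whitelist_ips(SAMPLE_RESPONSES)))
```

Whitelisting single answer IPs this way is a moving target, since the CDN answers change by region and over time; the more durable approach is the one the thread ends up at, which is to take the /24 or larger block each answer falls in (or the whole AS, as the later posts do) rather than the individual host.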



  • I know this is an old thread, but I still wanted to check.
    Does anyone have a whitelist for the Xfinity Stream app to work while at home, to bypass the VPN? The web URL is tv.xfinity.com

    thanks



  • OK, I found the AS number for Xfinity live TV:

    AS7922

