VPN - Selective routing for Netflix, Pandora and Hulu

ihateregistrations
DD-WRT Novice


Joined: 18 Feb 2014
Posts: 1

Posted: Sun Apr 06, 2014 18:16
Chrysalis wrote:
guys is there an up to date list for netflix?

When I route 0.0.0.0 on my vpn I get american netflix.

When I route only the ips listed in this thread I get uk netflix and I am even using my american dns server for the dns lookups with no success, it only works when I route the entire internet via the vpn.

I know the IPs are being rerouted, as I can see they are being rerouted on pings and traceroutes.

The answer seems to be that when I auth to Netflix I am doing so on an IP not listed. Because when I was already authed (restarted VPN whilst logged into Netflix) I was still able to play American-only media. But as soon as I logged out and back in again it was back to UK only.


Any news regarding this?

Unfortunately I am dealing with the same problem, and all my troubleshooting attempts have failed so far.
monorailmedic
DD-WRT Novice


Joined: 25 Feb 2008
Posts: 3

Posted: Mon Jun 09, 2014 2:47
This thread covers my goal, but the methodology seems to be targeted at a different implementation. Admittedly, I'm mainly a front-end and web guy with some server-side experience, but nothing in networking/routing, and I usually work on MS/.NET platforms (be nice), so I'm a bit out of my element.

I followed the instructions at https://www.privateinternetaccess.com/pages/client-support/#ddwrt_openvpn for my setup, and it works well. I try to add the IPs/ranges I want to route into the additional config section, but doing so makes it so I no longer connect to the VPN at all. I'm sure another issue is that the config I have set routes all traffic through the VPN, so I have no idea what I need to do in order to change that as well.

Also, how do I know the name of the interface? Tried executing 'brctl show' via telnet, but it didn't even seem to show a VPN at all.

If someone just has a good syntax reference that would maybe be enough for me. I appreciate the hand-holding.
Jeff146
DD-WRT Novice


Joined: 17 Mar 2008
Posts: 18

Posted: Sun Jun 15, 2014 11:24    Post subject: Re: Invert
dizzasta wrote:
Is it possible to invert this?

I want it all to communicate via VPN and only defined services such as Facebook and Amazon to use my Provider-IP.

dizzasta


I would like to know how to do this too! Please help as it has been racking my brain
redpenguin
DD-WRT Novice


Joined: 19 Aug 2009
Posts: 19

Posted: Thu Jul 03, 2014 4:48    Post subject: Thank You So Very Much
I just wanted to chime in and say thank you for this awesome post.

Took me ages to find it.

I was going crazy trying to figure out a solution for my VoIP ATA (Analog Telephone Adapter) issue.

Basically, I have a DD-WRT Travel Repeater/Switch so that I can go on trips and connect Ethernet to WiFi and help my slightly WiFi-deaf devices *cough*iPhones*cough*.

The problem I see from time to time is VoIP/SIP/RTP will not function as the AP/Router I connect to will block the traffic (not a purpose block, just the incoming audio is dropped) but it works if I go over my home VPN.

Since I am limited to 384KB/s, I didn't want my entire remote LAN going over VPN just the phone adapter and I never could find a viable solution until now.
sharkfish
DD-WRT Novice


Joined: 24 Sep 2014
Posts: 1

Posted: Wed Sep 24, 2014 13:21
Hi! Thanks for the excellent tutorial!

I'm using Tomato v 1.28 by Shibby on my ASUS RT-N66U router and Privateinternetaccess as my VPN provider.

Now all traffic is routed through the VPN, can I somehow bypass certain websites like watchever.com and exclude them?
MrNdx
DD-WRT Novice


Joined: 16 Oct 2014
Posts: 2

Posted: Thu Oct 16, 2014 4:54
Hi Guys,

Did anyone have any luck with this recently?

I just tested it on

DD-WRT v24-sp2 (06/09/14) kongac
(SVN revision 24200M)

No luck :/

Code:
20141016 02:19:45 I OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 9 2014
20141016 02:19:45 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20141016 02:19:45 W WARNING: file '/tmp/openvpncl/user.conf' is group or others accessible
20141016 02:19:45 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20141016 02:19:45 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20141016 02:19:45 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1532)
20141016 02:19:45 Socket Buffers: R=[172032->131072] S=[172032->131072]
20141016 02:19:45 I UDPv4 link local: [undef]
20141016 02:19:45 I UDPv4 link remote: [AF_INET]62.181.8.109:1194
20141016 02:19:45 TLS: Initial packet from [AF_INET]62.181.8.109:1194 sid=4575d21d ff54a67c
20141016 02:19:45 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20141016 02:19:49 VERIFY OK: depth=1 C=PL ST=PL L=Swinoujscie O=MyDevil CN=MyDevil CA emailAddress=admin@mydevil.net
20141016 02:19:49 VERIFY OK: depth=0 C=PL ST=PL L=Swinoujscie O=MyDevil CN=mydevil.net emailAddress=admin@mydevil.net
20141016 02:19:51 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1605' remote='link-mtu 1573'
20141016 02:19:51 W WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1564' remote='tun-mtu 1532'
20141016 02:19:51 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
20141016 02:19:51 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20141016 02:19:51 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
20141016 02:19:51 NOTE: --mute triggered...
20141016 02:19:51 2 variation(s) on previous 3 message(s) suppressed by --mute
20141016 02:19:51 I [mydevil.net] Peer Connection Initiated with [AF_INET]62.181.8.109:1194
20141016 02:19:53 SENT CONTROL [mydevil.net]: 'PUSH_REQUEST' (status=1)
20141016 02:19:53 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 8.8.8.8 dhcp-option DNS 8.8.4.4 route-gateway 172.30.0.1 ping 10 ping-restart 120 ifconfig 172.30.0.3 255.255.0.0'
20141016 02:19:53 N Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
20141016 02:19:53 N Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
20141016 02:19:53 N Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
20141016 02:19:53 OPTIONS IMPORT: timers and/or timeouts modified
20141016 02:19:53 OPTIONS IMPORT: --ifconfig/up options modified
20141016 02:19:53 OPTIONS IMPORT: route-related options modified
20141016 02:19:53 ROUTE_GATEWAY 10.0.0.1/255.255.255.0 IFACE=vlan2 HWADDR=20:4e:7f:1b:d1:c7
20141016 02:19:53 I TUN/TAP device tap1 opened
20141016 02:19:53 TUN/TAP TX queue length set to 100
20141016 02:19:53 I do_ifconfig tt->ipv6=0 tt->did_ifconfig_ipv6_setup=0
20141016 02:19:53 I /sbin/ifconfig tap1 172.30.0.3 netmask 255.255.0.0 mtu 1532 broadcast 172.30.255.255
20141016 02:19:53 /sbin/route add -net 62.181.8.109 netmask 255.255.255.255 gw 10.0.0.1
20141016 02:19:53 /sbin/route add -net 66.171.248.172 netmask 255.255.255.0 gw 172.30.0.1
20141016 02:19:53 W ERROR: Linux route add command failed: external program exited with error status: 1
20141016 02:19:53 /sbin/route add -net 67.228.228.244 netmask 255.255.255.0 gw 172.30.0.1
20141016 02:19:53 W ERROR: Linux route add command failed: external program exited with error status: 1
20141016 02:19:53 I Initialization Sequence Completed
20141016 02:20:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20141016 02:20:00 D MANAGEMENT: CMD 'state'
20141016 02:20:00 MANAGEMENT: Client disconnected
20141016 02:20:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20141016 02:20:01 D MANAGEMENT: CMD 'state'
20141016 02:20:01 MANAGEMENT: Client disconnected
20141016 02:20:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20141016 02:20:01 D MANAGEMENT: CMD 'state'
20141016 02:20:01 MANAGEMENT: Client disconnected
20141016 02:20:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20141016 02:20:01 D MANAGEMENT: CMD 'log 500'
20141016 02:20:01 MANAGEMENT: Client disconnected
20141016 02:20:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20141016 02:20:35 D MANAGEMENT: CMD 'state'
20141016 02:20:35 MANAGEMENT: Client disconnected
20141016 02:20:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20141016 02:20:35 D MANAGEMENT: CMD 'state'
20141016 02:20:35 MANAGEMENT: Client disconnected
20141016 02:20:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20141016 02:20:35 D MANAGEMENT: CMD 'state'
20141016 02:20:35 MANAGEMENT: Client disconnected
20141016 02:20:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20141016 02:20:35 D MANAGEMENT: CMD 'log 500'
19700101 00:00:00
Mr_Biggles
DD-WRT Novice


Joined: 21 Nov 2014
Posts: 1

Posted: Sun Nov 23, 2014 20:44    Post subject: Working for Netflix
WRT-310N V2
DD-WRT v24-sp2 (03/25/13) vpn-small - build 21061.

Just wanted to leave this for anyone still working at it. I got the selective tunneling working about 3 days ago and so far it's still good. I'm getting my US Netflix from Canada. It even works with my Canada-registered Roku, for those interested.

I only put in the Netflix (and Amazon EC2) IPs as that's all I was interested in. I augmented the IP list with some from here:

https://gist.github.com/LiquidHelium/5985961.

The only other thing I did was remove the line "route xxx.xxx.xxx.xxx 255.255.255.255 net_gateway" from my config. I use Private Internet Access for VPN and they don't provide IP addresses for their gateways, just hostnames. I did a bunch of Googling to try to figure out how to get around having no gateway IP. Some of the definitions I found seemed to suggest the line wasn't necessary. I understand the line "route-nopull" tells the client not to send anything through the VPN tunnel, so then wouldn't adding the "route net_gateway" with the VPN IP not contradict that? All the IP addresses that follow are being sent through the tunnel anyway, and those are all I want in there.

I could be way off on my thinking. I fully admit I know crap-all about these things. All I can do well is copy and paste and hope for the best with some help from Google.

Having said all that, it worked and I have US Netflix up and running.
siickboii
DD-WRT Novice


Joined: 29 Nov 2014
Posts: 14

Posted: Sat Nov 29, 2014 6:34    Post subject: Re: Working for Netflix
Mr_Biggles wrote:
WRT-310N V2
DD-WRT v24-sp2 (03/25/13) vpn-small - build 21061.

Just wanted to leave this for anyone still working at it. I got the selective tunneling working about 3 days ago and so far it's still good. I'm getting my US Netflix from Canada. It even works with my Canada-registered Roku, for those interested.

I only put in the Netflix (and Amazon EC2) IPs as that's all I was interested in. I augmented the IP list with some from here:

https://gist.github.com/LiquidHelium/5985961.

The only other thing I did was remove the line "route xxx.xxx.xxx.xxx 255.255.255.255 net_gateway" from my config. I use Private Internet Access for VPN and they don't provide IP addresses for their gateways, just hostnames. I did a bunch of Googling to try to figure out how to get around having no gateway IP. Some of the definitions I found seemed to suggest the line wasn't necessary. I understand the line "route-nopull" tells the client not to send anything through the VPN tunnel, so then wouldn't adding the "route net_gateway" with the VPN IP not contradict that? All the IP addresses that follow are being sent through the tunnel anyway, and those are all I want in there.

I could be way off on my thinking. I fully admit I know crap-all about these things. All I can do well is copy and paste and hope for the best with some help from Google.

Having said all that, it worked and I have US Netflix up and running.


Thanks, I was having a similar issue, and with a private proxy. Now I'm able to stream Hulu...


###
### OpenVPN routes
###

# hulu
route 23.32.0.0 255.224.0.0 vpn_gateway
route 23.64.0.0 255.252.0.0 vpn_gateway
route 64.221.0.0 255.255.128.0 vpn_gateway
route 64.221.128.0 255.255.192.0 vpn_gateway
route 64.221.192.0 255.255.224.0 vpn_gateway
route 77.109.170.0 255.255.255.0 vpn_gateway
route 80.239.221.0 255.255.255.0 vpn_gateway
route 92.122.0.0 255.254.0.0 vpn_gateway
route 195.27.0.0 255.255.0.0 vpn_gateway
route 199.127.192.0 255.255.252.0 vpn_gateway
route 208.91.156.0 255.255.252.0 vpn_gateway
route 217.156.128.0 255.255.128.0 vpn_gateway
srinxjs
DD-WRT Novice


Joined: 01 Jan 2015
Posts: 1

Posted: Thu Jan 01, 2015 12:44
goli wrote:
Hi atulb.


There are two hosts involved:
* A VPS in a data center
* My local dd-wrt

The VPS runs OpenVPN on 0.0.0.0:1194, which is completely default. Its internal IP could be 192.168.50.1.

The VPS additionally runs Privoxy on 192.168.50.1:8118, so the Privoxy HTTP proxy is only available through OpenVPN, not through the public interface of the VPS. We don't want to provide our very own HTTP proxy open for public use.

The dd-wrt internally provides 192.168.0.1/24, just default.

....



I've got selective routing working via IP address ranges but it's not the nicest of solutions and the 'holy grail' is to route via domains.

As for your proxy method goli, would it be possible to use this without a VPS?

For example, let's say I've installed Privoxy on the router, could I set up a rule set that only forwards some traffic onwards to my VPN (PIA) whilst leaving the rest of my traffic untouched? Again, could this be done without needing a VPS?

Or are there alternatives to Privoxy that will allow me to route selectively to the VPN?
bgnt44
DD-WRT Novice


Joined: 01 Nov 2009
Posts: 25

Posted: Thu Jun 25, 2015 21:37
Sorry, old post, but I just wanna do the same thing, like redirecting traffic from Privoxy to OpenVPN if it matches a domain... is it possible?

EDIT: just figured out that forward rules of Privoxy only go to another proxy...
(OpenVPN and Privoxy are both on the dd-wrt device.) I'm just lost with the routing table and don't know how to get packets outgoing from Privoxy
Timmwardion
DD-WRT Novice


Joined: 05 Jul 2015
Posts: 1

Posted: Sun Jul 05, 2015 11:26
I've done quite a bit of research into this and I'm afraid I'm a bit out of my depth.

I found this post https://www.danielfett.de/privat,blog,route-by-domain-name

Which uses ipset, cron, iproute2, and iptables to selectively route through VPN based on domain. Thing is, it's a bit out of my skillset to get these working on dd-wrt and also asuswrt-merlin, which I've tried. So far, I've got close, but I'm getting stuck on iproute2 implementations on asuswrt - which should be easy but I can't figure it out right now.

Judging from the link, it seems like a great method. Thought it might help one of you.
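Added example (not part of any post in this thread and not the linked blog's script): a sketch of routing by destination set with ipset, iptables and iproute2. It swaps the cron resolver for dnsmasq's `ipset=` option, and its "wan" mode covers the inverted setup asked about earlier in the thread. The set name, mark, table number, interface names and WAN gateway are assumptions, and NAT on the tunnel is assumed to be enabled already.

```sh
#!/bin/sh
# Added example: select traffic by destination set (filled from DNS answers)
# instead of static "route" lines, then policy-route the marked packets.
# Assumed, not from the thread: set name sel_dst, mark 0x1, table 100,
# interfaces br0/tun1/vlan2, WAN gateway 10.0.0.1. Needs ipset v6 syntax,
# iproute2, and a dnsmasq built with ipset support.
SET=${SET:-sel_dst}
MARK=${MARK:-0x1}
TABLE=${TABLE:-100}
LAN_IF=${LAN_IF:-br0}
VPN_IF=${VPN_IF:-tun1}
WAN_IF=${WAN_IF:-vlan2}
WAN_GW=${WAN_GW:-10.0.0.1}
DRY_RUN=${DRY_RUN:-1}    # 1 = print the commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# mode "vpn": only listed domains use the tunnel; the client config keeps
#             route-nopull so the main default route stays on the WAN.
# mode "wan": the tunnel is the default route and listed domains bypass it.
setup_selective() {
    case $1 in
        # "dev" alone suits a tun device; a tap device needs "via <VPN gateway>".
        vpn) set -- default dev "$VPN_IF" ;;
        wan) set -- default via "$WAN_GW" dev "$WAN_IF" ;;
        *)   echo "usage: setup_selective vpn|wan" >&2; return 2 ;;
    esac
    run ipset create "$SET" hash:ip -exist
    # Mark LAN packets whose destination is in the set (router-originated
    # traffic does not pass PREROUTING and is not covered here).
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" \
        -m set --match-set "$SET" dst -j MARK --set-mark "$MARK"
    # Marked packets consult the extra table, which holds only a default route.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add "$@" table "$TABLE"
    run ip route flush cache
}

# dnsmasq option lines that add every address resolved for a domain (and its
# subdomains) to the set; they go into the router's additional dnsmasq options.
dnsmasq_lines() {
    for d in "$@"; do
        case $d in ''|*[!A-Za-z0-9.-]*) echo "skipping invalid name: $d" >&2; continue ;; esac
        echo "ipset=/$d/$SET"
    done
}

# Dry run of the case the thread asks about (domains are sample values).
setup_selective vpn
dnsmasq_lines netflix.com hulu.com
```

With `DRY_RUN=0` the same function applies the rules. If tunnelled replies are dropped in "vpn" mode, check the `rp_filter` setting on the tunnel interface.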
bjay
DD-WRT Novice


Joined: 15 Oct 2015
Posts: 1

Posted: Thu Oct 15, 2015 4:06    Post subject: Does this work for later versions?
I appreciate that this is an old thread, but has anyone been able to successfully implement the OP's instructions on a router using the latest dd-wrt builds?

I'm fairly new to all this but I recently flashed my netgear r6300v1 and followed the OP's instructions without success. I am using PIA's vpn servers. After setting up the vpn and following the OP's instructions, PIA confirms that I am connected to its servers but when I go to surf any of the listed services my computer seems to be by-passing the vpn altogether. For instance, what's my ip just shows my actual ip.

Edit: I forgot to ask, is it necessary to include any commands elsewhere, eg in the firewall section, apart from the code set out by the OP? Also, how would I go about working out the subnet mask for each IP address I include in the routing table (assuming I can get this thing to work).


Cheers
BJ
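Added example (not part of any post in this thread): the two `route add -net` commands that fail in MrNdx's log pair a host address with a 255.255.255.0 netmask, a combination `route add -net` rejects, and the question above about working out the mask comes down to the same rule. The script checks `route` lines for it; the function names are made up for this example, and the sample lines are reconstructed from that log and the hulu list.

```sh
#!/bin/sh
# Added example: flag OpenVPN "route NETWORK NETMASK [gateway]" lines whose
# network address has host bits set under the netmask.
# Assumes the shell does 64-bit arithmetic (bash, dash, current busybox ash).

# Dotted quad -> integer on stdout; returns 1 if the input is not valid IPv4.
ip2int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prints "ok NET MASK", "fix NET MASK" (host bits cleared) or "bad ...".
check_route() {
    n=$(ip2int "$1") || { echo "bad address $1"; return 2; }
    m=$(ip2int "$2") || { echo "bad netmask $2"; return 2; }
    inv=$(( ~m & 4294967295 ))
    # A netmask is ones followed by zeros, so its inverse plus one is a power of two.
    [ $(( inv & (inv + 1) )) -eq 0 ] || { echo "bad netmask $2"; return 2; }
    if [ $(( n & m )) -eq "$n" ]; then
        echo "ok $1 $2"
    else
        echo "fix $(int2ip $(( n & m ))) $2"
        return 1
    fi
}

# Reads config text on stdin, checks every route line, returns 1 if any needs attention.
# A route line without a netmask is treated as a host route (255.255.255.255).
check_config() {
    rc=0
    while read -r kw net mask rest; do
        [ "$kw" = route ] || continue
        check_route "$net" "${mask:-255.255.255.255}" || rc=1
    done
    return $rc
}

# Sample input: route lines reconstructed from the route add commands in
# MrNdx's log, plus one line from the hulu list.
check_config <<'EOF' || echo "some routes need fixing"
route 62.181.8.109 255.255.255.255 net_gateway
route 66.171.248.172 255.255.255.0 vpn_gateway
route 67.228.228.244 255.255.255.0 vpn_gateway
route 23.32.0.0 255.224.0.0 vpn_gateway
EOF
```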
flop_shot
DD-WRT Novice


Joined: 03 Mar 2016
Posts: 22
Location: Austin, TX

Posted: Sun Mar 13, 2016 20:08    Post subject: Re: Invert
dizzasta wrote:
Is it possible to invert this?

I want it all to communicate via VPN and only defined services such as Facebook and Amazon to use my Provider-IP.

dizzasta


Did anyone ever figure out how to do this? I'm in the US and these days with Netflix blocking VPNs I'd like to do the opposite. All traffic through a VPN except Netflix.

I've been reading up on routing policies, but it is slow going.

Edit: I now see there are other discussions going on this topic that should answer my question. Very sorry for digging this old one up.

_________________
WRT1900ACS with DD-WRT v3.0-r29300M kongmv (03/25/16)
dahosepipe
DD-WRT Novice


Joined: 24 Mar 2015
Posts: 33

Posted: Tue Mar 15, 2016 6:52
See my solution here - http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1014263#1014263
jeanericblass
DD-WRT Novice


Joined: 01 Mar 2016
Posts: 11

Posted: Tue Nov 22, 2016 10:40
I have checked Netflix and Hulu from Canada; they work fine with Express VPN. However, it is a little bit costly, but the quality of encryption is good. There are some other best Canada VPNs that I found from https://www.vpnranks.com/5-best-canada-vpn/ but I chose Express among them because I heard and read a lot of good reviews about it.
All times are GMT
