Development discussion of WireGuard
* wireguard bypass question
@ 2017-10-06  0:41 Ryan McGee
  2017-10-06  0:52 ` Jason A. Donenfeld
  0 siblings, 1 reply; 5+ messages in thread
From: Ryan McGee @ 2017-10-06  0:41 UTC (permalink / raw)
  To: wireguard

Hello,

Sorry if this has been asked before. I recently installed LEDE on my router
and set up a wireguard tunnel to the Mullvad VPN. Wireguard is amazingly
fast!

So the issue that I am hoping for some direction on. The Mullvad VPN
servers are blocked by netflix. I'm trying to figure out how to have the
netflix domain bypass the wireguard tunnel and go straight through my ISP.
I found an app for lede called vpnbypass but it seems to have been designed
for OpenVPN which I'm assuming does things very differently than wireguard.

So how would I go about making a split tunnel to send netflix domain traffic
through my ISP instead of the wireguard tunnel? Or is this possible?

Thanks and have an awesome day!

* Re: wireguard bypass question
  2017-10-06  0:41 wireguard bypass question Ryan McGee
@ 2017-10-06  0:52 ` Jason A. Donenfeld
  2017-10-06  1:00   ` Ryan McGee
  0 siblings, 1 reply; 5+ messages in thread
From: Jason A. Donenfeld @ 2017-10-06  0:52 UTC (permalink / raw)
  To: Ryan McGee; +Cc: WireGuard mailing list

Hi Ryan,

You can use the `ipset=` feature of dnsmasq for this (which I wrote a
number of years ago). It will add matched domains to a netfilter ipset
object, which you can then use for policy based routing.

I had a look at the vpnbypass project, and it doesn't actually look
OpenVPN centric at all. It looks to me like it actually uses this
dnsmasq feature along with classic policy routing. It looks like it
automatically discovers your WAN interface too. Give vpnbypass a try
and let me know if there are problems with it.

Jason

* Re: wireguard bypass question
  2017-10-06  0:52 ` Jason A. Donenfeld
@ 2017-10-06  1:00   ` Ryan McGee
  2017-10-06  1:04     ` Jason A. Donenfeld
  2017-10-07 13:24     ` Ameretat Reith
  0 siblings, 2 replies; 5+ messages in thread
From: Ryan McGee @ 2017-10-06  1:00 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

So I set up the VPN using Mullvad's guide here:
https://mullvad.net/guides/running-wireguard-router/

I've tried vpnbypass filling out just the domain "/netflix.com/vpnbypass"
then I also tried adding the port ranges, IPs and ports found at:
https://backlothelp.netflix.com/hc/en-us/articles/115000257627-What-are-Netflix-s-Aspera-IP-Addresses-and-Port-Ranges-

Nothing seems to work as netflix still sees me going through a VPN.

I've rebooted the router after making changes to vpnbypass just to be safe.

The only thing I can think of is maybe the firewall settings in the Mullvad
guide but I really don't know enough about this kind of stuff. I can follow
guides and how-tos, but that is about the end of it =)

On Thu, Oct 5, 2017 at 5:52 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:

> Hi Ryan,
>
> You can use the `ipset=` feature of dnsmasq for this (which I wrote a
> number of years ago). It will add matched domains to a netfilter ipset
> object, which you can then use for policy based routing.
>
> I had a look at the vpnbypass project, and it doesn't actually look
> OpenVPN centric at all. It looks to me like it actually uses this
> dnsmasq feature along with classic policy routing. It looks like it
> automatically discovers your WAN interface too. Give vpnbypass a try
> and let me know if there are problems with it.
>
> Jason
>

* Re: wireguard bypass question
  2017-10-06  1:00   ` Ryan McGee
@ 2017-10-06  1:04     ` Jason A. Donenfeld
  2017-10-07 13:24     ` Ameretat Reith
  1 sibling, 0 replies; 5+ messages in thread
From: Jason A. Donenfeld @ 2017-10-06  1:04 UTC (permalink / raw)
  To: Ryan McGee; +Cc: WireGuard mailing list

On Fri, Oct 6, 2017 at 3:00 AM, Ryan McGee <rwm.pc.repair@gmail.com> wrote:
> So I set up the VPN using Mullvad's guide here:
> https://mullvad.net/guides/running-wireguard-router/
> The only thing I can think of is maybe the firewall settings in the Mullvad
> guide but I really don't know enough about this kind of stuff. I can follow
> guides and how-tos, but that is about the end of it =)

That guide is horrible. I wouldn't recommend following it.

> Nothing seems to work as netflix still sees me going through a VPN.

Try adding /zx2c4.com/vpnbypass as well as 192.95.5.67, reboot, and
then try to visit zx2c4.com/ip. See then which IP it returns.

If this doesn't work, can you send the output of:

iptables-save
ip rule show all
ip route show table all
ip addr show

And then we'll see what's going on.

* Re: wireguard bypass question
  2017-10-06  1:00   ` Ryan McGee
  2017-10-06  1:04     ` Jason A. Donenfeld
@ 2017-10-07 13:24     ` Ameretat Reith
  1 sibling, 0 replies; 5+ messages in thread
From: Ameretat Reith @ 2017-10-07 13:24 UTC (permalink / raw)
  To: Ryan McGee; +Cc: WireGuard mailing list

On Thu, 5 Oct 2017 18:00:00 -0700
Ryan McGee <rwm.pc.repair@gmail.com> wrote:

> So I set up the VPN using Mullvad's guide here:
> https://mullvad.net/guides/running-wireguard-router/
> 
> I've tried vpnbypass filling out just the domain
> "/netflix.com/vpnbypass" then I also tried adding the port ranges,
> IPs and ports found at:
> https://backlothelp.netflix.com/hc/en-us/articles/115000257627-What-are-Netflix-s-Aspera-IP-Addresses-and-Port-Ranges-

Ryan, Netflix IPs are much much more than this list.

> Nothing seems to work as netflix still sees me going through a VPN.

On which platform do you want to watch Netflix? If it's Linux, you may mark
packets of one instance of a browser by the power of namespaces and
abusing the TOS field of IP packets, and then on LEDE you can exclude these
packets from the VPN by iptables. If you watch on any browser, the dnsmasq
and IPset approach is the cleanest approach [1]. If it's mobile, you need to
find Netflix and AWS IPs and route them outside of the VPN by iptables. The
last approach works everywhere but it's the dirtiest method.

If I were you I would just start another access point in router and
exclude incoming traffic to that AP from VPN. Then I'd connect to this
AP just for watching Netflix.

1: In this case our interests are subdomains of `netflix.com` and
`nflxvideo.net`
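
The dnsmasq `ipset=` plus policy-routing setup discussed in this thread, written out as an added example that is not part of the original messages and is not vpnbypass's own code. The fwmark 0x100, routing table 100, WAN interface eth0.2 and gateway 192.0.2.1 are assumed placeholder values; the script only prints the plan and applies nothing.

```shell
#!/bin/sh
# Added example (not from the thread): print a dnsmasq-ipset split-tunnel plan.
SET=vpnbypass     # ipset name, as in the thread's "/netflix.com/vpnbypass" entry
MARK=0x100        # assumed fwmark value
TABLE=100         # assumed routing table id

# bypass_plan WAN_IF WAN_GW DOMAIN...
# Prints config and commands for review; returns 1 on malformed input.
bypass_plan() {
    [ "$#" -ge 3 ] || { echo "usage: bypass_plan WAN_IF WAN_GW DOMAIN..." >&2; return 1; }
    wan_if=$1 wan_gw=$2; shift 2
    case $wan_if in ''|*[!A-Za-z0-9._-]*) echo "bad interface: $wan_if" >&2; return 1;; esac
    case $wan_gw in ''|*[!0-9.]*) echo "bad gateway: $wan_gw" >&2; return 1;; esac
    list=
    for d in "$@"; do
        # Domains are interpolated into dnsmasq config: allow hostname characters only,
        # so a stray "/" or newline cannot add extra domains, sets or directives.
        case $d in
            ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) echo "bad domain: $d" >&2; return 1;;
        esac
        list="$list/$d"
    done
    cat <<EOF
# dnsmasq.conf: addresses resolved for these domains and their subdomains join the set
ipset=$list/$SET
# create the set before dnsmasq starts, otherwise additions fail
ipset create $SET hash:ip -exist
# mark packets arriving from the LAN whose destination is in the set
iptables -t mangle -A PREROUTING -m set --match-set $SET dst -j MARK --set-mark $MARK
# marked packets use a table whose default route is the ISP, not the tunnel
ip rule add fwmark $MARK lookup $TABLE
ip route add default via $wan_gw dev $wan_if table $TABLE
EOF
}

# Constructed sample input: the two domains named in the footnote above.
bypass_plan eth0.2 192.0.2.1 netflix.com nflxvideo.net
```

The set only fills when clients resolve names through the router's dnsmasq, and dnsmasq must be built with ipset support (the dnsmasq-full package on LEDE/OpenWrt). Everything matched leaves through the ISP outside the tunnel, so keep the domain list narrow and check the result with `ipset list vpnbypass` and `ip rule show all`.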