What this blog entry is:

  • Information on how I set up a [relatively] maintenance-free, reliable and cheap way of getting Netflix on my PCTV (PC connected to my TV), and any other PC on my network or connected to my VPN.
  • Non-exhaustive steps on how to do what I have done.
  • For moderate to advanced I.T. nerds.

What this blog entry is NOT:

  • A detailed step-by-step howto on setting up a VPN tunnel, proxy or any other way to get Netflix which is covered a million times on the internet and can easily be found if you Google it.
  • Not a way in which you can get free Netflix.
  • Not for amateurs! This can be quite challenging, but worth it in the end if done properly.

There are many ways of getting Netflix in Australia. The easiest (and possibly cheapest) is to use one of the various HTTP proxy services based out of the states (or wherever you can get Netflix). But this solution didn’t bode well with me because I already have a VPS in the States and could just use that and I did not want the hassle that comes with setting up one of those accounts. I just wanted something to work all the time and be accessible to me from any of my PC’s in the house and even over my own personal VPN (ie. from work or anywhere else that has internet connection).

This solution is far from the best or the simplest, but it works very well for me and most importantly is flexible and survives reboots without any need to connect to anything or type passwords etc. This means anyone who wants watch Netflix while i’m not home can do so without any hassle.

The four main steps required are:

1.       VPN tunnel (endpoint is on your [Linux] router)
2.      Source-based routing on your [Linux] router
3.      Windows XP VM set for NAT and proxy server
4.      Configure browser to proxy to Windows XP VM

Step 1 – VPN tunnel

This step can be broken down further in to two sub-steps.

Step1a – VPS hosting in USA
Get yourself a cheap VPS (Virtual Private Server) hosting package with servers hosted in USA. I pay about $35USD/year for my VPS server and I use it heavily and not just for Netflix (more on that later).
Pro tip: When searching for a VPS hosting company, see if you can find discount coupons for them too. My hosting package I got for 50% discount thanks to a coupon I found online. The coupon is valid for the life of my account.

A VPS is basically a VM (Virtual Machine) that shares a bare metal machine with many other VMs in a hosting server and is given a public IP address. Because it shares the same hardware as many other VPS’s it’s cheap to run and in turn cheap for you. What makes it even cheaper is that you choose what OS you want installed on it and the console session is pushed out to you over IP. The VPS is a vanilla OS install and all configuration is up to you. The entire process of deployment and provisioning the VPS is entirely automated and because there are no maintenance agreements on the services that you install and run they are as cheap as chips! If you break something, you simply start from scratch.
The down side here is that you need to know what you are doing on them. So assuming that you know all of this, let’s get started!

Install your favourite flavour of Linux. My weapon of choice is CentOS 6 64-bit (on a quad-core 2.3GHz CPU with 256MB RAM and 10GB storage). You will need to:

  1. Add yum repositories and install OpenVPN package
    • Add elrepo and rpmforge

/etc/yum.repos.d/ (place necessary files in here)
/etc/pki/rpm-gpg (place necessary files in here)

  1. Configure iptables and NAT rules
    • Rules used can be:

iptables -A INPUT -p udp –dport 1194 -j ACCEPT
iptables -A INPUT -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT
iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -P INPUT DROP

The above will allow UDP connections on port 1194 (this will be for our VPN tunnel) and TCP connections on SSH port 22 for remote access. The default policy will then be set to DROP.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

The above will NAT/PAT connections out interface eth0 (assuming this is your internet-facing interface). Then allow all packets to be forwarded in and out of the tunnel interface which you will make soon. All other packets to be forwarded will be dropped.
All self-sourced outbound packets are accepted.

After changes are made don’t forget to save using service iptables save

  1. Enable IP forwarding

Open file /etc/sysctl.conf and change net.ipv4.ip_forward = 1

Reboot your VPS for changes to take effect (or you can modify the file in proc)

  1. Configure OpenVPN service
  2. Create a CA (Certificate Authority) and certificates

After you installed OpenVPN build a CA, then build a server certificate and client certificate and sign them using the CA you just built. Build diffie-hellman. I won’t go in to details on how to do this, you can just Google it. There is a great step-by-step document on this on the OpenVPN site.

One done, you can configure /etc/openvpn/server.conf file. My conf file looks something like this:

local <your VPN public IP goes here>
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt (CA certificate you created earlier)
cert /etc/openvpn/keys/server.crt (server certificate you created earlier)
key /etc/openvpn/keys/server.key (server key you created earlier. Keep this safe)
dh /etc/openvpn/keys/dh1024.pem (Diffie-hellman pem)
server 172.16.0.0 255.255.255.0
push “redirect-gateway” # Client will redirect all gateway traffic to this tunnel
push “dhcp-option DNS 8.8.8.8”
#client-config-dir /etc/openvpn/ccd
duplicate-cn
max-clients 20
user nobody
group nobody
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 4
mute 20
ping 10
ping-restart 120

Start OpenVPN using service openvpn start

Step 1b – Configure client to connect to VPN tunnel on VPS
So now that you have the server waiting for connections, you need to set up the client.
I have a Linux router at home which has two interfaces. One connects to the internet via my cable modem (which is bridged so is effectively acting as a media converter) and the other to my internal Ethernet network.

Copy the client certificate, key and the CA certificate to the Linux router and configure it to connect to the VPS VPN service. The configuration I use is similar to below:

client
dev tun1
proto udp
remote <VPS public IP address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca “/etc/openvpn/keys/ ca.crt”
cert “/etc/openvpn/keys/client.crt”
key “/etc/openvpn/keys/client.key”
#cipher BF-CBC
comp-lzo
verb 4
mute 20
ping 10
ping-restart 240
log-append  /var/log/openvpn.log
status /var/log/openvpn-status.log
tun-mtu 1500
tun-mtu-extra 32
fragment 1495
mssfix 1495
script-security 2
up /etc/openvpn/up.sh

The last line is needed for source-based routing and will be explained later.

Step 2 – Source-based routing on your [Linux] router

So we want only the traffic that is coming from the Windows XP VM to be tunnelled through to the VPS in USA. All other traffic goes out the internet locally as normal. To do this we need to tell the Linux router to keep an eye out for any packets that have a source address of the Windows XP VM (let’s say it’s 192.168.1.1) and if it sees this packet to then forward it down the tunnel.

Edit the file /etc/iproute2/rt_tables and add:
200     USAtun

This creates another routing table called USAtun (it can also be referenced using its number, 200)

Then add entries to the new table you just made:
ip rule add from 192.168.1.1/32 table USAtun
ip route add default dev tun1 table 200

The above will match any packets coming from 192.168.1.1 and apply USAtun routing table instead of the normal routing table. The USAtun routing tables says “any packets than I see I will route it out interface tun1” (Step 1b above shows that tun1 is the tunnel interface used by the OpenVPN client to connect to the VPS).

Note: The above config only lasts as long as the interface tun1 is up. To keep the config persistent you needed to use up.sh script in the OpenVPN client config. The script contents are:

#!/bin/bash
# Add route to custom routing table USAtun (ip route show table USAtun)
/sbin/ip route add default dev tun1 table USAtun
/sbin/ip rule add from 192.168.1.1/32 table USAtun
wait 2
/etc/init.d/iptables restart
# end

To verify your settings you can ip route show table USAtun or do a tcpdump to verify the packets are going out the tunnel. Now, on the other side (on the VPS) you need to add a return route and open the firewall to the traffic using iptables.

Step 3 – Windows XP VM set for NAT and proxy server

I’m using KVM hypervisor on my CentO 6 Linux server at home. You can use anything really, even an actual PC (although that would be silly, considering that we are trying to keep this as maintenance-free as possible).

The VM is configured with two interfaces on the same network. The first is 192.168.1.1 as explained above and the second is 192.168.1.2. The second interface is the one that is used on the internal network for your PC’s to connect to the proxy service on the VM.

Note: The VM is set to forward and translate (NAT) and also has a proxy service. I use this VM for many things and Netflix is just one of them, so you may want to set it up a little differently.

The 192.168.1.1 interface is configured with a DNS and gateway (internal IP of router).
The 192.168.1.2 interface is not configured with a DNS or gateway.

Using netsh I configured Win XP to NAT:

netstat -rn (or route print) will have the NIC cards listed at the top including their actual interface names. The two I have are:

0x10003 LAN1_Public (this has IP 192.168.1.1)
0x10004 LAN2_Private (this has IP 192.168.1.2)

– Open services.msc and set ‘Routing and Remote Access’ to automatic and start the service
– Open regedit.exe and go to HKLM > system > CurrentControlSet > services > tcpip > parameters. Find IPEnableRouter and set it from 0 to 1
– Restart WinXP

Open command prompt and run:

netsh routing ip nat install
netsh routing ip nat add interface “LAN1_Public” full
netsh routing ip nat add interface “LAN2_Private” private
route add 172.16.0.0 mask 255.255.255.0 192.168.1.10 if 0x3 -p

– Disable the Win XP firewall entirely
– Install proxy software. I’m using a free one called CCproxy (v7.2). Works great with minimal configuration.

Step 4 – Configure browser to proxy to Windows XP VM

On the PC you want to watch Netflix go in to the browser settings and set the proxy to 192.168.1.2 and whatever port you configured CCproxy to listen on.

You should be able to watch Netflix now (you still need a Netflix account though!) and so long as you have your VM set to auto-boot, OpenVPN set to connect on boot and CCproxy (on the VM) set to start on boot then this set-up should survive reboots and continue to work.

The great thing about this is that you can use it for just about any sort of tunnelling. I personally have PlayOn installed on the XP VM and also use it to tunnel a bunch of other things. It doesn’t matter which protocol or port is used, the VM will handle it all. I also used it to tunnel the Olympics stream live from BBC through another VPS I have in the UK. Although it takes some time and effort to set all this up, the amount of flexibility and ease-of-deployment it gives you afterwards is worth the trouble, IMHO.

Please ‘like’ this post if you found it useful and share with your friends!
If you have any questions, would like me to clarify certain steps or have your own suggestions please leave a comment. I usually reply within the day.