Use a VPN to selectively cloak your IP address to access Pandora, Netflix, and the like

There are certain situations on the internet when you need to pretend to be someone you’re not. For instance, if you want to listen to Pandora. If Pandora detects that your IP address does not originate from the U.S., you will politely be told that licensing agreements prevent them from making their internet radio station available to you. The same goes for Netflix, Google Voice, Hulu, parts of YouTube, just to name a few. To access these services from outside the U.S. all you need is a U.S.-based VPN. The easiest way to get a U.S.-based IP address is to subscribe to a U.S.-based VPN service (like HideMyAss’ Pro VPN) and route all of your computer’s network traffic through a VPN tunnel for as long as you need it. This wasn’t flexible enough for me. I wanted to go the extra mile, build my own VPN service, and set up centralized network routing on my DSL router (a Fritz!Box 7390). That way, all traffic from my internal home network (be it from an Apple TV, iPhone, iPad, a Mac, or even a Windows PC) that I want to originate from a foreign IP address will automatically use the VPN, and all other traffic will use my usual WAN IP address from my DSL service provider. The plan was that any networking device on my internal network would automatically use the VPN for services like Pandora or Netflix and the like, even though the VPN is not configured on those devices. Totally transparent.

I’m a big fan of openVPN and since my DSL router is running BusyBox Linux, it was easy to build an openVPN binary for it. I also needed a U.S.-based server which would serve as the host that those IP-checking services will “see”. I found myself a dirt cheap Jacksonville, FL based low-end openVZ virtual private server (VPS) provider on lowendbox.com for just $25/year. If you choose an openVZ VPS, make sure the provider provides the tun device, otherwise you won’t be able to build a VPN using this virtualization technology.

The trickiest part was to set up the routing on the remote (virtualized) VPN server and the DSL router at home. I’m just going to provide the routing configuration in this post since setting up a VPN using openVPN is well documented.

Internal home network: 192.168.178.0/24
DSL Router: 192.168.178.1
VPN network: 10.8.0.0/24
VPN server: 10.8.0.1
VPN client (my DSL router in the VPN): 10.8.0.10
VPN server on venet0: y.y.y.y (internet IP address of the remote server)
Sample host that needs to be VPN-routed: 174.132.254.58 (points to http://www.cmyip.com which, once everything is set up correctly, should show your VPN server’s IP address).

I’m using certificate-based authentication and openVPN’s CCD configuration loading mechanism for the clients (in this case, the only client is the DSL router at the moment).

openVPN server.conf on the remote server:

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/clients
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
tls-server
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
route 192.168.178.0 255.255.255.0

openVPN client configuration file in /etc/openvpn/clients on the remote VPN server:

ifconfig-push 10.8.0.10 10.8.0.9
push "route-gateway 10.8.0.9"
push "route 174.132.254.58 255.255.255.255"
iroute 192.168.178.0 255.255.255.0
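
The CCD file above is what makes the routing selective: only the pushed routes leave through the tunnel, while iroute tells the server how to reach the home LAN behind the router. As an added example (not part of the original post or of openVPN itself), the small generator below builds such a file from a list of hosts or CIDRs, checks that the ifconfig-push pair is a valid net30 /30 pair, and refuses any pushed route that overlaps the home LAN, which would otherwise swallow the return path. The function and file names are my own.

```python
import ipaddress


def net30_pair_ok(client_ip: str, server_ip: str) -> bool:
    """OpenVPN's default net30 tun topology needs ifconfig-push to name the
    two usable hosts of one /30 (e.g. 10.8.0.10 and 10.8.0.9)."""
    client = ipaddress.IPv4Address(client_ip)
    server = ipaddress.IPv4Address(server_ip)
    block = ipaddress.IPv4Network(f"{client}/30", strict=False)
    return client != server and {client, server} <= set(block.hosts())


def route_directive(net: ipaddress.IPv4Network) -> str:
    """Render one pushed route in OpenVPN's 'network netmask' form."""
    return f'push "route {net.network_address} {net.netmask}"'


def build_ccd(client_ip: str, server_ip: str, lan_cidr: str,
              vpn_destinations: list) -> str:
    """Build the CCD file text for one site-to-site client.

    Only vpn_destinations (hosts or CIDRs) are pushed, so everything else
    keeps leaving through the client's normal WAN link.  Destinations that
    overlap the home LAN are rejected: pushing such a route would swallow
    the return path that iroute is there to provide.
    """
    if not net30_pair_ok(client_ip, server_ip):
        raise ValueError(f"{client_ip}/{server_ip} is not a valid net30 pair")
    lan = ipaddress.IPv4Network(lan_cidr)  # strict: must be a network address
    nets = sorted({ipaddress.IPv4Network(d, strict=False)
                   for d in vpn_destinations})
    for net in nets:
        if net.overlaps(lan):
            raise ValueError(f"{net} overlaps the home LAN {lan}")
    lines = [f"ifconfig-push {client_ip} {server_ip}",
             f'push "route-gateway {server_ip}"']
    lines += [route_directive(n) for n in nets]
    lines.append(f"iroute {lan.network_address} {lan.netmask}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed input mirroring the post: the home LAN, the router's VPN
    # address pair and the one host that must appear to come from the VPN.
    print(build_ccd("10.8.0.10", "10.8.0.9", "192.168.178.0/24",
                    ["174.132.254.58"]), end="")
```

Run with the values from this post and the output is the CCD file shown above; write it to /etc/openvpn/clients/<client common name> so client-config-dir picks it up.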

openVPN client.conf on the local DSL router:

client
dev tun
dev-node /var/tmp/tun
proto udp
remote y.y.y.y 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
pull

Make sure IP forwarding is set to 1 on the VPN server. You also need to NAT both the home network and the VPN network on the VPN server. On an openVZ server you’ll need the SNAT target to do this.

# Masquerade traffic from the VPN network and from the home LAN behind the
# server's public venet0 address (read from venet0:0 on this openVZ host).
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source $(ifconfig venet0:0 | grep -i 'inet' | cut -d: -f2 | awk '{ print $1}')
iptables -t nat -A POSTROUTING -s 192.168.178.0/24 -o venet0 -j SNAT --to-source $(ifconfig venet0:0 | grep -i 'inet' | cut -d: -f2 | awk '{ print $1}')

You have to provide the server’s IP address in the --to-source parameter. The above script tries to read the IP address from the network interface configuration.

Obviously, these configuration files will require modification in many places. It’s just to give you a general idea how openVPN needs to be configured in order to get working routing tables for this type of network setup.
