pfSense lists to bypass VPN. How are they made?

I am talking about this video right here: https://www.youtube.com/watch?v=ekRgAATnIsU&t=527s

Wendell and Ryan use lists to bypass the VPN on their pfSense for Netflix because Netflix does not play well with VPNs.

I am trying to watch Formula 1 through F1TV and I am having the same problem, but there are no available lists, so I need to make one.

How can I do that? I tried running a packet capture and using all resolved hosts but I was unsuccessful.

If you’re talking about alias lists (I’m on my phone and can’t watch the video), then they’re made by periodically resolving the domain name and generating a list of IPs for the firewall. So there are a bunch of reliability problems with that.

The first thing I would suggest doing is making sure that your client devices are using the DNS resolver built in to pfSense, and also make sure the DNS cache and the alias lookup period are the same. That way, when a client requests an address from the DNS resolver, it should pull the same IP from its cache that the alias list is using; this will help with servers which resolve to multiple IP addresses.

The other thing is you need to make sure you have the FQDN of every server that whatever it is you’re doing tries to connect to. It has to be the absolute address, because it resolves to an IP, so a domain name will not work.

And even then it’s going to struggle with anything weird or CDNs.

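The reply above describes why FQDN aliases are unreliable and why matching the DNS cache TTL to the alias refresh period helps. The following is an added example written for this thread, not code from the thread or from pfSense: a small offline model of an FQDN alias in front of a CDN-style hostname whose answers rotate on every query. The hostname `stream.example.net`, the 203.0.113.x addresses (RFC 5737 documentation space), the 300-second period and the class names are all constructed; `system_resolver` is the only part that touches real DNS, and the demo does not call it.

```python
import socket
import time
from typing import Callable, Dict, List, Optional, Set, Tuple

# A resolver maps a hostname to the list of address strings a DNS answer returned.
Resolver = Callable[[str], List[str]]

HOST = "stream.example.net"  # constructed hostname, not a real service
POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]  # TEST-NET-3


def system_resolver(hostname: str) -> List[str]:
    """Resolve through the host's configured DNS. Not used by the offline demo."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


class FakeClock:
    """Deterministic clock so the demo is reproducible and needs no network."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class RotatingResolver:
    """Constructed stand-in for a CDN hostname: each query hands out the next two
    addresses from the pool, so two lookups seconds apart can disagree."""

    def __init__(self, pools: Dict[str, List[str]]) -> None:
        self.pools = pools
        self.queries: Dict[str, int] = {}

    def __call__(self, hostname: str) -> List[str]:
        pool = self.pools[hostname]
        i = self.queries.get(hostname, 0)
        self.queries[hostname] = i + 1
        return [pool[(i + k) % len(pool)] for k in range(2)]


class CachingResolver:
    """TTL cache in front of an upstream resolver: a hypothetical model of the
    pfSense DNS resolver's cache, not pfSense code."""

    def __init__(self, upstream: Resolver, ttl_seconds: float, clock: Callable[[], float]) -> None:
        self.upstream = upstream
        self.ttl_seconds = ttl_seconds
        self.clock = clock
        self.cache: Dict[str, Tuple[float, List[str]]] = {}

    def __call__(self, hostname: str) -> List[str]:
        now = self.clock()
        entry = self.cache.get(hostname)
        if entry is None or now - entry[0] >= self.ttl_seconds:
            entry = (now, self.upstream(hostname))  # expired or missing: ask upstream
            self.cache[hostname] = entry
        return entry[1]


class FqdnAlias:
    """Model of an FQDN host alias: re-resolved every refresh_seconds, and every
    address the answer returns is kept (as the alias help text quoted later says)."""

    def __init__(self, hostnames: List[str], refresh_seconds: float,
                 resolver: Resolver, clock: Callable[[], float]) -> None:
        self.hostnames = hostnames
        self.refresh_seconds = refresh_seconds
        self.resolver = resolver
        self.clock = clock
        self.addresses: Set[str] = set()
        self.last_refresh: Optional[float] = None

    def refresh(self, force: bool = False) -> Set[str]:
        now = self.clock()
        due = self.last_refresh is None or now - self.last_refresh >= self.refresh_seconds
        if force or due:
            fresh: Set[str] = set()
            for host in self.hostnames:
                fresh.update(self.resolver(host))
            self.addresses = fresh
            self.last_refresh = now
        return self.addresses

    def matches(self, ip: str) -> bool:
        """Would traffic to `ip` hit the alias right now (after any due refresh)?"""
        return ip in self.refresh()


def simulate(shared_cache: bool, steps: int = 6, period: float = 300.0) -> List[bool]:
    """One client connection per minute. Returns, per connection, whether the address
    the client used was covered by the alias. shared_cache=True is the advice from the
    thread: client and alias both resolve through the same cache, and the cache TTL
    equals the alias refresh period; False means the client resolves on its own."""
    clock = FakeClock()
    upstream = RotatingResolver({HOST: POOL})
    cache = CachingResolver(upstream, ttl_seconds=period, clock=clock)
    alias = FqdnAlias([HOST], refresh_seconds=period, resolver=cache, clock=clock)
    alias.refresh(force=True)  # the periodic alias job has already run once
    client: Resolver = cache if shared_cache else upstream
    results: List[bool] = []
    for _ in range(steps):
        clock.advance(60)
        connected_to = client(HOST)[0]  # client connects to the first answer it got
        results.append(alias.matches(connected_to))
    return results


if __name__ == "__main__":
    print("shared cache, equal periods:", simulate(True))
    print("client resolves on its own :", simulate(False))
```

With a shared cache every connection lands inside the alias; with the client resolving independently, some connections go to addresses the alias has not seen yet and fall back to the default (VPN) route. Real CDNs also vary answers by client subnet and by geography, so even the shared-cache case only works while the client and the firewall see the same answer.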

In the video, they don’t use FQDNs, they just use a handful of 2nd-level domains (x.y not x.y.z) which I guess pfSense treats as wildcards.

To reverse engineer these for F1, I think you’ll need to record all the IPs you connect to while streaming and then do a reverse lookup for the domains. Assuming you’re using Windows, I’m not the guy to help you with that.

I don’t think it does, this is what the alias page says:

Hosts must be specified by their IP address or fully qualified domain name (FQDN). FQDN hostnames are periodically re-resolved and updated. If multiple IPs are returned by a DNS query, all are used.

It doesn’t do wildcards; it just resolves whatever domain name you put in.


Idk then, I was just going by what they do in the video…

The domain name will usually work for most things, it’s just when you’re dealing with CDNs that it gets fiddly. I suppose it also depends on which part of the system that you’re connecting to is checking whether you’re using a VPN or not.


Yeah, they seem to be really thorough with their IP checking. They are using AWS, so I had to alias all of the AWS IPs along with the hostnames I found in the packet capture and it only worked for about an hour.

Seems like the only solution is to just disable the VPN for my computer whenever I want to access their streams.
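The post above aliased "all of the AWS IPs" together with hosts pulled from a packet capture. As an added example (not from the thread, and not pfSense or AWS code), here is how that step can be made reproducible: parse a prefix list in the shape of AWS's published ip-ranges.json (https://ip-ranges.amazonaws.com/ip-ranges.json), collapse overlapping networks, report which captured destinations the prefixes do not cover, and emit the one-network-per-line text that a pfSense URL Table (networks) alias fetches. The JSON excerpt and the captured addresses are constructed from RFC 5737 documentation ranges, not real AWS space.

```python
import ipaddress
import json
from typing import Iterable, List, Optional, Set, Tuple

Network = ipaddress.IPv4Network

# Constructed excerpt in the shape of the published AWS ip-ranges.json.
# Prefixes are RFC 5737 documentation ranges, not real AWS address space.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/26", "region": "eu-west-1", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "AMAZON"},
    ],
})

# Constructed sample of destination addresses pulled out of a packet capture.
CAPTURED_IPS = ["198.51.100.77", "198.51.100.9", "203.0.113.9", "192.0.2.5"]


def load_prefixes(raw_json: str, services: Optional[Set[str]] = None) -> List[Network]:
    """Parse the IPv4 prefix list, optionally keeping only the named services, and
    collapse overlapping or adjacent networks so the resulting alias stays short."""
    data = json.loads(raw_json)
    nets = [
        ipaddress.ip_network(entry["ip_prefix"])
        for entry in data["prefixes"]
        if services is None or entry["service"] in services
    ]
    return list(ipaddress.collapse_addresses(nets))


def split_by_coverage(ips: Iterable[str], prefixes: List[Network]) -> Tuple[List[str], List[str]]:
    """Separate captured destinations into those inside the prefixes and the strays
    that would still take the default (VPN) route."""
    covered: List[str] = []
    uncovered: List[str] = []
    for raw in ips:
        ip = ipaddress.ip_address(raw)
        (covered if any(ip in net for net in prefixes) else uncovered).append(raw)
    return covered, uncovered


def build_alias(prefixes: List[Network], extra_ips: Iterable[str]) -> List[str]:
    """Provider prefixes plus stray captured IPs (as /32s), collapsed and rendered one
    network per line: the text a URL Table (networks) alias downloads."""
    nets = list(prefixes) + [ipaddress.ip_network(ip) for ip in extra_ips]
    return [str(net) for net in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    prefixes = load_prefixes(SAMPLE_IP_RANGES)
    covered, uncovered = split_by_coverage(CAPTURED_IPS, prefixes)
    print("covered by provider prefixes:", covered)
    print("strays needing their own entry:", uncovered)
    print("\n".join(build_alias(prefixes, uncovered)))
```

Filtering by service (for example only `CLOUDFRONT`) keeps the bypass narrower than routing an entire provider around the VPN, at the cost of more strays showing up in the uncovered list. Note that published prefix lists change over time, so the alias file needs re-fetching on the same schedule as the URL Table refresh.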

You could set up a dedicated media consumption VM and route all its traffic outside the VPN, but otherwise it sounds like a headache.