
I'm setting up my Pi to act as a VPN gateway for selected devices on my home network. At the moment I can configure my phone to use the Pi as the router and can browse the internet, my IP shows up as that of the VPN server I'm connecting to. But various streaming apps do not work (e.g. netflix). I can open them, browse their content list, etc. But once I try to actually play a video they all come back with some sort of network error or timeout. If I disconnect the VPN on the Pi then all the above works completely fine.

I have a router that also serves the WiFi. The Pi is connected to it through ethernet. For the devices that I want to use the VPN, I configure them manually to use the Pi's IP as the router (just changing the router IP and nothing else).

Output of ifconfig (when VPN is running):

$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.42  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a515:8084:2816:5d8b  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:40:b4:9e  txqueuelen 1000  (Ethernet)
        RX packets 2569338  bytes 1525175276 (1.4 GiB)
        RX errors 8  dropped 380  overruns 0  frame 8
        TX packets 1395704  bytes 1035073670 (987.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 7070266  bytes 450585180 (429.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7070266  bytes 450585180 (429.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.100.0.2  netmask 255.255.255.0  destination 10.100.0.2
        inet6 fe80::ff3:b845:1401:8643  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 1866  bytes 462932 (452.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1922  bytes 355470 (347.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether b8:27:eb:15:e1:cb  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

And my iptables:

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT

$ sudo iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE

IP forwarding is on:

$ cat /proc/sys/net/ipv4/ip_forward
1

And the OpenVPN client config I'm using (the server I'm connecting to is NordVPN):

client
dev tun
proto tcp
remote 195.158.249.168 443
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
verify-x509-name CN=si14.nordvpn.com
push "dhcp-option DNS 1.1.1.1"
remote-cert-tls server

auth-user-pass login.txt
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
# ...
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
# ...
-----END OpenVPN Static key V1-----
</tls-auth>

I don't know what else I'm missing here. I'm only familiar enough with networking to know that I basically don't know anything, so I would appreciate any help!
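As an added check (my own script, not from the question or any answer), the following audits the posted FORWARD and POSTROUTING rules for the gaps a practitioner would look at first on a LAN-to-VPN gateway, and builds a replacement ruleset with a kill switch and an MSS clamp. The interface names and the 192.168.1.0/24 LAN are taken from the post; `tun+` as the tunnel match and the replacement rules themselves are assumptions.

```python
# Input for the checks: the FORWARD and POSTROUTING rules from the question,
# in `iptables -S` form (the chains that matter for a LAN-to-VPN gateway).
FILTER = """-P FORWARD ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT"""
NAT = """-P POSTROUTING ACCEPT
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE"""

def audit_gateway(filter_rules, nat_rules, mangle_rules="", vpn_if="tun+"):
    """Return a list of findings for an iptables -S dump of a VPN gateway."""
    f, n, m = (t.splitlines() for t in (filter_rules, nat_rules, mangle_rules))
    findings = []
    # Default-ACCEPT FORWARD is no kill switch: if tun0 drops, the default route
    # falls back to eth0 and client traffic is forwarded unencrypted.
    if "-P FORWARD ACCEPT" in f:
        findings.append("kill-switch: FORWARD policy is ACCEPT")
    # Forwarding anything that arrives from the tunnel (no state match) lets the
    # VPN side initiate connections into the LAN; only replies are needed.
    if f"-A FORWARD -i {vpn_if} -j ACCEPT" in f:
        findings.append(f"exposure: unconditional forward from {vpn_if} to LAN")
    # MASQUERADE with no -o rewrites packets on every egress interface,
    # including traffic leaving via eth0 rather than the tunnel.
    if any(r.startswith("-A POSTROUTING") and "MASQUERADE" in r and " -o " not in r
           for r in n):
        findings.append("nat: MASQUERADE without -o matches every interface")
    for table in (f, n, m):  # duplicates show rules are re-added on each start
        findings += sorted({f"duplicate: {r}" for r in table if table.count(r) > 1})
    # Small requests work but large transfers stall is the classic MTU symptom;
    # clamping forwarded SYNs to the path MTU is the cheapest thing to rule out.
    if not any("TCPMSS" in r for r in f + m):
        findings.append("mtu: no TCPMSS clamp on SYNs forwarded into the tunnel")
    return findings

def hardened_rules(lan_net="192.168.1.0/24", lan_if="eth0", vpn_if="tun+"):
    """Replacement (filter, nat, mangle) rules in -S form; values are assumed."""
    filt = "\n".join([
        "-P FORWARD DROP",  # nothing is forwarded unless listed below
        f"-A FORWARD -i {lan_if} -o {vpn_if} -s {lan_net} -j ACCEPT",
        f"-A FORWARD -i {vpn_if} -o {lan_if} -m conntrack "
        "--ctstate RELATED,ESTABLISHED -j ACCEPT",
    ])
    nat = f"-A POSTROUTING -s {lan_net} -o {vpn_if} -j MASQUERADE"
    mangle = (f"-A FORWARD -o {vpn_if} -p tcp --tcp-flags SYN,RST SYN "
              "-j TCPMSS --clamp-mss-to-pmtu")
    return filt, nat, mangle
```

Running `audit_gateway(FILTER, NAT)` on the posted rules reports all five findings, while the output of `hardened_rules()` audits clean; load the three strings with `iptables -t <table>` after replacing the existing rules.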

  • A VPN endpoint is likely in another locale. If you're in the UK, for example, and the VPN server at the other end is in Japan, Netflix might question your account being used there. BTW, when I started a VPN while my email client was connected, Google immediately locked my account for that reason. In a similar way, if you're currently in the UK and a charge is made on your credit card in Buenos Aires, it might be rejected. Commented Jun 2 at 18:23
  • All major streaming services employ a multitude of strategies to enforce geo-blocking. Something that works today could no longer be working tomorrow. I suggest you don't bother, unless you really absolutely totally want to. – Daniel B Commented Jun 2 at 18:38
  • The setup works fine if I run NordVPN directly on my TV or phone. So I doubt it's that. The issue does seem to be something around the type of packets/protocol used for streaming vs normal web browsing. Commented Jun 2 at 19:25
  • I've used netflix as an example. Other services that I know don't have any sophisticated geoblocking fail in the same way due to some network connectivity issues. Commented Jun 2 at 19:27
  • I see some answers talk about geo-blocking (which might be correct), but if you try to do some packet capturing (tcpdump) you can confirm whether certain traffic is getting blocked. Commented Jun 21 at 0:02
