
Hi!

I'm not that well versed in the world of Networking, so I am writing for some guidance.

You are all probably sick of questions like this, but please bear with me!

I did see LTT's Tailscale video.

As we all know, Netflix is removing the shared account feature, and I wanted to try to throw myself a little out into the vast and deep Networking water.

What I want to accomplish, or even figure out if it is possible, is: can I set up a VPN that split tunnels ONLY Netflix traffic?

I get that keeping track of every Netflix IP would be a hassle, but if you could split tunnel domains, would that work? Or an app on AppleTV (other streaming boxes are available)?

Or even if you just split tunnel a single browser through the VPN?

I'm pretty sure I can figure out the technical side of it with some google-fu, but is the split tunneling at all possible to do?

Thank you to any Networking gods that respond!

System Administrator

Link to comment
https://linustechtips.com/topic/1510164-private-vpn-guidance/

On 5/30/2023 at 1:31 PM, Zicco2 said:

Hi!

I'm not that well versed in the world of Networking, so I am writing for some guidance.

You are all probably sick of questions like this, but please bear with me!

I did see LTT's Tailscale video.

As we all know, Netflix is removing the shared account feature, and I wanted to try to throw myself a little out into the vast and deep Networking water.

What I want to accomplish, or even figure out if it is possible, is: can I set up a VPN that split tunnels ONLY Netflix traffic?

I get that keeping track of every Netflix IP would be a hassle, but if you could split tunnel domains, would that work? Or an app on AppleTV (other streaming boxes are available)?

Or even if you just split tunnel a single browser through the VPN?

I'm pretty sure I can figure out the technical side of it with some google-fu, but is the split tunneling at all possible to do?

Thank you to any Networking gods that respond!

I run a pfsense firewall and I’m sure I could make this work via that, but don’t know how as I never have. What I do for a single device (smart TV), is I route it out over a VPN to another network I own in a physically different location. So all traffic to that TV routes over the VPN. Similar idea, but more broad; I am not doing specific traffic/IP/domain filtering, I just have an internal IP address (the TV) go out over the VPN. This is very easy to set up, and for my needs works perfectly. 

Rig: i7 13700k +Contact Frame - - Asus Z790-P Wifi - - RTX 4080 - - 4x16GB 6000MHz - - Samsung 990 Pro 2TB NVMe Boot + Main Programs - - Crucial P3 2TB NVMe for photo work - - Corsair RM850x - - Sound BlasterX EA-5 - - Corsair XC8 JTC Edition - - Corsair GPU Full Cover GPU Block - - PTM 7950 - - XT45 X-Flow 420 + UT60 280 rads externally mounted - - EK XRES RGB PWM - - Fractal Define S2 - - DellAlienware AW3423DWF 34" -- Logitech Pro X Superlight - - Logitech G710+ - - LTT Northern Lights Deskpad

 

Headphones/amp/dac: Schiit Bifrost Multibit - -  Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx

 

Homelab/Media Server: Proxmox VE host - - 512 NVMe Samsung 980 RAID Z1 for VM's/Proxmox boot - - Xeon e5 2660 V4- - Supermicro X10SRF-i - - 128 GB ECC 2133 - - 10x8TB WD Red RAID Z2 - - 2x 800 GB SAS SSD’s (1 SLOG, 1 L2Arc) - - 45 HomeLab HL15 15 Drive 4U - - Corsair RM650i - - LSI 9305-16i HBA - - TreuNAS + many other VM’s

 

Unifi UDM Pro in front of full unifi network infrastructure

 

iPhone 17 Pro - - MacBook Air M3

Link to comment
https://linustechtips.com/topic/1510164-private-vpn-guidance/#findComment-15965782

10 hours ago, Block0 said:

Palo Alto firewalls could do it with SSL VPNs or you could use routing for those tunnels, but that's way more effort than it's worth

I'm guessing Palo Alto firewalls are not cheap? A quick Google search indicates they are for enterprise businesses, or do they have "smaller" ones with the same functionality?


Link to comment
https://linustechtips.com/topic/1510164-private-vpn-guidance/#findComment-15966357

10 hours ago, LIGISTX said:

I run a pfsense firewall and I’m sure I could make this work via that, but don’t know how as I never have. What I do for a single device (smart TV), is I route it out over a VPN to another network I own in a physically different location. So all traffic to that TV routes over the VPN. Similar idea, but more broad; I am not doing specific traffic/IP/domain filtering, I just have an internal IP address (the TV) go out over the VPN. This is very easy to set up, and for my needs works perfectly. 

Split tunneling a device would work as well, but having it work just the Netflix part would be preferable.


Link to comment
https://linustechtips.com/topic/1510164-private-vpn-guidance/#findComment-15966359

5 minutes ago, Zicco2 said:

Split tunneling a device would work as well, but having it work just the Netflix part would be preferable.

That isn’t really split tunneling. Split tunneling is what you want to do, not what I am doing and saying you can rather easily do. Split tunneling is when you route specific traffic over different gateways in this instance. What I suggest is just routing 100% of a device's traffic over a different gateway. You can always purchase a rather cheap streaming device that supports Netflix, route 100% of its traffic over the VPN gateway, and use it solely for Netflix, for example. Lots of ways to skin this cat.

Having a device go out over a VPN is very simple in pfSense, but trying to get a device to route only specific traffic is more difficult since I am not sure you can easily know all of the external connections Netflix will try to make. If you miss any, I assume it’ll be not happy.


Link to comment
https://linustechtips.com/topic/1510164-private-vpn-guidance/#findComment-15966376

17 hours ago, LIGISTX said:

I run a pfsense firewall and I’m sure I could make this work via that, but don’t know how as I never have. What I do for a single device (smart TV), is I route it out over a VPN to another network I own in a physically different location. So all traffic to that TV routes over the VPN. Similar idea, but more broad; I am not doing specific traffic/IP/domain filtering, I just have an internal IP address (the TV) go out over the VPN. This is very easy to set up, and for my needs works perfectly. 

It can be done with pfSense, as I have my own VPN tunnel and a VPN client. The VPN tunnel is used to connect to my network from outside, while the VPN client is used to connect to VPN services like PIA or NordVPN.

 

7 hours ago, Zicco2 said:

Split tunneling a device would work as well, but having it work just the Netflix part would be preferable.

If you are able to set up a pfSense with a VPN tunnel/VPN client, you will be able to separate devices using aliases. So with my network, I have multiple VLANs which I manage.

 

VLANs which I have:

  1. IT LAN - Can access all networks - 10.1.20.X
  2. Servers - Server VLAN - 10.1.70.X can only communicate with IT LAN
  3. IOT - for smart devices - 10.1.21.X - internet access only
  4. Home & Guest - for home and for guest access- Internet access only

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 32 GB (4x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitor: 24" Acer S240HLBID | OS: Win 11 Pro.

 

Home Lab:  Lenovo ThinkCenter M82 Hyper-V Server 2022 | Dell OptiPlex 9020 Hyper-V Server 2022 | TP-LINK TL-SG108E | Cisco Catalyst C2960CG 8 Port Switch | HP MicroServer G8 SCCM Server | 2x Dell PowerEdge R630 Hyper-V Server 2022

 

 

Link to comment
https://linustechtips.com/topic/1510164-private-vpn-guidance/#findComment-15966742

53 minutes ago, Sir Asvald said:

It can be done with pfSense, as I have my own VPN tunnel and a VPN client. The VPN tunnel is used to connect to my network from outside, while the VPN client is used to connect to VPN services like PIA or NordVPN.

If you are able to set up a pfSense with a VPN tunnel/VPN client, you will be able to separate devices using aliases. So with my network, I have multiple VLANs which I manage.

 

VLANs which I have:

  1. IT LAN - Can access all networks - 10.1.20.X
  2. Servers - Server VLAN - 10.1.70.X can only communicate with IT LAN
  3. IOT - for smart devices - 10.1.21.X - internet access only
  4. Home & Guest - for home and for guest access- Internet access only

Yes, I agree with all of this and I have a similar setup. But as far as ONLY routing Netflix traffic over the VPN which was the original question, that’s what I am saying is a more difficult task.


Link to comment
https://linustechtips.com/topic/1510164-private-vpn-guidance/#findComment-15966821