A reliable way to avoid geo restrictions is to use a VPN. This has several challenges, though, which I'd like to cover in this article and document what I found about them. I'll be glad for any PRs that clarify things or correct me. The main challenges are:
- IP of VPN Server is blocked.
- Device does not allow to configure VPN.
- All traffic is going through VPN.
This section contains the domains which need to be on the allowlist in order to bypass the geo check for these services.
- appboy.com
- awsglobalaccelerator.com
- akamaiedge.net
- akamai.net
- brightline.tv
- aaplimg.com
- imgix.net
- c.evidon.com
- bamgrid.com
- registerdisney.go.com
- disney-plus.net
- dssott.com
- disneyplus.com
- conviva.com
- braze.com
- hbomax.com
- hbo.com.edgekey.net
- hbo.com
- braze.com
- hulu.com
- hulustream.com
- newrelic.com
- conviva.com
- appsflyer.com
- cdn-gl.imrworldwide.com
- tealiumiq.com
- tags.tiqcdn.com
- huu.com
- demdex.net
- bam-cell.nr-data.net
- www.recaptcha.net
- z.moatads.com
- cast.google.com (add?)
- netflix.com
- showtime.com
- tubitv.com
- tubi.tv
- peacocktv.com
- starz.com
- dcuniverse.com
A lot of services use a banlist of IP ranges to protect themselves against VPN servers. This solution is pretty effective.
My experience is that all IPs from cloud providers (I tried Azure, Amazon and Linode) are always banned. The only chance to get through is to either use some unknown hosting or buy a commercial VPN service which has a lot of servers (a lot of them will still be blocked).
The solution with a commercial VPN service is usually cheaper, but the chance that the IP you are using there will be blocked is higher (after which you will need to switch to a new VPN server, which is usually available, as VPN service providers are always adding new servers to the pool ...).
One thing I noticed: I was never able to bypass the geo check with an L2TP VPN server. I don't know why yet, but it simply didn't work (I checked that I have the correct IP visible from the public internet). I was more successful with OpenVPN.
Some devices (Apple TV) do not allow you to configure a VPN. This is problematic when you want to bypass geo restrictions, but solvable.
The way to do it is on the router, or in general on some device between your Apple TV and your internet provider.
It's possible to configure your router in such a way that it redirects traffic over the VPN.
Another challenge is that typically you don't want all traffic to go through the VPN, for several reasons (higher latency for services where it's not needed, limited bandwidth/data, visibility of different content because of a different region, ...).
It is possible to configure your router so that it forwards to the VPN only the traffic which needs to bypass geo restrictions.
You can easily configure OpenVPN on Ubiquiti routers and route through the VPN only traffic for specific domains. Currently (Dec 2019) it's not possible to do the configuration through the web interface, and changes made through the CLI are not always reflected in the UI.
Be aware that for the method described here, devices on your network must have their DNS servers configured so that your router is their DNS server (the redirection works by having the router's DNS forwarder add the resolved addresses of the listed domains to the VpnTraffic address group). Usually this is the default, but if you reconfigured it differently, it will not work.
- Configure OpenVPN client
- Configure NAT
- Configure rules for choosing right gateway
- Configure domains for redirect
First you need to download the file with the OpenVPN configuration. This file has the extension .ovpn.
If your VPN provider also provides credentials, it's necessary to modify the ovpn file. Open it in a text editor, change the line `auth-user-pass` to `auth-user-pass /config/auth/vpnauth.txt` and add the line `route-nopull`, so that the file contains:
```
auth-user-pass /config/auth/vpnauth.txt
route-nopull
```
This forces the OpenVPN client to look for credentials in the file at the specified path. The file vpnauth.txt will have two lines: the first line contains the username and the second line the password. `route-nopull` stops the client from installing the routes pushed by the server, so the VPN does not become the default route; which traffic goes through the VPN is decided by the rules configured below instead.
When you have the configuration files, they need to be uploaded to the Ubiquiti router into a new folder auth at the path /config/auth. The folder should have permissions set to 644 (owner read+write, everybody else just read).
On Windows you can do it through WinSCP or PuTTY, and on Mac through SSH or Midnight Commander. For more details see the article on lazyadmin.nl.
When all files from the previous step are in place, execute the following commands.
- Enter the configuration mode of the router.
  ```
  configure
  ```
- Create the VPN interface (replace `<name>` with the name of your file).
  ```
  set interfaces openvpn vtun0 config-file /config/auth/<name>.ovpn
  set interfaces openvpn vtun0 description 'VPN'
  ```
- Commit, save changes and reboot.
  ```
  commit
  save
  exit
  ```
After these steps you should see the connected VPN interface in the web interface.
Typically you'll have just one IP address from your VPN provider, but a whole network behind the router which will send traffic through the VPN. For this reason we need to configure NAT.
- Enter the configuration mode of the router.
  ```
  configure
  ```
- Configure NAT for the VPN interface.
  ```
  set service nat rule 5050 description 'OpenVPN Clients'
  set service nat rule 5050 log disable
  set service nat rule 5050 outbound-interface vtun0
  set service nat rule 5050 type masquerade
  ```
- Commit and save changes.
  ```
  commit
  save
  exit
  ```
- Enter the configuration mode of the router.
  ```
  configure
  ```
- Delete the existing static tables (only if you didn't modify them manually in the past; otherwise resolve the conflicts yourself).
  ```
  delete protocols static table
  ```
- Create the table for routing to your ISP (replace `<IP_of_ISP_gateway>` with the address of your ISP's gateway).
  ```
  set protocols static table 1 route 0.0.0.0/0 next-hop <IP_of_ISP_gateway>
  ```
- Create the table for routing to the VPN.
  ```
  set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface vtun0
  ```
- Configure the domains which will be redirected (replace `<domains>` with the list of domains separated by slashes (/)). Specify the IP address of a US DNS server.
  ```
  set service dns forwarding options ipset=/<domains>/VpnTraffic
  set service dns forwarding options server=/<domains>/<US DNS Server IP>
  ```
- Configure routing of queries aimed at the US DNS server IP to go through the VPN.
  ```
  set protocols static route <US DNS server IP>/32 next-hop <VPN Gateway IP> distance 1
  ```
- Configure the firewall to send every request going to a configured domain through the VPN (replace `<ethernet_port>` with the ethernet port which is connected to your local network).
  ```
  set firewall group address-group VpnTraffic
  set firewall modify VpnRule rule 5 action modify
  set firewall modify VpnRule rule 5 description 'Target to VPN'
  set firewall modify VpnRule rule 5 destination group address-group VpnTraffic
  set firewall modify VpnRule rule 5 modify table 2
  set interfaces ethernet <ethernet_port> firewall in modify VpnRule
  ```
- Configure the firewall to send every other request through the standard gateway.
  ```
  set firewall modify VpnRule rule 20 action modify
  set firewall modify VpnRule rule 20 description "Rest of network"
  set firewall modify VpnRule rule 20 modify table 1
  ```
- Commit and save changes.
  ```
  commit
  save
  exit
  ```
After this step, any traffic aimed at the configured domains will be redirected to the VPN.
At some point you'll get into the situation that you want to remove or add more domains to be redirected.
You can do that by executing:
- Enter the configuration mode of the router.
  ```
  configure
  ```
- Remove the currently configured domains.
  ```
  delete service dns forwarding options
  ```
- Configure the domains which will be redirected (replace `<domains>` with the list of domains separated by slashes (/)).
  ```
  set service dns forwarding options ipset=/<domains>/VpnTraffic
  ```
- Commit and save changes.
  ```
  commit
  save
  exit
  ```
Changes will take effect immediately.
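The `/domain1/domain2/.../VpnTraffic` string used in the initial setup and in the update step above is easy to get wrong by hand, so here is a small generator for those `set service dns forwarding options` lines. It is an added example, not code from this write-up or from the RouterWizzard app; the function names and the 192.0.2.53 resolver address are assumptions made for the example.

```python
import ipaddress
import re
from typing import Iterable, List, Optional

# Added example, not code from the original write-up or the RouterWizzard app:
# builds the EdgeOS "set service dns forwarding options" lines from a plain
# domain list so the /a/b/c/ match string never has to be typed by hand.
# One label per group: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")

def normalise_domains(domains: Iterable[str]) -> List[str]:
    """Lower-case, drop trailing notes such as '(add?)', blanks and duplicates
    (the allowlist above repeats braze.com and conviva.com), reject bad names."""
    seen, out = set(), []
    for raw in domains:
        parts = raw.strip().split()
        if not parts:
            continue
        name = parts[0].lower().rstrip(".")
        if not _DOMAIN_RE.match(name):
            raise ValueError(f"not a valid domain name: {raw!r}")
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out

def dnsmasq_match_list(domains: List[str]) -> str:
    """dnsmasq syntax: /d1/d2/.../ matches each listed domain and all its subdomains."""
    return "/" + "/".join(domains) + "/"

def edgeos_commands(domains: Iterable[str], ipset_name: str = "VpnTraffic",
                    us_dns: Optional[str] = None) -> List[str]:
    """CLI commands for the 'change the redirected domains' step. If us_dns is
    given, the server= line is re-emitted, since 'delete ... options' removes it too."""
    names = normalise_domains(domains)
    if not names:
        raise ValueError("no domains to redirect")
    match = dnsmasq_match_list(names)
    cmds = ["configure", "delete service dns forwarding options",
            f"set service dns forwarding options ipset={match}{ipset_name}"]
    if us_dns is not None:
        resolver = ipaddress.ip_address(us_dns)  # ValueError on a malformed address
        cmds.append(f"set service dns forwarding options server={match}{resolver}")
    return cmds + ["commit", "save", "exit"]

if __name__ == "__main__":  # constructed sample; 192.0.2.53 is a documentation placeholder
    print("\n".join(edgeos_commands(["netflix.com", "cast.google.com (add?)", "hulu.com"],
                                    us_dns="192.0.2.53")))
```

Because `delete service dns forwarding options` clears every option under that node, pass the US resolver address again when regenerating the list, or the `server=` line from the initial setup is lost.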
Note that the configuration of the domains which are redirected through the VPN can also be done through the iOS application RouterWizzard. It was written based on this tutorial, as I was lazy to do these steps manually all the time.