Friday, October 09, 2015

ASUS RT-AC66U Firmware 378.55 (Merlin) & setting up OpenVPN with Private Internet Access (PIA) and a ROKU Media player

I'm fairly late to the Netflix table, but I knew early on that Canada was second to the US in terms of available shows (check out this Toronto Star article). At the time of its writing the US had just about double: 7202 titles compared to Canada's 3663.

I'm also a UFC fan and subscribe to UFC Fight Pass, their online streaming service. Last year UFC Fight Pass changed what I got content-wise from their service because the UFC had just signed a deal with TSN that prohibited Fight Pass from showing Prelims and other UFC TV offerings on the streaming service that were also being shown on television. If it happened to be shown on television, then UFC Fight Pass got "blacked out" in Canada (so you didn't "cut the cable", to encourage getting/keeping a cable subscription I guess). You needed Fight Pass AND a cable package featuring TSN in order to watch all the "free" TV UFC and Fight Pass events. The UFC was screwing over the paying subscribers of their streaming service by withholding UFC events that were also shown on TSN where "non-paying" UFC fans could watch them.

Thanks a lot. Even when we pay for stuff, we still manage to get screwed by cable companies we may or may not subscribe to.

In any event, I had been using a VPN service, Private Internet Access (PIA), for years for my everyday surfing needs and wanted to extend it to my Netflix and UFC viewing to get around the annoying geoblocking. Everyone I know uses some sort of DNS-proxy based anti-geoblocking solution, but I did not want to subscribe to a second service when I already had a perfectly good VPN service. The catch was that I do most of my media streaming on the main floor with a ROKU device, which has zero OS customization (it has a great little remote, easy for the wife and kids to operate, though). So how do you get a dumb closed device to use your VPN service? By telling your router to redirect its IP to your VPN gateway.

Here's what you do.

You need to set up the OpenVPN client on your router and then give it the IP address of the device whose traffic should go through the VPN, so that the device appears to come from somewhere else in the world, like the good old U.S. of A. Here is a screen shot of my router's OpenVPN Clients tab.

In the "Server Address and Port" field you enter the location you are spoofing. I used
"us-east.privateinternetaccess.com" (no quotes)
along with port 1194. The port and the address need to match and you can find this info on PIA's site along with a full list of locations under the "Regional gateways" section in the bottom left.

https://www.privateinternetaccess.com/pages/client-support/

Enter your PIA user ID and password as shown. In the "Redirect Internet traffic" section choose "Policy Rules" in the dropdown; this opens up a section where you can enter the IP address of the device you wish to use with the VPN (I'm using a ROKU media player). In the destination IP just put 0.0.0.0.

I'm using the following in the "Custom Commands" section:

tls-client
remote-cert-tls server
reneg-sec 0
verb 4
comp-lzo
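
As an added example (not from the original post or from the router firmware), this Python script parses the Custom Commands listed above and flags the directives that affect how the tunnel is secured. The function names, severity labels and finding messages are assumptions made for illustration.

```python
# Added example: audit the OpenVPN "Custom Commands" from the post.
# Function names, severities and messages are illustrative assumptions.

# Directives exactly as listed in the post.
CUSTOM_COMMANDS = """\
tls-client
remote-cert-tls server
reneg-sec 0
verb 4
comp-lzo
"""


def parse_directives(text):
    """Return {directive: [args]}, skipping blank lines and # or ; comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def audit(text):
    """Return a list of (severity, message) findings for a client config."""
    d = parse_directives(text)
    findings = []
    # Without this check the client accepts any certificate the CA signed,
    # not only certificates marked for server use.
    if d.get("remote-cert-tls") != ["server"]:
        findings.append(("high", "remote-cert-tls server is not set"))
    # Bare comp-lzo turns on compression before encryption, which can leak
    # plaintext (VORACLE-style attacks). It has to match the server setting.
    if "comp-lzo" in d and d["comp-lzo"] != ["no"]:
        findings.append(("medium", "comp-lzo enables compression"))
    # reneg-sec 0 stops this side from starting key renegotiation;
    # rekeying then depends on the server's own timer.
    if d.get("reneg-sec") == ["0"]:
        findings.append(("info", "client-side renegotiation is disabled"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(CUSTOM_COMMANDS):
        print(f"{severity:6} {message}")
```
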

In the "Authorization Mode" field I have it set to "TLS", and clicking on "Content modification of Keys & Certificates" brings up a page where you can paste PIA's CA certificate (the block that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----) into the "Certificate Authority" section.

And that does it. If you are in Canada like I am, fire up Netflix on the device you just routed through the VPN and look for "Sons of Anarchy" or "30 Rock" or any of the other 3000-some offerings not available in the Great White North to see if it is working.

I don't feel too bad because it's a service we're paying for and it is the same as if you brought your iPad with a Netflix app across the border and fired it up in a Dunkin Donuts in Maccina or something. Plus the UFC Canada crap burns my ass almost enough to vote with my feet and cancel the service. At least this way I feel better about giving them my $10 a month.