
The Great Netflix VPN Block of 2016

drmike

100% Tier-1 Gogent
Do we have Netflix users here?


Others out there having issues connecting to Netflix recently?  Getting an annoying blocked message on devices. 


Unsure if in my instance it dislikes VPN to remote server (which is a private IP and private VPN) or if my extensive block lists are contributing to it.  Either way I refuse to tear things down to watch internet version of TV.


Anyone having success behind VPN viewing Netflix at current?


Big petition here over the blow up blocking VPN:
https://act.openmedia.org/netflix


39k signatures and counting.  Yuuuuge!


Media article on the situation: http://www.wired.com/2016/03/netflix-discontent-blocked-vpns-boiling/
 

clarity

Active Member
I got this error just yesterday when trying to watch some content behind a firewall. It is a private VPN that has only ever accessed their services a few times, but it is still blocked. I wish that they would open it back up, but I understand why they aren't. It sucks for me!
 

drmike

100% Tier-1 Gogent
I am wondering if they are blocking any datacenter IP or what at this point... feels like they are as I've spun up servers in multiple locations and same rejection message.  But I have funky setup and can believe DNS perhaps is culprit too in my own instance.  Thus, why I asked for group input :)


Bad move by Netflix.  I cancelled the subscription I have due to this.
 

HN-Matt

New Member
Verified Provider
I have a Netflix subscription but never use it, so didn't notice.

Agree re: 'Bad move' though. Those who connect to Netflix via proxy or VPN are more than likely paying an American web host for the IP. If Netflix starts mass blocking certain American IP ranges, doesn't that mean a lot of lost business for American web hosts? That, and it's not like Netflix will gain any new subscribers out of the act. Seems like they're shooting their own economy in the foot more than anything.
 

KuJoe

Well-Known Member
Verified Provider
People getting angry at Netflix for trying to survive. They'll also be the first to complain when Netflix has shitty content because they can't get any good licenses from decent studios.
 

drmike

100% Tier-1 Gogent
> People getting angry at Netflix for trying to survive. They'll also be the first to complain when Netflix has shitty content because they can't get any good licenses from decent studios.

I'm not mad.  I just can't get Netflix to work. Smells like massive block list of commercial IPs.


I am pro blacklisting malicious stuff.


Netflix knew doing this was going to cause backlash.  They should have taken a softer stance.


Mark my words, Netflix will soften on this IP blocking and so soon.
 

Licensecart

Active Member
I like Netflix myself but I don't mind the UK version the only issue I would like fixed is some cool tv shows from the USA but again why risk it :p


The only issue I have with this really would be the big companies want people to not pirate and pay them money but they can't be bothered to CC programs / films when you can buy it on Blu-ray (some films have CC) and then you can if you want to find everything online for free (Pirate). If they want money they should CC everything :) and put it on YouTube, iTunes etc.
 

HN-Matt

New Member
Verified Provider
> People getting angry at Netflix for trying to survive. They'll also be the first to complain when Netflix has shitty content because they can't get any good licenses from decent studios.

Uhh, but they bought the American IP because Netflix had shitty content to begin with... if Netflix blocks them, it's not like they're going to retain a subscription in their own region.

So in short Netflix loses a shit load of subscribers who won't return in any other context due to the insularity of regional licensing conceits. What's that phrase again, cutting off the nose to spite the face?
 

RLT

Active Member
Netflix has no say in the matter, if they don't show they're blocking those customers then they get penalized to a much higher cost. 


It's a damned if you do and damned if you don't situation; they have to choose the route of the lowest loss.
 

HalfEatenPie

The Irrational One
Retired Staff
I think it's a combination of IP ban plus a few other factors involved.


I previously accessed Netflix using two different methodologies: SNI Proxy and VPN (L2TP via SoftEther).


I think I need to tweak my proxy configuration as via my proxy I get the notification on Netflix saying I'm viewing through a proxy. However, on the exact same server if I use a VPN to watch Netflix, it's perfectly fine.


I'd have to continue investigating (honestly, I really can't be assed and will probably be setting up selective DNS forwarding on my router through Unblock-Us), but I think tweaking the configuration on my SNI Proxy should fix it right up.  
 

Hxxx

Active Member
Assuming you are in the USA, drmike, why would you VPN? At this point, for Netflix, don't tell me it is because of privacy...


If I recall correctly this was done because of licensing issues. A license for USA viewers can't be applied to South America for example. I guess it has some monetary logic. This is similar to YouTube video restrictions.


About the VPN ban method, maybe they started using the billing address to match IP.
 

drmike

100% Tier-1 Gogent
> Assuming you are in the USA, drmike, why would you VPN? At this point, for Netflix, don't tell me it is because of privacy...
>
> If I recall correctly this was done because of licensing issues. A license for USA viewers can't be applied to South America for example. I guess it has some monetary logic. This is similar to YouTube video restrictions.
>
> About the VPN ban method, maybe they started using the billing address to match IP.

All of my networks are gatewayed out via VPN and nested VPN within that on a per client basis.  Just standard protocol.  Nothing leaves anywhere otherwise.


Billing address and IP correlation wouldn't make sense in my instance since the subscription was bought using the very same VPN network.  If they were to stick things to IP origin at signup anyone traveling would be screwed.  Mobile devices would be an issue too.
 

HN-Matt

New Member
Verified Provider
> I think I need to tweak my proxy configuration as via my proxy I get the notification on Netflix saying I'm viewing through a proxy. However, on the exact same server if I use a VPN to watch Netflix, it's perfectly fine.

That's kind of hilarious. So not an IP block, but a technocratic half-measure with no real effect beyond discriminating against particular software configurations? Not even an autocratic whuffie-style blacklist???
 

Hxxx

Active Member
> All of my networks are gatewayed out via VPN and nested VPN within that on a per client basis. Just standard protocol. Nothing leaves anywhere otherwise.
>
> Billing address and IP correlation wouldn't make sense in my instance since the subscription was bought using the very same VPN network. If they were to stick things to IP origin at signup anyone traveling would be screwed. Mobile devices would be an issue too.

You either have some obsession with hiding your data/trail or you are way too smart and know things nobody does. Either way, nice setup.
 

drmike

100% Tier-1 Gogent
> You either have some obsession with hiding your data/trail or you are way too smart and know things nobody does. Either way, nice setup.

Everyone should be concerned and at least attempt to make things hard and thusly earned by the bad guys (hackers, thieves, government, foreign governments, etc.).
 

Hxxx

Active Member
> Everyone should be concerned and at least attempt to make things hard and thusly earned by the bad guys (hackers, thieves, government, foreign governments, etc.).

It works both ways. I find it more vulnerable that you tunnel absolutely everything through them, so basically if one of these VPNs fails, let's say one of these VPSes (if this is what you use) gets hacked, then you are compromising everything.
 

drmike

100% Tier-1 Gogent
... and let's be honest about things... when one goes avoiding plaintext (everyone should) malicious ISPs flag you, QoS things, flag you, etc.   So the avoidance and intentional privacy intent must march forward.


Still doesn't solve the fingerprinting via leaky crap (that's why to turn off Javascript).... Really break up their apparatus and intent with a text only approach, but even that needs ahh massaged to make not so apparent of what you are doing.

> It works both ways. I find it more vulnerable that you tunnel absolutely everything through them, so basically if one of these VPNs fails, let's say one of these VPSes (if this is what you use) gets hacked, then you are compromising everything.

Indeed it does work both ways.


Way the VPN works is as a fleet.  Collection of "connect profiles" those are connected to semi-randomly (not perfected).  The endpoints change regularly and since nested, if one layer fails, it's wrapped in the other.  The VPNs are an ever changing collection of VPS and VPN services.  Killswitch (script) for teardown and reconnect is mandatory.  Bulletproof?  nope, but eventually it gets there and better. 


None of the VPN accounts gets used for that long and remember things are nested.  Assume not everything is nested with just VPN / same type of VPN either.


And... DNS is nested in this and runs to remote crypto'd DNS lookups... so that is VPN ---> VPN ---> crypto'd DNS (at minimum).


Enemy of this is overhead and latency.  Not uncommon to see something like 80ms first hop out the door with the VPN up.
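
A minimal fail-closed killswitch for a single OpenVPN layer, as an added example that is not drmike's script (the thread never shows it). The interface names, endpoint address, port and the helper names `killswitch_rules`, `route_dev` and `egress_ok` are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed egress for ONE tunnel layer. Interface names,
# endpoint address and port are constructed placeholders (RFC 5737 ranges).

# Print an iptables-restore ruleset. Default policy is DROP, so when the
# tunnel interface disappears nothing falls back to the bare uplink.
# IPv6 needs an equivalent ip6tables ruleset, otherwise it leaks around this.
killswitch_rules() {
    tun_if=$1; phys_if=$2; vpn_ip=$3; vpn_port=$4; proto=$5
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $tun_if -j ACCEPT
-A OUTPUT -o $phys_if -d $vpn_ip -p $proto -m $proto --dport $vpn_port -j ACCEPT
COMMIT
EOF
}

# Extract the outgoing interface from one line of `ip route get <addr>`.
route_dev() {
    set -- $1                      # split the line into words
    while [ $# -gt 1 ]; do
        if [ "$1" = dev ]; then echo "$2"; return 0; fi
        shift
    done
    return 1
}

# Succeeds only if the route for a public address leaves via the tunnel.
egress_ok() {
    [ "$(route_dev "$1")" = "$2" ]
}

# Constructed samples of `ip route get 203.0.113.1` output.
up="203.0.113.1 dev tun0 src 10.8.0.2 uid 1000"
down="203.0.113.1 via 192.168.1.1 dev eth0 src 192.168.1.50 uid 1000"

# Printing only; pipe the ruleset to iptables-restore as root to apply it.
killswitch_rules tun0 eth0 198.51.100.10 1194 udp
egress_ok "$up" tun0 && echo "tunnel up: egress via tun0"
egress_ok "$down" tun0 || echo "tunnel down: route points at uplink, DROP policy still holds"
```

Because plain DNS to anything other than the tunnel is dropped by the default policy, resolver traffic can only leave through the tunnel interface.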
 

Hxxx

Active Member
> ... and let's be honest about things... when one goes avoiding plaintext (everyone should) malicious ISPs flag you, QoS things, flag you, etc.   So the avoidance and intentional privacy intent must march forward.
>
> Still doesn't solve the fingerprinting via leaky crap (that's why to turn off Javascript).... Really break up their apparatus and intent with a text only approach, but even that needs ahh massaged to make not so apparent of what you are doing.
>
> Indeed it does work both ways.
>
> Way the VPN works is as a fleet.  Collection of "connect profiles" those are connected to semi-randomly (not perfected).  The endpoints change regularly and since nested, if one layer fails, it's wrapped in the other.  The VPNs are an ever changing collection of VPS and VPN services.  Killswitch (script) for teardown and reconnect is mandatory.  Bulletproof?  nope, but eventually it gets there and better.
>
> None of the VPN accounts gets used for that long and remember things are nested.  Assume not everything is nested with just VPN / same type of VPN either.
>
> And... DNS is nested in this and runs to remote crypto'd DNS lookups... so that is VPN ---> VPN ---> crypto'd DNS (at minimum).
>
> Enemy of this is overhead and latency.  Not uncommon to see something like 80ms first hop out the door with the VPN up.

That's a beautiful setup, indeed. Stable enough?
 

drmike

100% Tier-1 Gogent
> That's a beautiful setup, indeed. Stable enough?

It's quirky.  When there is a blip due to a nested VPN, you have to just go get a beverage and come back.. usually just some wonkiness that cleans up.   Might be seconds, might take upwards of a minute.  Most of it is origin of mixing in a shitty VPS provider with a node being dinged or latency on your own direct internet provider (had this happen the other night with like 100ms to first public hop and dropping 40% of packets).


Human nature responsiveness to that fail is to go ripping down connections and re-establishing which is meh, more hassle than anything and prone to busting a public viewable hole in setup.


OpenVPN (which I primarily use) is decent about re-establishing connections on its own --- as-needed.


Yeah it's stable :)  Some days are better than others and depending on who gets mixed in....  Starting to track where the issues are, so I can say no to this provider or a certain network.


Real drag is the public VPN companies.  Lots of blacklisting due to others, failures of service that can be ugly, config / end nodes that change customer side (dumb)...
 