@jamesmacwhite
Last active August 9, 2023 13:24
Bypass rules for Netflix when using a WPAD based proxy deployment

Netflix and direct bypass rules using WPAD

If you're like me, you might already route your traffic through a VPN. The problem is that some sites just don't like VPN services and will actively block you unless you disable or bypass the VPN.

Netflix is a prime example of a website that does not like VPN services, because they are seen as a way to circumvent the geo-restrictions imposed on its content library.

Below are the WPAD rules I use to send Netflix traffic directly and avoid the VPN errors and dreaded unknown network error messages. Error messages that Netflix throws back at you related to VPN usage when streaming might include:

  • "You seem to be using an unblocker or proxy"
  • VPN/proxy error M7111-1331-5059
  • Unknown network error Q8226
  • Unknown network error Q8227
  • U IZ A SUSPECTED VPN/PROXY PIRATE, GET BANNED M8!!!1111 (OK that one is made up)

RULE #1: Netflix top level domains

This list covers the main Netflix top level domains that requests generally come from. It doesn't tend to change much, but new top level domains can be introduced; more recently nflxso.net has started appearing in requests.

if (dnsDomainIs(host, "nflxvideo.net") ||
    dnsDomainIs(host, "netflix.com") ||
    dnsDomainIs(host, "netflix.net") ||
    dnsDomainIs(host, "nflximg.com") ||
    dnsDomainIs(host, "nflximg.net") ||
    dnsDomainIs(host, "nflxext.com") ||
    dnsDomainIs(host, "nflxso.net"))
    return "DIRECT";

RULE #2: Amazon CDN related requests

Amazon Web Services is used as a content provider and, unfortunately, the hostnames vary, so this is quite a wide rule: every amazonaws.com request, not just Netflix's, goes direct.

if (dnsDomainIs(host, "amazonaws.com"))
    return "DIRECT";

RULE #3: Raw IPv4 CDN requests

More recently I noticed interesting requests being made from the Netflix app on a mobile device. A request like the example below was seen in the logs:

http://62.254.47.128/range/0-18983

These are Netflix CDN servers hosted within the network of my ISP (Virgin Media). The problem is that because the requests are made to an IP address rather than a domain, they are not picked up by any of the above rules. To match these, shExpMatch has to be used to match the format of the request URL itself.

if (shExpMatch(url, "http://*/range/0-*"))
    return "DIRECT";

Essentially the rule breaks down to:

  • Any plain-http traffic, from any hostname or IP
  • Where the request path begins with /range/0-

The /range/ request path is quite distinctive and shouldn't match anything outside of Netflix traffic. This rule is a bit fragile, however: any http request with that path shape goes direct, whatever host it is sent to.

The IP address appearing in each request seemed to rotate quite heavily, so attempting to whitelist the ranges by CIDR was impractical. A pattern-based (shExpMatch) request match seems the only reliable way to make this work, but it relies on the request format not changing, which cannot be assured.

RULE #4: Bonus CDN requests

In addition, you may also find better luck with services when you whitelist other common CDN sites. Here's the list that I use, but it is by no means exhaustive.

if (shExpMatch(host, "*.e.akamai.net") ||
    shExpMatch(host, "*.cloudfront.net") ||
    shExpMatch(host, "*.akamaihd.net") ||
    shExpMatch(host, "*.uplynk.com") ||
    shExpMatch(host, "*.edgefcs.net") ||
    shExpMatch(host, "*.edgesuite.net") ||
    shExpMatch(host, "*.footprint.net") ||
    shExpMatch(host, "*.llnwd.net") ||
    shExpMatch(host, "*.llnwi.net") ||
    shExpMatch(host, "*.theplatform.com") ||
    shExpMatch(host, "*.brightcove.net") ||
    shExpMatch(host, "*.brightcove.com"))
    return "DIRECT";

Using these rules should allow Netflix to work while keeping a VPN active, subject to how your VPN is set up. With WPAD, the browser loads this file, and any request that matches a DIRECT rule bypasses the proxy (and any proxy chain behind it) and goes straight out via the WAN.

This method can apply to other sites; you can find more examples of what you can do in a WPAD file at the link below:
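The four rules above assembled into a complete FindProxyForURL, with stand-ins for the browser's dnsDomainIs and shExpMatch helpers so the rules can be audited offline before the file is deployed (an added example, not code from the gist; the proxy address is a placeholder and the helper implementations are assumptions modelled on the classic Netscape/Chromium reference versions). Since every DIRECT match sends traffic outside the VPN, the audit is worth running: a plain suffix comparison in dnsDomainIs also matches hosts that merely end in one of the listed names, and rule #3 matches any plain-http host whose path starts with /range/0-.

```javascript
// Stand-ins for the helpers a browser's PAC runtime provides. Assumption:
// they follow the classic reference implementations, where dnsDomainIs is a
// plain suffix comparison and shExpMatch is a shell-style glob (* and ?).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

function shExpMatch(str, pattern) {
  // Escape regex metacharacters except the glob wildcards, then translate them.
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*")
                    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Placeholder upstream proxy (TEST-NET address); substitute your own VPN/proxy.
const PROXY = "PROXY 192.0.2.1:3128";

// The gist's rules assembled into the PAC entry point the browser calls.
function FindProxyForURL(url, host) {
  // RULE #1: Netflix top level domains
  if (dnsDomainIs(host, "nflxvideo.net") || dnsDomainIs(host, "netflix.com") ||
      dnsDomainIs(host, "netflix.net") || dnsDomainIs(host, "nflximg.com") ||
      dnsDomainIs(host, "nflximg.net") || dnsDomainIs(host, "nflxext.com") ||
      dnsDomainIs(host, "nflxso.net"))
    return "DIRECT";
  // RULE #2: Amazon CDN related requests
  if (dnsDomainIs(host, "amazonaws.com"))
    return "DIRECT";
  // RULE #3: raw IPv4 CDN requests, matched on the URL path rather than the host
  if (shExpMatch(url, "http://*/range/0-*"))
    return "DIRECT";
  // RULE #4: bonus CDN hostnames (two of the gist's entries, to keep this short)
  if (shExpMatch(host, "*.cloudfront.net") || shExpMatch(host, "*.akamaihd.net"))
    return "DIRECT";
  return PROXY;
}

// Audit helper: true when the URL would leave the proxy/VPN path entirely.
function bypassesProxy(url) {
  return FindProxyForURL(url, new URL(url).hostname) === "DIRECT";
}
```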

https://findproxyforurl.com/example-pac-file/
