iPlayer and VPN

Hi,

OK, so I’m a Brit living in the US and my family wants to be able to watch TV from the old country.

We use ROKU devices throughout the house. I have pfSense set up as my home firewall / router.

So, I’m looking at getting a VPN set up to the UK to watch iPlayer, however I only want to route that traffic over the VPN. Now, all the “selective VPN” information I can find would basically force all the Roku box(es) through the VPN, which should make iPlayer work, but would screw up US-based services (like NetFlix).

So, what I’m looking for is a way for pfSense to detect traffic specifically for iPlayer and route only that over the VPN.

Any ideas?

Does anyone know if iPlayer uses specific ports that I could detect? Or is there a list of IP addresses that iPlayer is known to use?

Any help appreciated! :smiley:

One of your best solutions here: Get another Roku dedicated for iPlayer only, hook it up on another input on your TV, and route that one to the UK. (or if missing additional inputs, swap the HDMI cable between them)

To be fair, Netflix was screwed up long before they started banning VPN/proxy usage.

At this point, I can’t even fathom why anyone would waste money on their subpar service.

I use Surfshark with pfsense and policy route my devices through the tunnel as needed based on their IP addresses.

I just wanted to thank everyone who has commented on this thread. I think I’m going to have to get a second Roku (not only due to the VPN thing, but also because of restrictions with installing the iPlayer app.)

I’ll post back an update when I have one :wink:

No, that’s not what you want.

You want a list of the IP addresses iPlayer uses and to policy route them via the VPN. They’ll likely be CDN addresses so that won’t work well.

I route only Netflix traffic from select devices through a VPN.

I use pfBlockerNG to maintain an ‘alias match’ list of Netflix ASNs, IPs and DNS names. The sources are GitHub lists of Netflix IPs, https://bgp.he.net/ and a few manual entries.
A firewall rule then directs all traffic that matches an entry in that list through the VPN.

The result is Netflix on an Nvidia Shield showing content from Singapore and all other apps such as Disney+ showing content from my actual location.

It’s quite a thing to set up, but it’s possible and it works.
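
The alias-match routing described in the post above, sketched as an added example (not part of the original post and not pfBlockerNG's own code): several prefix feeds are merged into one alias, and only traffic from a selected device to a destination in that alias is sent to the tunnel. The feed names, the gateway labels `VPN_GW`/`WAN_GW`, the device address and all prefixes (documentation ranges) are constructed assumptions.

```python
import ipaddress

# Constructed sample feeds using documentation ranges (RFC 5737 / RFC 3849).
# They stand in for the ASN lookups, GitHub lists and manual entries.
FEEDS = {
    "asn_lookup": ["198.51.100.0/24", "203.0.113.0/25", "2001:db8:100::/48"],
    "github_list": ["203.0.113.128/25", "198.51.100.64/26", "not-a-prefix"],
    "manual": ["192.0.2.10"],
}
# Hypothetical LAN address of the one device allowed to use the tunnel.
VPN_SOURCES = {ipaddress.ip_address("192.168.1.50")}


def build_alias(feeds):
    """Parse all feed entries, reject malformed ones, collapse overlaps."""
    v4, v6, rejected = [], [], []
    for source, entries in feeds.items():
        for entry in entries:
            try:
                net = ipaddress.ip_network(entry.strip(), strict=False)
            except ValueError:
                rejected.append((source, entry))
                continue
            (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses() cannot mix address families, so merge each separately.
    merged = list(ipaddress.collapse_addresses(v4))
    merged += list(ipaddress.collapse_addresses(v6))
    return merged, rejected


def pick_gateway(src, dst, alias, vpn_sources=VPN_SOURCES):
    """Policy rule: selected source AND destination in alias -> tunnel."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_alias = any(dst_ip.version == n.version and dst_ip in n for n in alias)
    # Anything that does not match both conditions stays on the default WAN.
    return "VPN_GW" if src_ip in vpn_sources and in_alias else "WAN_GW"


if __name__ == "__main__":
    alias, rejected = build_alias(FEEDS)
    print("alias:", [str(n) for n in alias], "rejected:", rejected)
    print(pick_gateway("192.168.1.50", "203.0.113.200", alias))
    print(pick_gateway("192.168.1.50", "192.0.2.11", alias))
```

Because the match is on destination address alone, any other service served from a prefix in the alias follows the same route, which is the CDN concern raised elsewhere in this thread.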

> detect traffic specifically for iPlayer

not going to happen.

> a list of IP addresses that iPlayer is known to use?

the thing is, that this list is ENORMOUS, and it isn’t only used by BBC iPlayer - it’s used by other stuff too.

The days of one IP = one service are long long gone. These days everything is CDN backed, so 1 IP could serve thousands of services.

Your easiest solution is to get another ROKU (if they’re cheap) or maybe something like a Fire Stick (30 bucks). Then put the new device on a WiFi network dedicated to VPN (separate VLAN or similar) - and route the whole network.

I agree. Another device routed to your VPN tunnel would be the most efficient way to get what you need. I would say, in general, it’s very hard to maintain routing rules for streaming services since the IP stack they use does change over time.

I have a setup with a dedicated device and I call it HDMI 1: US Apple TV / HDMI 2: DK Apple TV

That’s the point, I don’t want to send Netflix traffic over the VPN (nor any other service like YouTube, Hulu, HBO etc.) JUST iPlayer…

I’ve not heard of that one. I just looked at it and it appears to be another VPN service? How does it work? It talks about redirecting DNS traffic but I don’t see how that helps?

That’s what I want to do - but need the IP addresses for iPlayer in order to do that :wink:

If I use the IP of my Roku, it will route all traffic, which will fix iPlayer, but break things like NetFlix :-/

I figured they probably used multiple IPs, which is why I was thinking ports…

NSLOOKUP for bbc.com gives me 4 IPV4 addresses, but I don’t know if behind the scenes iPlayer may actually be running on a different one. I guess I could start with those 4 and see where to go from there…

Sadly, I think a separate Roku is going to be the way to go. I can give it a fixed IP, so I don’t think I’ll need to do the whole VLAN thing :wink:

It’s a pain, but there you go!

Can I chime in and say I think BBC runs their own ASN and does not host on the cloud. Their IP ranges are likely very stable. I still recommend the above post about routing a dedicated device out the tunnel to make your life easy.

You can policy route based on source IP for a single device on your network instead.

If it helps, some VPN clients on Android (like WireGuard) allow you to specify which apps use the VPN tunnel when connected.

The A records for bbc.com are completely unrelated to your question. You need to find out all the networks their CDN and location detection system use.

I’d give up and use policy routing to route a Roku via a VPN or not and disable/enable the rule in pfSense as needed. I’d just pay for Acorn.

Thanks! I’ll give it a go :slight_smile:

The problem here is that it’s a Roku. So, the VPN client needs to be on the router.

I can policy based on source device (Roku) but that would force all traffic over the VPN, including NetFlix, HBO etc. and I will have the same issue, but in reverse.

I think I’m going to have to end up with two Rokus :frowning:

That’s kind-of why I’m here - to see if anyone has a list of the IP addresses (or Ports, or any other identifying network feature) they use…

The problem with the suggestion of turning on and off the VPN for the Roku is that it isn’t very family friendly. I’m hoping to make it transparent :wink:
Acorn is fine, but doesn’t let you watch live TV (I don’t think). A lot of what the fam are after is things like News… :expressionless: It also offers a “curated” set of shows, again, not what we want :wink: