About Archive Tags RSS Feed


Robbing Peter to pay Paul, or location spoofing via DNS

17 October 2015 21:50

I rarely watched TV online when I was located in the UK, but now I've moved to Finland with appalling local TV choices it has become more common.

The biggest problem with trying to watch BBC's iPlayer, and similar services, is the location restrictions.

Not a huge problem though:

  • Rent a virtual machine.
  • Configure an OpenVPN server on it.
  • Connect from $current-country to it.

The next part is the harder one - making your traffic pass over the VPN. If you were simple you'd just say "Send everything over the VPN". But that would slow down local traffic, so instead you have to use trickery.

My approach was just to run a series of routing additions, similar to this (except I did it in the openvpn configuration, via pushed-routes):

ip -4 route add .... dev tun0

This works, but it is a pain as you have to add more and more routes. The simpler solution which I switched to after a while was just configuring mitmproxy on the remote OpenVPN end-point, and then configuring that in the browser. With that in use all your traffic goes over the VPN link, if you enable the proxy in your browser, but nothing else will.

I've got a network device on-order, which will let me watch netflix, etc, from my TV, and I'm lead to believe this won't let you setup proxies, or similar, to avoid region-bypass.

It occurs to me that I can configure my router to give out bogus DNS responses - if the device asks for "iplayer.bbc.com" it can return - which is the remote host running the proxy.

I imagine this will be nice and simple, and thought I was being clever:

  • Remote OpenVPN server.
  • MITM proxy on remote VPN-host
    • Which is basically a transparent HTTP/HTTPS proxy.
  • Route traffic to it via DNS.
    • e.g. For any DNS request, if it ends in .co.uk return

Because I can handle DNS-magic on the router I can essentially spoof my location for all the devices on the internal LAN, which is a good thing.

Anyway I was reasonably pleased with the idea of using DNS to route traffic over the VPN, in combination with a transparent proxy. I was even going to blog about it, and say "Hey! This is a cool idea I've never heard of before".

Instead I did a quick google(.fi) and discovered that there are companies offering this as a service. They don't mention the proxying bit, but it's clearly what they're doing - for example OverPlay's SmartDNS.

So in conclusion I can keep my current setup, or I can use the income I receive from DNS hosting to pay for SmartDNS, or other DNS-based location-fakers.

Regardless. DNS. VPN. Good combination. Try it if you get bored.



Comments on this entry

icon A. S. at 10:01 on 17 October 2015

I used DNS64 + NAT64 + dnsmasq to access iPlayer. I have a NAT64 gateway in the UK, a DNS64 server that generates addresses pointing to that NAT64 gateway, and a local dnsmasq setup that forwards .bbc.co.uk and friends to that DNS64 server.

icon Humph at 09:44 on 20 October 2015

AFAICT geofencing, and circumventing geofencing, are a legal and moral grey area.

It's not really clear that it's true that as an end user, "[Y]ou are breaking the iPlayer/BBC licensing terms" by watching the BBC iPlayer from outside the UK. After all, there is no visible end user license that you agree to before watching a programme on iPlayer; the BBC will stream it to anybody with [what it considers to be] a UK IP address.

Presumably the BBC does so based on the internal rationale that most UK residents will have a UK IP address, and most people with UK IP addresses will be UK residents, but is it really the individual iPlayer user's moral and legal responsibility to (second-)guess the BBC's motives and adapt their own behaviour to them?

Besides, there are plenty of people in the UK who have internet access but have no TV and hence pay no TV license. Surely such people are equally "guilty" of watching something without paying for it when they use iPlayer -- they don't even have to fool around with VPNs to do so.

In the case of 3rd party content (e.g. US produced films and shows) that the BBC licenses, the license is likely to be region-based, and the BBC is probably contractually obliged to restrict the broadcast to the UK. But these contracts and agreements are between the BBC and the content producer, the individual iPlayer users aren't party to them.

Lastly I vaguely recall it being suggested that geofencing and per-region licensing might be at odds with EU trade rules on free movement of goods. I understand that content producers might be able to generate more profit by licensing the same content under different terms in different territories, but surely individual end users are not under any kind of moral obligation to help them do so.

icon Ralf at 12:39 on 17 October 2015

Personally, I'd use some iptables trickery in the router to intercept all outgoing HTTP(S) traffic and move it through the VPN. I'd expect that to be less fragile than messing with the DNS. But then, I didn't actually try it ;-)

icon Sven at 12:57 on 17 October 2015

I stayed with a much simpler setup so far to bridge my browser traffic to foreign endpoints. I just use the ssh socks proxy feature and the Toggle Proxy extension in Firefox. When I've endpoints in different locations I just add aliases like usprox for the US and ukprox for the UK to establish a ssh connection quickly, enable the proxy pointing at localhost and I'm done. That of course does not work for TVs you cannot modify.

icon Steve Kemp at 12:59 on 17 October 2015

Yes, if you can modify things then configuring a proxy-server manually is simple.

Similarly if you can configure your router appropriately, and ideally run OpenVPN on it directly, then things are trivial.

The sole reason for jumping through the DNS dance is that I can enforce that at the router and it will apply usefully to the "magic TV box".

icon Hubert Banas at 13:48 on 17 October 2015

Here is my combination: - haproxy at the remote location (runs in docker container) - dnsmasq locally which forwards selected hostnames

All traffic is over OpenVPN so haproxy is not exposed to the external world.

Works great.

icon John Hughes at 13:58 on 19 October 2015

No comment on the moral aspects?

You are breaking the iPlayer/BBC licensing terms.

How would you feel about people doing the same thing to your software? to Debian?

icon Steve Kemp at 18:28 on 19 October 2015

Ethics are important in system administration, so you're right to raise the question, and possibly right to think less of me for going ahead regardless.

I've paid license fees for years, and well understand the nature of of regional-licensing, and broadcasting rights being sold on a per-region basis.

I regard watching BBC content, from here, as being a little bad. But I'd regard downloading torrents as more-bad.

I guess if I were completely fair, legal, honest, and so on I'd do neither. As things stand I'm willing to stream media if I can do so - If it becomes a game of cat and mouse I'll concede and give up reasonably easily, but if I can make a minor effort to enjoy the content I will.

I understand the BBC has piles of money, both from licensing, and from selling to overseas. The fact that I used to pay an expensive license despite those oversea-sales brining in large profits makes me more relax and more comfortable that I would be if I were "stealing" media from, for example, Fox or HBO.