
While working at Netflix this was a real bummer.

I had whole home VPN configured and I couldn't access NFLX streaming content from the house. Getting Netflix traffic to bypass the VPN is incredibly difficult without hacking the client side code to have it update the bypass rules on-demand in response to the client side JSON payloads - or hook into DNS resolution and do VPN bypassing there based on a regular expression of the origin and the returned records.

The way NFLX works under the hood, from the client's perspective, is that it makes an initial request to a service hosted in AWS. That service stitches together the list-of-lists on the home page. Then you select a film to watch, it again reaches out to a service hosted in AWS to ask to stream the content. This is really straightforward to get working with whole home VPN, you just bypass the VPN for those origins (using DNS queries to get the IP blocks) and you are golden. A little cron job could keep that IP bypass list fresh and it worked well enough to get through the UI.

But then the AWS service responds with a list of streams you are licensed to watch and URLs that point to their location. Those URLs point to Netflix's OpenConnect CDN hosts. Nearly every time I went to stream, I'd pull a different origin for the content and that would route back through the VPN. The list wasn't stable, so I couldn't compile a comprehensive list of origins to route around the VPN with.

So NFLX blocks VPNs to protect their licenses, which I understand. But their architecture made it impossible for me to allow their service to bypass my VPN. So any device I wanted/needed to use NFLX on had to have a direct connection to the internet.
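
An added sketch of the DNS-hook approach the comment mentions (not the commenter's code): a table that watches DNS responses, matches the queried name against a regular expression, and turns the returned A/AAAA records into expiring host routes for the direct uplink. The hostnames, the pattern, the `min_hold` floor and the `BypassTable` name are constructed assumptions; installing the routes is left to the caller.

```python
import ipaddress
import re


class BypassTable:
    """Host routes that should use the direct uplink instead of the VPN."""

    def __init__(self, origin_pattern, min_hold=300):
        self.origin = re.compile(origin_pattern, re.IGNORECASE)
        self.min_hold = min_hold  # seconds; outlives short CDN TTLs mid-stream
        self.expiry = {}          # ip_network -> absolute expiry time

    def observe(self, qname, answers, now):
        """Feed one DNS response; answers is a list of (rtype, value, ttl)."""
        if not self.origin.search(qname.rstrip(".")):
            return []
        added = []
        for rtype, value, ttl in answers:
            if rtype not in ("A", "AAAA"):
                continue  # a CNAME only renames; the addresses after it matter
            net = ipaddress.ip_network(value)  # /32 or /128 host route
            if net not in self.expiry:
                added.append(str(net))
            until = now + max(ttl, self.min_hold)
            self.expiry[net] = max(until, self.expiry.get(net, 0))
        return added

    def sweep(self, now):
        """Drop expired routes and return them so the caller can remove them."""
        gone = [net for net, until in self.expiry.items() if until <= now]
        for net in gone:
            del self.expiry[net]
        return [str(net) for net in gone]

    def routes(self):
        ordered = sorted(self.expiry, key=lambda n: (n.version, n))
        return [str(net) for net in ordered]


# Constructed sample: (time, query name, answer records). Not real hostnames.
SAMPLE = [
    (0, "api.service.example.", [("A", "198.51.100.7", 60)]),
    (5, "c014.stream.example.", [("CNAME", "edge3.isp.example.", 30),
                                 ("A", "192.0.2.10", 20)]),
    (9, "tracker.other.example.", [("A", "203.0.113.9", 300)]),
    (400, "c233.stream.example.", [("AAAA", "2001:db8::5", 600)]),
]

if __name__ == "__main__":
    table = BypassTable(r"(^|\.)(service|stream)\.example$")
    for now, qname, answers in SAMPLE:
        print(now, "del", table.sweep(now), "add", table.observe(qname, answers, now))
    print(table.routes())
```

Because routes are learned from each response as it is resolved, a CDN host that has never been seen before is covered on first lookup, which a periodically refreshed static list cannot do.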


