Introduction: Encrypt Your Home Network Traffic (and Still Watch Netflix)
This Instructable covers how to encrypt all outgoing network traffic on your home network, and is geared towards people in the United States. Encryption is an important step towards keeping your browsing and other internet activity out of the hands of corporations and governments. This is particularly pertinent since on 3/27/17 the US regulation that prevented internet service providers (ISPs) from selling all of your personal data was repealed.
The best way to ensure that what you do on the internet in your own home is not sold is to prevent it from being seen in the first place. The ISPs can't sell what they can't see. For this, virtual private networks (VPNs) are the best tool. VPNs effectively create a secure tunnel between you and the endpoint where the VPN spits out the traffic. Your home ISP therefore sees encrypted traffic only.
But, there are some challenges. For one, choosing the right VPN provider can be tough. How do you know who you can really trust with your data? Further, connecting each individual device on your home network can be difficult. Maybe, like me, you've got many devices (Apple TV, Amazon Echo, Android Wear, a phone, a tablet, a Raspberry Pi, etc), some of which can support VPNs directly and some that can't - plus VPN providers often limit the number of connected devices. Not to mention a shared network with housemates or neighbors who're either unwilling or unable to muck with connecting each device to a VPN.
To make matters even more complicated, Netflix goes to extreme lengths to block traffic that comes from VPNs and proxies. This is due to pressure from content providers to prevent viewers from using these technologies to circumvent geography-based content restrictions. For most people this means you can either use a VPN to encrypt your traffic, or you can watch Netflix, but not both.
In this guide we'll cover how to solve these problems. With a little investment, you can have encrypted traffic and still watch Netflix. Don't need Netflix? Well then things are even simpler, we'll cover that too.
Step 1: Decide on Your Needs
In this guide we'll look at four different configurations. You'll need to choose one of the options below. There are pros and cons of each.
1. Encrypted traffic with no need for Netflix. This is the simplest path and the one you should pursue if you don't use Netflix.
Cost: $0-$80 plus VPN subscription of ~$5/month
2. Multiple WiFi access points using two routers. One router encrypts traffic and the other, which would be connected to when you want to watch Netflix, does not.
Cost: $80-$160 plus VPN subscription of ~$5/month
3. Single WiFi access point with encrypted traffic but certain devices are excluded (unencrypted). This is ideal if you have dedicated devices for watching Netflix (e.g. Apple TV/Chromecast) and don't watch it on a phone/tablet/computer. This option is a bit more complicated technically and not covered here in detail.
Cost: $0-$80 plus VPN subscription of ~$5/month
4. All traffic is encrypted, including Netflix traffic. Here there is only a single WiFi access point. Be warned, Netflix quality may be a little lower due to network speed and bandwidth.
Cost: $80-$160 plus VPN subscription of ~$12/month
Step 2: Acquire Hardware
All four approaches defined in the previous step rely on the ability to connect your home router to a VPN. Most routers don't support this by default. Typically to get this functionality you'll need to install custom firmware that supports secure VPN connections, ideally the OpenVPN protocol. In my opinion, the open-source software DD-WRT is best. You can check their router database to see if your router is supported.
The most widely used and supported consumer router for this type of operation is the Linksys WRT1200AC. Notably, if you want to go with Option 2 (one encrypted and one unencrypted access point) or Option 4 (all traffic is encrypted) from the previous step then you're going to need TWO routers.
For Option 2, you can definitely use your existing router (if you have one) as one of the two routers.
For Option 4, if you have an existing router you may be able to use it here as one of the two routers also (depending on whether it's supported by ExpressVPN); otherwise I suggest you get two Linksys WRT1200AC routers.
Options 1 and 3 require only a single router, but it needs to be one that's supported by DD-WRT. If you have a router already it may be compatible - check the router database linked above, or simply purchase a Linksys WRT1200AC anyway. If your existing router is not supported by DD-WRT and you want to avoid buying a new router, you could also try another firmware, such as OpenWRT.
Step 3: Sign Up for VPN Provider
Picking the right VPN provider is important. There have been some recent studies showing that some VPN providers tout security and privacy while actually scoring poorly in those categories.
That One Privacy Site provides this comparison chart, which is an excellent resource when it comes to picking the right VPN provider. After research and testing, my personal favorite from a support, security, privacy, reliability, and speed perspective is Mullvad. This is my recommendation for a great VPN. As with any VPN that's worthwhile, it does cost money, about $5/month. You can pay with Bitcoin if you're super privacy oriented, but simpler payment methods are also available.
You can also choose to run your own VPN using a cloud-hosted virtual server on something like AWS. That would be a cheaper option, but definitely more technically complicated.
At the very least, find a VPN provider that supports OpenVPN, and you'll want one that has good documentation and support. We're going to be pointing DD-WRT at this provider's VPN servers, which requires some fairly technical information (server addresses, certificates, and OpenVPN settings). It's best if the VPN provider publishes a guide for exactly how to do this on DD-WRT (Mullvad does).
Step 4: Install DD-WRT on Your Router
Step 5: Configure Router Based on Selected Option
Follow a guide that details how to connect your router to the VPN provider you selected in Step 3. If you've chosen Mullvad as suggested, then this guide is wonderful.
What you do next depends on which Option you selected in Step 1.
If you chose Option 1 (no Netflix), then congratulations, you're done!
If you chose Option 3 (single WiFi access point with some devices excluded from encryption): The next and last thing you need to do is set up rules within DD-WRT to route traffic based on the IP address of the device(s) you want to exclude from the VPN. For this you can use either split tunneling or policy routing with OpenVPN on DD-WRT. You could also use pfSense for this, though you'd need another machine (real or virtual). Full disclosure, I haven't had a chance to implement these solutions myself yet, but they should work. These are definitely for the more technically inclined. I won't go into more detail on Option 3 in this Instructable.
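One way to do the Option 3 exclusion on DD-WRT, as an added example that is not from this Instructable or from the DD-WRT project: a small firewall script using Linux policy routing. It gives the excluded devices their own routing table whose default route is the ISP gateway, leaves everyone else on the OpenVPN tunnel, and fails closed so that if the tunnel drops, the non-excluded devices cannot silently fall back to the ISP in the clear. The interface names br0, eth0 and tun1, the routing table number 200, the LAN subnet and the device addresses are assumptions; check yours with `ip link`, `ip route` and `nvram get wan_gateway` on the router.

```shell
#!/bin/sh
# Added example (not from the Instructable or DD-WRT): keep all LAN traffic on
# the OpenVPN tunnel EXCEPT a few named devices, which go straight out the ISP
# link, and fail closed for everyone else if the tunnel is down.
# Assumed names (verify on your router): LAN bridge br0, WAN eth0, tunnel tun1.

# Constructed example values; replace with your own. Give the excluded devices
# fixed DHCP leases in DD-WRT so these addresses do not change.
BYPASS_HOSTS="${BYPASS_HOSTS:-192.168.1.50 192.168.1.51}"
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"
BYPASS_TABLE="${BYPASS_TABLE:-200}"   # any routing table number not already in use

# DRY_RUN=1 prints each command instead of applying it.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

apply_bypass() {
  # DD-WRT keeps the ISP gateway in nvram; WAN_GW may be preset (e.g. for a dry run).
  WAN_GW="${WAN_GW:-$(nvram get wan_gateway 2>/dev/null || true)}"
  if [ -z "$WAN_GW" ]; then
    echo "cannot determine WAN gateway; set WAN_GW" >&2
    return 1
  fi

  # 1. A private routing table whose default route is the ISP, not the tunnel.
  #    The LAN route is copied in so bypassed devices still reach the local
  #    subnet through this table. (ip route replace is safe to re-run.)
  run ip route replace "$LAN_NET" dev "$LAN_IF" table "$BYPASS_TABLE"
  run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$BYPASS_TABLE"

  # 2. Fail closed: forwarded LAN->WAN traffic is dropped unless a rule above
  #    it explicitly allows a bypass host. Tunnel traffic leaves via tun1, not
  #    the WAN interface, so it is unaffected; if the tunnel drops, nothing
  #    from the encrypted-only devices leaks to the ISP.
  run iptables -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP

  for host in $BYPASS_HOSTS; do
    if ! valid_ipv4 "$host"; then
      echo "skipping invalid address: $host" >&2
      continue
    fi
    # 3. Policy rule: packets from this source consult the bypass table before
    #    the main table, where OpenVPN's redirect-gateway routes live.
    run ip rule add from "$host" table "$BYPASS_TABLE" priority 100
    # 4. Let this host through the fail-closed DROP above (inserted at the top,
    #    so it is evaluated first). DD-WRT's own WAN NAT rule is assumed to
    #    masquerade this traffic as it leaves $WAN_IF.
    run iptables -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$host" -j ACCEPT
  done
  run ip route flush cache
}
```

Paste it into DD-WRT's Administration > Commands page and save it as the firewall script so it is re-applied whenever the firewall is rebuilt (the `ip rule add` and `iptables -I` lines are not idempotent, so running it by hand twice would duplicate rules). Try it first over ssh with `DRY_RUN=1 WAN_GW=<your gateway> sh script.sh` to see the exact commands. One caveat: the fail-closed rule covers forwarded traffic only. Queries the router's own resolver (dnsmasq) sends upstream are not forwarded traffic, so if the tunnel drops they could still reach the ISP's resolver unless the router's OUTPUT chain is restricted as well.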
If you chose Option 4 (single WiFi access point with all traffic encrypted): You'll want to select a non-US server. For best performance I'd suggest Canada (due to proximity).
OK great, for Options 2 and 4 go ahead and proceed to the next step.
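Once the router's OpenVPN client reports "connected", it is worth confirming that the default route really goes through the tunnel rather than trusting the status page. The following is an added example, not part of this Instructable or of the DD-WRT or Mullvad guides: a shell check for the router that inspects `ip route` output. It assumes OpenVPN's redirect-gateway behaviour, where the default route is overridden by two half routes (0.0.0.0/1 and 128.0.0.0/1) via a tunX device; the sample route tables inside the block are constructed.

```shell
#!/bin/sh
# Added example (not from the Instructable): run on a DD-WRT router after the
# OpenVPN client connects, to verify that internet-bound traffic leaves via the
# tunnel. With redirect-gateway, OpenVPN replaces the default route with two
# half routes (0.0.0.0/1 and 128.0.0.0/1) pointing at tunX; a plain
# "default ... dev tunX" is also accepted.

# Reads `ip route` output on stdin. Returns 0 when all internet-bound traffic
# is routed via a tun interface, 1 otherwise.
default_via_tunnel() {
  routes=$(cat)
  if echo "$routes" | grep -Eq '^0\.0\.0\.0/1 .*dev tun[0-9]+' &&
     echo "$routes" | grep -Eq '^128\.0\.0\.0/1 .*dev tun[0-9]+'; then
    return 0
  fi
  echo "$routes" | grep -Eq '^default .*dev tun[0-9]+'
}

# Convenience wrapper to call on the router itself.
check_router() {
  if ip route | default_via_tunnel; then
    echo "OK: internet-bound traffic leaves via the VPN tunnel"
  else
    echo "WARNING: default route is not via a tun device; traffic would reach the ISP unencrypted" >&2
    return 1
  fi
}

# Constructed `ip route` output from a router whose OpenVPN client is up.
# The ISP default route is still present but shadowed by the two /1 routes.
SAMPLE_TUNNELED='0.0.0.0/1 via 10.8.0.1 dev tun1
default via 203.0.113.1 dev eth0
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'

# Constructed output after the tunnel dropped: only the ISP default route remains.
SAMPLE_LEAKING='default via 203.0.113.1 dev eth0
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'
```

Run `check_router` over ssh or telnet on each router that runs a VPN client (for Option 4 that is both routers). Pair it with the connection-check page your VPN provider offers, which should report the VPN exit address rather than the address your ISP gave you.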
Step 6: Chain Routers
For those who want to encrypt network traffic and watch Netflix, this Instructable leverages the use of multiple routers.
As we discussed in Step 1, the recommended setup is to use multiple WiFi access points, one that encrypts traffic and one that doesn't. The idea is that the unencrypted WiFi network will be used exclusively for Netflix. This was Option 2.
Alternatively, Option 4 opted for having only a single WiFi access point in which all traffic is encrypted, even Netflix traffic. While the single access point obviously sounds ideal, it's important to consider the trade-offs, and there are two main ones. First is cost: you'll be paying for an additional VPN provider and probably need to buy a second new router. Second is speed and bandwidth, which is generally fine but will likely result in lower quality video on Netflix.
Regardless of which of those two options you chose, you'll need to have multiple routers. Check the diagram above to see how router configurations differ between these two approaches. Importantly, notice that in the multiple access point option that the router connected to Mullvad comes second in the router chain. In the single access point option the Mullvad-connected router comes first in the router chain.
If you're opting for the multiple access point model (Option 2), then congrats you're done! Connect to router 1 for Netflix and router 2 for everything else.
If, instead, you want to have only a single WiFi access point (Option 4), proceed to the next step.
Step 7: Sign Up for ExpressVPN Account
ExpressVPN is public about their ability to allow people to watch Netflix while using their VPN (Link). What they don't publicize is that they only allow this for traffic originating from outside of the United States.
This is the reason that we've used another VPN service to route our traffic through another country. The idea is that traffic on your local network first goes into the first router and then to the first VPN service (i.e. Mullvad), coming out of an exit node in another country (Canada suggested). This traffic is then fed into the second router (ExpressVPN), looking like it's originating from outside of the US. Then, ExpressVPN will allow you to watch Netflix.
You could potentially also use a proxy rather than a VPN for the first router. We aren't actually gaining anything by encrypting traffic there, and yet we're impacting performance. A proxy would probably be more performant. There's definitely a way to do this, and your existing router may even support proxies without the need for new firmware. That project is beyond the scope of this Instructable, but noting it here for those savvy enough to pursue it on their own.
Anyway, go ahead and sign up for an ExpressVPN account. They offer a 30-day money back guarantee and have great customer service. If you don't like it you can cancel.
Step 8: Point Child Router to ExpressVPN
Follow the instructions on the ExpressVPN website for configuring the ExpressVPN software on your router. If you're using the Linksys WRT1200AC as suggested, then instructions are here.
Once you're done you'll need to select an exit node in the US. My experience has been that only the Los Angeles node works with Netflix, but others may encounter different results.
After you've connected, you're done. Connect your devices to the second (ExpressVPN) router WiFi. You should now be able to watch Netflix with a VPN! Enjoy.