Watching hulu.com from Sweden
starfighter
When I've been visiting my wife in the US we've been watching some series and movies on hulu.com, sitting in bed and snacking on something. I like the presentation of it, it's cute. It's sort of the same feeling I've had with Spotify. Finally content providers are starting to provide good experiences on the internets.

Back in Sweden, me and my wife spend most of our free time together connected through Skype. Sometimes it's nice for both of us to be watching the same thing at the same time, sort of mimicking the experience of actually being in the same bed next to each other watching the same thing.

Before we'd tried hulu, we'd just google around the internets looking for some shoddy, seedy, backalley website where movies can be streamed. But after trying out something smooth, cute, polished like hulu.. it's really hard going back.

That's the kind of thing that motivates me to learn about tools like Amazon's EC2/S3, OpenVPN and routing :)

So, let's talk about that.

Hello, hulu

Using a VPN to route hulu traffic through Amazon EC2 to make it look like I'm surfing from the US (or at least from a Cloud) on Mac OS X.



Step one: Setting up the Amazon EC2 tools


Pretty much taken from: Starting Amazon EC2 with Mac OS X


  1. Get an account at http://aws.amazon.com/ and sign up for Elastic Compute Cloud

  2. Once signed up, follow the link to Create a New X.509 Certificate and when they ask you if you're sure, say yes. This generates two key-files, a private and a public one.

  3. Download both files

  4. Download the EC2 Command-Line Tools.

  5. Open Terminal, create an .ec2 directory in your home directory and open it

    cd ~
    mkdir .ec2
    cd .ec2
    open .

  6. Copy the public and private key-files into the new .ec2 directory

  7. Unzip the EC2 Tools, and copy the unzipped bin and lib directories into the .ec2 directory

  8. Edit your .profile to set some EC2 environment variables. Using nano (or some other text editor), open your .profile

    nano ~/.profile

  9. At the bottom of the file, add

    # Setup Amazon EC2 Command-Line Tools
    export EC2_HOME=~/.ec2
    export PATH=$PATH:$EC2_HOME/bin
    export EC2_PRIVATE_KEY=`ls $EC2_HOME/pk-*.pem`
    export EC2_CERT=`ls $EC2_HOME/cert-*.pem`
    export JAVA_HOME=/System/Library/Frameworks/JavaVM.framework/Home/

    Save and close the file. Nano uses Ctrl+O to save, and then Ctrl+X to exit.

  10. Reload it for the changes to take effect

    . ~/.profile



Step two: Setting up a Debian image in EC2




  1. Start by creating a keypair. We need this to log into the instances we create. It'll be printed to the command line, and you'll need to copy & paste it, including the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines, into a new file named ec2-keypair in the .ec2 directory and then change the permissions of the file

    ec2-add-keypair ec2-keypair
    # after pasting the key into ~/.ec2/ec2-keypair, make it readable only by you
    # (ssh refuses private keys that other users can read)
    chmod 600 ~/.ec2/ec2-keypair

  2. Time to start up your instance. Remember, at this point Amazon starts charging you for their time and bandwidth.

    ec2-run-instances ami-67fe190e -k ec2-keypair

  3. While it's booting up you can check its status by running the command below, which will also show you the domain name we'll use to connect to the instance later on

    ec2-describe-instances

  4. Now we need to open up the ports for ssh and openvpn to our instance

    ec2-authorize default -p 22
    ec2-authorize default -p 1194

  5. And now, connect to your instance over ssh using your keypair

    ssh -i ~/.ec2/ec2-keypair root@ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com



Step three: Configuring openvpn, NAT and IP forwarding


This part mostly from: Install OpenVPN on Ubuntu, Hulu Outside the US and Network Security


  1. Start by updating the package system, optionally running any needed upgrades, then install openvpn and openssl

    aptitude update
    aptitude upgrade
    aptitude install openvpn openssl

  2. Prepare the scripts we'll use to create private and public keys for the vpn

    cd /etc/openvpn/
    cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ easy-rsa
    cd easy-rsa

  3. Open the script called vars and edit the lines at the bottom according to your location

    nano vars

    These are the default values:

    # These are the default values for fields
    # which will be placed in the certificate.
    # Don't leave any of these fields blank.
    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="SanFrancisco"
    export KEY_ORG="Fort-Funston"
    export KEY_EMAIL="me@myhost.mydomain"

  4. Run the script you just edited, and clean up the key generation environment

    . ./vars
    ./clean-all

  5. Build the openvpn keys used for connecting a client to the server

    ./build-ca
    ./build-key-server server
    ./build-key client
    ./build-dh

    You'll be asked a bunch of questions, but you should just go with the default values, and y for any y/n prompt.

  6. Three of the files that end up in the keys folder are needed on the client. Copy them back to your client computer, for example with scp

    cd keys
    # the trailing colon makes scp copy to the remote home directory
    scp ca.crt client.crt client.key me@myip:

  7. Create a configuration file /etc/openvpn/openvpn.conf

    dev tun
    proto tcp
    port 1194

    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem

    user nobody
    group nogroup
    server 10.8.0.0 255.255.255.0

    persist-key
    persist-tun

    #status openvpn-status.log
    #verb 3
    client-to-client

    # hulu / akamai
    push "route 77.67.0.0 255.255.128.0 vpn_gateway"
    push "route 80.128.0.0 255.224.0.0 vpn_gateway"

    # p.hulu.com
    push "route 208.91.157.10 255.255.255.255 vpn_gateway"

    # t.hulu.com
    push "route 209.130.205.38 255.255.255.255 vpn_gateway"

    log-append /var/log/openvpn
    comp-lzo

  8. Edit /etc/default/openvpn and add this line

    AUTOSTART="openvpn"

  9. Create another configuration file /etc/network/if-up.d/iptables

    cd /etc/network/if-up.d
    nano iptables

  10. Add these lines to it, to enable IP forwarding and NAT

    #!/bin/sh

    # configure IP forwarding and IPTables NAT
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

  11. Change the permissions of it and run it

    chmod +x iptables
    ./iptables

  12. Start the openvpn server

    /etc/init.d/openvpn start



Step four: Configure your mac to connect to the vpn, with Tunnelblick




  1. Download and install Tunnelblick

  2. Put the files we downloaded from the keys directory into ~/Library/openvpn/

  3. Create a new configuration file for the connection in Tunnelblick. Don't forget to replace the remote server address x.y.z.w with the address of your EC2 instance

    client
    dev tun
    proto tcp
    remote x.y.z.w 1194
    resolv-retry infinite
    nobind

    user nobody
    group nogroup

    persist-key
    persist-tun

    # file names match the key built with ./build-key client
    ca ca.crt
    cert client.crt
    key client.key

    comp-lzo
    verb 3

  4. Tell Tunnelblick to connect, and the rest should sort itself out.

  5. You can verify that the routes have been added to your computer by running:

    netstat -r -n
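
Only addresses covered by the push "route ..." lines in the server config go through the tunnel; everything else keeps using your normal gateway. The script below is an added example, not part of the original write-up: it checks which pushed route, if any, covers a given address. The function names and the test addresses are made up for illustration, and SAMPLE_CONF is a constructed copy of the four push lines from the server config above.

```shell
#!/bin/sh
# Constructed sample: the push "route ..." lines from the server config above.
SAMPLE_CONF='push "route 77.67.0.0 255.255.128.0 vpn_gateway"
push "route 80.128.0.0 255.224.0.0 vpn_gateway"
push "route 208.91.157.10 255.255.255.255 vpn_gateway"
push "route 209.130.205.38 255.255.255.255 vpn_gateway"'

# Convert a dotted-quad IPv4 address to a 32-bit integer.
# The ( ) body runs in a subshell, so the IFS change stays local.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# Succeed if address $1 lies inside network $2 with netmask $3.
in_route() {
    ip_i=$(ip2int "$1"); net_i=$(ip2int "$2"); mask_i=$(ip2int "$3")
    [ $(( ip_i & mask_i )) -eq $(( net_i & mask_i )) ]
}

# Print the first pushed route in config text $2 that covers address $1.
# Returns non-zero if no route matches (that traffic bypasses the tunnel).
matching_route() {
    target=$1
    printf '%s\n' "$2" |
    sed -n 's/^[[:space:]]*push "route \([0-9.]*\) \([0-9.]*\).*/\1 \2/p' |
    while read -r net mask; do
        if in_route "$target" "$net" "$mask"; then
            echo "$net/$mask"
            break
        fi
    done | grep .
}

# Constructed test addresses: two inside pushed ranges, one outside.
for addr in 77.67.100.1 208.91.157.10 192.0.2.1; do
    if r=$(matching_route "$addr" "$SAMPLE_CONF"); then
        echo "$addr -> tunnel (route $r)"
    else
        echo "$addr -> normal gateway, not tunnelled"
    fi
done
```

To check the real server config instead of the sample, pass "$(cat /etc/openvpn/openvpn.conf)" as the second argument to matching_route.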



(optional) Step five: Saving your instance for later, powering it down, and starting it back up


This mostly taken from Saving a Customised Linux Amazon Instance (EC2 and S3)


  1. Start by going back to http://aws.amazon.com/ and signing up for the Simple Storage Service

  2. Copy over your keys to the instance

    scp -i ~/.ec2/ec2-keypair ~/.ec2/pk-*.pem ~/.ec2/cert-*.pem root@ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com:/mnt

  3. SSH to the server, and create a bundle out of your customized instance

    ec2-bundle-vol -d /mnt -k /mnt/pk-*.pem -c /mnt/cert-*.pem -u XXXXXXXXXXXX

    Where XXXXXXXXXXXX is your Amazon account number without the dashes.

  4. Copy over the bundle to the Simple Storage Service

    ec2-upload-bundle -b [your-s3-bucket] -m /mnt/image.manifest.xml -a [aws-access-key-id] -s [aws-secret-access-key]

    Your access-key and secret-access-key can be found on the AWS website under "Access Identifiers"

  5. Now, go back to your client machine and register your bundle on S3 as an AMI with EC2.

    ec2-register [your-s3-bucket]/image.manifest.xml

  6. And, you're done. Now you can shut down the instance when you're not using it. And then just start it back up using your new AMI

    ec2-terminate-instances i-xxxxxxxx



And that should be it! :D

I will come back and look at this entry tomorrow when I'm not sleepy and can think straight again :3