Watching from Sweden
When I've been visiting my wife in the US we've been watching some series and movies on, sitting in bed and snacking on something. I like the presentation of it, it's cute. It's sort of the same feeling I've had with Spotify. Finally content providers are starting to provide good experiences on the internets.

Back in Sweden, me and my wife spend most of our free time together connected through Skype. Sometimes it's nice for both of us to be watching the same thing at the same time, sort of mimicking the experience of actually being in the same bed next to each other watching the same thing.

Before we'd tried hulu, we'd just google around the internets looking for some shoddy, seedy, backalley website where movies can be streamed. But after trying out something smooth, cute, polished like hulu.. it's really hard going back.

That's the kind of thing that motivates me to learn about tools like Amazon's EC2/S3, openvpn and routing :)

So, let's talk about that.

Hello, hulu

Using a VPN to route hulu traffic through Amazon EC2 to make it look like I'm surfing from the US (or at least from a Cloud) on Mac OS X.

Step one: Setting up the Amazon EC2 tools.

Pretty much taken from: Starting Amazon EC2 with Mac OS X

  1. Get an account at and sign up for Elastic Compute Cloud

  2. Once signed up, follow the link to Create a New X.509 Certificate and when they ask you if you're sure, say yes. This generates two key-files, a private and a public one.

  3. Download both files

  4. Download the EC2 Command-Line Tools from here.

  5. Open Terminal, create an .ec2 directory in your home directory and open it

      cd ~
      mkdir .ec2
      cd .ec2
      open .

  6. Copy the public and private key-files into the new .ec2 directory

  7. Unzip the EC2 Tools, and copy the unzipped bin and lib directories into the .ec2 directory

  8. Edit your .profile to set some EC2 environment variables. Using nano (or some other text editor), open your .profile

      nano ~/.profile

  9. At the bottom of the file, add

      # Setup Amazon EC2 Command-Line Tools
      export EC2_HOME=~/.ec2
      export PATH=$PATH:$EC2_HOME/bin
      export EC2_PRIVATE_KEY=`ls $EC2_HOME/pk-*.pem`
      export EC2_CERT=`ls $EC2_HOME/cert-*.pem`
      export JAVA_HOME=/System/Library/Frameworks/JavaVM.framework/Home/

    Save and close the file. Nano uses Ctrl+O to save, and then Ctrl+X to exit.

  10. Reload it for the changes to take effect

      . ~/.profile

Step two: Setting up a Debian image in EC2

  1. Start by creating a keypair. We need this to log into the instances we create. It'll be printed to the command line, and you'll need to copy & paste it, including the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines, into a new file named ec2-keypair in the .ec2 directory and then change the permission of the file

      ec2-add-keypair ec2-keypair
      chmod 600 ~/.ec2/ec2-keypair

  2. Time to start up your instance. Remember, at this point Amazon starts charging you for their time and bandwidth.

      ec2-run-instances ami-67fe190e -k ec2-keypair

  3. While it's booting up you can check its status by running the command below. This will also show you the domain name we'll use to connect to the instance later on

      ec2-describe-instances

  4. Now we need to open up the ports for ssh and openvpn to our instance

      ec2-authorize default -p 22
      ec2-authorize default -p 1194

  5. And now, connect to your instance over ssh using your keypair

      ssh -i ~/.ec2/ec2-keypair
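
The keypair step above asks you to change the permission of the private key file, and ~/.ec2 also holds the pk-*.pem key from step one. The following is an added example, not part of the original post: two shell functions that find private-key files readable by group or other and restrict them to the owner. The function names are made up for this example, and the `*.key` pattern is included so the same check also covers OpenVPN key files.

```shell
# audit_key_perms DIR...
# Prints every private-key file under the given directories that has any
# group or other permission bit set. Returns non-zero if one is found.
audit_key_perms() {
    found=$(find "$@" -type f \
        \( -name '*.key' -o -name 'pk-*.pem' -o -name 'ec2-keypair' \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -print 2>/dev/null | LC_ALL=C sort)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# fix_key_perms DIR...
# Restricts the same set of files to owner read/write only (mode 600).
# Certificates (cert-*.pem, *.crt) are public and are left untouched.
fix_key_perms() {
    find "$@" -type f \
        \( -name '*.key' -o -name 'pk-*.pem' -o -name 'ec2-keypair' \) \
        -exec chmod 600 {} +
}

# Typical use on the client machine:
#   audit_key_perms ~/.ec2 || fix_key_perms ~/.ec2
```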

Step three: Configuring openvpn, NAT and IP forwarding

This part mostly from: Install OpenVPN on Ubuntu, Hulu Outside the US and Network Security

  1. Start by updating the package system, optionally running any needed upgrades, then install openvpn and openssl

      aptitude update
      aptitude upgrade
      aptitude install openvpn openssl

  2. Prepare the scripts we'll use to create private and public keys for the vpn

      cd /etc/openvpn/
      cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ easy-rsa
      cd easy-rsa

  3. Open the script called vars and edit the lines at the bottom according to your location

      nano vars

    these are the default values:

      # These are the default values for fields
      # which will be placed in the certificate.
      # Don't leave any of these fields blank.
      export KEY_COUNTRY="US"
      export KEY_PROVINCE="CA"
      export KEY_CITY="SanFrancisco"
      export KEY_ORG="Fort-Funston"
      export KEY_EMAIL="me@myhost.mydomain"

  4. Run the script you just edited, and clean up the key generation environment

      . ./vars
      ./clean-all

  5. Build the openvpn keys used for connecting a client to the server

      ./build-ca
      ./build-key-server server
      ./build-key client
      # generates the dh1024.pem file that the server configuration refers to
      ./build-dh

    You'll be asked a bunch of questions, but you should just go with the default values, and y for any y/n prompt.

  6. You'll end up with three files in the keys folder. Copy the files back to your client computer, for example with scp

      cd keys
      scp ca.crt client.crt client.key me@myip:

  7. Create a configuration file /etc/openvpn/openvpn.conf

      dev tun
      proto tcp
      port 1194

      ca /etc/openvpn/easy-rsa/keys/ca.crt
      cert /etc/openvpn/easy-rsa/keys/server.crt
      key /etc/openvpn/easy-rsa/keys/server.key
      dh /etc/openvpn/easy-rsa/keys/dh1024.pem

      user nobody
      group nogroup

      #status openvpn-status.log
      #verb 3

      # hulu / akamai
      push "route vpn_gateway"
      push "route vpn_gateway"

      push "route vpn_gateway"

      push "route vpn_gateway"

      log-append /var/log/openvpn

  8. Edit /etc/default/openvpn and add this line

      AUTOSTART="openvpn"

  9. Create another configuration file /etc/network/if-up.d/iptables

      cd /etc/network/if-up.d
      nano iptables

  10. Add these lines to it, to enable IP forwarding and NAT

      #!/bin/sh

      # configure IP forwarding and IPTables NAT
      echo 1 > /proc/sys/net/ipv4/ip_forward
      iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

  11. Change the permissions of it and run it

      chmod +x iptables
      ./iptables

  12. Start the openvpn server

      /etc/init.d/openvpn start

Step four: Configure your mac to connect to the vpn, with Tunnelblick

  1. Download and install Tunnelblick

  2. Put the files we downloaded from the keys directory into ~/Library/openvpn/

  3. Create a new configuration file for the connection in Tunnelblick. Don't forget to change the remote server from with the address to your ec2 instance

      client
      dev tun
      proto tcp
      remote x.y.z.w 1194
      resolv-retry infinite

      user nobody
      group nogroup

      ca ca.crt
      cert client.crt
      key client.key

      verb 3

  4. Tell Tunnelblick to connect, and the rest should sort itself out.

  5. You can verify that the routes have been added to your computer by running:

      netstat -r -n
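
The route check from the last step, as an added example that is not part of the original post: a shell function that parses `netstat -r -n` output and reports, for each destination the server is supposed to push, whether it is routed through the tunnel interface. The function name, the sample routing table and the 198.51.100/24, 203.0.113/24 and 192.0.2/24 networks are constructed placeholders, since the pushed route addresses are not shown in the configuration above.

```shell
# Constructed sample of `netstat -r -n` output on the Mac after connecting.
SAMPLE_ROUTES='Destination        Gateway            Flags    Refs   Use   Netif Expire
default            192.168.1.1        UGSc       12     0     en1
10.8.0.5           10.8.0.6           UH          3     0    tun0
198.51.100/24      10.8.0.5           UGSc        0     0    tun0
203.0.113/24       192.168.1.1        UGSc        0     0     en1
192.168.1          link#5             UCS         2     0     en1'

# check_tunnel_routes ROUTES DEST...
# Prints one line per DEST: "<dest> ok", "<dest> wrong-if <netif>" or
# "<dest> missing". Returns non-zero unless every DEST goes via a tun device.
check_tunnel_routes() {
    routes=$1
    shift
    rc=0
    for dest in "$@"; do
        # Locate the interface column from the header line, so the check
        # works whether or not the Refs/Use columns are present.
        netif=$(printf '%s\n' "$routes" | awk -v d="$dest" '
            $1 == "Destination" {
                for (i = 1; i <= NF; i++)
                    if ($i == "Netif" || $i == "Iface") col = i
                next
            }
            col && $1 == d { print $col; exit }')
        case $netif in
            tun[0-9]*|utun[0-9]*) echo "$dest ok" ;;
            "")                   echo "$dest missing"; rc=1 ;;
            *)                    echo "$dest wrong-if $netif"; rc=1 ;;
        esac
    done
    return $rc
}

# On a live system, pass the real table and the networks you pushed:
#   check_tunnel_routes "$(netstat -r -n)" 198.51.100/24
```

A "wrong-if" or "missing" result means traffic to that network leaves through the normal interface instead of the VPN, so the matching push "route ..." line did not take effect on the client.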

(optional) Step five: Saving your instance for later, powering it down, and starting it back up

This mostly taken from Saving a Customised Linux Amazon Instance (EC2 and S3)

  1. Start by going back to and signing up for the Simple Storage Service

  2. Copy over your keys to the instance

      scp -i ~/.ec2/ec2-keypair ~/.ec2/pk-*.pem ~/.ec2/cert-*.pem

  3. SSH to the server, and create a bundle out of your customized instance

      ec2-bundle-vol -d /mnt -k /mnt/pk-*.pem -c /mnt/cert-*.pem -u XXXXXXXXXXXX

    Where XXXXXXXXXXXX is your Amazon account number without the dashes.

  4. Copy over the bundle to the Simple Storage Service

      ec2-upload-bundle -b [your-s3-bucket] -m /mnt/image.manifest.xml -a [aws-access-key-id] -s [aws-secret-access-key]

    Your access-key and secret-access-key can be found on the AWS website under "Access Identifiers"

  5. Now, go back to your client machine and register your bundle on S3 as an AMI with EC2.

      ec2-register [your-s3-bucket]/image.manifest.xml

  6. And, you're done. Now you can shut down the instance when you're not using it. And then just start it back up using your new AMI

      ec2-terminate-instances i-xxxxxxxx

And that should be it! :D

I will come back and look at this entry tomorrow when I'm not sleepy and can think straight again :3

