How to install Wireguard VPN on Ubuntu VPS to watch Netflix UK in USA


The purpose of this guide is to document the steps I take to set up Wireguard and Unbound on a VPS to unblock netflix titles available on certain locations, for example I’m living in the states but wanted to watch these decent netflix titles only available in UK. You can also use this tutorial if you wanted to watch netflix in any of our available locations:

After completing this tutorial, you will have:

  • A VPN that will provide an encrypted connection using wireguard. It works on almost every ISPs around the world and can cross GFW and Iran’s Filternet easily. Also It can bypass UAE VoIP blocks too so you can use it for unblocking whatsapp voice or video calls in dubai since wireguard encrypts udp connections as well.
  • It won’t leak your DNS like major vpn setups so you can access Netflix, hulu and similar geo-restricted websites and services.

What is Wireguard?

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.

wireguard official website

What is Unbound (DNS Server) ?

Unbound is a validating, recursive, and caching DNS resolver product from NLnet Labs. It is distributed free of charge in open-source form under the BSD license.



In order to follow this tutorial you will need to have a VPS with at least 1GB of memory, although I would personally recommend at least 2 GB if you plan on having a large number of clients. This guide assumes that you are using Ubuntu 18.04 . Other distros will mostly likely work, but I have only tested the steps covered in this tutorial on Ubuntu 18.04.
Also I recommend you to order yours from our ubuntu vps page, since netflix blocks all major companies in industry like digitalocean and vultr by IP. We’re happily announce that all our IPs are working with the netflix as today (July 2019). Also we have a guide on how to order a vps.

Initial Server Setup

I will be using ssh to remotely log into the VPS and configure it. If you are on a Unix-based operating system, it should already be installed. If you are Windows 10, best option is installing Windows Subsystem for Linux (WSL) which is very easy to install and native. You may need to install PuTTY in older versions of windows.
Also I assume that you are using a valid hostname for your vps.

Basic SSH Security Setup

Make sure you know your server’s IP address and login credentials. If you ordered from us you can find these info in our welcome email.

Generate RSA Key pair

Open a terminal (or command prompt) and run:


type a name like wireguard and hit the enter. It will then asks for a passphrase which you can leave it blank by pressing enter twice.

Enter file in which to save the key (C:Userskevin/.ssh/id_rsa): wireguard
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in wireguard.
Your public key has been saved in
The key fingerprint is:
SHA256:PM9TZc0TMO9Iqqq7NC0E+qn32vZp6WELRrFmAc9sw5Y [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|   .         o.. |
|    * .       oo.|
|   . E       .ooo|
|  . + =.    ooo .|
| .   *  S  ... . |
|  . * .  +..     |
|   o * +..+      |
|  ..+.=o=  .     |
| ...+*B*         |

Copy the public key

cat | ssh [email protected] "mkdir ~/.ssh; cat >> ~/.ssh/authorized_keys


ssh-copy-id [email protected]
The authenticity of host '' can't be established.
RSA key fingerprint is SHA256:CKp1RW2qe1YEFtz6HOZz3lJnMxYsJm03cH6uGKDnyC8.
Are you sure you want to continue connecting (yes/no)?

type yes to accept the RSA key fingerprint and then provide the root password. Now try to ssh with your key:

ssh -i wireguard [email protected]
C:Usersamir>ssh -i wireguard [email protected]
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-22-generic x86_64)

 * Documentation:
 * Management:
 * Support:

Last login: Wed May 30 03:03:29 2018
[email protected]:~#

Disable Passphrase Authentication

Since passwords are about to become obsolete we have to disable this old mechanism:

sed -ie 's/#?PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -ie 's/#?PermitEmptyPasswords yes/PermitEmptyPasswords no/' /etc/ssh/sshd_config

If you matter security too much you can disable root and create a sudo user but that is out of this tutorial

Installing updates

apt update && apt upgrade -y && reboot

it will take few minutes to update and then reboot. Choose “Yes” when it asks for “restart service when package upgrades without asking”. Update GRUB (install package maintainer’s version) and select both devices with spacebar and hit enter. Keep the local version of /etc/sshd_config and after all this you have to wait a few seconds for reboot and then ssh to your server again.

Unattended Upgrades

This step is optional and you can skip it but you can enable & set up Automatic Unattended Security Updates. Here is the guide from official website.

Install Unbound

apt install -y software-properties-common curl unbound unbound-host
curl -o /var/lib/unbound/root.hints

Configure DNS Server

This section is taken from this guide. Run:

nano /etc/unbound/unbound.conf

to open the unbound config file. Use Ctrl+K to delete all contents and paste the following. Press Ctrl+X and type “y” to save the changes.


  num-threads: 4

  #Enable logs
  verbosity: 1

  #list of Root DNS Server
  root-hints: "/var/lib/unbound/root.hints"

  #Use the root servers key for DNSSEC
  auto-trust-anchor-file: "/var/lib/unbound/root.key"

  #Respond to DNS requests on all interfaces
  max-udp-size: 3072

  #Authorized IPs to access the DNS Server
  access-control:                 refuse
  access-control:                 allow
  access-control:         allow

  #not allowed to be returned for public internet  names

  # Hide DNS Server info
  hide-identity: yes
  hide-version: yes

  #Limit DNS Fraud and use DNSSEC
  harden-glue: yes
  harden-dnssec-stripped: yes
  harden-referral-path: yes

  #Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
  unwanted-reply-threshold: 10000000

  #Have the validator print validation failures to the log.
  val-log-level: 1

  #Minimum lifetime of cache entries in seconds
  cache-min-ttl: 1800 

  #Maximum lifetime of cached entries
  cache-max-ttl: 14400
  prefetch: yes
  prefetch-key: yes

Now Run:

chown -R unbound:unbound /var/lib/unbound
systemctl enable unbound

Install Wireguard

add-apt-repository -y ppa:wireguard/wireguard
apt-get update
apt-get install -y wireguard && reboot

Install Docker CE

This section covers install docker ce using the repository:

# Install Docker CE
apt-get install 

# Add Docker’s official GPG key
curl -fsSL | sudo apt-key add -

#set up the stable repository
    "deb [arch=amd64] 
    $(lsb_release -cs) 

apt-get update
apt-get install docker-ce docker-ce-cli -y

# Test docker installation
docker run hello-world

Install Subspace

This section covers how to install subspace inside a docker container. Make sure to change the –env SUBSPACE_HTTP_HOST to your publicly accessible domain name.

# Load modules.
modprobe wireguard
modprobe iptable_nat
modprobe ip6table_nat

# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1

# Make sure to change the --env SUBSPACE_HTTP_HOST to your publicly accessible domain name.

# Your data directory should be bind-mounted as `/data` inside the container using the `--volume` flag.

mkdir /data

docker create 
     --name subspace 
     --restart always 
     --network host 
     --cap-add NET_ADMIN 
     --volume /usr/bin/wg:/usr/bin/wg 
     --volume /data:/data 

docker start subspace

Configure kernel modules to load at boot

To survive a reboot we need to load kernel modules at boot.

nano /etc/modules-load.d/subspace.conf

Paste the following and save the file:


Setup WireGuard Clients







3.5 2 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x