The purpose of this guide is to document the steps I take to set up WireGuard and Unbound on a VPS in order to watch Netflix titles that are only available in certain locations; for example, I live in the United States but wanted to watch some decent Netflix titles that are only available in the UK. You can also use this tutorial if you want to watch Netflix from any of our available locations:
After completing this tutorial, you will have:
- A VPN that provides an encrypted connection using WireGuard. It works on almost every ISP around the world and can get through the GFW and Iran's Filternet. It also gets past the UAE VoIP blocks, so you can use it for WhatsApp voice and video calls in Dubai: WireGuard carries all of the client's traffic, UDP included, inside its encrypted tunnel, so the block never sees the VoIP packets.
- It does not leak your DNS queries the way many VPN setups do, because name resolution goes through the tunnel to the Unbound resolver on the VPS, so you can use Netflix, Hulu and similar geo-restricted websites and services.
What is Wireguard?
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. (WireGuard official website)
What is Unbound (DNS Server) ?
Unbound is a validating, recursive, and caching DNS resolver product from NLnet Labs. It is distributed free of charge in open-source form under the BSD license. (Wikipedia)
In order to follow this tutorial you will need a VPS with at least 1 GB of memory, although I would personally recommend at least 2 GB if you plan on having a large number of clients. This guide assumes that you are using Ubuntu 18.04. Other distributions will most likely work, but I have only tested the steps covered in this tutorial on Ubuntu 18.04.
I also recommend ordering from our Ubuntu VPS page, since Netflix blocks the IP ranges of all the major providers in the industry, such as DigitalOcean and Vultr. We are happy to announce that all our IPs work with Netflix as of today (July 2019). We also have a guide on how to order a VPS.
Initial Server Setup
I will be using ssh to log into the VPS remotely and configure it. If you are on a Unix-based operating system, it is already installed. On Windows 10 the best option is the Windows Subsystem for Linux (WSL), which is easy to install and gives you a native OpenSSH client. On older versions of Windows you may need to install PuTTY.
I also assume that your VPS has a valid hostname, i.e. a DNS name that resolves to its public IP; it is needed later for the Subspace web interface.
Basic SSH Security Setup
Make sure you know your server's IP address and login credentials. If you ordered from us, you can find this information in our welcome email.
Generate RSA Key pair
Open a terminal (or command prompt) and run the OpenSSH key generator, ssh-keygen:
When it asks where to save the key, type a name like wireguard and hit Enter. It then asks for a passphrase, which you can leave blank by pressing Enter twice (the passphrase only protects the private key file if your own machine is compromised; set one if the key is going to live on a laptop).

Enter file in which to save the key (C:\Users\kevin/.ssh/id_rsa): wireguard
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in wireguard.
Your public key has been saved in wireguard.pub.
The key fingerprint is:
SHA256:PM9TZc0TMO9Iqqq7NC0E+qn32vZp6WELRrFmAc9sw5Y [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|   . o..         |
|    * . oo.      |
|   . E .ooo      |
|  . + =. ooo .   |
|   . * S ... .   |
|    . * . +..    |
|     o * +..+    |
|    ..+.=o= .    |
|    ...+*B*      |
+----[SHA256]-----+

Copy the public key
Send the public key to the server. This needs a shell that has cat, such as Git Bash or WSL; in a plain command prompt use type instead of cat:

cat C:\Users\amir\wireguard.pub | ssh root@netflix.routerhosting.com "mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys"

On Linux, macOS or WSL, ssh-copy-id does the same thing in one step; pass the key you just generated, otherwise it copies your default keys:

ssh-copy-id -i wireguard.pub root@netflix.routerhosting.com

The first connection shows the server's host key:

The authenticity of host 'netflix.routerhosting.com' can't be established.
RSA key fingerprint is SHA256:CKp1RW2qe1YEFtz6HOZz3lJnMxYsJm03cH6uGKDnyC8.
Are you sure you want to continue connecting (yes/no)?

Type yes to accept the host key fingerprint (if your provider publishes it, compare it first: this is the only time the client asks, and the answer is cached in ~/.ssh/known_hosts) and then provide the root password. Now try to ssh with your key:

ssh -i wireguard root@netflix.routerhosting.com

C:\Users\amir>ssh -i wireguard root@netflix.routerhosting.com
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-22-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Wed May 30 03:03:29 2018
root@netflix.routerhosting.com:~#
Disable Password Authentication
Now that key-based login works, disable password logins altogether, since a guessable root password is exactly what internet-wide SSH brute-forcing targets. The ? quantifier only exists in extended regular expressions, hence -E; a plain sed pattern of #? would match a literal "#?" and change nothing:

sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i -E 's/^#?PermitEmptyPasswords .*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
sshd -t && systemctl reload sshd

Keep this session open and confirm from a second terminal that the key login still works and that a password login is refused before you log out.
If you care about security a little more, you can also disable root login and create a sudo user, but that is outside the scope of this tutorial.
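The two sed lines above work on a stock Ubuntu 18.04 file, but they silently do nothing if a directive is missing, and they do not tell you what sshd will actually use: sshd takes the first active occurrence of each keyword and falls back to its built-in default (yes for PasswordAuthentication and ChallengeResponseAuthentication) when the keyword is absent. The script below is an added example, not part of the original tutorial or of OpenSSH: it sets each directive whether it is commented out, active or absent, then audits the effective values. It assumes GNU sed as shipped on Ubuntu and only looks at the global section, not Match blocks; the sshd_config contents used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: make the sshd_config edit
# idempotent and verify it. Assumes GNU sed (Ubuntu); ignores Match blocks.
# Usage: sh harden-sshd.sh --apply   (edits /etc/ssh/sshd_config as root)
set -eu

# effective_value FILE KEY
# Print (lower-cased) the value sshd will use for KEY. sshd uses the FIRST
# active occurrence of a keyword and keywords are case-insensitive, so take
# the first non-comment line whose first field is KEY. Prints nothing if unset.
effective_value() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
      'tolower($1) == k { print tolower($2); exit }' "$1"
}

# set_sshd_option FILE KEY VALUE
# Rewrite every commented-out or active "KEY ..." line to "KEY VALUE" so no
# earlier line can shadow the new one; append the directive if it is absent.
set_sshd_option() {
  if grep -Eiq "^[[:space:]]*#?[[:space:]]*$2([[:space:]]|$)" "$1"; then
    sed -i -E "s/^[[:space:]]*#?[[:space:]]*$2([[:space:]].*)?$/$2 $3/I" "$1"
  else
    printf '%s %s\n' "$2" "$3" >> "$1"
  fi
}

# harden_sshd_config FILE: the settings this tutorial depends on.
# ChallengeResponseAuthentication also defaults to yes and, through PAM, can
# still prompt for a password even with PasswordAuthentication no.
harden_sshd_config() {
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" PermitEmptyPasswords no
  set_sshd_option "$1" ChallengeResponseAuthentication no
}

# audit_sshd_config FILE
# Report every keyword whose effective value still permits password logins
# and return 1 if there is any. Each spec is KEY:sshd-default:wanted.
audit_sshd_config() {
  rc=0
  for spec in PasswordAuthentication:yes:no \
              ChallengeResponseAuthentication:yes:no \
              PermitEmptyPasswords:no:no; do
    key=${spec%%:*}; rest=${spec#*:}; dflt=${rest%%:*}; want=${rest#*:}
    v=$(effective_value "$1" "$key"); v=${v:-$dflt}
    if [ "$v" != "$want" ]; then
      printf 'weak: %s is %s (want %s)\n' "$key" "$v" "$want"; rc=1
    fi
  done
  return $rc
}

if [ "${1:-}" = "--apply" ]; then
  cfg=/etc/ssh/sshd_config
  cp "$cfg" "$cfg.bak"
  harden_sshd_config "$cfg"
  sshd -t                  # a syntax error here would lock you out on reload
  audit_sshd_config "$cfg"
  systemctl reload sshd    # existing sessions survive; test a NEW login before closing this one
fi
```

Run it with --apply on the VPS; without arguments it only defines the functions, so you can source it and run audit_sshd_config against a copy first. The audit is also a useful thing to re-run after the apt upgrade in the next step, since a package-maintainer version of sshd_config would quietly put the defaults back.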
apt update && apt upgrade -y && reboot
It will take a few minutes to update and then reboot. Choose "Yes" when it asks whether to restart services during package upgrades without asking. For the GRUB prompt, install the package maintainer's version, select both devices with the spacebar and hit Enter. Keep the local version of /etc/ssh/sshd_config (the maintainer's version would undo the password-authentication change you just made). After all this, wait a few seconds for the reboot and then ssh to your server again.
This step is optional and you can skip it, but you can enable and set up automatic unattended security updates; there is a guide on the official Ubuntu website.
Install Unbound

apt install -y software-properties-common curl unbound unbound-host
curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

The second command downloads the list of root name servers that Unbound uses as the starting point for recursion.
Configure DNS Server
This section is taken from this guide. Open the Unbound configuration file (/etc/unbound/unbound.conf on Ubuntu) in nano, use Ctrl+K to delete all existing contents and paste the following. Press Ctrl+X and type "y" to save the changes.
server:
    num-threads: 4
    # Enable logs
    verbosity: 1
    # List of root DNS servers
    root-hints: "/var/lib/unbound/root.hints"
    # Use the root servers' key for DNSSEC
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Respond to DNS requests on all interfaces
    interface: 0.0.0.0
    max-udp-size: 3072
    # Authorized IPs to access the DNS server
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.1 allow
    access-control: 10.99.97.0/24 allow
    # Not allowed to be returned for public internet names
    private-address: 10.99.97.0/24
    # Hide DNS server info
    hide-identity: yes
    hide-version: yes
    # Limit DNS fraud and use DNSSEC
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-referral-path: yes
    # Add an unwanted reply threshold to clean the cache and avoid DNS poisoning when possible
    unwanted-reply-threshold: 10000000
    # Have the validator print validation failures to the log
    val-log-level: 1
    # Minimum lifetime of cache entries in seconds
    cache-min-ttl: 1800
    # Maximum lifetime of cached entries
    cache-max-ttl: 14400
    prefetch: yes
    prefetch-key: yes
chown -R unbound:unbound /var/lib/unbound
unbound-checkconf
systemctl enable unbound
systemctl restart unbound

Two things to keep in mind about this configuration. interface: 0.0.0.0 makes Unbound listen on the public address as well, so the access-control lines are all that keeps it from being an open resolver usable for DNS amplification: everything is refused except 127.0.0.1 and the 10.99.97.0/24 VPN subnet, and if you ever change the WireGuard subnet you must change it here too (and in private-address). Also, cache-min-ttl: 1800 overrides the TTL that zones publish, so a record that changes upstream can be served stale by this resolver for up to 30 minutes.
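Before relying on the access-control lines it is worth checking what the file actually exposes, because interface: 0.0.0.0 listens on the public address and an open recursive resolver is a ready-made DNS amplification source. The script below is an added example, not part of the original guide or of Unbound: it parses only the interface:, access-control: and trust-anchor directives this guide uses (it does not follow include: lines) and reports whether the resolver is reachable from loopback only, from the listed networks only, or from anyone. The configuration snippets used in its test are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: read an Unbound server:
# section and tell whether it would act as an open resolver, i.e. answer
# recursive queries for anyone on the internet. Only the directives used in
# this guide are parsed; include: files are not followed.
# Usage: sh unbound-exposure.sh --check [/etc/unbound/unbound.conf]
set -eu

# unbound_exposure FILE
# Prints "open", "private <allowed nets>" or "loopback-only" and returns 1
# for "open". Rules (Unbound defaults apply where a line is absent):
#   - interface: 0.0.0.0, :: or any non-loopback address exposes the listener
#     (no interface: line at all means loopback only)
#   - access-control: 0.0.0.0/0 or ::/0 with allow/allow_snoop opens it;
#     Unbound's default for those ranges is refuse
unbound_exposure() {
  awk '
    /^[[:space:]]*#/ { next }                       # skip comment lines
    $1 == "interface:" {
      if ($2 != "127.0.0.1" && $2 != "::1") exposed = 1
    }
    $1 == "access-control:" {
      if ($2 == "0.0.0.0/0" || $2 == "::/0" || $2 == "::0/0") dflt[$2] = $3
      else if ($3 == "allow" || $3 == "allow_snoop") nets = nets " " $2
    }
    END {
      if (!exposed) { print "loopback-only"; exit 0 }
      for (r in dflt)
        if (dflt[r] == "allow" || dflt[r] == "allow_snoop") { print "open"; exit 1 }
      sub(/^ /, "", nets)
      print "private" (nets == "" ? "" : " " nets)
      exit 0
    }' "$1"
}

# unbound_dnssec_enabled FILE: 0 if a trust anchor is configured, so answers
# are validated (forged ones rejected) rather than merely cached.
unbound_dnssec_enabled() {
  grep -Eq '^[[:space:]]*(auto-)?trust-anchor-file:' "$1"
}

if [ "${1:-}" = "--check" ]; then
  cfg=${2:-/etc/unbound/unbound.conf}
  unbound-checkconf "$cfg"                       # syntax and file permissions first
  unbound_dnssec_enabled "$cfg" || echo "warning: no DNSSEC trust anchor configured"
  unbound_exposure "$cfg"                        # prints the verdict; exit 1 means open resolver
fi
```

With the configuration from this guide the verdict is "private 127.0.0.1 10.99.97.0/24"; if you ever loosen access-control to 0.0.0.0/0 allow while still listening on 0.0.0.0, it prints "open" and exits non-zero. Pair it with a query from outside the VPN (dig @your-public-ip) which should come back REFUSED.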
Install WireGuard

add-apt-repository -y ppa:wireguard/wireguard
apt-get update
apt-get install -y wireguard && reboot
Install Docker CE
This section covers installing Docker CE from Docker's own repository:

# Install prerequisites
apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common
# Add Docker's official GPG key
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
# Set up the stable repository
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
apt-get update
apt-get install docker-ce docker-ce-cli containerd.io -y
# Test the Docker installation
docker run hello-world
This section covers how to run Subspace, a web UI that manages the WireGuard server and generates client configurations, inside a Docker container. Make sure to change the --env SUBSPACE_HTTP_HOST to your publicly accessible domain name. The container runs in the host's network namespace with NET_ADMIN, so it has full control of the VPS's networking, and the /data directory holds its persistent state, including the WireGuard keys, so keep that directory readable by root only.

# Load modules
modprobe wireguard
modprobe iptable_nat
modprobe ip6table_nat
# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
# Make sure to change the --env SUBSPACE_HTTP_HOST to your publicly accessible domain name.
# Your data directory should be bind-mounted as /data inside the container using the --volume flag.
mkdir /data
docker create \
  --name subspace \
  --restart always \
  --network host \
  --cap-add NET_ADMIN \
  --volume /usr/bin/wg:/usr/bin/wg \
  --volume /data:/data \
  --env SUBSPACE_HTTP_HOST=netflix.routerhosting.com \
  subspacecloud/subspace:latest
docker start subspace
Configure kernel modules to load at boot
To survive a reboot the kernel modules need to be loaded at boot. Create a file in /etc/modules-load.d/ (any name ending in .conf), paste the following and save the file:

wireguard
iptable_nat
ip6table_nat

The two sysctl -w lines from the previous step are not persistent either; put net.ipv4.ip_forward=1 and net.ipv6.conf.all.forwarding=1 in a file under /etc/sysctl.d/ so that forwarding is restored at boot without depending on anything else to re-enable it. The container itself comes back on its own because of --restart always.
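Once a client is connected, the "no DNS leak" claim from the introduction can be verified from the client instead of assumed. dig prints which resolver answered (the ";; SERVER:" line) and whether the answer was DNSSEC-validated (the ad flag, which Unbound sets for signed zones and a typical ISP resolver does not). The helpers below parse that output; they are an added example, not part of this tutorial or of Subspace. They assume the VPS side of the WireGuard subnet is 10.99.97.1 (within the 10.99.97.0/24 range allowed in the Unbound config; confirm it against the DNS line of the client configuration Subspace hands out, and override with EXPECTED_RESOLVER if it differs). The dig outputs in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: check, from a connected
# client, that DNS really goes through the tunnel to the VPS resolver.
# Assumes the VPS side of the WireGuard subnet is 10.99.97.1 (verify against
# the DNS line of your generated client config). Run with --live to query
# for real; without arguments it only defines the functions.
set -eu

EXPECTED_RESOLVER=${EXPECTED_RESOLVER:-10.99.97.1}

# dig_server OUTPUT: address from the ";; SERVER: addr#port(addr)" line.
dig_server() {
  printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# dig_flags OUTPUT: the header flags, e.g. "qr rd ra ad".
dig_flags() {
  printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# dnssec_validated OUTPUT: 0 if the resolver set the AD (authenticated data)
# flag, which a validating resolver such as Unbound does for signed zones.
dnssec_validated() {
  case " $(dig_flags "$1") " in
    *" ad "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# dns_path_check EXPECTED OUTPUT
# 0 = answered by EXPECTED; 1 = answered by something else (a leak, or the
# client config points elsewhere); 2 = no SERVER line (the query failed).
dns_path_check() {
  srv=$(dig_server "$2")
  [ -n "$srv" ] || return 2
  [ "$srv" = "$1" ]
}

if [ "${1:-}" = "--live" ]; then
  out=$(dig +dnssec example.com)       # dig comes from the dnsutils package on Ubuntu
  if dns_path_check "$EXPECTED_RESOLVER" "$out"; then
    echo "DNS goes to $EXPECTED_RESOLVER through the tunnel"
  else
    echo "DNS LEAK: answered by '$(dig_server "$out")'"; exit 1
  fi
  if dnssec_validated "$out"; then
    echo "answer was DNSSEC-validated (ad flag set)"
  else
    echo "no ad flag: something between the client and Unbound may strip it; compare with dig @127.0.0.1 on the VPS"
  fi
fi
```

Run it with --live on the connected client. A SERVER line showing your home router or ISP resolver means the client is not sending DNS through the tunnel at all, whatever the rest of the VPN is doing, and that is exactly the leak geo-restricted services look for.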