Netflix VPS : How to install Wireguard VPN on Ubuntu VPS to watch Netflix UK in USA


Reading Time: 5 minutes

Netflix vps

The purpose of this guide is to document the steps I take to set up Wireguard and Unbound on a Netflix VPS to unblock Netflix titles available in certain locations, for example, I’m living in the states but wanted to watch these decent netflix titles only available in UK. You can also use this tutorial if you wanted to watch Netflix in any of our available locations :

After completing this tutorial, you will have:

  • A VPN that will provide an encrypted connection using wireguard. It works on almost every ISPs around the world and can cross GFW and Iran’s Filternet easily. Also, It can bypass UAE VoIP blocks too so you can use it for unblocking WhatsApp voice or video calls in Dubai since wireguard encrypts UDP connections as well.
  • It won’t leak your DNS like major VPN setups so you can access Netflix, Hulu, and similar geo-restricted websites and services.

What is Wireguard?

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.

wireguard official website

What is Unbound (DNS Server)?

Unbound is a validating, recursive, and caching DNS resolver product from NLnet Labs. It is distributed free of charge in open-source form under the BSD license.



In order to follow this tutorial, you will need to have a Netflix VPS with at least 1GB of memory, although I would personally recommend at least 2 GB if you plan on having a large number of clients. This guide assumes that you are using Ubuntu 18.04. Other distros will most likely work, but I have only tested the steps covered in this tutorial on Ubuntu 18.04.
Also, I recommend you to order yours from our ubuntu vps page since Netflix blocks all major companies in the industry like digitalocean and vultr by IP. We’re happily announcing that all our IPs are working with Netflix as of today (July 2019). Also, we have a guide on how to order a vps.

Windows 10 VPS Hosting

Get yourself an efficient Windows 10 VPS for remote desktop, at the cheapest price out there. FREE Windows 10 running on NVMe SSD storage and high-speed internet.

Check Out Windows 10 VPS Plans
Windows 10 VPS Hosting

Initial Server Setup

I will be using ssh to remotely log into the Netflix VPS and configure it. If you are on a Unix-based operating system, it should already be installed. If you are Windows 10, the best option is installing Windows Subsystem for Linux (WSL) which is very easy to install and native. You may need to install PuTTY in older versions of windows.
Also, I assume that you are using a valid hostname for your Netflix VPS.

Basic SSH Security Setup

Make sure you know your server’s IP address and login credentials. If you ordered from us you can find this info in our welcome email.

Generate RSA Key pair

Open a terminal (or command prompt) and run:


type a name like wireguard and hit the enter. It will then asks for a passphrase which you can leave it blank by pressing enter twice.

Enter file in which to save the key (C:Userskevin/.ssh/id_rsa): wireguard
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in wireguard.
Your public key has been saved in
The key fingerprint is:
SHA256:PM9TZc0TMO9Iqqq7NC0E+qn32vZp6WELRrFmAc9sw5Y [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|   .         o.. |
|    * .       oo.|
|   . E       .ooo|
|  . + =.    ooo .|
| .   *  S  ... . |
|  . * .  +..     |
|   o * +..+      |
|  ..+.=o=  .     |
| ...+*B*         |

Copy the public key

cat | ssh [email protected] "mkdir ~/.ssh; cat >> ~/.ssh/authorized_keys


ssh-copy-id [email protected]
The authenticity of host '' can't be established.
RSA key fingerprint is SHA256:CKp1RW2qe1YEFtz6HOZz3lJnMxYsJm03cH6uGKDnyC8.
Are you sure you want to continue connecting (yes/no)?

type yes to accept the RSA key fingerprint and then provide the root password. Now try to ssh with your key:

ssh -i wireguard [email protected]
C:Usersamir>ssh -i wireguard [email protected]
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-22-generic x86_64)

 * Documentation:
 * Management:
 * Support:

Last login: Wed May 30 03:03:29 2018
[email protected]:~#

Disable Passphrase Authentication

Since passwords are about to become obsolete we have to disable this old mechanism:

sed -ie 's/#?PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -ie 's/#?PermitEmptyPasswords yes/PermitEmptyPasswords no/' /etc/ssh/sshd_config

If you matter security too much you can disable root and create a sudo user but that is out of this tutorial

Installing updates

apt update && apt upgrade -y && reboot

it will take few minutes to update and then reboot. Choose “Yes” when it asks for “restart service when the package upgrades without asking”. Update GRUB (install package maintainer’s version) and select both devices with spacebar and hit enter. Keep the local version of /etc/sshd_config and after all this, you have to wait a few seconds for reboot and then ssh to your server again.

Unattended Upgrades

This step is optional and you can skip it but you can enable & set up Automatic Unattended Security Updates. Here is the guide from official website.

Install Unbound

apt install -y software-properties-common curl unbound unbound-host
curl -o /var/lib/unbound/root.hints

Configure DNS Server

This section is taken from this guide. Run:

nano /etc/unbound/unbound.conf

to open the unbound config file. Use Ctrl+K to delete all contents and paste the following. Press Ctrl+X and type “y” to save the changes.


  num-threads: 4

  #Enable logs
  verbosity: 1

  #list of Root DNS Server
  root-hints: "/var/lib/unbound/root.hints"

  #Use the root servers key for DNSSEC
  auto-trust-anchor-file: "/var/lib/unbound/root.key"

  #Respond to DNS requests on all interfaces
  max-udp-size: 3072

  #Authorized IPs to access the DNS Server
  access-control:                 refuse
  access-control:                 allow
  access-control:         allow

  #not allowed to be returned for public internet  names

  # Hide DNS Server info
  hide-identity: yes
  hide-version: yes

  #Limit DNS Fraud and use DNSSEC
  harden-glue: yes
  harden-dnssec-stripped: yes
  harden-referral-path: yes

  #Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
  unwanted-reply-threshold: 10000000

  #Have the validator print validation failures to the log.
  val-log-level: 1

  #Minimum lifetime of cache entries in seconds
  cache-min-ttl: 1800 

  #Maximum lifetime of cached entries
  cache-max-ttl: 14400
  prefetch: yes
  prefetch-key: yes

Now Run:

chown -R unbound:unbound /var/lib/unbound
systemctl enable unbound

Install Wireguard

add-apt-repository -y ppa:wireguard/wireguard
apt-get update
apt-get install -y wireguard && reboot

Install Docker CE

This section covers install docker ce using the repository:

# Install Docker CE
apt-get install 

# Add Docker’s official GPG key
curl -fsSL | sudo apt-key add -

#set up the stable repository
    "deb [arch=amd64] 
    $(lsb_release -cs) 

apt-get update
apt-get install docker-ce docker-ce-cli -y

# Test docker installation
docker run hello-world

Install Subspace

This section covers how to install subspace inside a docker container. Make sure to change the –env SUBSPACE_HTTP_HOST to your publicly accessible domain name.

# Load modules.
modprobe wireguard
modprobe iptable_nat
modprobe ip6table_nat

# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1

# Make sure to change the --env SUBSPACE_HTTP_HOST to your publicly accessible domain name.

# Your data directory should be bind-mounted as `/data` inside the container using the `--volume` flag.

mkdir /data

docker create 
     --name subspace 
     --restart always 
     --network host 
     --cap-add NET_ADMIN 
     --volume /usr/bin/wg:/usr/bin/wg 
     --volume /data:/data 

docker start subspace

Configure kernel modules to load at boot

To survive a reboot we need to load kernel modules at boot.

nano /etc/modules-load.d/subspace.conf

Paste the following and save the file:

A Web designer, with Experience in digital marketing , Totally fueled by passion to understand and learn different aspects of digital marketing.


Leave A Comment

11 thoughts on “Netflix VPS : How to install Wireguard VPN on Ubuntu VPS to watch Netflix UK in USA”

  1. I am living in germany and I bought a vps with UK ip address and it actually works. Now I have access to the contents that are UK only.

  2. One of the good things that you are offering with your Netflix VPS is wireguard. I have used it and I think it is one of the best VPNs out there. Although I use open vpn for majority of my work but for this certain task wireguard suits better

  3. Along with open vpn, pptp and sstp, wireguard is a rather new comer VPN to the world. I have my doubts about it but I should definitely try it out since there are a lot of words around it

  4. I got this website from my friend who told me regarding this website and now
    this time I am visiting this web page and reading very informative posts at this time.

  5. I live in Netherlands and I needed to have a US ip for my work and I wanted to watch US Netflix too. I got my VPS from routerhosting and I should thank you for this step-by-step tutorial. I followed the steps and everything is working super.

  6. What is the difference between Wireguard and other VPNs like Open VPN or Psiphone? I mean couldn’t we use one of those instead of Wireguard to connect to Netflix?

Leave a Reply

Your email address will not be published. Required fields are marked *