TL;DR
find a Debian or Ubuntu box with root on a clean public IP and run:
apt-get update && apt-get -y install vim dnsutils curl sudo git && \
curl -sSL https://get.docker.com/ | sh && \
mkdir -p /opt/netflix-proxy && cd /opt/netflix-proxy && \
curl -L https://github.com/ab77/netflix-proxy/archive/latest.tar.gz | tar xz --strip-components=1 && \
./build.sh
netflix-proxy
is a smart DNS proxy to watch Netflix
, Hulu
[n2], HBO Now
and others out of region. It is deployed using Docker and uses BIND
and SNIProxy
[n1] to provide proxy and DNS functionality. It helps to bypass[n17] The Great Firewall and works for blocked sites too, such as PornHub. And if you happen to live in Germany and want to watch YouTube like the rest of the world does, just add googlevideo.com
to zones.override
file and run docker restart bind
.
However, this solution will only work with devices supporting Server Name Indication (SNI)[n7] and only if they honour DNS settings. To test SNI, open a web browser on the device you are planning to watch content and go to https://sni.velox.ch/.
Update March/2017: Raspberry Pi un-blocking solution http://unzoner.com/ is live and works on all devices. You'll need to supply your own Raspberry Pi or compatible device. You could also subscribe to the mailing list and be notified of new fetures, updates, outages, etc..
If you have access to a high-speed residential Internet connection and would like to have your ISP fees paid in exchange for hosting a small piece of kit, please email [email protected] your interest.
Update June/2016: HE TunnelBroker IPv6 endpoints are now also blocked. Your best bet now is to find a small VPS which offers native IPv6 support and which isn't yet blocked by Netflix (and keep it quiet 😬). For other, non-IPv6 enabled services that honour DNS settings, this solution should still work fine.
Update March/2016: IPv6 addresses of common hosting providers are now blocked in the same way as IPv4 (incl. Digital Ocean and Vultr). Netflix could be "tagging" accounts[n11]. Netflix and BBC iPlayer are also perfoming geo checks on their media hosts, so the relevant media domains are now proxied by default[n8]. Please note, that proxying media delivery could increase the bandwidth bill you get from your VPS provider. However, since most VPS providers offer 1TB per month inclusive with each server and most home ISPs don't offer anywhere near that amount, it should be a moot point in most situations.
Please see the Wiki page(s) for some common troubleshooting ideas.
Unblocked Netflix? Great success! Vote now and see the results.
The following are supported out of the box, however adding additional services is trivial and is done by updating zones.override
file and running docker restart bind
:
- Netflix
- Hulu[n2]
- HBO Now
- Amazon Instant Video
- Crackle
- Pandora
- Vudu
- blinkbox
- BBC iPlayer[n5]
- NBC Sports and potentially many more
This project is free, covered by the MIT License. It is provided without any warranty and can be used for any purpose, including private and commercial. However, if you are planning to use it for commercial purposes (i.e make money off it), please do not expect me to provide support for free, as it would be unfair. A commercial support model can always be negotiated, if required. Please contact me if this is something that interests you.
The following paragraphs show how to get this solution up and running with a few different Cloud providers I've tried so far. If you prefer a video tutorial, here is one prapared by one of the users. Note, OpenVZ won't work[n15], make sure to get a proper virtual machine using KVM or Xen. These instructions are based on the assumption, that access to the US region access is desired. If a different region is required (e.g. France), you may struggle with HE tunnel broker, as their entire network appears to be geo-located in the US. Instead, you could try to find a small hosting provider in the desired region and install with native IPv6 (or even just IPv4) instead of tunnel. To do this, run the build normally, but omit all parameters to build.sh
.
(Netflix is blocked[n16]) The following is based on a standard Ubuntu Docker image provided by DigitalOcean
, but should in theory work on any Linux distribution with Docker pre-installed. Do not enable native IPv6 on the host.
- Head over to Digital Ocean to get $10 USD credit
- Create a Droplet in a geographic location of interest using
Docker 1.x
onUbuntu 14.04
(find in underOne-click Apps
tab). Create a free tunnel broker account.Create a regular tunnel.Set theIPv4 Endpoint
to the Droplet IP, pick a tunnel server in a location closest[n14] to you and clickCreate Tunnel
.SSH to your server and runping6 netflix.com
; if you getNetwork is unreachable
proceed to the next step, otherwise remove native IPv6 first.Run:git clone https://github.com/ab77/netflix-proxy /opt/netflix-proxy && cd /opt/netflix-proxy && ./build.sh -u <tunnelbroker-username> -p <tunnelbroker-password>
, making sure to specify your HE tunnel username and password correctly.- SSH to your server and run:
mkdir -p /opt/netflix-proxy && cd /opt/netflix-proxy && \
curl -L https://github.com/ab77/netflix-proxy/archive/latest.tar.gz | tar xz --strip-components=1 && \
./build.sh
- Make sure to record the URL and credentials for the
netflix-proxy
admin site. - Set your DNS server to the IP given at the end of the script, then go to this site to make sure the same IP is displayed.
- Finally, enjoy
Netflix
and others out of region. - Enjoy or raise a new issue if something doesn't work quite right (also
#netflix-proxy
on freenode).
(Netflix is blocked[n16]) The following is based on a standard Ubuntu image provided by Kamatera
.
- Head over to Kamatera to start your 30 Day Free Trial.
- Create a new server in a geographic location of interest using
Ubuntu Server 14.04 64-bit
OS image. - SSH to your server and run:
apt-get update && apt-get -y install vim dnsutils curl sudo git && \
curl -sSL https://get.docker.com/ | sh && \
git clone https://github.com/ab77/netflix-proxy /opt/netflix-proxy && \
cd /opt/netflix-proxy && ./build.sh
- Make sure to record the URL and credentials for the
netflix-proxy
admin site. - Set your DNS server to the IP given at the end of the script, then go to this site to make sure the same IP is displayed.
- Finally, enjoy
Netflix
and others out of region. - Enjoy or raise a new issue if something doesn't work quite right (also
#netflix-proxy
on freenode).
If you want to share your system with friends and family, you can authorise their home IP address(s) using the netflix-proxy
admin site, located at http://<ipaddr>:8080/
, where ipaddr
is the public IP address of your VPS. Login using admin
account with the password you recorded during the build. If you've forgotten your admin credentials, reset.
The admin
account does not restrict the entry or removal of IPs. If you want to restrict the entry of IPs to the current client IP using an automatically populated drop-down, create a standard user account using the account-creator.sh
script located in the auth
directory, which will prompt you for the input and create the user account.
You can also use the netflix-proxy
admin site to update your IP address, should your ISP assign you a new one (e.g. via DHCP). If your IP address does change, all HTTP/HTTPS requests will automatically be redirected to the admin site on port 8080
. All DNS requests will be redirected to dnsmasq
instance running on port 5353
. You will most likely need to purge your browser and system DNS caches after this (e.g. ipconfig /flushdns
and chrome://net-internals/#dns
) and/or reboot the relevant devices. This mechanism should work on browsers, but will most likely cause errors on other devices, such as Apple TVs and smart TVs. If you Internet stops working all of a sudden, try loading a browser and going to netflix.com
.
WARNING: do not do enable this unless you know what you are doing.
To enable automatic authorization of every IP that hits your proxy, set AUTO_AUTH = True
in auth/settings.py
and run service netflix-proxy-admin restart
. This setting will effectively authorize any IP hitting your proxy IP with a web browser for the first time, including bots, hackers, spammers, etc. Upon successful authorization, the browser will be redirected to Google.
The DNS service is configured with recursion turned on by default, so after a successful authorization, anyone can use your VPS in DNS amplification attacks, which will probably put you in breach of contract with the VPS provider. You have been WARNED.
The build script automatically configures the system with DNS recursion turned on. This has security implications, since it potentially opens your DNS server to a DNS amplification attack, a kind of a DDoS attack. This should not be a concern however, as long as the iptables
firewall rules configured automatically by the build script for you remain in place. However if you ever decide to turn the firewall off, please be aware of this.
If you want to turn DNS recursion off, please be aware that you will need a mechanism to selectively send DNS requests for domains your DNS server knows about (i.e. netflix.com) to your VPS and send all of the other DNS traffic to your local ISP's DNS server. Something like Dnsmasq can be used for this and some Internet routers even have it built in. In order to switch DNS recursion off, you will need to build your system using the following command:
git clone https://github.com/ab77/netflix-proxy /opt/netflix-proxy && cd /opt/netflix-proxy && ./build.sh -r 0 -b 1
The following command line options can be optionaly passed to build.sh
for additional control:
Usage: ./build.sh [-r 0|1] [-b 0|1] [-c <ip>] [-z 0|1] [-u <username>] [-p <password>] [-k <update-key>] [-n <1..N>] [-s <subnet>]
-r enable (1) or disable (0) DNS recursion (default: 1)
-b grab docker images from repository (0) or build locally (1) (default: 0)
-c specify client-ip instead of being taken from ssh_connection
-s specify IPv6 subnet for Docker (e.g. 2001:470:abcd:123::/64)
-z enable caching resolver (default: 0)
-u HE tunnel broker username
-p HE tunnel broker password
-k HE tunnel broker update key
-n HE tunnel index (default: 1)
In order to update your existing database schema, please run the provided update.sh
script.
Alternatively you can run the schema updates manually (e.g. if you skipped a version).
The build script has been designed to work on Ubuntu 14.x
and Debian 8.x
. It will most likely fail on all other distributions. Some pre-requisites require the locale to be set correctly and some provider OS images need extra help. If you get locale
issues reported by Python
and/or pip
during the build, try running the following first:
export LANGUAGE=en_US.UTF-8 && \
export LANG=en_US.UTF-8 && \
export LC_ALL=en_US.UTF-8 && \
export LC_CTYPE="en_US.UTF-8" && \
locale-gen en_US.UTF-8 && \
sudo apt-get -y install language-pack-en-base && \
sudo dpkg-reconfigure locales
(Netflix is blocked[n16]) The following is based on a Debian image provided by Vultr
, but should in theory work on any Debian distribution. Do not enable native IPv6 on the host.
- For a limited time, head over to Vultr to create and account and get $20 USD credit.
- Create a compute instance in a geographic location of interest using
Debian 8 x64 (jessie)
image. Create a free tunnel broker account.Create a regular tunnel.Set theIPv4 Endpoint
to the IP address of your Vultr instance, pick a tunnel server closest to you and clickCreate Tunnel
.SSH to your server and runping6 netflix.com
; if you getNetwork is unreachable
proceed to the next step, otherwise remove native IPv6 first.Run:apt-get update && apt-get -y install vim dnsutils curl sudo git && curl -sSL https://get.docker.com/ | sh && git clone https://github.com/ab77/netflix-proxy /opt/netflix-proxy && cd /opt/netflix-proxy && ./build.sh -u <tunnelbroker-username> -p <tunnelbroker-password>
, making sure to specify your HE tunnel username and password correctly.- SSH to your server and run:
apt-get update && apt-get -y install vim dnsutils curl sudo git && \
curl -sSL https://get.docker.com/ | sh && \
git clone https://github.com/ab77/netflix-proxy /opt/netflix-proxy && \
cd /opt/netflix-proxy && ./build.sh
- Make sure to record the credentials for the
netflix-proxy
admin site. - Set your DNS server to the IP given at the end of the script, then go to this site to make sure the same IP is displayed.
- Finally, enjoy
Netflix
and others out of region. - Enjoy or raise a new issue if something doesn't work quite right (also
#netflix-proxy
on freenode).
(Netflix is blocked[n16]) The following is based on a Debian or Ubuntu OS images provided by RamNode
. Do not enable native IPv6 on the host. Also, see RamNode specific IPv6 notes.
- Head over to RamNode to create an account and buy a KVM VPS in a geographic location of interest (OpenVZ won't work).
- Log into the
VPS Control Panel
and (re)install the OS usingUbuntu 14.04 x86_64 Server Minimal
orDebian 8.0 x86_64 Minimal
image. Create a free tunnel broker account.Create a regular tunnel.Set theIPv4 Endpoint
to the IP address of your RamNode VPS, pick a tunnel server closest to you and clickCreate Tunnel
.SSH to your server and runping6 netflix.com
; if you getNetwork is unreachable
proceed to the next step, otherwise remove native IPv6 first.Run:apt-get update && apt-get -y install vim dnsutils curl sudo git && curl -sSL https://get.docker.com/ | sh && git clone https://github.com/ab77/netflix-proxy /opt/netflix-proxy && cd /opt/netflix-proxy && ./build.sh -u <tunnelbroker-username> -p <tunnelbroker-password>
, making sure to specify your HE tunnel username and password correctly.- SSH to your server and run:
apt-get update && apt-get -y install vim dnsutils curl sudo git && \
curl -sSL https://get.docker.com/ | sh && \
git clone https://github.com/ab77/netflix-proxy /opt/netflix-proxy && \
cd /opt/netflix-proxy && ./build.sh
- Make sure to record the credentials for the
netflix-proxy
admin site. - Set your DNS server to the IP given at the end of the script, then go to this site to make sure the same IP is displayed.
- Finally, enjoy
Netflix
and others out of region. - Enjoy or raise a new issue if something doesn't work quite right (also
#netflix-proxy
on freenode).
(Netflix is blocked[n16]) The following is based on a standard Ubuntu image provided by Linode
, but should work on any Linux distribution without Docker installed. Do not enable native IPv6 on the host or disable it post-build and before moving onto step 7.
- Head over to Linode and sign-up for an account.
- Create a new
Linode
in a geographic location of interest and deploy anUbuntu 14-04 LTS
image into it. Create a free tunnel broker account.Create a regular tunnel.Set theIPv4 Endpoint
to the IP address of your Linode, pick a tunnel server closest to you and clickCreate Tunnel
.SSH to your server and runping6 netflix.com
; if you getNetwork is unreachable
proceed to the next step, otherwise remove native IPv6 first.Run:apt-get update && apt-get -y install vim dnsutils curl sudo git && curl -sSL https://get.docker.com/ | sh && git clone https://github.com/ab77/netflix-proxy /opt/netflix-proxy && cd /opt/netflix-proxy && ./build.sh -u <tunnelbroker-username> -p <tunnelbroker-password>
, making sure to specify your HE tunnel username and password correctly.- SSH to your server and run:
apt-get update && apt-get -y install vim dnsutils curl sudo git && \
curl -sSL https://get.docker.com/ | sh && \
git clone https://github.com/ab77/netflix-proxy /opt/netflix-proxy && \
cd /opt/netflix-proxy && ./build.sh
- Make sure to record the credentials for the
netflix-proxy
admin site. - Set your DNS server to the IP given at the end of the script, then go to this site to make sure the same IP is displayed.
- Finally, enjoy
Netflix
and others out of region. - Enjoy or raise a new issue if something doesn't work quite right (also
#netflix-proxy
on freenode).
(untested) The following is based on a standard Ubuntu image provided by DreamHost
, but should work on any Linux distribution without Docker installed and running under non-root user (e.g. Amazon Web Services
[n13]). Do not enable native IPv6 on the host.
- Head over to DreamHost and sign-up for an account.
- Find the
DreamCompute
orPublic Cloud Computing
section and launch anUbuntu 14-04-Trusty
instance in a geographic location of interest. - Make sure to add an additional firewall rule to allow DNS:
Ingress - IPv4 - UDP - 53 - 0.0.0.0/0 (CIDR)
- Also add a
Floating IP
to your instance. Create a free tunnel broker account.Create a regular tunnel.Set theIPv4 Endpoint
to the IP address of your instance, pick a tunnel server closest to you and clickCreate Tunnel
.SSH to your server and runping6 netflix.com
; if you getNetwork is unreachable
proceed to the next step, otherwise remove native IPv6 first.Run:sudo apt-get update && sudo apt-get -y install vim dnsutils curl git && curl -sSL https://get.docker.com/ | sh && sudo usermod -aG docker $(whoami | awk '{print $1}') && sudo git clone https://github.com/ab77/netflix-proxy /opt/netflix-proxy && cd /opt/netflix-proxy && ./build.sh -u <tunnelbroker-username> -p <tunnelbroker-password>
, making sure to specify your HE tunnel username and password correctly.- SSH to your server and run:
sudo apt-get update && sudo apt-get -y install vim dnsutils curl git && \
curl -sSL https://get.docker.com/ | sh && sudo usermod -aG docker $(whoami | awk '{print $1}') && \
sudo git clone https://github.com/ab77/netflix-proxy /opt/netflix-proxy && \
cd /opt/netflix-proxy && ./build.sh
- Make sure to record the credentials for the
netflix-proxy
admin site. - Set your DNS server to the IP given at the end of the script, then go to this site to make sure the same IP is displayed.
- Finally, enjoy
Netflix
and others out of region. - Enjoy or raise a new issue if something doesn't work quite right (also
#netflix-proxy
on freenode).
The following is based on Ubuntu image provided by Gandi
using root
login with SSH key only (no password). For default non-root admin
login, adjust step 6 to use sudo
where nesessary. If using HE tunnel borker, you will definitely need to disable native IPv6, as it is enabled by default.
- Head over to Gandi to create a virtual server in a geographic location of interest.
Create a free tunnel broker account.Create a regular tunnel.Set theIPv4 Endpoint
to the IP address of your server, pick a tunnel server in the US and clickCreate Tunnel
.SSH to your server and runping6 netflix.com
; if you getNetwork is unreachable
proceed to the next step, otherwise remove native IPv6 first.Run:apt-get update && apt-get -y install vim dnsutils curl sudo git && curl -sSL https://get.docker.com/ | sh && git clone https://github.com/ab77/netflix-proxy /opt/netflix-proxy && cd /opt/netflix-proxy && ./build.sh -u <tunnelbroker-username> -p <tunnelbroker-password>
, making sure to specify your HE tunnel username and password correctly.- SSH to your server and run:
apt-get update && apt-get -y install vim dnsutils curl sudo git && \
curl -sSL https://get.docker.com/ | sh && \
git clone https://github.com/ab77/netflix-proxy /opt/netflix-proxy && \
cd /opt/netflix-proxy && ./build.sh
- Make sure to record the credentials for the
netflix-proxy
admin site. - Set your DNS server to the IP given at the end of the script, then go to this site to make sure the same IP is displayed.
- Finally, enjoy
Netflix
and others out of region. - Enjoy or raise a new issue if something doesn't work quite right (also
#netflix-proxy
on freenode).
The following has not been tested and is based on a standard Ubuntu
image provided by Microsoft Azure
using cloud-harness
automation tool I wrote a while back and assumes an empty Microsoft Azure
subscription. Also, because Azure block ICMP thorough the load-balancer and don't offer native IPv6 support, IPv6 isn't going to work.
- Head over to Microsoft Azure and sign-up for an account.
- Get Python.
- On your workstation, run
git clone https://github.com/ab77/cloud-harness.git /opt/cloud-harness
. - Follow
cloud-harness
Installation and Configuration section to set it up. - Create a storage account.
- Create a new hosted service.
- Add a hosted service certificate for SSH public key authentication
- Create a reserved ip address.
- Create a virtual network.
- Create a
Ubuntu 14.04 LTS
virtual machine as follows:
./cloud-harness.py azure --action create_virtual_machine_deployment \
--service <your hosted service name> \
--deployment <your hosted service name> \
--name <your virtual machine name> \
--label 'Netflix proxy' \
--account <your storage account name> \
--blob b39f27a8b8c64d52b05eac6a62ebad85__Ubuntu-14_04-LTS-amd64-server-20140414-en-us-30GB \
--os Linux \
--network VNet1 \
--subnet Subnet-1 \
--ipaddr <your reserved ipaddr name> \
--size Medium \
--ssh_auth \
--disable_pwd_auth \
--verbose
- Use the Azure Management Portal to add
DNS (UDP)
,HTTP (TCP)
andHTTPS (TCP)
endpoints and secure them to your home/work/whatever IPs using the AzureACL
feature. - SSH to your VM as
azureuser
using custom public TCP port (not22
) and use any non-root user Ubuntu instructions to build/installnetflix-proxy
.
This project is linked with Travis CI
to deploy and test the project automatically. The Python script testbuild.py
is used to deploy and test netflix-proxy
. This script deploys a test Droplet
and then runs a serious of tests to verify (a) that all Docker
containers start; (b) the built.sh
script outputs the correct message at the end; (c) all the relevant services survive a reboot; and (d) proxy is able to comunicate with Netflix over SSL.
The testbuild.py
script can also be used to programatically deploy Droplets
from the command line:
usage: testbuild.py digitalocean [-h] --api_token API_TOKEN
[--client_ip CLIENT_IP]
[--fingerprint FINGERPRINT [FINGERPRINT ...]]
[--region REGION] [--branch BRANCH]
[--tb_user TB_USER] [--tb_passwd TB_PASSWD]
[--tb_key TB_KEY] [--tb_index TB_INDEX]
[--create] [--destroy] [--list_regions]
[--name NAME]
optional arguments:
-h, --help show this help message and exit
--api_token API_TOKEN
DigitalOcean API v2 secret token
--client_ip CLIENT_IP
client IP to secure Droplet
--fingerprint FINGERPRINT [FINGERPRINT ...]
SSH key fingerprint
--region REGION region to deploy into; use --list_regions for a list
--branch BRANCH netflix-proxy branch to deploy (default: master)
--tb_user TB_USER HE tunnel broker username
--tb_passwd TB_PASSWD
HE tunnel broker password
--tb_key TB_KEY HE tunnel broker update key
--tb_index TB_INDEX HE tunnel broker tunnel index (default: 1)
--create Create droplet
--destroy Destroy droplet
--list_regions list all available regions
--name NAME Droplet name
Note, you will need a working Python 2.7
environment and the modules listed in tests/requirements.txt
(run pip install -r tests/requirements.txt
).
Video playback tests are currently disabled due to Netflix DigitalOCean/HE Tunnel Broker blocking.
After a successfull build deployment, testvideo.py
is executed to test Netflix video playback. This is done by playing back 60 seconds of a title known to only be available in the US region (e.g. 1,000 Times Good Night).
usage: testvideo.py netflix [-h] --email EMAIL --password PASSWORD
[--seconds SECONDS] [--titleid TITLEID]
[--tries TRIES]
optional arguments:
-h, --help show this help message and exit
--email EMAIL Netflix username
--password PASSWORD Netflix password
--seconds SECONDS playback time per title in seconds (default: 60)
--titleid TITLEID Netflix title_id to play (default: 80001898)
--tries TRIES Playback restart attempts (default: 4)
A screenshot is saved at the end of the test and uploaded to the gh-pages
branch.
Similarly, testvideo.py
is executed to test Hulu video playback using one of the free titles (e.g. South Park S01E01: Cartman Gets an Anal Probe). The build is configured not to fail in the event of Hulu test failing. This is because Hulu is almost cetrtainly blocked from Digital Ocean.
This solution uses IPv6 downstream from the proxy to unblock IPv6 enabled providers, such as Netflix. No IPv6 support on the client is required for this to work, only the VPS must public IPv6 connectivity. You may also need to turn off IPv6 on your local network (and/or relevant devices).[n6] Having said that, the current iteration uses HE's
free tunnel broker service to provide IPv6 connectivity, since HE
is geo-located in the US, Netflix geoblocking, allows the traffic through.
+----------+ +-----------+ +-----------------+
| | | | | |
| client | +--------------> | proxy | +-------------> | Netflix, etc. |
| | (ipv4) | | (ipv6) | |
+----------+ +-----------+ +-----------------+
When IPv6 public address is present on the host, Docker is configured with public IPv6 support. This is done by assuming the smallest possible IPv6 allocation, dividing it further by two and assigning the second half to the Docker system. Network Discovery Protocol (NDP) proxying is required for this to work, since the second subnet can not be routed[n9]. Afterwards, Docker is running in dual-stack mode, with each container having a public IPv6 address. This approach seems to work in some cases where native IPv6 is used, unfortunately it fails on quite a lot of providers, see work-around.
If IPv6 is provided via a tunnel, Docker subnet can not be reliably calculated and must be specified using -s
parameter to the build.sh
script. If IPv6 is not enabled at all, the VPS is built with IPv4 support only.
RamNode (and any other provider which uses SolusVM as its VPS provisioning system[n10]) assign a /64
subnet to the VPS, but don't route it. Instead, individual addresses must be added in the portal if they are to be used on the host. After speaking with RamNode support, it appears this is a side-effect of MAC address filtering, which prevents IP address theft. This means that even though the subnet can be further divided on the host, only the main IPv6 address bound to eth0
is ever accessible from the outside and none of the IPv6 addresses on the bridges below can communicate over IPv6 to the outside.
To demonstrate this behavour, follow these steps:
IPV6_SUBNET=<allocated-ipv6-subnet> (e.g. 2604:180:2:abc)
IPV6_ADDR=<allocated-ipv6-addr> (e.g. 2604:180:2:abc::abcd)
# re-configure eth0
ip -6 addr del ${IPV6_ADDR}/64 dev eth0
ip -6 addr add ${IPV6_ADDR}/80 dev eth0
# install Docker
apt-get update && apt-get -y install vim dnsutils curl sudo git && curl -sSL https://get.docker.com/ | sh
# update DOCKER_OPTS
# for upstart based systems (e.g. Ubuntu):
printf "DOCKER_OPTS='--ipv6 --fixed-cidr-v6=\"${IPV6_SUBNET}:1::/80\"'\n" > /etc/default/docker && \
service docker restart
# -- OR --
# for systemd based systems (e.g. Debian):
# change "ExecStart" in /lib/systemd/system/docker.service to:
ExecStart=/usr/bin/docker daemon -H fd:// --ipv6 --fixed-cidr-v6="${IPV6_SUBNET}:1::/80"
systemctl daemon-reload && \
systemctl docker restart
# verify IPv6 configuration inside Docker containers
docker run -it ubuntu:14.04 bash -c "ip -6 addr show dev eth0; ip -6 route show"
# test (this will fail)
docker run -it ubuntu:14.04 bash -c "ping6 google.com"
However, if we NAT all IPv6 traffic from this host using eth0
, communication will be allowed:
# NAT all IPv6 traffic behind eth0
ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# test (this will succeed)
docker run -it ubuntu:14.04 bash -c "ping6 google.com"
This solution is meant to be a quick and dirty (but functional) method of bypassing geo-restrictions for various services. While it is (at least in theory) called a smart DNS proxy
, the only smart
bit is in the zones.override
file, which tells the system which domains to proxy and which to pass through. You could easilly turn this into a dumb/transparent DNS proxy
, by replacing the contents of zones.override
with a simple[n4] statement:
zone "." {
type master;
file "/data/conf/db.override";
};
This will in effect proxy every request that ends up on your VPS if you set your VPS IP as your main and only DNS server at home. This will unfortunately invalidate the original purpose of this project. Ideally, what you really want to do, is to have some form of DNS proxy at home, which selectively sends DNS requests to your VPS only for the domains you care about (i.e. netflix.com) and leaves everything else going out to your ISP DNS server(s). Dnsmasq could be used to achieve this, in combination, perhaps, with a small Linux device like Raspberry Pi or a router which can run OpenWRT.
There is a similar project to this, which automates the Dnsmasq configuration.
If your client is running OS X, you can skip dnsmasq and simply redirect all DNS requests for e.g. netflix.com
to your VPS IP by creating a file at /etc/resolver/netflix.com
with these contents:
nameserver xxx.yyy.zzz.ttt
replacing xxx.yyy.zzz.ttt
with your VPS IP, of course.
If you have any idea, feel free to fork it and submit your changes back to me.
If you find this useful, please feel free to make a small donation with PayPal or Bitcoin.
Paypal | Bitcoin |
---|---|
1GUrKgkaCkdsrCzb4pq3bJwkmjTVv9X7eG |
If you feel all of this is too complicated, I don't blame you. If you want change, vote with your wallet by cancelling your Netflix (and other) subscriptions(s) and/or by signing the petition:
- https://github.com/dlundquist/sniproxy by Dustin Lundquist
[email protected]
Hulu
is heavily geo-restricted from most non-residential IP ranges and doesn't support IPv6.- You can now specify your home/office/etc. IP manually using
-c <ip>
option tobuild.sh
. - See, serverfault post.
- See, this issue.
- If you have a working IPv6 stack, then your device may be preferring it over IPv4, see this issue.
- See, https://en.wikipedia.org/wiki/Server_Name_Indication.
- See, https://www.reddit.com/r/VPN/comments/48v03v/netflix_begins_geo_checks_on_cdn/.
- See, Using NDP proxying. Both the caching resolver and Docker dual-stack support are disabled by default due to differences in IPv6 configurations provided by various hosting providers (i.e. RamNode).
- See, http://www.webhostingtalk.com/showthread.php?t=1262537&p=9157381#post9157381.
- See, https://www.facebook.com/GetflixAU/posts/650132888457824, Netflix Geoblocking - Part 2 and read How Netflix is blocking VPNs and Wiki.
- Bypass Netflix Geoblocks with IPv6.
- See, IPv6 on Amazon AWS EC2.
- If Netflix still thinks you are in a wrong country, try a different tunnel server (e.g. in a US location).
- See, https://openvz.org/Docker_inside_CT.
- Netflix have most definitely blocked this service provider network ranges, so following the process is unlikely to yeild an unblocking solution. If you own a compatible device, you could try
black.box
unzoner. - GFW is probably re-writing DNS responses for certain very sensitive domains (i.e. facebook.com), so unfortunately a simple proxy solution like this won't work. VPN technology is required to bypass, try
black.box
unzoner.
-- v2.6
© 2016 belodetek