Smart DNS proxy to watch Netflix
TL;DR
Find a (recent)[n19] Debian or Ubuntu box with root on a clean public IP and run:
apt-get update\
&& apt-get -y install vim dnsutils curl sudo\
&& curl -fsSL https://get.docker.com/ | sh || apt-get -y install docker.io\
&& mkdir -p ~/netflix-proxy\
&& cd ~/netflix-proxy\
&& curl -fsSL https://github.com/ab77/netflix-proxy/archive/latest.tar.gz | gunzip - | tar x --strip-components=1\
&& ./build.sh
See the Wiki page(s) for some common troubleshooting ideas.
… or subscribe to Unzoner VPN service to un-block:
netflix-proxy is a smart DNS proxy to stream Netflix, Hulu[n2], HBO Now and others out of region. It is deployed using Docker containers and uses dnsmasq[n18] and sniproxy[n1] to provide SmartDNS services. It works for some blocked sites, such as PornHub and YouTube. Subscribe to the mailing list and be notified of new features, updates, etc.
The following are supported out of the box, however adding additional services is trivial and is done by updating the dnsmasq.conf file and running docker restart dnsmasq:
This project is free, covered by the MIT License. It is provided without any warranty and can be used for any purpose, including private and commercial. However, if you are planning to use it for commercial purposes (i.e. make money off it), please do not expect free support, as it would be unfair. A commercial support model can always be negotiated, if required. Please contact me if this is something that interests you.
The following paragraphs show how to get this solution up and running with a few different Cloud providers I’ve tried so far. If you prefer a video tutorial, here is one prepared by one of the users. Note, OpenVZ won’t work[n15]; make sure to get a proper virtual machine using KVM or Xen.
(Netflix is blocked[n16]) The following is based on a standard Ubuntu Docker image provided by DigitalOcean, but should in theory work on any Linux distribution with Docker pre-installed.
One-click Apps tab).
mkdir -p ~/netflix-proxy\
&& cd ~/netflix-proxy\
&& curl -fsSL https://github.com/ab77/netflix-proxy/archive/latest.tar.gz | gunzip - | tar x --strip-components=1\
&& ./build.sh
netflix-proxy admin site.
Netflix and others out of region.
#netflix-proxy on freenode for help.
If you want to share your system with friends and family, you can authorise their home IP address(es) using the netflix-proxy admin site, located at http://<ipaddr>:8080/, where ipaddr is the public IP address of your VPS. Log in using the admin account with the password you recorded during the build. If you’ve forgotten your admin credentials, reset.
The admin account does not restrict the entry or removal of IPs. If you want to restrict the entry of IPs to the current client IP using an automatically populated drop-down, create a standard user account using the account-creator.sh script located in the auth directory, which will prompt you for the input and create the user account.
You can also use the netflix-proxy admin site to update your IP address, should your ISP assign you a new one (e.g. via DHCP). If your IP address does change, all HTTP/HTTPS requests will automatically be redirected to the admin site on port 8080. All DNS requests will be redirected to the dnsmasq instance running on port 5353. You will most likely need to purge your browser and system DNS caches after this. On Windows, run ipconfig /flushdns. On OS X, run:
sudo killall -HUP mDNSResponder\
&& sudo dscacheutil -flushcache
Then restart the browser (e.g. chrome://restart) and/or reboot the relevant devices. This mechanism should work on browsers, but will most likely cause errors on other devices, such as Apple TVs and smart TVs. If your Internet stops working all of a sudden, try loading a browser and going to netflix.com.
ipaddr is the public IP address of your VPS), substitute admin credentials and run:
# The URLs are quoted so the shell does not treat & as a background operator.
curl -L 'http://<ipaddr>:8080/autoadd?username=<admin-username>&password=<admin-password>'
curl -L 'http://<ipaddr>:8080/autoadd?ip=<your-public-ipaddr>&username=<admin-username>&password=<admin-password>'
WARNING: do not enable this unless you know what you are doing.
To enable automatic authorization of every IP that hits your proxy, set AUTO_AUTH = True in auth/settings.py and run service netflix-proxy-admin restart. This setting will effectively authorize any IP hitting your proxy IP with a web browser for the first time, including bots, hackers, spammers, etc. Upon successful authorization, the browser will be redirected to Google.
The DNS service is configured with recursion turned on by default, so after a successful authorization, anyone can use your VPS in DNS amplification attacks, which will probably put you in breach of contract with the VPS provider. You have been WARNED.
The build script automatically configures the system with DNS recursion turned on. This has security implications, since it potentially opens your DNS server to a DNS amplification attack, a kind of DDoS attack. This should not be a concern, however, as long as the iptables firewall rules configured automatically by the build script for you remain in place. However, if you ever decide to turn the firewall off, please be aware of this.
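One way to check that the firewall still protects the recursive resolver, as an added example that is not part of the netflix-proxy project: a shell function that reads `iptables -S` output and reports any ACCEPT rule for port 53 with no source restriction. The sample rule sets and the 203.0.113.10 client address are constructed, and because the chain layout created by build.sh is not shown on this page, the check looks at rules in every chain.

```shell
#!/bin/sh
# Added example (not project code): audit `iptables -S` output for DNS rules
# that would expose the recursive resolver to any source address.

# Reads rules on stdin, prints each offending rule prefixed with "OPEN: ".
# Returns 0 when port 53 is only accepted from specific sources, 1 otherwise.
audit_dns_rules() {
    awk '
    BEGIN { bad = 0 }
    {
        accept = 0; dns = 0; src = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
            # --dport 53, or 53 inside a multiport list such as 53,80,443
            if (($i == "--dport" || $i == "--dports") && $(i+1) ~ /(^|,)53(,|$)/) dns = 1
            # a negated source ("! -s x") still admits almost everyone
            if ($i == "-s") src = (i > 1 && $(i-1) == "!") ? "" : $(i+1)
        }
        if (accept && dns && (src == "" || src == "0.0.0.0/0")) {
            print "OPEN: " $0
            bad = 1
        }
    }
    END { exit bad }
    '
}

# Constructed sample: DNS limited to one authorised client (203.0.113.10).
SAMPLE_LOCKED='-P INPUT DROP
-A INPUT -s 203.0.113.10/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed sample: the UDP rule has lost its source restriction.
SAMPLE_OPEN='-P INPUT DROP
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 53 -j ACCEPT'

printf '%s\n' "$SAMPLE_LOCKED" | audit_dns_rules && echo "locked sample: ok"
printf '%s\n' "$SAMPLE_OPEN" | audit_dns_rules || echo "open sample: unrestricted DNS rule"

# On the VPS itself: iptables -S | audit_dns_rules
```

A non-zero exit status from the function means at least one rule accepts DNS from any address, which is the condition the paragraph above warns about.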
The following command line options can be optionally passed to build.sh for additional control:
Usage: ./build.sh [-b 0|1] [-c <ip>]
-b grab docker images from repository (0) or build locally (1) (default: 0)
-c specify client-ip instead of being taken from ssh_connection
In order to update your existing database schema, please run the provided update.sh script. Alternatively you can run the schema updates manually (e.g. if you skipped a version).
The build script has been designed to work on Ubuntu and Debian. It will most likely fail on all other distributions. Some pre-requisites require the locale to be set correctly and some provider OS images need extra help. If you get locale issues reported by Python and/or pip during the build, try running the following first:
export LANGUAGE=en_US.UTF-8\
&& export LANG=en_US.UTF-8\
&& export LC_ALL=en_US.UTF-8\
&& export LC_CTYPE="en_US.UTF-8"\
&& locale-gen en_US.UTF-8\
&& sudo apt-get -y install language-pack-en-base\
&& sudo dpkg-reconfigure locales
(Netflix is blocked[n16]) The following is based on a Debian image provided by Vultr, but should in theory work on any Debian distribution.
apt-get update\
&& apt-get -y install vim dnsutils curl sudo\
&& curl -fsSL https://get.docker.com/ | sh || apt-get -y install docker.io\
&& mkdir -p ~/netflix-proxy\
&& cd ~/netflix-proxy\
&& curl -fsSL https://github.com/ab77/netflix-proxy/archive/latest.tar.gz | gunzip - | tar x --strip-components=1\
&& ./build.sh
netflix-proxy admin site.
Netflix and others out of region.
#netflix-proxy on freenode for help.
(Netflix is blocked[n16]) The following is based on a standard Ubuntu image provided by Kamatera.
apt-get update\
&& apt-get -y install vim dnsutils curl sudo\
&& curl -fsSL https://get.docker.com/ | sh || apt-get -y install docker.io\
&& mkdir -p ~/netflix-proxy\
&& cd ~/netflix-proxy\
&& curl -fsSL https://github.com/ab77/netflix-proxy/archive/latest.tar.gz | gunzip - | tar x --strip-components=1\
&& ./build.sh
netflix-proxy admin site.
Netflix and others out of region.
#netflix-proxy on freenode for help.
(Netflix is blocked[n16]) The following is based on Debian or Ubuntu images provided by RamNode.
VPS Control Panel and (re)install the OS using Ubuntu or Debian image.
apt-get update\
&& apt-get -y install vim dnsutils curl sudo\
&& curl -fsSL https://get.docker.com/ | sh || apt-get -y install docker.io\
&& mkdir -p ~/netflix-proxy\
&& cd ~/netflix-proxy\
&& curl -fsSL https://github.com/ab77/netflix-proxy/archive/latest.tar.gz | gunzip - | tar x --strip-components=1\
&& ./build.sh
netflix-proxy admin site.
Netflix and others out of region.
#netflix-proxy on freenode for help.
(Netflix is blocked[n16]) The following is based on a standard Ubuntu image provided by Linode, but should work on any Linux distribution without Docker installed.
Linode in a geographic location of interest and deploy an Ubuntu image into it.
apt-get update\
&& apt-get -y install vim dnsutils curl sudo\
&& curl -fsSL https://get.docker.com/ | sh || apt-get -y install docker.io\
&& mkdir -p ~/netflix-proxy\
&& cd ~/netflix-proxy\
&& curl -fsSL https://github.com/ab77/netflix-proxy/archive/latest.tar.gz | gunzip - | tar x --strip-components=1\
&& ./build.sh
netflix-proxy admin site.
Netflix and others out of region.
#netflix-proxy on freenode for help.
(untested) The following is based on a standard Ubuntu image provided by DreamHost, but should work on any Linux distribution without Docker installed and running under non-root user (e.g. Amazon Web Services[n13]).
DreamCompute or Public Cloud Computing section and launch an Ubuntu instance in a geographic location of interest.
Ingress - IPv4 - UDP - 53 - 0.0.0.0/0 (CIDR)
Floating IP to your instance.
sudo apt-get update\
&& sudo apt-get -y install vim dnsutils curl\
&& curl -fsSL https://get.docker.com/ | sh || sudo apt-get -y install docker.io\
&& sudo usermod -aG docker $(whoami | awk '{print $1}')\
&& mkdir -p ~/netflix-proxy\
&& cd ~/netflix-proxy\
&& curl -fsSL https://github.com/ab77/netflix-proxy/archive/latest.tar.gz | gunzip - | tar x --strip-components=1\
&& ./build.sh
netflix-proxy admin site.
Netflix and others out of region.
#netflix-proxy on freenode for help.
The following is based on Ubuntu image provided by Gandi using root login with SSH key only (no password). For default non-root admin login, adjust step 6 to use sudo where necessary.
apt-get update\
&& apt-get -y install vim dnsutils curl sudo\
&& curl -fsSL https://get.docker.com/ | sh || apt-get -y install docker.io\
&& mkdir -p ~/netflix-proxy\
&& cd ~/netflix-proxy\
&& curl -fsSL https://github.com/ab77/netflix-proxy/archive/latest.tar.gz | gunzip - | tar x --strip-components=1\
&& ./build.sh
netflix-proxy admin site.
Netflix and others out of region.
#netflix-proxy on freenode for help.
The following has not been tested and is based on a standard Ubuntu image provided by Microsoft Azure using cloud-harness automation tool I wrote a while back and assumes an empty Microsoft Azure subscription. Also, because Azure block ICMP through the load-balancer and don’t offer native IPv6 support, IPv6 isn’t going to work.
git clone https://github.com/ab77/cloud-harness.git ~/cloud-harness
cloud-harness Installation and Configuration section to set it up.
./cloud-harness.py azure --action create_virtual_machine_deployment \
--service <your hosted service name> \
--deployment <your hosted service name> \
--name <your virtual machine name> \
--label 'Netflix proxy' \
--account <your storage account name> \
--blob b39f27a8b8c64d52b05eac6a62ebad85__Ubuntu-14_04-LTS-amd64-server-20140414-en-us-30GB \
--os Linux \
--network VNet1 \
--subnet Subnet-1 \
--ipaddr <your reserved ipaddr name> \
--size Medium \
--ssh_auth \
--disable_pwd_auth \
--verbose
DNS (UDP), HTTP (TCP) and HTTPS (TCP) endpoints and secure them to your home/work/whatever IPs using the Azure ACL feature.
azureuser using custom public TCP port (not 22) and use any non-root user Ubuntu instructions to build/install netflix-proxy.
This project is linked with Travis CI to deploy and test the project automatically. The Python script testbuild.py is used to deploy and test netflix-proxy. This script deploys a test Droplet and then runs a series of tests to verify (a) that all Docker containers start; (b) the build.sh script outputs the correct message at the end; (c) all the relevant services survive a reboot; and (d) proxy is able to communicate with Netflix over SSL.
The testbuild.py script can also be used to programmatically deploy Droplets from the command line:
usage: testbuild.py digitalocean [-h] --api_token API_TOKEN
[--client_ip CLIENT_IP]
[--fingerprint FINGERPRINT [FINGERPRINT ...]]
[--region REGION] [--branch BRANCH]
[--create] [--destroy] [--list_regions]
[--name NAME]
optional arguments:
-h, --help show this help message and exit
--api_token API_TOKEN
DigitalOcean API v2 secret token
--client_ip CLIENT_IP
client IP to secure Droplet
--fingerprint FINGERPRINT [FINGERPRINT ...]
SSH key fingerprint
--region REGION region to deploy into; use --list_regions for a list
--branch BRANCH netflix-proxy branch to deploy (default: master)
--create Create droplet
--destroy Destroy droplet
--list_regions list all available regions
--name NAME Droplet name
Note, you will need a working Python 2.7 environment and the modules listed in tests/requirements.txt (run pip install -r tests/requirements.txt).
Video playback tests are currently disabled due to provider blocking.
After a successful build deployment, testvideo.py is executed to test Netflix video playback. This is done by playing back 60 seconds of a title known to only be available in the US region (e.g. 1,000 Times Good Night).
usage: testvideo.py netflix [-h] --email EMAIL --password PASSWORD
[--seconds SECONDS] [--titleid TITLEID]
[--tries TRIES]
optional arguments:
-h, --help show this help message and exit
--email EMAIL Netflix username
--password PASSWORD Netflix password
--seconds SECONDS playback time per title in seconds (default: 60)
--titleid TITLEID Netflix title_id to play (default: 80001898)
--tries TRIES Playback restart attempts (default: 4)
A screenshot is saved at the end of the test and uploaded to the gh-pages branch.
Similarly, testvideo.py is executed to test Hulu video playback using one of the free titles (e.g. South Park S01E01: Cartman Gets an Anal Probe). The build is configured not to fail in the event of the Hulu test failing. This is because Hulu is almost certainly blocked from Digital Ocean.
This solution uses IPv6 downstream from the proxy to unblock IPv6 enabled providers, such as Netflix. No IPv6 support on the client is required for this to work, only the VPS must have public IPv6 connectivity. You may also need to turn off IPv6 on your local network (and/or relevant devices).[n6]
+----------+                  +-----------+                 +-----------------+
|          |                  |           |                 |                 |
|  client  | +--------------> |   proxy   | +-------------> |  Netflix, etc.  |
|          |      (ipv4)      |           |      (ipv6)     |                 |
+----------+                  +-----------+                 +-----------------+
If you have any idea, feel free to fork it and submit your changes back to me.
If you find this useful, please feel free to make a small donation with PayPal or Bitcoin.
Paypal | Bitcoin |
---|---|
 | 1GUrKgkaCkdsrCzb4pq3bJwkmjTVv9X7eG |
dustin@null-ptr.net; this solution will only work on devices supporting Server Name Indication (SNI)[n7] and only if they use DNS to resolve names.
Hulu is heavily geo-restricted from most non-residential IP ranges and doesn’t support IPv6.
-c <ip> option to build.sh.
black.box unzoner.
black.box unzoner.
simon@thekelleys.org.uk.
© 2016-2019 ab1