Netflix DNS-unblocking without SNI for your Xbox 360, PS3, WDTV, Samsung TV

My poor man’s DNS-unblocking configuration using just a single, public IP address has one serious limitation: it will not run Netflix or Hulu Plus with non-SNI players like the PS3, Xbox 360, Samsung TVs, Sony BluRay players and possibly quite a few other devices. A commenter (kudos go out to Alex) suggested to use Netfilter’s DNAT port forwarding mechanism to overcome this limitation. Using DNAT you can forward packets based on the source-ip:port to a remote-ip:port.

So, here’s a modified version of the poor man’s DNS-unblocking approach. You will need some sort of Linux server at home to do this. I’m using a Raspberry Pi Linux mini computer which is up 24/7 on my LAN. And of course you will need a remote Linux server with an IP address registered in the U.S. You can get a low-end virtual private server for as low as $5/year. Unfortunately, it’s almost impossible to come up with a step-by-step tutorial because every LAN setup is different, hence you have to have some Linux and networking skills in order to get this baby up and running.

And here’s how this approach works: A DNS forwarder like Dnsmasq on your local Linux server will intercept domain names relevant for DNS unblocking. All other queries will be forwarded to the DNS resolver/forwarder of your choice (usually, this will be your router). The intercepted domain names will be resolved to IP addresses which are routed to your Linux server within your LAN. Depending on the resolved IP addresses and ports, iptables DNAT rules will forward the request to a HAProxy proxy on your remote server. Each domain name can have its own internal IP adress and thus its own listening port on your remote server’s HAProxy. And since every domain name can have it’s own HAProxy TCP proxy on your remote server, there’s no need for SNI!
For example: a DNS query to will not be resolved to its actual IP address, it will be resolved to thanks to the internal DNS forwarder. The device asking for’s IP address will try to establish a HTTPS connection to which is routed to a Linux server within your LAN. A DNAT rule will transparently forward all packets sent to to 123.123.123:27201 which is the remote server running HAProxy. The HAProxy proxy listening on port will then forward all layer 4 traffic to

Just enter your local Linux server’s IP address as the DNS address in every device you want to DNS-unblock. You could also set the DNS server address in your router to your local Linux server’s address but make sure not to create an infinite DNS query loop.

Such a DNAT/DNS configuration would be rather complex and prone to errors. That’s why I hacked together a generator which takes a config.json input file and writes three output files:

  • haproxy.conf:
    A complete configuration file for HAProxy. Use it on your remote server’s HAProxy.
  • dnsmasq-haproxy.conf:
    All required DNS mappings for your specified range of internal IP addresses. Put this file in /etc/dnssmasq.d (Debian/Ubuntu) on your local Linux server.
  • iptables-haproxy.conf:
    The DNAT iptables rules. Make sure to load these rules whenever your local Linux server starts.

A few words about the config.json input file for the generator:

  • haproxy_bind_ip:
    IP address of your remote HAProxy server
  • dnat_base_ip:
    Starting IP address for the DNAT rules. Make sure to use static IP addresses in sequential order and route them to your local Linux server using virtual interfaces. Make sure the static IP range doesn’t interfere with your router’s DHCP settings or weird things will happen.
  • dnat_base_port:
    Starting port for the HAProxy proxies.
  • name:
    HAProxy proxy name
  • catchall:
    true/false, set it to true if you want to use a catchall/sni HAProxy for this destination address. I primarily added this feature in order to save IP addresses within the LAN and to reduce the amount of iptables rules and HAProxy configuration entries. Has to be set to false it your device needs can’t handle SNI. When in doubt, set to false.

The generator will provide rules to open the inbound firewall on the remote HAProxy server. Additional rules may be required if you’re firewalling the FORWARD and OUTBOUND chains as well. If something doesn’t work as expected, tcpdump is your friend.

php genconf.php
Make sure the following IP addresses are available as virtual interfaces on your Ddnsmasq-server:

If you are using an inbound firewall on
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 27199 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW -m multiport -d --dports 27200:27270 -j ACCEPT

File generated: haproxy.conf
File generated: dnsmasq-haproxy.conf
File generated: iptables-haproxy.conf

Don’t forget to enable packet forwarding on the local Linux server using

net.ipv4.ip_forward = 1

in /etc/sysctl.conf.

108 replies on “Netflix DNS-unblocking without SNI for your Xbox 360, PS3, WDTV, Samsung TV”

  1. I still can watch Netflix on my Laptop, but I get server 2 and server 3 errors on my PS3. Is there any new domains for Netflix setup?

    PS. I read on github that Jan is no more updating this version. Dockerflix is working well, but I still need non-sni for my PS3. So any help (for netflix only) is appreciated.

    1. my answer to my question:
      adding and to config.json solved the problem for me.
      BTW netflix app did not updated, I had to use VPN for that.

  2. Noticed some significant traffic due to the HAProxy health checks, as the t2.micro is limited to 15GB per month I changed

    “server_options”: “check inter 10s fastinter 2s downinter 2s fall 1800”, // Don’t touch unless you know what you’re doing

    in config.json, to

    “server_options”: “check inter 600s fastinter 2s downinter 2s fall 1800”, // Don’t touch unless you know what you’re doing

    So the check interval is now changed from 10seconds to 10minutes.
    It looks a lot ‘quieter’ now :)

  3. Thank you so much Jan, this worked very well for me.

    Using a FireTV with the latest firmware and Netflix.

    I’m Using a free t2.micro EC2 instance (US East) to run the remote HAProxy server. The local part is all handled by a cheap OpenWRT router.
    Installed an OpenVPN server on the EC2 instance, so I don’t have to bother about securing the proxy ports or updating access rules all the time, since my ISP works with dynamic IPs.

    This means all communication between my home router and the EC2 instance is happening via the VPN tunnel and I set haproxy_bind_ip in the config.json file to the internal/tun0 VPN Server IP.


    – OpenWRT Router (v14.07)
    – Edited /etc/dnsmasq.conf and added the entries of dnsmasq-haproxy.conf
    – as a init.d script
    – Added the required virtual interfaces in /etc/config/network in the following style:

    config interface ‘ublock0’
    option ifname ‘@lan’
    option proto ‘static’
    option ipaddr ‘’
    option netmask ‘’

    – Installed openvpn-openssl via opkg and placed keys/config in /etc/openvpn. Enabled at bootup.

    – t2.micro EC2 instance
    – Set up with Ubuntu 14.04 AMI and 30GB SSD. Assigned an public Elastic IP.
    – Set up the OpenVPN UDP Server
    – Installed HAProxy 1.5 (via ppa:vbernat/haproxy-1.5) ; Generated config worked right away.
    – Added the UDP Port of the OpenVPN server to the Security Group of the instance.

    Think this was pretty much it, expected more troubles setting this all up but it worked almost on first try.

  4. Quick question, will this setup work for devices that do indeed support SNI? Like your normal Chrome browser, etc?

    Also, will this work with kodi (aka xbmc?) The python that is bundled with kodi doesnt support SNI, so this method might make it work?

    1. I’ll just respond to myself and say yes, if using this non-sni method does indeed let xbmc/kodi work.

      Thanks for this page! Helped a lot!

  5. Hi, great Tutorial.
    Everything works great for me. I Always use this with german Netflix and watch it in France. The Only Problem at this moment i dont know how i can get Amazon Instant Video work. Could someone help ?

  6. I’ve manually added Youtube to it with the entries and

    Videos are unblocked and I can watch live streams (german restriction) but the the quality on the unblocked videos is horrible (480p I guess).
    I tried different servers in different locations but they all have the same problem. Also when I use openvpn (to the same server) instead of the Tunlr-style method it loads fast and in HD. Therefore I assume it has got something to do with the method I’m using.

    are maybe the 3 entries I used to unblock youtube wrong that it redirects ALL traffic instead only the dns requests?

    I hope anyone knows anything

  7. For tomatoUSB users:

    Add dnsmasq settings to Advanced->DHCP/DNS section.
    Add iptables rules to Administration->Scripts->Firewall. Reboot router or restart firewall via ssh.
    No need to add any interfaces.

    Firewall has 8kB limit, dnsmasq 4kB, so you might have to remove some of the rules, I kept only netflix and still had to remove sony servers, to keep things simple.

    Btw, what are POSTROUTING rules supposed to do? Everything works without them.

  8. Hi Jan,
    I would like to add service to the config. Need your help to add it to the config file or some suggestion please on howto.

  9. Anyone managed to make vudu work? I am stuck with, redirected all the possible addresses I could find requests for with tshark to the haproxy and still it gives me error 5000 (cannot login – they say it is usual to those with geolocation issues). The problem is after the connection to cs* which is the last connection before opening the video.

    1. I just had a quick look at it when connecting with Firefox:

      Since the content stream on those cs*-hosts is geo-fenced, you have to take care of those ports as well, the content stream is not being served on 80 or 443. However, since the entire content stream has to go through the proxy, the stream quality will be affected in a bad way. At least for the higher bitrate content. IMO not worth the hassle.


      1. Thanks for your reply. I didn’t really check for other ports because I thought 80&443 are enough. Will give them a try now.

        As for the speed.. I am using Vudu through various vpns’ I have (ramnode, iniz, buyvm, openvirtuals etc) and I can get close to 8-9mbit out of 10 of my home line on its speedtest, about 5 on the actual stream (HDX metered with iftop) so I don’t mind having it proxied.

        I am turning to proxy because the wife complains about lag / timeouts when browsing local content (crap) on her ipad, otherwise I prefer pure unencrypted vpn. Just need to have everything we watch (netflix,hulu,crackle,vudu) covered.


      2. Things will probably work differently on iPad. I just looked at it in the web browser. You may have to wireshark the entire connection handshake until the stream starts to play to see the ports involved. They may be using a range of ports and/or direct non-HTTP socket connections. Could be a tricky one.


      3. Yep, gave a try to add 843 & 13247 to haproxy but it seems not be passing the traffic correctly (tshark is capturing back and forth but nothing shows on the haproxy monitor webpage). I probably have put the wrong setup for these two on haproxy. Anyway, I might end up using the vpn when I watch Vudu as I have it on Roku, PC & Ipad and it’s not worth the hassle I guess.

        Will try some more and I don’t find it tonight I’ll give up.


      4. Managed to make it start with:

        listen data :13247
        mode tcp
        option tcplog
        server check


        But as soon as it buffers / loses connection it goes back to error 5000 (not always). Need to make iptables rules for each of the cs server to keep them alive and not load balance as it creates a mess. Also the final cdn servers (edgecast) are located in west side so it’s gonna be slow for Europe in any configuration.


  10. Hope this helps someone — this stopped working for me for some reason, it still worked on Android but not on Chromecast.

    Turns out, what happened was, for some reason haproxy stopped responding on some of the ports (but not others??), e.g.

    After a lot of debugging, I just randomly restarted haproxy and after that it was sorted. Weird. But I’m happy!

  11. Also instead of binding ip in haproxy can we use fully qualified dns name for the remote server.

  12. What about Xbox One and PS4 are they SNI. Also, do you monitor traffic from game consoles

  13. I found out why some content was working and some wasnt.
    It was because netflix was preparing for the recent launch of netflix in germany. So I only could access content that is available in Germany now.

  14. to “Somebody”:

    I don’t think you understand what this article is about. What you are suggesting with forwarding DNS only, this will not work with non SNI devices. Or unless you have several IP addresses.

    This article makes perfect sense and actually works.

  15. To “Somebody”: Nice try. You’re welcome to leave your comment here but you clearly didn’t read or properly understand this write up and this is why I deleted your misleading comment. Go somewhere else to troll.


  16. Hacktek and Jan thank you for your replies

    I am running now non-sni.
    Windows and Android still work as usual.

    Chromecast has a problem with a lot of content.
    Arrested Development and Fargo works.
    The Office, Bobs Burger, Waynes World did not work.

    Here the queries from my pi:
    Long: to .62 are virtual interfaces on the pi

  17. Is it possible to run the non sni version without a local linux box and run a bind on the vps instead?

  18. but what about using multiple vhost in apache but with all the same cert?
    if they all have the same certificate (self-signed), would apache be able to determine the hostname and do the proper proxying?

    And if that is right, then would the android app or the chromecast have any problem with my self-signed cert?

  19. Hulu has banned many low-end VPS providers. You’ve got to be lucky to find a VPS provider that still works with Hulu but there still a few out there.


  20. And the reason why the images load is probably cause they’re static assets served from a CDN over HTTP, the auth layer works over HTTPS and without sni support there’s no way it will work. You need non-sni.

  21. Chromecast doesn’t support sni so you need to set up the non-sni version. There’s no way to get around the fact that without sni it’s impossible for the proxy to know what the hostname is because it’s under the TLS layer so you either need some sort of man-in-the-middle (which won’t really work because you can’t touch the chromecast’s cert store) or to use iptables nating and forwarding/catching on the other side (which is what non-sni does).

  22. i think theres one address missing to be forwarded at dnsmasq/haproxy for the chromecast as it tries to load images and stream but stops at 13-15% and gives out the above mentioned error “we couldnt play that title right now”

    does anyone know which address/domain it is ?

  23. the pure-sni version works on my netflix for my windows pc and android phone
    hulu however does not work as it says im using an anonymizer (on android it gives an ssl error about the date/time)

    sadly netflix on my chromecast also does not work, i tried several iptable rules but none worked
    chromecast either said
    “we couldnt play that titel right now”
    froze at the “Select a titel to play blabla”
    or said “Oops… we couldn’t connect the app will reboot now and try again”

    Did anyone get it to work with a chromecast?

    I tried the same rules with the unblock us servers and sadly it worked perfectly :\

  24. @Mangoman: if you’re jailbroken and pandora for ios works in sni mode you should be able to just hardcode in the hosts file to the VPS IP running haproxy. This will not work for non-sni mode.

  25. Hi,

    Thanks for the guide. Is there a way to create a DNS server that will work for mobile networks? i.e. – I’d like to connect my iPhone over a dedicated DNS server and use Pandora instead of having to use VPN time after time (my iphone is jailbroken). Problem is that my IP changes all the time (when jumping from one cell tower to another)


  26. I extended this to work without the need of a server if you have a router with dd-wrt. Simple enough just:

    1. Create however many virtual interfaces you need
    i.e. save as many “ifconfig br0:xxx 192.168.x.yyy” as required as a startup script or do it using some sort of loop if there are too many.

    2. Create iptables
    i.e. add all iptables rules to firewall script

    3. Add the dnsmasq config to “Additional DNSMasq Options” in the Services tab.

    4. Enjoy!

    Also, be aware that you may not be able to do this if your router has a small amount of ram. My 42 virtual interfaces + all iptables rules take up ~15 MB of router ram. In my case i still have half left.


    1. Hi Hacktek

      Thanks for the ddwrt guide

      do you run the “ifconfig br0:xxx 192.168.x.yyy” in the command and save startup script?

      What do I put in the first xxx

      Thanks in advance

  27. Ha, my bad. I had forgotten to substitute ha proxy’s config file after moving from sni to non-sni. Seems to be working now.


  28. Hey dude, great post. I was able to run sni version just fine but have made it my weekend project to get non-sni working. Haven’t been successful so far, things make it to the VPS but a tcpdump shows the tcp handshake is not completing. I’m testing, the VPS sends the SYN to server, it replies with its SYN,ACK and then the VPS sends an ACK,RST. Is there some sort of haproxy config that i’m missing?

  29. Great tutorial!
    I was able to install dnsmasq on a spare server on my lan and haproxy following the above instructions. Happy camper here :)

    Question: Security aside, how can I setup dnsmasq facing to the world, provided I have a static IP I can use for my dnsmasq server, so my buddies can use my dns server’s address (like tunlr)?

  30. Hi all,
    short update – the built in netflix app of my fire-tv stopped working so I googled a bit and added the host: to the config.json
    Now it works again.
    @Jerome – as written above – you will need a “local” dns-server which opens up some virtual IPs in your home network – together with the generated iptables entries the requests get routed to your vps where the proxy is running.

  31. Hi Jan,

    Is it possible to run the non-SNI config on a VPS? I’m assuming that to do the DNAT i’d have to rent additional IP addresses in my OpenVZ container or would I be able to simply create virtual interfaces myself without the hosts assistance / cost?


  32. Thank you so much for this project. Now I can watch even more TV :)

    I managed to deploy it on a tomato router. Hope that the following helps others using tomato or ddwrt:

    1. Used jffs to store the scripts and hosts file.

    2. The firmware has short timeouts. To solve timing problems needed to forked off the scripts with trailing ampersand.

    3. Ash shell is a pain. Used a script with 42 lines of ifconfig br0:virtual-ips to create the necessary virtual interfaces

    3. Had problems when I tried to copy dnsmasq-haproxy.conf as /etc/dnsmasq.custom. Instead, converted the file into hosts file format. Then added addn-hosts=/jffs/hostfile to Advanced/DHCP-DNS/Dnsmasq Custom configuration

    4. The iptables rules for postrouting masquerade are unneeded on the router. For unknown reasons, iptables will intermittently reset. So the without the masquerade rules is set to run under Admin/Scripts/Firewall. It refires whenever the firewall is reset.

  33. Thanks for making the scripts available, makes the config so much easier! :)

    The config requires v1.5 HAProxy, so might want to make that requirement a little more visible (at the top).

    — ab1

  34. Hi,

    thanks for the great tutorial. However, I was wondering: is it possible to get rid of local server for dnsmasq and just forward any DNS request from your LAN to remote VPS, with BIND on the vps taking care of what to forward to other servers (i.e., google dns) and what to masquerade with its own IP address?

    Is that feasible or am I missing something obvious?

  35. Hm.. I’ve seen comment #10980 from Ben regarding Amazon Fire TV..

    I’ve setup the thing, it seems to work, but Amazon Instant Video (through Amazon Prime subscription) doesn’t seem to work.. The flash (or Silverlight) player always get an error, they can’t play any video..

    I could start the Prime 30 day trial, so I assume my setup works ;-) This didn’t work before..

    Anybody know if there are additional hostnames necessary for Amazon Prime Instant Video? I’m also based in Switzerland..

  36. Thanks for this awesome post. I got the DNS-masq up an running, tested with the Tester and work fine. Tested with my server running Sniproxy and works fine.
    I have a problem moving on to HAProxy, can’t get it to work. I used the file output from the generator and get the following error:

    125/122002 (10225) : parsing [/etc/haproxy/haproxy.cfg:103] : unknown keyword ‘use-server’ in ‘backend’ section
    [ALERT] 125/122002 (10225) : parsing [/etc/haproxy/haproxy.cfg:106] : unknown keyword ‘use-server’ in ‘backend’ section…..

    one line for each site, ie:hulu, netflix etc. As I remove this configuration from the file haproxy runs ok. Can you help me it seems that this is a syntax error, Ihave look through the haproxy configuration manual but yet can get to a solution.

  37. I can confirm that this also works with amazon Fire TV. At least in Switzerland.
    Thank you so much!

  38. Thanks, that link helped. Got it up and running.

    Still meh, in near future I think i will route my ps3 through a vpn to the US, these continous configurational needs are a pain in the ass. :)


  39. Hei Jan,

    I had a similar configuration running with SNIproxy and my PS3. All was working, until netflix upgraded its ps3 App to 4.0 or so. Since then, the app refused to login.

    A tcpdump showed that the ps3-app queries my nameserver for the ips of and I assume when my DNS returns a geo-fenced IP for google or yahoo, the ps3 app refuses working.

    I have to admit I was not familiar with the ps3s networking, so, with the aforementioned in mind: Are my observations correct? Your setup is obviusly working.
    Why did my ps3 worked with the netflix before?

  40. Hi mkkyah,
    I have an asus rt-ac66u router and applied the asuswrt-merlin firmware. Using JFFS (writable section of the flash memory) I am able to add the dns info requiered in the /jffs/configs/dnsmasq.conf.add that is being used in /etc/dnsmasq.conf after reboot.
    If you require iptables rules, there is another script (/jffs/scripts/firewall-start ) that allow you to set the rules and be persistent from reboot to reboot.
    HAProxy built is required also, please ensure you use 1.5.
    Non-sni is really simple with the “DNS unblocking using Dnsmasq and HAProxy” post, but for my purposes Pandora didn’t work in mobile (iphone) so I move to “Tunlr clone” solution with sni-proxy and that worked.

  41. @Beart: Since your ISP may assign a different IP address to your router every now and then, that’s somewhat difficult. It’s highly unlikely someone finds out you’re running this sort of proxy on your VPS. I’m publishing my test-server publicly on the Internet and even then there’s hardly any traffic on it. I don’t think you should worry about it.


  42. Jan,
    How to block acces to my usa VPS haproxy server, exept for my own?
    If other people point there raspberry to my haproxy server, they use my VPS. I want the only one who will have acces. Can i do this with iptables?

  43. Thanks Jan, It works. now i can access the netflix on my samsung tv. one more query, i cant access some website from my place, how can i unblock it using the same setup. your advice please.

  44. Hi apuredol,
    I’m afraid I don’t have any answer for your problem, but can you explain how you managed non-sni work on DD-Wrt router?

  45. Hi! Trying to run in my asus dd-wrt enabled. Non-sni worked but I am trying to run sni enable to check if I am able to reproduce pandora in my iphone.

    I think routing is ok, my router log is sending the request to the expecte ip port of my vps
    XXX.XXX.XXX.XXX is my vps route, and 27209 is the target port. Anyway the SRC is not my virtual interface.

    Apr 20 00:05:01 kernel: ACCEPT ACCEPT IN=br0 OUT=eth0 SRC= DST=XXX.XXX.XXX.XXX LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=52446 DF PROTO=TCP SPT=53965 DPT=27209 SEQ=767690344 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303040101080A4331651B0000000004020000)

    But in my VPS server the log I am getting a BAD REQUEST
    YYY.YYY.YYY.YYY My public IP

    Apr 19 20:12:18 apuredol haproxy[29520]: YYY.YYY.YYY.YYY:55551 [19/Apr/2014:20:12:04.127] f_netflix-www_http b_netflix-www_http/ 14803/0/-1/-1/14804 503 212 – – CC– 1/1/0/0/0 0/0 {|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36} “GET / HTTP/1.1”
    Apr 19 20:14:14 apuredol haproxy[29520]: YYY.YYY.YYY.YYY:55594 [19/Apr/2014:20:12:14.641] f_netflix-www_http f_netflix-www_http/ -1/-1/-1/-1/120001 408 212 – – cR– 0/0/0/0/0 0/0 {|} “”

    Any guess?

  46. And I’m having problems with non-SNI version. I think I make some mistakes with iptables.conf.
    Beart, can you explain that part a little bit? I started with your explanations and it worked at the end with pure-sni.

  47. Ok, I managed to make a pure-SNI install with Jan’s new genconf work.
    Thanks to Jan and Beart’s posts it worked. I have written down what I did step by step for myself and others like me.
    I started on fresh VPS and Pi installations, some steps may be unnecessary:

    Remote US VPS: Ubuntu 13.10

    apt-get update
    apt-get upgrade

    apt-get install software-properties-common

    add-apt-repository ppa:vbernat/haproxy-1.5
    apt-get update
    apt-get install haproxy

    apt-get install nano

    Local Raspberry pi:

    sudo apt-get update
    sudo apt-get upgrade
    sudo apt-get install dnsmasq

    apt-get install nano
    apt-get install php5

    sudo nano /etc/apache2/ports.conf EDIT -> listen 80 to listen 8010
    sudo service apache2 restart

    sudo apt-get install git-core
    git clone

    cd tunlr-style-dns-unblocking
    sudo nano config.json EDIT-> haproxy_bind_ip: 198.xx.xx.xx dnat_base_ip: (use a free range of your local ip, my pi is on

    php genconf.php pure-sni -> 2 files generated:haproxy.conf/
    sudo cp dnsmasq-haproxy.conf /etc/dnsmasq.d
    sudo service dnsmasq restart

    scp haproxy.conf root@198.xx.xx.xx:/etc/haproxy/haproxy.cfg

    nano /etc/sysctl.conf UNCOMMENT -> net.ipv4.ip_forward = 1

    remote VPS:
    nano /etc/default/haproxy EDIT -> ENABLED=0 to ENABLED=1

    service haproxy start

    set your pc/device DNS to pi’s ip and browse, it works.

  48. I have rebuilt the VPS with centos 6_64 and installed haproxy 1.5, now haproxy is working.
    I can’t load iptables-haproxy.conf now: “iptables-restore: line 1 failed”

    my conf file is like:

    /sbin/iptables -t nat -A PREROUTING -p tcp –dport 80 -d -j DNAT –to-destination 198.xx.xx.xx:27200
    /sbin/iptables -t nat -A POSTROUTING -p tcp –dport 27200 -j MASQUERADE
    /sbin/iptables -t nat -A PREROUTING -p tcp –dport 443 -d -j DNAT –to-destination 198.xx.xx.xx:27201
    /sbin/iptables -t nat -A POSTROUTING -p tcp –dport 27201 -j MASQUERADE

  49. I think it’s current version; haproxy –version returns:
    HA-Proxy version 1.5-dev22-1a34d57 2014/02/03

  50. I get fallowing error when trying to start haproxy 1.5 with generated hmaproxy.conf on ubuntu 13.10_64 server:
    * Starting haproxy haproxy [ALERT] 106/175743 (11248) : [/usr/sbin/haproxy.main()] No enabled listener found (check the keywords) ! Exiting.

  51. If you don’t have a requirement for non-SNI, you could always run the updated generator using the pure-sni parameter and just go with the simpler setup without DNAT.


  52. It’s because you can’t access your LAN from the outside. It’s not going to work. The non-SNI approach works because it doesn’t use an internal network. You probably need a combination of the two approaches.


  53. If i put port 53 open on the raspberry pi, and i use my external internet ip as dns server. all websites will load. Except Netflix and all the others like etc. They will link to 192.168.178.x That will not work offcourse on a remote location. I try’d your Ip adres with Dnsmasq. And it works on my samsung tv(and netflix resolvs to your 208.110x.x)

  54. Jan,
    I want my netflix all the time, sometimes i am in Belgium and Germany. for work/holiday. But i dont have a clue how to acces my setup from the outside. With sniproxy it’s simple. (open port 80/443) But with haproxy i dont have a clue. Kind regards.

  55. Fixed it! Forgot to add 1 ip adres @ /etc/network/interfaces.
    Saw it because i did a ping -a @ my windows pc. It resolves to my raspberry pi.

    And much other websites resolves to (ip of my windows pc) It’s working 100% now. Thnx Jan!

  56. Does it matter that i have a webserver (port 80) &vpn server (1194)running at my home location? That might give conflicts?

  57. It’s 80% working now. Netflix usa will load on my pc/samsung tv. But not on my samsung tab. And all the other sites then Netflix will not load. Do you have an idea?

    1. There are quite a few places where things can go wrong. You will have to use a packet sniffer like tcpdump on the RPi and the VPS at the same time so see what’s coming where it’s going.


  58. haproxy 1.4.24-1 was the problem, installed 1.5 and haproxy will start. Now the last step. iptables. Because dnsmasq work. But when i go to netflix for example. No page will load. Need to set the correct iptables i guess.

  59. Jan, i will not quit till it work :)

    Remote US VPS: Ubuntu 13.10 IP: 167.x.x.x

    sudo apt-get update
    sudo apt-get upgrade
    sudo apt-get install haproxy (haproxy 1.4.24-1 installed)

    Local Raspberry pi: Raspbian External ip: 84.x.x.x Internal ip:

    -sudo apt-get update
    -sudo apt-get upgrade
    -sudo apt-get install dnsmasq
    -git clone
    -cd to tunlr-style-dns-unblocking/poor-mans-non-sni folder
    -nano config.json -> haproxy_bind_ip: 167.x.x.x | dnat_base_ip: Free local ip range, starting with
    What about the “user”: “haproxy”, “password”: “Change-Me-Now” Is user haproxy just for a web login page, or must it be a user on my raspberry pi?

    -php genconf.php -> 3 files generated: haproxy.conf / dbsnasq-haproxy.conf / iptables-haproxy.conf
    -sudo cp dnsmasq-haproxy.conf /etc/dnssmasq.d
    -SCP the haproxy.conf from raspberry pi to remote VPS in folder /etc/haproxy/ The folder now contain 2 files named: haproxy.cfg (stock file) and haproxy.conf and 1 stock folder named “errors”
    -Loading all the iptable rules from iptables-haproxy.conf on raspberry pi.
    -nano /etc/sysctl.conf -> uncomment net.ipv4.ip_forward = 1

    Guess everything is ready on the pi now?

    Switch back to remote VPS And start haproxy
    nano /etc/default/haproxy -> change ENABLED=0 to ENABLED=1
    -service haproxy start -> This will fail. :

    And when i change the content of the stock file haproxy.cfg into the conent of haproxy.conf. It will give a lot of errors:

    Think when haproxy is running, everything will work.

  60. No, i cant make it work. Can you help me maybe?(remote acces no problemo).
    SNI proxy version works 100%. But i want non sni for my samsung tv. Specially borrowd a usa VPS for this :)

  61. The haproxy config file on remote server is /etc/haproxy/
    Must i copy the content of the generated file: haproxy.conf inside the default haproxy.cfg file. Or do i need both files?
    (version 1.4.24 of haproxy, installed with apt-get)

  62. That’s what I meant with:
    Make sure to use static IP addresses in sequential order and route them to your local Linux server using virtual interfaces. Make sure the static IP range doesn’t interfere with your router’s DHCP settings or weird things will happen.
    I can’t tell you how to do this in your environment.

  63. Now it’s more clear. thnx.

    My RPi eth0 adres is But i have other devices running. highest ip is Will de RPi resevate the adresses / 86 for the RPi? Otherwise when friends are here and they login on my wifi with there smartphones. My router will give them for example.

  64. Jan,
    Can you please explain more about the “You will have to add a number of virtual interfaces to /etc/network/interfaces as shown in the output of the generator (on the RPi).” part?

    Do need to edit config.json:


    dnsmasq-haproxy.conf: Lot of 192.168.178.x adresses. I use the 192.168.178.x is also my local ip range at my raspberry pi’s place.

    iptables-haproxy.conf : Dont neem them? Remote server is not firewalled at the moment.

    1. Something like this:

      root@rpi /etc/network # cat interfaces
      # This file describes the network interfaces available on your system
      # and how to activate them. For more information, see interfaces(5).

      # The loopback network interface
      auto lo
      iface lo inet loopback

      # The primary network interface
      auto eth0
      iface eth0 inet static

      auto eth0:51
      iface eth0:51 inet static

      auto eth0:52
      iface eth0:52 inet static


      That’s why in my config.json the dnat_base_ip starts at because is the eth0 of the RPi in my LAN.

  65. I think it’s easier to clone the repo on the RPi, generate the config and eventually scp haproxy.conf to the remote VPS.
    You will have to add a number of virtual interfaces to /etc/network/interfaces as shown in the output of the generator (on the RPi).

    The remote VPS only needs iptables rules if it is firewalled.


  66. Jan, Are these steps correct:

    -git clone your repo on my remote server
    -installing haproxy on remote server
    – installing dnsmasq on local rapsberry pi
    -php haproxy-genconf.php on remote server (Edit config.json) with own details

    -put haproxy.conf on remote server
    -put dnsmasq-haproxy.conf on local raspberry pi
    =put iptables-haproxy.conf on local raspberry pi

    -Add some iptable rules on remote server/raspberry pi?

    -net.ipv4.ip_forward = 1 on local raspberry pi @ in /etc/sysctl.conf

    -Use the IP of my raspberry pi as DNS server.

    Is this the correct way to install it?

  67. Hi Jan, I run the php haproxy-genconf.php and got the following error: PHP Fatal error: Call to undefined function json_decode() in /home/temp/haproxy-genconf.php on line 9. I have downloaded the latest file (haproxy-genconf.php-Removed superfluous log statements) from github.

    1. Ayas, you have to make sure that PHP has access to the JSON PHP library. You could use yum or apt-get to install it.


  68. I have no idea why this is happening. You could always try to resolve the IPv6 address of the backend and use it instead of the domain name in HAProxy’s configuration file. Obviously, this approach has some serious limitations but it may be helpful for debugging.


  69. Well somehow when using haproxy I get netflix over ipv4, but when browsing directly on the server it chooses ipv6. Not sure why this is different…

    Problem is ipv4 messes ip netflix’s geolocation.

  70. Andrew, I don’t think this is for HAProxy to decide. Native IPv6 is preferred over IPv4 if the DNS response includes AAAA records – and the server is IPv6-ready.


  71. Hi Jan,

    is there a way to force haproxy to use ipv6 when getting the content from say netflix?


  72. Thanks Jan I tried this it runs some code then comes back something went wrong with that request.I also don’t see the 3 files generated.

  73. Thanks for your comment Jan

    Can you give me a command line to run the generator file to output the 3 files



  74. As I mentioned in my post, it’s not possible for me to come up with a tutorial for the non-SNI approach. There are too many variables. I’ll have to leave this up to some more gifted tutorial writer ;-)


  75. I think we are confused with all 3 posts and approaches. Is there a chance that we can get a clear step by step tutorial from beginning for non-sni solution?
    I appreciate all the information/effort and understand to one point, but I must admit that I’m lost.

    DD-Wrt would be nice option instead of having additional linux server.

  76. Hey guys,
    How to run the script? The command is shown in the post. I don’t know if this works on a DD-WRT router (I don’t have one). However, a commenter on Github said it would. Since this is the only script I have released, I’m not sure what you mean with the 3rd question.


  77. HI Jan

    Thanks for the post

    I have a couple of questions

    (1) How do I open the generator script on my Linux box?
    (2) Will this work on a ddwrt router on the clients side instead of a local Linux box?
    (3) Do I add this to your existing script or is this a new script ?


  78. Peter, I was under the assumption that Nintendo didn’t support SNI in the Wii but it may have changed at some point in the past.


  79. Oh and I forgot, thanks so much for the previous guide and this one obviously, I was looking for exactly this when unlocator was no longer free.

  80. Jan, with your previous tutorial I was using the Nintendo Wii just fine with the US netflix, any idea how that’s possible?

Comments are closed.