Exploring Netflix’s Proxy Detection

Last updated 2019-08-01

A map of the world with all countries shaded red except China, North Korea, and Syria

While I was living in China, Netflix called a press conference and announced “Netflix Everywhere”. Unfortunately, “everywhere” did not include China. At the same time, Netflix rolled out a proxy/VPN detection system that blocked users originating from anything other than a normal ISP in a non-blocked country.

The Great Firewall blocks mainland Chinese IPs from accessing many foreign services, such as Google, YouTube, Netflix, Twitter, Facebook, and Dropbox. Expats in China regularly use VPNs to circumvent this, but this new Netflix policy effectively shut out expats from Netflix.

Circumvention Attempts

Personal VPN on a cloud provider

I tried routing all my traffic through a VM on several different cloud providers, including GCP, AWS, Digital Ocean, and Linode. Netflix was able to detect all of these as a VPN and blocked access.

Personal VPN on a Residential ISP

This worked.

My current configuration is:

  • Raspberry Pi at a US residential address, running a Wireguard server and a DNS server.
  • A router that runs Wireguard (I use Ubiquiti Edge Router Lite with the vyatta-wireguard package installed).
  • A policy-based routing rule that forwards traffic from my Chromecast to the Raspberry Pi.
  • A Wireguard client on a mobile that I turn on when I want to launch Netflix on the Chromecast.

Because all the traffic, including DNS, goes through the US residential IP, Netflix does not detect this traffic as coming through a VPN.