Watching Disney+ in Asia on Android TV via Clash on the gateway

I've been watching Marvel movies recently on Disney+. I also have a 4K UHD HDR monitor and a MiBox at home, which is capable of handling 4K HDR content! So I thought, why not try playing Disney+ content on that box, since Disney+ has a native Android TV app.

The issue is that, as of now, Disney+ only serves Western customers, and I need to do some tricks in order to play content in Taiwan. Two things are needed: a TCP proxy and the so-called "Smart DNS". In short (and to the best of my knowledge), Smart DNS is basically a DNS proxy. You just need to resolve Disney+ domains through that proxy in order to bypass the regional restrictions.

There is a tremendous number of services that offer both IP proxy and DNS proxy at the same time, often known as "airports" or Shadowsocks services in China. You can find them easily on the Internet. I'm not going to cover that here. I'd recommend Dler Cloud, though! (yes that's a referral link)

You'll need an Ubuntu machine, either physical or a VM, that will act as another gateway on your LAN. We'll run Clash on that, which will help us with DNS and IP proxying. It's a high-performance proxy server that supports rule-based routing and many proxy protocols.

First of all, install some packages and enable IPv4 and IPv6 forwarding.

apt install -y iptables-persistent net-tools curl wget vim
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.conf
sysctl -p

Get Clash for your platform. There are pre-built binaries for various platforms at

wget -O clash.gz
gzip -d clash.gz
chmod +x clash
mv clash /usr/bin
setcap cap_net_bind_service=+ep /usr/bin/clash
clash # this will create ~/.config/clash and an example config

Also get the Web Clash controller.

mv clash-dashboard-gh-pages/ ~/.config/clash/dashboard

Go to the Clash config directory, and download the so-called "subscription" or a managed configuration file from your service provider.

cd ~/.config/clash
wget -O managed-config.yaml
rm config.yaml # delete example config
cp managed-config.yaml config.yaml

Here is an example config for Disney+:

port: 7890 # HTTP proxy port
socks-port: 7891 # SOCKS5 proxy port
redir-port: 7892 # transparent proxy port
allow-lan: true # allow other devices to use Clash
mode: Rule # rule-based routing
log-level: info
external-controller: # for the web service
external-ui: dashboard # the relative path of web controller
ignore-resolve-fail: true
enable: true
ipv6: false
enhanced-mode: fake-ip
- ''
- ''
- ''
- ''
- name: "Azure US"
type: ss
port: 1234
cipher: aes-128-gcm
password: hello
udp: true
plugin: obfs
mode: tls
Proxy Group:
- name: DisneyPlus
type: select
- Azure US
- DOMAIN,,DisneyPlus
- DOMAIN,,DisneyPlus

Regarding the DNS part, we're using fake-ip mode here. Say we're connecting to

In the fake-ip mode, when you ask Clash DNS server for the A record of, it returns a "fake" IP address in the CIDR, say If a packet later sent to the Clash transparent port is destined for, Clash sends the hostname to the remote proxy server, and the real DNS resolution is performed there. This is how we'll do the "Smart DNS".
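A minimal model of the fake-ip behaviour described above, added here as an illustration and not Clash's own code. The pool CIDR, the hostnames and the class and method names are constructed for the example.

```python
# Added illustration of fake-ip DNS; pool CIDR and hostnames are constructed.
import ipaddress


class FakeIPPool:
    """Toy fake-ip resolver: hand out pool addresses and remember the name."""

    def __init__(self, cidr):
        self.network = ipaddress.ip_network(cidr)
        self._hosts = iter(self.network.hosts())  # usable addresses, in order
        self.by_name = {}                         # hostname -> fake IP
        self.by_ip = {}                           # fake IP  -> hostname

    def resolve(self, hostname):
        """Answer an A query locally; no upstream DNS lookup happens here."""
        name = hostname.rstrip(".").lower()
        if name not in self.by_name:
            ip = next(self._hosts, None)
            if ip is None:
                raise RuntimeError("fake-ip pool exhausted")
            self.by_name[name] = ip
            self.by_ip[ip] = name
        return str(self.by_name[name])

    def target_for(self, dst, port):
        """What the transparent port hands to the remote proxy for a packet."""
        ip = ipaddress.ip_address(dst)
        if ip not in self.network:
            return ("ip", str(ip), port)      # real address: forwarded as-is
        name = self.by_ip.get(ip)
        if name is None:
            # Fake address with no mapping, e.g. a client cached the answer
            # across a resolver restart: the hostname cannot be recovered.
            raise LookupError(f"no hostname recorded for fake IP {ip}")
        return ("domain", name, port)         # the proxy resolves it remotely
```

The `LookupError` branch is the failure mode to expect when a client keeps a cached fake address after the resolver has lost its table.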

The rest of the configuration above is pretty self-explanatory. Here's unofficial English documentation for Clash, should you have any issues:

The last step is setting up iptables rules.


# Set up fake DNS server at that redirect all packets
# on port 53 to Clash DNS
iptables -t nat -N clash_dns

iptables -t nat -A PREROUTING -p tcp --dport 53 -d -j clash_dns
iptables -t nat -A PREROUTING -p udp --dport 53 -d -j clash_dns

iptables -t nat -A clash_dns -p udp --dport 53 -d -j DNAT --to-destination
iptables -t nat -A clash_dns -p tcp --dport 53 -d -j DNAT --to-destination

# Also hijack any packets to to Clash DNS
# since Chromecast or some Google Apps force using to resolve IPs
iptables -t nat -A clash_dns -p udp --dport 53 -d -j DNAT --to-destination
iptables -t nat -A clash_dns -p tcp --dport 53 -d -j DNAT --to-destination

# Clash IP proxy
iptables -t nat -N clash

iptables -t nat -A clash -d -j RETURN
iptables -t nat -A clash -d -j RETURN
iptables -t nat -A clash -d -j RETURN
iptables -t nat -A clash -d -j RETURN
iptables -t nat -A clash -d -j RETURN
iptables -t nat -A clash -d -j RETURN
iptables -t nat -A clash -d -j RETURN
iptables -t nat -A clash -d -j RETURN

iptables -t nat -A clash -p tcp -j REDIRECT --to-ports 7892

iptables -t nat -A PREROUTING -p tcp -j clash
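A check for the `clash` chain above, added as an example and not part of the original post: it walks the chain in rule order to confirm that destinations meant to bypass the proxy hit a RETURN before the REDIRECT, and that the REDIRECT port matches `redir-port`. The `iptables-save` excerpt, its CIDRs and the function names are constructed; protocol matches are ignored because only TCP is jumped into the chain.

```python
# Added example: the iptables-save excerpt and its CIDRs are constructed samples.
import ipaddress
import shlex

SAMPLE_NAT = """\
*nat
:clash - [0:0]
-A PREROUTING -p tcp -j clash
-A clash -d 127.0.0.0/8 -j RETURN
-A clash -d 192.168.0.0/16 -j RETURN
-A clash -p tcp -j REDIRECT --to-ports 7892
COMMIT
"""


def _opt(tok, flag):
    return tok[tok.index(flag) + 1] if flag in tok else None

def chain_rules(save_text, chain):
    """Parse `-A <chain>` lines into (dst_network, target, to_port), in order."""
    rules = []
    for line in save_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", chain]:
            continue
        dst, port = _opt(tok, "-d"), _opt(tok, "--to-ports")
        net = ipaddress.ip_network(dst, strict=False) if dst else None
        rules.append((net, _opt(tok, "-j"), int(port) if port else None))
    return rules

def verdict(rules, dst_ip):
    """Walk the chain top-down; the first matching RETURN or REDIRECT decides."""
    ip = ipaddress.ip_address(dst_ip)
    for net, target, port in rules:
        if net is not None and ip not in net:
            continue
        if target == "RETURN":
            return ("bypass", None)
        if target == "REDIRECT":
            return ("redirect", port)
    return ("bypass", None)  # fell off the end of the chain

def audit(save_text, chain, must_bypass, redir_port):
    """Report destinations that would be proxied and REDIRECT port mismatches."""
    rules = chain_rules(save_text, chain)
    problems = [f"{ip} is redirected to the proxy" for ip in must_bypass
                if verdict(rules, ip)[0] == "redirect"]
    ports = {p for _, t, p in rules if t == "REDIRECT"}
    if ports != {redir_port}:
        problems.append(f"REDIRECT ports {sorted(ports)} != redir-port {redir_port}")
    return problems
```

On the gateway, feed it the output of `iptables-save -t nat` and list the gateway's own address and LAN hosts in `must_bypass`.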

At this point, run clash and our gateway should be ready to go. On your Android TV, set up a static IP for Internet access. Set the gateway IP to your Ubuntu machine's IP address. For DNS, set for DNS 1, leave DNS 2 empty.

Now open Disney+, and you should be able to enjoy the movies! But we're not done yet. We need to make Clash a service. Kill Clash first, and then create the service:

vim /etc/systemd/system/clash.service

For the content:


[Service]
ExecStart=/usr/bin/clash -d /root/.config/clash/

[Install]
WantedBy=multi-user.target


Then enable the service, which makes Clash run at startup. And finally launch Clash.

systemctl enable clash.service
systemctl start clash.service

If you want to access the web control interface, go to http://GATEWAY_IP:9090/ui. You can see logs and switch proxies there.