Skip to main content

Virtual Setup Guide

SPR can run its services in a network namespace and expose Wireguard or DNS as services. This is helpful for running SPR in the cloud as a personal VPN, for example.

Cloud specific setups

If you plan to host SPR in the cloud check out the vendor-specific guides:

Quick Setup

sudo bash -c "$(curl -fsSL"

This will download the SPR repository and run The script will install dependencies, start all the containers and add one peer that can connect to the VPN. See the next section for a walkthrough of the script.

If you want to add another device, just run the setup script again:

cd super
sudo ./

Next setup a client to connect to SPR over VPN.

Host network configuration

Your source ip address need to be able to access the host running spr on port 51280/udp. For setup in the cloud, see the blog specific vendor guides for network configuration:

Manual configuration

What you need

  • A linux server running Ubuntu 22.04
  • If there is a firewall port 51280/udp needs to be open for incoming traffic
  • WireGuard (© Jason A. Donenfeld) installed on your client phone or desktop

Clone the super repository

git clone

Run install script

Note: if you prefer to do this manually, skip this section and continue with the manual setup.

Install all dependencies and start the containers but skip adding a vpn peer:


To see exactly what the script does either check the source or see here.

The services should now run and you can continue by signing in to the web ui.

Manual setup

Install dependencies

apt install -y curl git docker docker-compose jq qrencode iproute2 wireguard-tools

Note: docker compose install might differ depending on ubuntu release.


  1. Populate the configuration directory
cd super
cp -R base/template_configs/ configs/
  1. Enable virtual config in configs/base/
cp configs/base/ configs/base/

Example configuration:

  1. Set an api username and password for the web UI
echo "{\"admin\" : \"your password goes here\"}" > configs/auth/auth_users.json

Start the SPR Services

docker compose -f docker-compose-virt.yml up -d

Note: On MacOS you may need to modify docker-compose-virt.yml to disable the journald driver and enable the json-file driver instead.

Optional Copy the virtual config for easier control of the docker containers:

cp docker-compose-virt.yml docker-compose.yml

Now you can run docker compose restart in the super directory to restart all the containers.

Sign in to the Web UI

The API is setup to listen on localhost:8000 on the host. To access the service from your local machine, forward port 8000 using ssh:

ssh $HOST -N -L 8000:

Navigate to http://localhost:8000/

Sign in with the username and password assigned in step 3 of the configuration.

Add a VPN peer

In the SPR web UI, navigate to VPN and click Add peer, enable the lan group if you want to be able to connect to the admin interface over VPN.

Click Save and download the client config or scan the QR Code on your phone with the official WireGuard (© Jason A. Donenfeld) client.

Note SPR exposes port 51280 over UDP (see $WIREGUARD_PORT in on the host. If a firewall is present you will need to allow access to this port. Check the documentation for your hosting provider on how to do this.

Configure the VPN client on your device

Install WireGuard (© Jason A. Donenfeld):

apt install wireguard for ubuntu. Official clients for Windows, macOS, iOS, Android.

For iOS and Android

Scan the QR Code in the official WireGuard App (iOS, Android) to import your VPN profile.

Linux, macOS and Windows

Click "Add empty tunnel..." paste the config and set a name for the tunnel. Or, if you saved the config to a file:

  • Open your WireGuard client and click "Import tunnel(s) from file"
  • Select the wg.conf file
  • Click Activate

Admin interface

Make sure you're connected to the VPN endpoint & browse to to access the admin interface.

Login using the credentials shown in the output from the script or if you set the password manually (NOTE you can check the login info by running SKIP_VPN=1 ./

If you prefer to use curl:

$ curl -s -H "Authorization: Bearer $TOKEN"

Checkout the documentation to get started using the SPR API.

Modify Blocklists

In the admin interface you can enable more blocklists by clicking Blocklists/Ad-block under DNS:

SPR comes bundled with the hosts file from and the blocklists from the repository, including: redirect, ads, facebook, twitter, malware, porn, redirect, tracking, youtube, everything

If something is missing you can always add custom blocklists or block specific domains.

View traffic

Navigate to DNS Log in the DNS category, select the client to get a log of domains:

Here you can also add more blocks, domain overrides if you want to allow something temporarily, delete logs or disable them completely under Settings.

It is also possible to get more detail traffic for connections under Traffic:

Outro and random notes

You can remove lan from your device groups for a device but its needed to access the admin interface.

SPR is configured to use DNS over HTTPs when resolving domains. You can modify the Coredns configuration in the ui by navigating to DNS -> DNS Settings or by editing configs/dns/Corefile.

Virtual SPR Install Script info

Virtual SPR Install Script info

Run Virtual Installer

sudo bash -c "$(curl -fsSL"

What the script does

  • downloads the latest SPR repository from
  • downloads prebuilt docker images
  • generate default configs
  • setup admin password and auth token for API access
  • start SPR
  • add a VPN peer and output the WireGuard config

You can also download the script if you want to check it out or add blocklists for ads:

curl -s -O
chmod +x
sudo DNS_BLOCK=hosts,ads,tracking,redirects ./

See here for available blocklists.

Example to block DNS requests to adservers and social media:

sudo DNS_BLOCK=ads,tracking,facebook,tiktok ./

If you want to change the admin password you can edit the file configs/base/auth_users.json

Running the script you should see login info, a QR Code & the WireGuard client config. Example:

[+] WireGuard config: (save this as wg.conf & import in client)

PrivateKey = privkey
Address =

PublicKey = pubkey
AllowedIPs =, ::/0
Endpoint =
PersistentKeepalive = 25
PresharedKey = psk

If you want to connect to the VPN using a desktop client, save the config as wg.conf on your local computer.

Example to install all dependencies and start the containers but skip vpn setup: