@daemonhorn
Last active February 27, 2025 00:40
Cloudflare WARP tunnel via Wireguard client

This example provides a simple configuration for a Debian client to use a Cloudflare WARP tunnel without installing the official Cloudflare WARP client. Note: by default the tunnel transport is outbound to engage.cloudflareclient.com on udp/2408, from a dynamically chosen local udp port, with an fwmark that wireguard uses for packet matching. Any applicable firewall rules may need to be adjusted accordingly.

Install dependencies

sudo apt install openresolv wireguard-tools golang git

Get the latest client from Github and build using go

git clone https://github.com/ViRb3/wgcf.git
cd wgcf
go build -buildvcs=false

Register new endpoint account and generate Wireguard configuration

  1. Create a registration record using the Cloudflare API and save the account to the file wgcf-account.toml:
     ./wgcf register
  2. Generate a generic wireguard configuration file, wgcf-profile.conf, from the registration file:
     ./wgcf generate
  3. Set up ipv4/ipv6 static routes as needed so that services you want to remain reachable outside the tunnel (e.g. ssh) go via the non-CF network path
     • These need to point at the existing gateway (gw) and interface so the network path is unambiguous
     route add -host 151.200.27.234 gw 64.176.70.1 dev enp1s0
     route -6 add 2001:db8:4005:f800::/56 gw fe80::fc00:4ff:fedc:c302 dev enp1s0

Initiate Wireguard tunnel connection using wg-quick

wg-quick up ./wgcf-profile.conf

Validate that WARP tunnel is working

Check the ipv4/ipv6 routes defined after the network is up

netstat -rn46

Check the output of the wgcf trace command and make sure that warp=on appears in the output

./wgcf trace

Check wireguard status and active configuration

wg show
ifconfig wgcf-profile

Check ip address using curl (for both IPv6 and IPv4)

curl -6 https://ipconfig.io
curl -4 https://ipconfig.io

Check the CDN trace using curl (for both IPv6 and IPv4); this returns the same fields as ./wgcf trace

curl -6 https://www.cloudflare.com/cdn-cgi/trace/
curl -4 https://www.cloudflare.com/cdn-cgi/trace/
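The checks above only work if someone actually reads the trace output. The script below is an added example (not part of the gist and not wgcf's code) that parses the key=value lines returned by https://www.cloudflare.com/cdn-cgi/trace/ (the same format ./wgcf trace prints) and fails loudly when warp is not on for a given IP family, which is the case that matters: traffic is then leaving via your real address, not the tunnel. The two sample trace texts are constructed (documentation IP ranges, made-up field values); the live check assumes curl is installed, as the gist already does.

```shell
#!/bin/sh
# Added example: validate Cloudflare cdn-cgi/trace output for warp=on.
# Not from the gist or from wgcf; sample trace texts below are constructed.

# Constructed sample of a trace fetched through the WARP tunnel (documentation IPv6 prefix).
SAMPLE_TRACE_ON='h=www.cloudflare.com
ip=2001:db8:abcd::1
colo=IAD
warp=on
gateway=off'

# Constructed sample of a trace fetched outside the tunnel (documentation IPv4 range).
SAMPLE_TRACE_OFF='h=www.cloudflare.com
ip=198.51.100.7
colo=IAD
warp=off
gateway=off'

# trace_field <key>: read trace text on stdin, print the value of <key> (empty if absent)
trace_field() {
    sed -n "s/^$1=//p" | head -n 1
}

# warp_active: read trace text on stdin; succeed only when warp=on (or warp=plus, the paid tier)
warp_active() {
    case "$(trace_field warp)" in
        on|plus) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_family <4|6>: fetch the live trace over one IP family and report the result.
# Exit 0 = WARP on, 1 = WARP off (egress is NOT going through the tunnel), 2 = fetch failed.
check_family() {
    fam="$1"
    trace=$(curl -s -"$fam" --max-time 10 https://www.cloudflare.com/cdn-cgi/trace/) || {
        echo "IPv$fam: trace fetch failed (no connectivity over this family?)"
        return 2
    }
    egress=$(printf '%s\n' "$trace" | trace_field ip)
    if printf '%s\n' "$trace" | warp_active; then
        echo "IPv$fam: warp=on via colo $(printf '%s\n' "$trace" | trace_field colo), egress ip $egress"
    else
        echo "IPv$fam: WARP NOT ACTIVE, egress ip $egress is your real address"
        return 1
    fi
}

# Run the live check only when asked (./check-warp.sh --live), so the file can
# also be sourced for its functions without touching the network.
if [ "${1:-}" = "--live" ]; then
    check_family 4; rc4=$?
    check_family 6; rc6=$?
    [ "$rc4" -eq 0 ] && [ "$rc6" -eq 0 ]
fi
```

Run it as `sh check-warp.sh --live` after `wg-quick up`; a non-zero exit for either family means that family is bypassing the tunnel (typically because the matching Address/AllowedIPs line was removed, or the host has no native connectivity for that family).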

Optional

  • Adjust MTU to 1460 instead of 1280 in wgcf-profile.conf for better performance (in environments where path MTU is not degraded)
  • Adjust the Address = configuration to remove either the ipv4 or the ipv6 line if that transport is not needed outside the tunnel
  • Adjust the AllowedIPs = configuration if the default route (/0) is not needed
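Step 3 of the setup (the manual route commands) and the MTU adjustment above are both edits that have to be redone whenever the profile is regenerated or the tunnel is restarted, and a forgotten bypass route is how you lock yourself out of ssh. The script below is an added example, not part of the gist and not wgcf's code: it post-processes a wgcf-profile.conf, setting the MTU and adding PostUp/PreDown hooks (wg-quick's own hook keys, which must sit in the [Interface] section) that install and remove the bypass route with `ip route`. The host, gateway and interface values reused here are the gist's; the sample profile it writes is constructed, with placeholder keys.

```shell
#!/bin/sh
# Added example: post-process a wgcf-generated profile so that the MTU and the
# bypass route for out-of-tunnel services are part of the config itself.
# Not from the gist or from wgcf. Sample profile below is constructed.

# write_sample_profile <path>: write a constructed profile in wgcf's layout (keys are placeholders)
write_sample_profile() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_PRIVATE_KEY_PLACEHOLDER=
Address = 172.16.0.2/32
Address = 2001:db8::2/128
DNS = 1.1.1.1
MTU = 1280

[Peer]
PublicKey = CONSTRUCTED_PEER_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = engage.cloudflareclient.com:2408
EOF
}

# profile_get <file> <key>: print the first value of <key> in an INI-style wg profile
profile_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# adjust_profile <in> <out> <mtu> <prefix> <gw> <dev>
#   - replaces the MTU line (or adds one if the profile has none)
#   - adds PostUp/PreDown hooks that pin <prefix> to the native path via <gw> on <dev>
# Hooks are emitted just before [Peer] so they land inside [Interface], as wg-quick requires.
# Run it again on its own output to add a second prefix (e.g. an IPv6 range).
adjust_profile() {
    in="$1"; out="$2"; mtu="$3"; pfx="$4"; gw="$5"; dev="$6"
    awk -v mtu="$mtu" -v pfx="$pfx" -v gw="$gw" -v dev="$dev" '
        /^MTU[[:space:]]*=/ { print "MTU = " mtu; seen_mtu = 1; next }
        /^\[Peer\]/ {
            if (!seen_mtu) print "MTU = " mtu
            print "PostUp = ip route add " pfx " via " gw " dev " dev
            print "PreDown = ip route del " pfx " via " gw " dev " dev
            print ""
        }
        { print }
    ' "$in" > "$out"
}

# Example run (gist values): ssh host pinned to the native gateway, MTU raised to 1460.
# Executed only when asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--demo" ]; then
    write_sample_profile ./wgcf-profile.sample.conf
    adjust_profile ./wgcf-profile.sample.conf ./wgcf-profile.adjusted.conf \
        1460 151.200.27.234/32 64.176.70.1 enp1s0
    cat ./wgcf-profile.adjusted.conf
fi
```

Why a plain `ip route add` in the main table is enough: with AllowedIPs = 0.0.0.0/0 wg-quick does not replace the default route; it adds a policy rule that consults the main table first with `suppress_prefixlength 0`, so any more specific route there (the /32 or the /56) wins over the tunnel's default, which is also why the gist's manual `route add` works. The PreDown hook removes the route again so a later profile or gateway change does not leave a stale entry behind.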
@shiwildy

I can access the VPS [incoming]
but from the VPS, outgoing access to port 25 [outgoing has been blocked by the VPN vendor]

so I want to exclude port 25 from being proxied in outgoing
