@ndzn
Last active March 1, 2025 11:59

cobalt Docker with Cloudflare Warp networking

Warning

Disclaimer: This is very experimental. Use at your own risk. (for cloudflare and google to not get mad)

Step 1

  1. Download the latest release of wgcf.
  2. Generate a Cloudflare Warp account and Wireguard config.
  3. Save the credentials.
These can seemingly be reused; not sure what the hard limit is.

Step 2

  1. Add the Gluetun container to your Docker stack for Wireguard. More info here.

  2. Populate environment variables for Wireguard with the generated Warp config.

  3. Example modified cobalt Compose + Gluetun service with cobalt specifics (Modify to your needs):

    cobalt-api:
        image: ghcr.io/imputnet/cobalt:10
        restart: unless-stopped
        container_name: cobalt-api
        read_only: true
        # Add cobalt to gluetun networking
        network_mode: "service:gluetun"
        init: true
        # Port exposure not here because Gluetun handles port exposure
        environment:
            API_URL: ${API_URL}
            TURNSTILE_SITEKEY: ${TURNSTILE_SITEKEY}
            TURNSTILE_SECRET: ${TURNSTILE_SECRET}
            DURATION_LIMIT: ${DURATION_LIMIT}
            JWT_SECRET: ${JWT_SECRET}
        labels:
            - com.centurylinklabs.watchtower.scope=cobalt
        # can remove if causes issues
        depends_on:
            gluetun:
                condition: service_healthy
                restart: true
    
    gluetun:
        image: qmcgaw/gluetun
        container_name: gluetun
        cap_add:
          - NET_ADMIN
        environment:
          - VPN_SERVICE_PROVIDER=custom
          - VPN_TYPE=wireguard
          - WIREGUARD_ENDPOINT_IP=${WIREGUARD_ENDPOINT_IP} # For the endpoint, using the A record of engage.cloudflareclient.com worked for me (currently 162.159.192.1)
          - WIREGUARD_ENDPOINT_PORT=${WIREGUARD_ENDPOINT_PORT}
          - WIREGUARD_PUBLIC_KEY=${WIREGUARD_PUBLIC_KEY}
          - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
          - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES} # Using 172.16.0.2/32 from the warp config worked for me
        ports:
          - 9000:9000/tcp # For cobalt port forwarding, see https://github.com/qdm12/gluetun-wiki/blob/main/setup/port-mapping.md
        
        # can remove if causes issues
        healthcheck:
          test: ["CMD", "nc", "-z", "127.0.0.1", "9999"]
          interval: 30s
          timeout: 10s
          retries: 3
          start_period: 30s
  4. tldr:

    • Add network_mode: "service:gluetun" to the cobalt service.
    • Remove Docker port handling from cobalt.
    • Add the Gluetun service with the Wireguard custom provider type.
    • Add environment variables from the generated cf warp Wireguard config.
    • Add cobalt-specific Docker port exposure to Gluetun.
    • cobalt should then get a geolocated Cloudflare IP near the server.
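
One way to carry out item 2 of Step 2, as an added example that is not part of the original gist: parse the WireGuard profile generated in Step 1 and produce the five WIREGUARD_* variables the Compose file above expects. The function names, the sample profile and its placeholder keys are assumptions constructed for illustration.

```python
import ipaddress
import os
import socket

# Constructed sample in WireGuard's INI layout; the keys are placeholders, not real credentials.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 172.16.0.2/32
Address = 2001:db8::2/128
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY=
Endpoint = engage.cloudflareclient.com:2408
"""

def parse_wg(text):
    """Return {section: {key: [values]}}; keys such as Address may repeat."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].lower(), {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            section.setdefault(key.lower(), []).extend(v.strip() for v in value.split(","))
    return conf

def gluetun_env(text, resolve=socket.gethostbyname):
    """Map a WireGuard profile to Gluetun's WIREGUARD_* variables (IPv4 address only)."""
    conf = parse_wg(text)
    host, _, port = conf["peer"]["endpoint"][0].rpartition(":")
    try:
        ipaddress.ip_address(host)   # endpoint is already an IP literal
    except ValueError:
        host = resolve(host)         # otherwise use the A record, as the gist does
    v4 = [a for a in conf["interface"]["address"] if ipaddress.ip_interface(a).version == 4]
    return {
        "WIREGUARD_ENDPOINT_IP": host,
        "WIREGUARD_ENDPOINT_PORT": port,
        "WIREGUARD_PUBLIC_KEY": conf["peer"]["publickey"][0],
        "WIREGUARD_PRIVATE_KEY": conf["interface"]["privatekey"][0],
        "WIREGUARD_ADDRESSES": ",".join(v4),
    }

def write_env(env, path):
    """Create the file with mode 0600 and never overwrite: it holds the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.writelines(f"{k}={v}\n" for k, v in env.items())
```

Call `gluetun_env()` on the text of the profile generated in Step 1, then merge the written file into the `.env` that Compose reads and keep it out of version control.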

Notes/Quirks

  • IPv6-only connectivity doesn't seem to work with my testing :(
  • If Gluetun is restarted after cobalt is running, cobalt will also need to be restarted for port exposure to work again.