Skip to content

Instantly share code, notes, and snippets.

@daemonhorn

daemonhorn/Cloudflare-WARP_Wireguard.md

Last active November 10, 2025 10:31
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save daemonhorn/7e1886a10d0b2e63a4604f02bc937a93 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save daemonhorn/7e1886a10d0b2e63a4604f02bc937a93 to your computer and use it in GitHub Desktop.
Download ZIP
Cloudflare WARP tunnel via Wireguard client
Raw
Cloudflare-WARP_Wireguard.md

Cloudflare WARP tunnel via Wireguard client

This example provides a simple configuration for a Debian client to have a Cloudflare tunnel while not installing the official Cloudflare WARP client. Note: Tunnel transport outbound to engage.cloudlflare.com on udp/2408 is default, with a dynamic listening udp port and a fwmark for packet matching by wireguard. Any applicable firewall rules may need to be adjusted.

Install dependancies

sudo apt install openresolv wireguard-tools golang git

Get the latest client from Github and build using go

git clone https://github.com/ViRb3/wgcf.git
cd wgcf
go build -buildvcs=false

Register new endpoint account and generate Wireguard configuration

  1. Create a registration record using Cloudflare API and save account to file:wgcf-account.toml
./wgcf register
  1. Generate a generic wireguard configuration file:wgcf-profile.conf from the registration file
./wgcf generate
  1. Setup ipv4/ipv6 static routes as needed for ensuring services you want to be reachable outside the tunnel (e.g. ssh) go via the non-CF network path
  • This needs to point to the existing gateway (gw) and interface to ensure clarity of network path
  route add -host 151.200.27.234 gw 64.176.70.1 dev enp1s0
  route -6 add 2001:db8:4005:f800::/56 gw fe80::fc00:4ff:fedc:c302 dev enp1s0

Initiate Wireguard tunnel connection using wg-quick

wg-quick up ./wgcf-profile.conf

Validate that WARP tunnel is working

Check the ipv4/ipv6 routes defined after the network is up

netstat -rn46

Check the output of the wgcf trace command and make sure that warp=on is in output

./wgcf trace

Check wireguard status and active configuration

wg show
ifconfig wgcf-profile

Check ip address using curl (for both IPv6 and IPv4)

curl -6 https://ipconfig.io
curl -4 https://ipconfig.io

Check cdn trace using curl (for both IPv6 and IPv4) similar to ./wgcf trace

curl -6 https://www.cloudflare.com/cdn-cgi/trace/
curl -4 https://www.cloudflare.com/cdn-cgi/trace/

Optional

  • Adjust MTU to 1460 instead of 1280 in wgcf-profile.conf for better performance (in non-degraded MTU environments)
  • Adjust Address = configuration to remove either ipv4 or ipv6 transport lines (if not needed) for outside the tunnel
  • Adjust AllowedIPs = configuration if default route(/0) is not needed
@daemonhorn
Copy link
Author

daemonhorn commented Sep 13, 2024

is it possible to excluding SMTP port to be proxy in wireguard ?

Easiest way to exclude something is by adding a more specific route for that endpoint, but you can also do fancy things to perform specific tcp port redirects using either iptables or standalone utilities like netcat just for the SMTP port. Wireguard supports both PreUp and PostUp configurations directly in the wireguard wg-quick(8) config file. See:

@shiwildy
Copy link

shiwildy commented Sep 13, 2024

do you have example ?
i have try ip rule but its fail

@shiwildy
Copy link

shiwildy commented Sep 13, 2024

my config
[Interface]
PrivateKey = myprivatekey
Address = address
MTU = 1400

PostUp = ip -4 rule add from myserverip lookup main
PostDown = ip -4 rule delete from myserverip lookup main

Table = 1234
PostUp = ip rule add ipproto tcp dport 25 table 1234
PreDown = ip rule delete ipproto tcp dport 25 table 1234

[Peer]
PublicKey = bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myendpoint

@shiwildy
Copy link

shiwildy commented Sep 13, 2024

i can access to vps [incoming]
but in the vps i access out to 25 [ outgoing has blocked by vpn vendor ]

so i want to exclude port 25 to being proxy in outgoing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment