shikantazacomputers.github.io

Xray server with Cloudflare WARP outbound

This configuration is for scenarios where you want to reach destination websites from a Cloudflare IP address, rather than from your Xray server's IP address.

Prepare server

Update the installed packages and make sure curl is available:

apt update && apt upgrade -y && apt autoremove -y

apt install curl -y

Generate Cloudflare WARP profile

Download wgcf, an unofficial command-line interface for Cloudflare WARP. You can find precompiled binaries on the releases page at https://github.com/ViRb3/wgcf/releases. For example, for version 2.2.23:

curl -L https://github.com/ViRb3/wgcf/releases/download/v2.2.23/wgcf_2.2.23_linux_amd64 -o wgcf

chmod +x wgcf

Register with Cloudflare WARP:

./wgcf register

Press Enter to agree to the Cloudflare terms of service.

The new account information is saved in a file named wgcf-account.toml. To generate your WireGuard profile, run the following command:

./wgcf generate

The WireGuard profile is saved in a file named wgcf-profile.conf. It contains the private key for your WARP account, so treat the file as a secret. Display the WireGuard profile:

cat wgcf-profile.conf

Sample output:

[Interface]
PrivateKey = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Address = 172.16.0.2/32, 2606:4700:1111:2222:3333:4444:5555:6666/128
DNS = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
MTU = 1280
[Peer]
PublicKey = bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = engage.cloudflareclient.com:2408

Install Xray on server

Install Xray-core:

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install

Generate parameters for Xray

Generate a UUID:

xray uuid

Sample output:

283b0027-3453-476b-b96d-1628f994725b

Generate a public-private key pair:

xray x25519

Sample output:

Private key: gLmwCbRIfGthe87Rn1Q5KmN0rZs38jyHBF6CHANKOC0
Public key: jFq9ARuj5zWfAzNVl_XjMYieW0aaLgdN8KnWXhfiFTk

Generate a shortId:

openssl rand -hex 8

Sample output:

df6a0b7349299d01

Configure Xray on server

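Edit /usr/local/etc/xray/config.json using the example below as a model. Configure the VLESS inbound using your generated parameters (UUID, private key, and shortId). Configure the WireGuard outbound using the Cloudflare WARP parameters from wgcf-profile.conf: PrivateKey goes in secretKey, Address in address, and the peer's PublicKey and Endpoint in publicKey and endpoint. The WireGuard outbound is listed first, so Xray uses it as the default outbound for all traffic that no routing rule sends elsewhere.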

{
    "log": {
        "loglevel": "debug"
    },
    "routing": {
        "domainStrategy": "IPIfNonMatch",
        "rules": [
            {
                "type": "field",
                "ip": ["geoip:private"],
                "outboundTag": "block"
            }
        ]
    },
    "inbounds": [
        {
            "port": 443, 
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "283b0027-3453-476b-b96d-1628f994725b", 
                        "flow": "xtls-rprx-vision"
                    }
                ],
                "decryption": "none"
            },
            "streamSettings": {
                "network": "tcp",
                "security": "reality",
                "realitySettings": {
                    "dest": "www.speedtest.net:443", 
                    "serverNames": [
                        "www.speedtest.net"    
                    ],
                    "privateKey": "gLmwCbRIfGthe87Rn1Q5KmN0rZs38jyHBF6CHANKOC0",
                    "shortIds": [
                        "df6a0b7349299d01" 
                    ]
                }
            },
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls",
                    "quic"
                ],
                "routeOnly": true
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "wireguard",
            "settings": {
                "secretKey": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 
                "address": [
                    "172.16.0.2/32",
                    "2606:4700:1111:2222:3333:4444:5555:6666/128" 
                ],
                "peers": [
                    {
                        "publicKey": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
                        "allowedIPs": [
                            "0.0.0.0/0",
                            "::/0"
                        ],
                        "endpoint": "engage.cloudflareclient.com:2408"
                    }
                ],
                "reserved":[0, 0, 0],
                "mtu": 1280
            },
            "tag": "wireguard"
        },
        {
            "protocol": "blackhole",
            "tag": "block"
        }
    ]
}
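The WireGuard outbound above can be generated from wgcf-profile.conf instead of copied by hand. The following is an added example, not part of the original page or of the wgcf or Xray projects; the function names and the placeholder keys are assumptions, and the parser accepts both the comma-separated Address line shown above and a profile that repeats the Address key on separate lines.

```python
import json

# Constructed sample in the shape of wgcf-profile.conf; keys are placeholders, not real keys.
SAMPLE_PROFILE = """\
[Interface]
PrivateKey = CONSTRUCTED-PRIVATE-KEY-PLACEHOLDER=
Address = 172.16.0.2/32
Address = 2606:4700:1111:2222:3333:4444:5555:6666/128
MTU = 1280
[Peer]
PublicKey = CONSTRUCTED-PUBLIC-KEY-PLACEHOLDER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = engage.cloudflareclient.com:2408
"""

def parse_profile(text):
    """Return {section: {key: [values]}}; repeated keys and comma lists both accumulate."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # first "=" only: base64 keys end in "="
            current.setdefault(key.strip(), []).extend(
                v.strip() for v in value.split(",") if v.strip())
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections

def warp_outbound(profile_text, tag="wireguard"):
    """Build the Xray WireGuard outbound object in the layout of the server config above."""
    prof = parse_profile(profile_text)
    iface, peer = prof["Interface"], prof["Peer"]
    return {
        "protocol": "wireguard", "tag": tag,
        "settings": {
            "secretKey": iface["PrivateKey"][0],
            "address": iface["Address"],
            "peers": [{"publicKey": peer["PublicKey"][0], "allowedIPs": peer["AllowedIPs"],
                       "endpoint": peer["Endpoint"][0]}],
            "reserved": [0, 0, 0],  # same value as the page's config
            "mtu": int(iface["MTU"][0]),
        },
    }

if __name__ == "__main__":
    print(json.dumps(warp_outbound(SAMPLE_PROFILE), indent=4))
```

The DNS line of the profile is ignored on purpose, because the server configuration above does not use it.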

Restart Xray server

Restart Xray with your new configuration:

systemctl restart xray

systemctl status xray

Configure Xray client

You can use any CLI or GUI client, provided your Xray client configuration matches your Xray server configuration. For example, if you use the Xray-core binary directly, then create a file config.json in the same folder as the binary using this template as a model:

{
    "log": {
        "loglevel": "warning"
    },
    "routing": {
        "rules": [
            {
                "ip": [
                    "geoip:private"
                ],
                "outboundTag": "direct"
            }
        ]
    },
    "inbounds": [
        {
            "listen": "127.0.0.1",
            "port": 10808,
            "protocol": "socks"
        },
        {
            "listen": "127.0.0.1",
            "port": 10809,
            "protocol": "http"
        }
    ],
    "outbounds": [
        {
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                        "address": "YOUR.SERVER.IP.ADDRESS",
                        "port": 443,
                        "users": [
                            {
                                "id": "283b0027-3453-476b-b96d-1628f994725b", 
                                "encryption": "none",
                                "flow": "xtls-rprx-vision"
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "reality",
                "realitySettings": {
                    "fingerprint": "chrome",
                    "serverName": "www.speedtest.net", 
                    "publicKey": "jFq9ARuj5zWfAzNVl_XjMYieW0aaLgdN8KnWXhfiFTk", 
                    "shortId": "df6a0b7349299d01"
                }
            },
            "tag": "proxy"
        },
        {
            "protocol": "freedom",
            "tag": "direct"
        }
    ]
}
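A mismatch between the client and server REALITY parameters is the usual reason a connection fails, so it helps to check the two files against each other. The following is an added example, not part of the original page or of Xray; the function names are hypothetical, it assumes the VLESS inbound and the proxy outbound are the first entries in their lists (as in the configurations above), and it assumes keys are encoded as unpadded URL-safe base64 like the xray x25519 sample output. The public key is derived from the server's private key with X25519 as specified in RFC 7748.

```python
import base64

P = 2**255 - 19  # Curve25519 field prime

def x25519_public(private: bytes) -> bytes:
    """RFC 7748 X25519 on base point u=9. Not constant-time: for config checks only."""
    k = int.from_bytes(private, "little") & ~7 & ~(1 << 255) | (1 << 254)  # clamp
    x1, x2, z2, x3, z3 = 9, 1, 0, 9, 1
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
        if bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_from_private(private_b64: str) -> str:
    """Derive the unpadded URL-safe base64 public key from a private key in that encoding."""
    raw = base64.urlsafe_b64decode(private_b64 + "=" * (-len(private_b64) % 4))
    return base64.urlsafe_b64encode(x25519_public(raw)).rstrip(b"=").decode()

def check_pair(server: dict, client: dict) -> list:
    """List the fields on which client outbound 0 disagrees with server inbound 0."""
    inb, out = server["inbounds"][0], client["outbounds"][0]
    srv = inb["streamSettings"]["realitySettings"]
    cli = out["streamSettings"]["realitySettings"]
    hop = out["settings"]["vnext"][0]
    user = hop["users"][0]
    checks = {
        "port": hop["port"] == inb["port"],
        "id/flow": any(c["id"] == user["id"] and c.get("flow") == user.get("flow")
                       for c in inb["settings"]["clients"]),
        "serverName": cli["serverName"] in srv["serverNames"],
        "shortId": cli["shortId"] in srv["shortIds"],
        "publicKey": cli["publicKey"] == public_from_private(srv["privateKey"]),
    }
    return [name for name, ok in checks.items() if not ok]

if __name__ == "__main__":
    import json, sys
    if len(sys.argv) == 3:  # usage: python check.py server.json client.json
        srv_cfg, cli_cfg = (json.load(open(p)) for p in sys.argv[1:3])
        print(check_pair(srv_cfg, cli_cfg) or "client matches server")
```

Run it on the server, where the private key already lives, against a copy of the client file.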

Run Xray client

Run the Xray client with this configuration. For example, if you use the Xray-core binary on Windows:

cd Xray-windows-64

xray.exe -c config.json

Configure client to use proxy

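Either set your system-wide proxy to use the Xray client, or configure an individual browser to use the Xray client. With the client configuration above, the client listens on 127.0.0.1 port 10808 for SOCKS and on 127.0.0.1 port 10809 for HTTP.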