https://github.com/ercindedeoglu/cloudflare-warp
Dockerized Cloudflare WARP client with SOCKS5 & HTTP proxy support. Features authentication, rate limiting, IP whitelisting, and dual-mode routing (WARP or direct exit). Perfect for privacy, geo-bypass, and secure browsing.
https://github.com/ercindedeoglu/cloudflare-warp
cloudflare docker gost privacy proxy socks5 vpn warp zero-trust
Last synced: about 1 month ago
JSON representation
Dockerized Cloudflare WARP client with SOCKS5 & HTTP proxy support. Features authentication, rate limiting, IP whitelisting, and dual-mode routing (WARP or direct exit). Perfect for privacy, geo-bypass, and secure browsing.
- Host: GitHub
- URL: https://github.com/ercindedeoglu/cloudflare-warp
- Owner: ErcinDedeoglu
- License: other
- Created: 2025-11-29T10:04:15.000Z (7 months ago)
- Default Branch: v1.0
- Last Pushed: 2026-05-21T00:47:30.000Z (about 1 month ago)
- Last Synced: 2026-05-21T07:19:05.662Z (about 1 month ago)
- Topics: cloudflare, docker, gost, privacy, proxy, socks5, vpn, warp, zero-trust
- Language: Shell
- Homepage: https://hub.docker.com/r/dublok/cloudflare-warp
- Size: 24.8 MB
- Stars: 12
- Watchers: 1
- Forks: 3
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Cloudflare WARP
[](https://github.com/ErcinDedeoglu/cloudflare-warp/actions/workflows/build-test-push.yml)
[](https://hub.docker.com/r/dublok/cloudflare-warp)
[](https://hub.docker.com/r/dublok/cloudflare-warp)
[](https://github.com/ErcinDedeoglu/cloudflare-warp)
[](https://github.com/ErcinDedeoglu/cloudflare-warp/blob/v1.0/LICENSE)
Run [Cloudflare WARP](https://1.1.1.1/) in Docker. Provides SOCKS5 and HTTP proxies that route traffic through Cloudflare's network. Supports multiple WARP instances in a single container for IP rotation.
## Quick Start
```yaml
services:
warp:
image: dublok/cloudflare-warp:latest
container_name: warp
restart: always
ports:
- "1080:1080" # SOCKS5 proxy
# - "8080:8080" # HTTP proxy
volumes:
- warp-data:/var/lib/cloudflare-warp
volumes:
warp-data:
```
```bash
docker compose up -d
# Test SOCKS5 proxy
curl --socks5-hostname 127.0.0.1:1080 https://cloudflare.com/cdn-cgi/trace
# Test HTTP proxy (if port 8080 exposed)
curl -x http://127.0.0.1:8080 https://cloudflare.com/cdn-cgi/trace
```
If working, you'll see `warp=on` in the output.
## Environment Variables
| Variable | Description | Default |
|----------|-------------|---------|
| `WARP_INSTANCES` | Number of WARP instances. Each gets a unique Cloudflare IP. Traffic is round-robined across all instances. No extra capabilities required | `1` |
| `WARP_LICENSE_KEY` | WARP+ license key. Comma-separated for multiple keys — tries each in order, skips any that fail | - |
| `WARP_ORG` | Zero Trust team name. Enables automatic enrollment via service token (see [Zero Trust](#zero-trust-free-warp-routing) section). Mutually exclusive with `WARP_LICENSE_KEY` | - |
| `WARP_AUTH_CLIENT_ID` | Service token Client ID (required when `WARP_ORG` is set) | - |
| `WARP_AUTH_CLIENT_SECRET` | Service token Client Secret (required when `WARP_ORG` is set) | - |
| `WARP_CONNECT_TIMEOUT` | Max seconds to wait for WARP daemon | `30` |
| `PROXY_USER` | Proxy authentication username | - |
| `PROXY_PASS` | Proxy authentication password | - |
| `PROXY_ALLOWED_IPS` | IP whitelist (comma-separated CIDRs) | - |
| `PROXY_MAX_CONN` | Max concurrent connections per IP | `10` |
| `PROXY_MAX_RPS` | Max requests per second per IP | `10` |
| `SS_METHOD` | Shadowsocks encryption method | `chacha20-ietf-poly1305` |
## With Authentication
```yaml
services:
warp:
image: dublok/cloudflare-warp:latest
ports:
- "1080:1080" # SOCKS5 proxy
- "8080:8080" # HTTP proxy
environment:
- PROXY_USER=myuser
- PROXY_PASS=mypassword
volumes:
- warp-data:/var/lib/cloudflare-warp
volumes:
warp-data:
```
```bash
# SOCKS5 with auth
curl --socks5-hostname myuser:mypassword@127.0.0.1:1080 https://cloudflare.com/cdn-cgi/trace
# HTTP with auth
curl -x http://myuser:mypassword@127.0.0.1:8080 https://cloudflare.com/cdn-cgi/trace
```
## Direct Proxy (Bypass WARP)
Direct proxies are always available that exit through Docker's network without routing through WARP. Useful when you need your real IP for certain services.
| Port | Protocol | Route |
|------|----------|-------|
| 1080 | SOCKS5 | Through WARP (Cloudflare IP) |
| 1081 | SOCKS5 | Direct (real IP) |
| 8080 | HTTP | Through WARP (Cloudflare IP) |
| 8081 | HTTP | Direct (real IP) |
```yaml
services:
warp:
image: dublok/cloudflare-warp:latest
ports:
- "1080:1080" # SOCKS5 WARP proxy
- "1081:1081" # SOCKS5 Direct proxy
- "8080:8080" # HTTP WARP proxy
- "8081:8081" # HTTP Direct proxy
environment:
- PROXY_USER=myuser
- PROXY_PASS=mypassword
volumes:
- warp-data:/var/lib/cloudflare-warp
volumes:
warp-data:
```
```bash
# SOCKS5 through WARP (Cloudflare IP)
curl --socks5-hostname myuser:mypassword@127.0.0.1:1080 https://ifconfig.me
# SOCKS5 direct exit (your real IP)
curl --socks5-hostname myuser:mypassword@127.0.0.1:1081 https://ifconfig.me
# HTTP through WARP (Cloudflare IP)
curl -x http://myuser:mypassword@127.0.0.1:8080 https://ifconfig.me
# HTTP direct exit (your real IP)
curl -x http://myuser:mypassword@127.0.0.1:8081 https://ifconfig.me
```
## Multi-Instance (IP Rotation)
Set `WARP_INSTANCES=N` to run multiple WARP daemons in a single container, each with a unique Cloudflare IP. Traffic is round-robined across all instances on the same ports — no extra capabilities required.
```yaml
environment:
- WARP_INSTANCES=10 # each request exits through a different IP
```
Each instance uses ~50-100 MB RAM and starts 2 seconds apart. If an instance fails, GOST skips it after 3 failures and retries after 30s.
## Zero Trust (Free WARP+ Routing)
Enroll devices into Cloudflare Zero Trust using service tokens for free WARP+ equivalent routing — no browser needed. See the **[Zero Trust setup guide](docs/zero-trust.md)** for configuration and usage.
## Mobile VPN (Shadowsocks)
Connect your mobile devices using Shadowsocks apps - works as a system-wide VPN without requiring special Docker privileges. **Shadowsocks is always enabled** on ports 8388/8389.
### Supported Apps
| Platform | App | Price |
|----------|-----|-------|
| Android | [Shadowsocks](https://play.google.com/store/apps/details?id=com.github.shadowsocks) | Free |
| Android | [v2rayNG](https://play.google.com/store/apps/details?id=com.v2ray.ang) | Free |
| iOS | [Shadowrocket](https://apps.apple.com/app/shadowrocket/id932747118) | ~$3 |
| iOS | [Potatso Lite](https://apps.apple.com/app/potatso-lite/id1239860606) | Free |
### Setup
```yaml
services:
warp:
image: dublok/cloudflare-warp:latest
ports:
- "8388:8388" # Shadowsocks WARP (Cloudflare IP)
- "8389:8389" # Shadowsocks Direct (real IP)
environment:
- PROXY_PASS=your-secure-password # Optional: sets password for all protocols
volumes:
- warp-data:/var/lib/cloudflare-warp
volumes:
warp-data:
```
### Mobile App Configuration
| Setting | Value |
|---------|-------|
| Server | Your server IP or domain |
| Port | `8388` (WARP) or `8389` (Direct) |
| Password | Your `PROXY_PASS` or `cloudflare-warp` (default) |
| Method | `chacha20-ietf-poly1305` (default) |
### Available Encryption Methods
**Recommended (AEAD):**
- `chacha20-ietf-poly1305` (default, recommended for mobile)
- `aes-256-gcm`
- `aes-128-gcm`
**Shadowsocks 2022 (newest, requires base64 key as password):**
- `2022-blake3-aes-128-gcm`
- `2022-blake3-aes-256-gcm`
- `2022-blake3-chacha20-poly1305`
**Other:**
- `xchacha20-ietf-poly1305`
- `chacha20-poly1305`
### Port Reference
| Port | Protocol | Route |
|------|----------|-------|
| 8388 | Shadowsocks | Through WARP (Cloudflare IP) |
| 8389 | Shadowsocks | Direct (real IP) |
## License
CC-BY-NC-4.0 - Non-commercial use only with attribution.