This example provides a simple configuration for a Debian client to have a Cloudflare tunnel while not installing the official Cloudflare WARP client. Note: Tunnel transport outbound to engage.cloudlflare.com on udp/2408 is default, with a dynamic listening udp port and a fwmark for packet matching by wireguard. Any applicable firewall rules may need to be adjusted.
- Top-level GitHub project to convert cloudflare endpoint to generic wireguard configuration file: https://github.com/ViRb3/wgcf
sudo apt install openresolv wireguard-tools golang git
git clone https://github.com/ViRb3/wgcf.git
cd wgcf
go build -buildvcs=false
- Create a registration record using Cloudflare API and save account to file:
wgcf-account.toml
./wgcf register
- Generate a generic wireguard configuration file:
wgcf-profile.conffrom the registration file
./wgcf generate
wg-quick up ./wgcf-profile.conf
Check the output of the wgcf trace command and make sure that warp=on is in output
./wgcf trace
Check wireguard status and active configuration
wg show
ifconfig wgcf-profile
Check ip address using curl (for both IPv6 and IPv4)
curl -6 https://ipconfig.io
curl -4 https://ipconfig.io
Check cdn trace using curl (for both IPv6 and IPv4) similar to ./wgcf trace
curl -6 https://www.cloudflare.com/cdn-cgi/trace/
curl -4 https://www.cloudflare.com/cdn-cgi/trace/
- Adjust MTU to 1460 instead of 1280 in
wgcf-profile.conffor better performance (in non-degraded MTU environments) - Adjust
Address =configuration to remove either ipv4 or ipv6 transport lines (if not needed) for outside the tunnel - Adjust
AllowedIPs =configuration if default route(/0) is not needed