A lightweight Docker image designed for easy connection to Cloudflare WARP, exposing a `socks5` proxy all together.
Multi-platform: `linux/amd64`, `linux/arm64`, `linux/arm`, `linux/ppc64le`, `linux/s390x` and `linux/riscv64`;
- The `v2` version will be kept and available at `monius/docker-warp-socks:v2`.
- The `v3` version will soon be released and available at `monius/docker-warp-socks:v3` and default in `monius/docker-warp-socks`.
- The `Referral` programme will be concluded on Nov 1st by Cloudflare; the `Plus` flag in `v3` will be unavailable due to it.
- According to the new policy, see `sliver=005-tier1` for `plus` user and `sliver=none` for free account.
- The `v3` version will be based on `alpine 3.20`.
- Support for mixed protocols on the default port `9091`. (#15)
- Networking between containers. (#16)
- More secure Bootstrap without `privileged` acquisition in docker container.
- Light start without `NET_ADMIN`, `SYS_MODULE`, `/lib/modules`, and extra `net` deps.
- Migration of core components from `Dante` and `ViRb3/wgcf` to `SagerNet/sing-box`.
- Support `linux/ppc64le` and `linux/riscv64` in addition.
- Used call `Gemini-2.0-flash-thinking-exp-1219` API.
- Used call `OpenAI-o1-pro` API.
- Used call `Anthropic Claude 3.5 Sonnet v2` API.
Quick start from:
docker run --restart=always -itd \
--name warp_socks_v3 \
-p 9091:9091 \
monius/docker-warp-socks:v3
Then, verify on host with:
curl -x "socks5h://127.0.0.1:9091" -fsSL "https://www.cloudflare.com/cdn-cgi/trace"
curl -x "http://127.0.0.1:9091" -fsSL "https://www.cloudflare.com/cdn-cgi/trace"
Tip
- To use `plus` license, now called `sliver`, add `-e WARP_LICENSE=$WARP_LICENSE`.
- To use customized `port`, set `-e NET_PORT=$NET_PORT`.
- To use Tunnel Encryption with `user` and `passwd`, set `-e SOCK_USER=$USER` and `-e SOCK_PWD=$PASSWD`.
docker run --restart=always -itd \
--name warp_socks_plus \
-e WARP_LICENSE=$WARP_LICENSE \
-e NET_PORT=9091 \
-p 9091:9091 \
monius/docker-warp-socks:v3
Check that both `sliver=xxx-xxx` and `warp=on` are shown from:
curl -x "socks5h://127.0.0.1:9091" -fsSL "https://www.cloudflare.com/cdn-cgi/trace"
curl -x "http://127.0.0.1:9091" -fsSL "https://www.cloudflare.com/cdn-cgi/trace"
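The check above can be scripted so that a monitoring job fails when the proxy stops egressing through WARP. This is an added example, not code from the project; the function names `trace_field` and `check_trace` and the sample trace bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example: evaluate a cdn-cgi/trace body read on stdin.
# Real use:
#   curl -x "socks5h://127.0.0.1:9091" -fsSL "https://www.cloudflare.com/cdn-cgi/trace" | check_trace

# trace_field KEY -> prints the value of the KEY= line held in $TRACE
trace_field() {
    printf '%s\n' "$TRACE" | tr -d '\r' |
        awk -F= -v k="$1" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# check_trace: returns 0 only when the response reports WARP egress.
check_trace() {
    TRACE=$(cat)
    warp=$(trace_field warp)
    sliver=$(trace_field sliver)
    ip=$(trace_field ip)
    case "$warp" in
        on|plus) ;;
        "") echo "FAIL: no warp= field (not a trace response?)"; return 2 ;;
        *)  echo "FAIL: warp=$warp exit_ip=$ip (not egressing via WARP)"; return 1 ;;
    esac
    # Tier mapping follows the page: sliver=none is a free account,
    # sliver=xxx-tier1 is a licensed (plus) account.
    case "$sliver" in
        none)    tier="free" ;;
        *-tier1) tier="plus" ;;
        *)       tier="unknown" ;;
    esac
    echo "OK: warp=$warp sliver=${sliver:-absent} tier=$tier exit_ip=$ip"
}

# Constructed sample responses (documentation IP ranges, not captured data).
SAMPLE_ON='h=www.cloudflare.com
ip=203.0.113.7
warp=on
sliver=005-tier1'
SAMPLE_OFF='h=www.cloudflare.com
ip=198.51.100.20
warp=off
sliver=none'

printf '%s\n' "$SAMPLE_ON" | check_trace
```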
The official `warp-cli` only supports amd64 machines, and following its guide on a remote machine can cause loss of connection. It is recommended to experiment with fresh installations within a docker container, or you have to reboot it via the panel.
With any existing running proxy service, it acts just like a plugin that helps unlock public content such as `OpenAI Sora`, `OpenAI GPT-3.5`, `OpenAI GPT-4`, `OpenAI GPT-4V`, `OpenAI GPT-4o`, `OpenAI GPT-4o-mini`, `Claude`, `Claude 2`, `Claude 3 Opus`, `Claude 3.5 Sonnet`, `Google Bard`, `Google Gemini`, `Google Gemini Pro Vision`, `Google Gemini Advanced`, `Google Gemini 1.5 PRO`, `Google Gemini 1.5 Flash`, `Google PaLM2 API`, `Google Vertex API`, `Google Scholar`, and `Netflix`. No knowledge of `Cloudflare`, `Warp`, `WireGuard`, and `WGCF` is necessary before using this image.
The `v1` image is built on `debian:bookworm` aka `debian:12`; we recently migrated from `v1` to `v2`, which is based on a lighter container, `alpine:3.19`. The main line will transition within a month, with minimal impact on the user side. As a contingency plan, users can revert to `monius/docker-warp-socks:v1` if needed.
Please follow the EXAMPLES `1.1` and `2.1` to get started!
# in case, you have no docker-ce installed;
curl -fsSL "https://get.docker.com" | sudo bash
# to avoid `sudo` calling
sudo usermod -aG docker ${USER}
# or check https://docs.docker.com/engine/security/rootless
# if required a rootless install with `dockerd-rootless-setuptool.sh install`
# in case, using Centos/RedHatEL
sudo systemctl enable docker && sudo systemctl start docker
Run the following commands in your terminal:
docker run --privileged --restart=always -itd \
--name warp_socks \
--cap-add NET_ADMIN \
--cap-add SYS_MODULE \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
--sysctl net.ipv4.conf.all.src_valid_mark=1 \
-v /lib/modules:/lib/modules \
-p 9091:9091 \
monius/docker-warp-socks
The above command will create a background service that allows the entire container network to join the dual-stack cloudflare network pool without disconnecting from the host.
docker run --privileged --restart=always -itd \
--name warp_socks_plus \
-e WGCF_LICENSE_KEY=yourpluslicense \
--cap-add NET_ADMIN \
--cap-add SYS_MODULE \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
--sysctl net.ipv4.conf.all.src_valid_mark=1 \
-v /lib/modules:/lib/modules \
-p 9091:9091 \
monius/docker-warp-socks
Run `curl -x "socks5h://127.0.0.1:9091" -fsSL "https://www.cloudflare.com/cdn-cgi/trace"`; seeing `plus` means the WARP Plus License Key was applied successfully.
Update: since the policy change, there is no such `plus` flag when checking with `https://www.cloudflare.com/cdn-cgi/trace`. Seeing `sliver=xxx-tier1` means success for now.
Run the following commands in your terminal:
docker run --privileged --restart=always -itd \
--name warp_socks_passwd \
-e SOCK_USER=monius \
-e SOCK_PWD=passwd \
--cap-add NET_ADMIN \
--cap-add SYS_MODULE \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
--sysctl net.ipv4.conf.all.src_valid_mark=1 \
-v /lib/modules:/lib/modules \
-p 9091:9091 \
monius/docker-warp-socks
The above command will add a little encryption to the existing socks connection, just a little~
Run `curl -U "monius:passwd" -x "socks5h://127.0.0.1:9091" -fsSL "https://www.cloudflare.com/cdn-cgi/trace"` to go 🤗
Run the following commands in your terminal:
docker run --privileged --restart=always -itd \
--name warp_socks_passwd \
-e NET_PORT=8091 \
--cap-add NET_ADMIN \
--cap-add SYS_MODULE \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
--sysctl net.ipv4.conf.all.src_valid_mark=1 \
-v /lib/modules:/lib/modules \
-p 8091:8091 \
monius/docker-warp-socks
Run `curl -x "socks5h://127.0.0.1:8091" -fsSL "https://www.cloudflare.com/cdn-cgi/trace"` to go 🤗
To use your prepared config:
docker run --privileged --restart=always -itd \
--name warp_socks \
-e SOCK_USER=monius \
-e SOCK_PWD=cool \
--cap-add NET_ADMIN \
--cap-add NET_RAW \
--cap-add SYS_MODULE \
--device=/dev/net/tun \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
--sysctl net.ipv4.conf.all.src_valid_mark=1 \
-p 127.0.0.1:9091:9091 \
-v /lib/modules:/lib/modules \
-v ~/wireguard/:/opt/wireguard/:ro \
monius/docker-warp-socks
It will also recognize the prepared `wgcf-profile.conf` and `danted.conf` if they are located in `~/wireguard/`.
Use `-v ~/wireguard/:/opt/wireguard/:ro` to map the directory.
And, `-p 127.0.0.1:9091:9091` will create a localhost (`127.0.0.1`) access-only `9091` port to secure the connection.
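To confirm which form of `-p` a running container actually got, the output of `docker port <container>` can be audited for bindings that are reachable beyond loopback. This is an added example, not part of the project; the function name `audit_bindings` and the sample lines are constructed, and the container name in the usage comment is taken from the quick start.

```shell
#!/bin/sh
# Added example: flag published ports that listen on more than loopback.
# Real use:
#   docker port warp_socks_v3 | audit_bindings

# audit_bindings: reads `docker port` lines ("9091/tcp -> 0.0.0.0:9091") on
# stdin, prints one EXPOSED line per non-loopback binding, returns 1 if any.
audit_bindings() {
    awk '
        / -> / {
            host = $3                   # 0.0.0.0:9091, [::]:9091, 127.0.0.1:9091
            sub(/:[0-9]+$/, "", host)   # drop the trailing :port
            gsub(/^\[|\]$/, "", host)   # unwrap a bracketed IPv6 address
            if (host !~ /^127\./ && host != "::1") {
                printf "EXPOSED %s on %s\n", $1, $3
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed samples: what `-p 9091:9091` and `-p 127.0.0.1:9091:9091` yield.
SAMPLE_OPEN='9091/tcp -> 0.0.0.0:9091
9091/tcp -> [::]:9091'
SAMPLE_LOCAL='9091/tcp -> 127.0.0.1:9091'

printf '%s\n' "$SAMPLE_OPEN" | audit_bindings || true
```

A non-zero exit means the proxy port accepts connections from other hosts, which matters most when `SOCK_USER` and `SOCK_PWD` are not set.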
To output the network test log:
# Host
curl -x "socks5h://127.0.0.1:9091" -fsSL "https://www.cloudflare.com/cdn-cgi/trace"
# Seeing `warp=on` means success.
`docker-compose.yml` could replace some args in a file to run a container.
If you don't have Docker-Compose installed, follow this:
sudo curl -fsSL "https://github.com/docker/compose/releases/download/v2.17.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/bin/docker-compose
sudo chmod +x /usr/bin/docker-compose
#start
curl -fsSL https://bit.ly/docker-warp-socks-compose | docker-compose -f - up -d --wait && curl --proxy socks5h://127.0.0.1:9091 "https://www.cloudflare.com/cdn-cgi/trace"
#stop
curl -fsSL https://bit.ly/docker-warp-socks-compose | docker-compose -f - down
Click the CLOSE button, Replace the $IP with the given one on the top side, then run:
curl -x "socks5h://$IP:9091" -fsSL "https://www.cloudflare.com/cdn-cgi/trace"
To use `Docker Stack`, first initialize the Swarm with:
# create
docker swarm init
# leave
docker swarm leave --force
# create
curl -fsSL https://bit.ly/docker-warp-socks-compose | docker stack deploy -c - TEST
# remove
docker stack rm TEST
docker info
docker node ls
docker network ls
docker stack ps TEST
docker stack services TEST
docker service ls
docker service logs TEST_warp-socks
docker service inspect TEST_warp-socks
# in swarm mode, the ip addr is random
TID=`docker ps -aqf "name=^TEST_warp-socks"`
IF=`docker exec $TID sh -c "ip route show default" | awk '{print $5}'`
TIP=`docker exec $TID sh -c "ifconfig $IF" | awk '/inet /{print $2}' | cut -d' ' -f2`
curl -x "socks5h://127.0.0.1:9091" -fsSL "https://www.cloudflare.com/cdn-cgi/trace"
echo y | warp-cli registration new
warp-cli registration license "$LICENSE_KEY"
warp-cli mode proxy
warp-cli proxy port 9091
warp-cli connect
curl -x "socks5h://127.0.0.1:9091" -fsSL "https://www.cloudflare.com/cdn-cgi/trace"
For those who have an `amd64` remote machine and don't need to use `docker` to secure the network connection, I suggest using the official `warp-cli` as follows:
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg \
| sudo gpg --yes --dearmor --output /etc/apt/trusted.gpg.d/cloudflare-warp.gpg
echo "deb https://pkg.cloudflareclient.com $(lsb_release -cs) main" \
| sudo tee /etc/apt/sources.list.d/cloudflare-warp.list > /dev/null
sudo apt-get -qq update && sudo apt-get -qq install cloudflare-warp
echo y | warp-cli register
warp-cli set-mode proxy
warp-cli set-proxy-port 9091
warp-cli connect
# test
curl -x "socks5h://127.0.0.1:9091" -fsSL "https://www.cloudflare.com/cdn-cgi/trace"
# See`warp=on` means success.
Prepare WGCF_LICENSE_KEY="xxxxxxx"
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg \
| sudo gpg --yes --dearmor --output /etc/apt/trusted.gpg.d/cloudflare-warp.gpg
echo "deb https://pkg.cloudflareclient.com $(lsb_release -cs) main" \
| sudo tee /etc/apt/sources.list.d/cloudflare-warp.list > /dev/null
sudo apt-get -qq update && sudo apt-get -qq install cloudflare-warp
echo y | warp-cli registration new && warp-cli registration license "$WGCF_LICENSE_KEY"
warp-cli mode proxy
warp-cli proxy port 9091
warp-cli connect
# test
curl -x "socks5h://127.0.0.1:9091" -fsSL "https://www.cloudflare.com/cdn-cgi/trace"
# Instead of `warp=plus`, see `sliver=005-tier1` means success.
For those who are ooold enough for Linux network management, try it for a global proxy mode. Keep in mind that you should already have a backup, or a second or third way to recover your remote VM's network!!!
CF_WARP="https://pkg.cloudflareclient.com/pubkey.gpg"
_WARP="deb https://pkg.cloudflareclient.com $(lsb_release -cs) main"
echo "$_WARP" | sudo tee /etc/apt/sources.list.d/cloudflare-warp.list > /dev/null
curl -fsSL "$CF_WARP" | sudo gpg --yes --dearmor --output /etc/apt/trusted.gpg.d/cloudflare-warp.gpg
sudo apt-get -qq update && sudo apt-get -qq install cloudflare-warp
GATEWAY=$(ip route show default | awk '/default/ {print $3}')
IFACE=$(ip route get 8.8.8.8 | sed -n 's/.*dev \([^\ ]*\).*/\1/p' | head -n 1)
_IPv4=$(ip addr show dev "$IFACE" | awk '/inet /{print $2}' | cut -d' ' -f2)
_IPv6=$(ip addr show dev "$IFACE" | awk '/inet6 /{print $2}' | cut -d' ' -f2)
# Setting for VPC ip structure
_VPC=$(curl -fsSL https://www.cloudflare.com/cdn-cgi/trace | grep 'ip' | sed 's/ip=//')
echo y | warp-cli registration new
# Setting for VPC internal
warp-cli add-excluded-route "$_IPv4"
warp-cli add-excluded-route "$_IPv6"
warp-cli add-excluded-route "$_VPC"
# Setting for external ssh
echo "$SSH_CONNECTION" | sed 's/ .*//' | sed 's/[0-9]*$/0\/24/' | xargs warp-cli add-excluded-route
warp-cli connect
# Whole network in WARP proxy, `warp=on` means success.
# Check `/var/log/cloudflare-warp/cfwarp_service_log.txt` for logs details
Plz be aware that the VMs can still be lost, because the `IP` can still be changed after `reboot`!!!
DONT USE `warp-cli tunnel ip add` to exclude ip for now!!!
GATEWAY=$(ip route show default | awk '/default/ {print $3}')
IFACE=$(ip route get 8.8.8.8 | sed -n 's/.*dev \([^\ ]*\).*/\1/p' | head -n 1)
_IPv4=$(ip addr show dev "$IFACE" | awk '/inet /{print $2}' | cut -d' ' -f2 | sed 's/\([0-9.]*\)\/.*/\1/')
_IPv6=$(ip addr show dev "$IFACE" | awk '/inet6 /{print $2}' | cut -d' ' -f2 | sed 's/\([0-9.]*\)\/.*/\1/')
warp-cli tunnel ip add "$_IPv4"
warp-cli tunnel ip add "$_IPv6"
warp-cli tunnel ip add "$_VPC"
echo "$SSH_CONNECTION" | sed 's/ .*//' | sed 's/[0-9]*$/0\/24/' | sed 's/\([0-9.]*\)\/.*/\1/' | xargs warp-cli tunnel ip add
- Go to `https://$TEAM.cloudflareaccess.com/warp` and authenticate.
- On the ‘Success’ page in the browser, right click and ‘Inspect’ the blue ‘Open Cloudflare WARP’ button. Copy the long url starting with `com.cloudflare.warp://` that’s shown linked to the button.
- Assume you store it inside `$TOKEN_URL`
- Go to `one.dash.cloudflare.com`
- Find -> Setting -> WARP Client -> Device settings
- Click Default -> Configure -> Split Tunnels -> Manage, then add exclude IPs, which is the same as `warp-cli add-excluded-route`
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg \
| sudo gpg --yes --dearmor --output /etc/apt/trusted.gpg.d/cloudflare-warp.gpg
echo "deb https://pkg.cloudflareclient.com $(lsb_release -cs) main" \
| sudo tee /etc/apt/sources.list.d/cloudflare-warp.list > /dev/null
sudo apt-get -qq update && sudo apt-get -qq install cloudflare-warp
TOKEN_URL="com.cloudflare.warp://xxx.cloudflareaccess.com/auth?token=xxxxx"
echo y | warp-cli registration token "$TOKEN_URL"
warp-cli connect
curl -fsSL "https://www.cloudflare.com/cdn-cgi/trace"
curl --proxy socks5h://127.0.0.1:9011 https://www.cloudflare.com/cdn-cgi/trace
curl -x "socks5h://127.0.0.1:9091" -fsSL "https://www.cloudflare.com/cdn-cgi/trace"
Debug commands for quick troubleshooting
docker rm -f $(docker ps -a -q) && docker rmi -f $(docker images -a -q)
docker run --privileged --restart=always -itd \
--name warp_debug \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
--sysctl net.ipv4.conf.all.src_valid_mark=1 \
--cap-add NET_ADMIN --cap-add SYS_MODULE \
-p 9091:9091 \
-v /lib/modules:/lib/modules \
monius/docker-warp-socks:meta
docker exec -it warp_debug /bin/bash
IFACE=$(ip route show default | grep default | awk '{print $5}')
IPv4=$(ifconfig "$IFACE" | awk '/inet /{print $2}' | cut -d' ' -f2)
IPv6=$(ifconfig "$IFACE" | awk '/inet6 /{print $2}' | cut -d' ' -f2)
TAR="https://api.github.com/repos/Mon-ius/Docker-Warp-Socks/releases/latest"
ARCH=$(dpkg --print-architecture)
URL=$(curl -fsSL ${TAR} | grep 'browser_download_url' | cut -d'"' -f4 | grep linux | grep "${ARCH}")
curl -LSs "${URL}" -o ./wgcf && chmod +x ./wgcf && mv ./wgcf /usr/bin
wgcf register --accept-tos && wgcf generate && mv wgcf-profile.conf /etc/wireguard/warp.conf
sed -i "/\[Interface\]/a PostDown = ip -6 rule delete from ${IPv6} lookup main" /etc/wireguard/warp.conf
sed -i "/\[Interface\]/a PostUp = ip -6 rule add from ${IPv6} lookup main" /etc/wireguard/warp.conf
sed -i "/\[Interface\]/a PostDown = ip -4 rule delete from ${IPv4} lookup main" /etc/wireguard/warp.conf
sed -i "/\[Interface\]/a PostUp = ip -4 rule add from ${IPv4} lookup main" /etc/wireguard/warp.conf
wg-quick up warp
curl "https://www.cloudflare.com/cdn-cgi/trace"
curl --interface eth0 "https://www.cloudflare.com/cdn-cgi/trace"
curl --interface warp "https://www.cloudflare.com/cdn-cgi/trace"
- CentOS/RedHat/Rocky Linux as Host, see https://github.com/uzairali001/docker-wireguard-rhel
- WireGuard
- Mon-ius/Docker-Warp-Socks
- Cloudflare WARP
- SagerNet/sing-box
- ViRb3/wgcf
- Neilpang/wgcf-docker
- Wireguard-Socks-Proxy
- WARP exclude config
We are not affiliated, associated, authorized, endorsed by, or in any way officially connected with Cloudflare, or any of its subsidiaries or its affiliates. The official Cloudflare website can be found at https://www.cloudflare.com.