Last active
November 10, 2025 16:37
-
-
Save Noltari/3a14be7d15e7c74e92a175309ecc6421 to your computer and use it in GitHub Desktop.
OpenWrt Cloudflare (WARP)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Step 1 -> get wgcf (cli for Cloudflare WARP) | |
| https://github.com/ViRb3/wgcf/releases | |
| # Step 2 -> create account -> wgcf-account.toml | |
| wgcf register | |
| # Step 3 -> generate WireGuard profile -> wgcf-profile.conf | |
| wgcf generate | |
| # Step 4 -> extract values from wgcf-profile.conf | |
| [Interface] | |
| PrivateKey = WARP_PRIV_KEY | |
| Address = WARP_IP_V4/32, WARP_IP_V6/128 | |
| DNS = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001 | |
| MTU = 1280 | |
| [Peer] | |
| PublicKey = WARP_PUB_KEY | |
| AllowedIPs = 0.0.0.0/0, ::/0 | |
| Endpoint = engage.cloudflareclient.com:2408 | |
| # Step 5 -> install WireGuard on OpenWrt | |
| opkg update | |
| opkg install kmod-wireguard wireguard-tools luci-proto-wireguard |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/config/network | |
| # Warning: adding "option metric 512" to "config interface wan" is recommended. | |
| config interface 'cloudflare' | |
| option proto 'wireguard' | |
| option private_key 'WARP_PRIV_KEY' | |
| list addresses 'WARP_IP_V4/32' | |
| list addresses 'WARP_IP_V6/128' | |
| list dns '1.1.1.1' | |
| list dns '1.0.0.1' | |
| list dns '2606:4700:4700::1111' | |
| list dns '2606:4700:4700::1001' | |
| option mtu '1280' | |
| config wireguard_cloudflare | |
| option public_key 'WARP_PUB_KEY' | |
| option endpoint_host 'engage.cloudflareclient.com' | |
| option endpoint_port '2408' | |
| option description 'warp' | |
| list allowed_ips '0.0.0.0/0' | |
| list allowed_ips '::0/0' |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/config/firewall | |
| config zone | |
| option name 'wan' | |
| option input 'REJECT' | |
| option output 'ACCEPT' | |
| option forward 'REJECT' | |
| option masq '1' | |
| option mtu_fix '1' | |
| list network 'wan' | |
| list network 'cloudflare' | |
| list network 'wan6' | |
| config nat | |
| option name 'cloudflare-v6' | |
| option family 'ipv6' | |
| option src 'wan' | |
| option target 'MASQUERADE' | |
| list proto 'all' | |
| option device 'cloudflare' | |
| # Gather the routes for the blocked IPs from: https://github.com/Noltari/laliga-isp-blocks/blob/master/data/laliga-openwrt-routes.config | |
| # The data is scraped from https://hayahora.futbol/, which is updated as soon as new IPs are blocked. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://github.com/ViRb3/wgcf | |
| https://openwrt.org/docs/guide-user/services/vpn/wireguard/client | |
| https://github.com/Noltari/laliga-isp-blocks | |
| https://hayahora.futbol/ | |
| https://whois.ipip.net/ | |
| https://www.whois.com/whois | |
| https://www.cloudflare.com/ips | |
| https://www.cloudflare.com/ips-v4 | |
| https://www.cloudflare.com/ips-v6 | |
| https://1.1.1.1/ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Route all Cloudflare traffic through WARP VPN interface. | |
| # These CIDRs can be added as route configs in /etc/config/network. | |
| # Warning: Cloudflare is no longer the only datacenter blocked and therefore routing all its traffic isn't needed anymore. | |
| # We need to constantly update the blocked IPs list from sites like https://hayahora.futbol/ instead. | |
| config route | |
| option interface 'cloudflare' | |
| option target '103.21.244.0/22' | |
| config route | |
| option interface 'cloudflare' | |
| option target '103.22.200.0/22' | |
| config route | |
| option interface 'cloudflare' | |
| option target '103.31.4.0/22' | |
| config route | |
| option interface 'cloudflare' | |
| option target '104.16.0.0/13' | |
| config route | |
| option interface 'cloudflare' | |
| option target '104.24.0.0/14' | |
| config route | |
| option interface 'cloudflare' | |
| option target '108.162.192.0/18' | |
| config route | |
| option interface 'cloudflare' | |
| option target '131.0.72.0/22' | |
| config route | |
| option interface 'cloudflare' | |
| option target '141.101.64.0/18' | |
| config route | |
| option interface 'cloudflare' | |
| option target '162.158.0.0/15' | |
| config route | |
| option interface 'cloudflare' | |
| option target '172.64.0.0/13' | |
| config route | |
| option interface 'cloudflare' | |
| option target '173.245.48.0/20' | |
| config route | |
| option interface 'cloudflare' | |
| option target '188.114.96.0/20' | |
| config route | |
| option interface 'cloudflare' | |
| option target '190.93.240.0/20' | |
| config route | |
| option interface 'cloudflare' | |
| option target '197.234.240.0/22' | |
| config route | |
| option interface 'cloudflare' | |
| option target '198.41.128.0/17' | |
| config route6 | |
| option interface 'cloudflare' | |
| option target '2400:cb00::/32' | |
| config route6 | |
| option interface 'cloudflare' | |
| option target '2606:4700::/32' | |
| config route6 | |
| option interface 'cloudflare' | |
| option target '2803:f800::/32' | |
| config route6 | |
| option interface 'cloudflare' | |
| option target '2405:b500::/32' | |
| config route6 | |
| option interface 'cloudflare' | |
| option target '2405:8100::/32' | |
| config route6 | |
| option interface 'cloudflare' | |
| option target '2a06:98c0::/29' | |
| config route6 | |
| option interface 'cloudflare' | |
| option target '2c0f:f248::/32' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment