How to Find Clean Cloudflare IPs for Censorship Bypass (cfray Guide)


Prerequisites

  • A proxy server behind Cloudflare CDN (VLESS+WS or VMess+WS)
  • Basic understanding of how Cloudflare CDN works

Quick Answer: In censored countries, ISPs throttle or block Cloudflare IP ranges. "Clean" IPs are Cloudflare IPs that still work at full speed. Use cfray to scan and find them: it tests Cloudflare IPs against your specific config and returns the fastest ones.



What Are "Clean" Cloudflare IPs?

When you use a proxy behind Cloudflare CDN (VLESS+WebSocket, VMess+WebSocket), your traffic flows through Cloudflare's network before reaching your server. The censor sees traffic going to a Cloudflare IP, not your server's real IP.

Your Device → Cloudflare IP (CDN) → Your Server → Internet
Censor sees: traffic to Cloudflare (can't block without breaking the internet)

The problem: censors in countries like Iran and China have started selectively throttling Cloudflare IP ranges. They can't block all of Cloudflare (it would break millions of websites), but they can slow down specific IP ranges to make proxies unusable.

A "clean" IP is a Cloudflare IP address that:

  • Is NOT throttled or blocked by your ISP
  • Has low latency from your location
  • Can carry your proxy traffic at usable speeds

These IPs change constantly as ISPs update their throttling lists. What works today might be slow tomorrow. That's why you need a scanner.


How Cloudflare CDN Bypass Works

The Setup

To use Cloudflare CDN for censorship bypass, you need:

  1. A VPS with Xray/V2Ray running VLESS+WebSocket or VMess+WebSocket
  2. A domain on Cloudflare with the proxy (orange cloud) enabled
  3. A client app (v2rayNG, Nekobox, Hiddify, Clash) configured with a Cloudflare IP instead of your domain

Why Use an IP Instead of the Domain?

When you connect to proxy.yourdomain.com, your device does a DNS lookup that returns a Cloudflare IP. But in censored countries:

  • DNS responses can be poisoned (ISP returns a wrong IP)
  • The DNS lookup itself reveals you're accessing proxy.yourdomain.com
  • Specific domains can be blocked even on Cloudflare

By using a direct Cloudflare IP with the SNI/Host header set to your domain, you skip DNS entirely. This avoids DNS poisoning and DNS-based logging. The censor still sees your domain in the TLS SNI (it's sent in plaintext during the handshake), but they see it going to a generic Cloudflare IP rather than your server's real IP.

Normal (domain):  DNS lookup (can be poisoned) → gets CF IP → connects
Clean IP method:  Skip DNS entirely → connect to specific CF IP → same TLS handshake
                  Advantage: no DNS poisoning, no DNS logging, IP isn't associated with your domain
                  Note: SNI (your domain name) is still visible to DPI in the TLS handshake

Important: The clean IP method does NOT hide your domain name from DPI. The SNI is visible in plaintext. The advantage is bypassing DNS blocks and connecting through IPs that aren't throttled. For full SNI hiding, you'd need ECH (Encrypted Client Hello), which Cloudflare is rolling out but isn't universally available yet.

The Traffic Flow

Your Device
    |
    | TLS connection to Cloudflare IP (e.g., 104.18.32.47)
    | SNI: proxy.yourdomain.com
    | Inside: WebSocket carrying VLESS/VMess data
    |
    v
Cloudflare Edge Server (the "clean" IP)
    |
    | Cloudflare reads the Host header, finds your domain
    | Routes to your origin server
    |
    v
Your VPS (Xray/V2Ray)
    |
    | Decrypts VLESS/VMess, forwards to internet
    |
    v
Destination

Why IPs Get "Dirty"

ISPs in Iran and China use several techniques:

  1. IP range throttling — slow down entire /24 or /16 Cloudflare subnets to 10-50 Kbps (unusable for proxy but technically "not blocked")
  2. Active probing — detect proxy-like traffic patterns on specific IPs and add them to a throttle list
  3. SNI-based filtering — some ISPs inspect the SNI in the TLS handshake (Cloudflare IPs + suspicious SNI = throttle)
  4. Time-based blocking — IPs work fine at 3 AM but get throttled during peak hours
  5. Geographic targeting — an IP might be clean in Tehran but dirty in Isfahan

This is why finding clean IPs is an ongoing process, not a one-time setup.


Part 1: Install cfray

cfray is a Cloudflare IP scanner that:

  • Tests Cloudflare IP ranges for latency and speed
  • Tests against YOUR specific proxy config (not just ping)
  • Returns the fastest working IPs sorted by performance
  • Supports custom IP ranges and exclusion lists

Install

# Download latest release
# Check https://github.com/SamNet-dev/cfray/releases for your platform

# Linux (amd64)
wget https://github.com/SamNet-dev/cfray/releases/latest/download/cfray-linux-amd64
chmod +x cfray-linux-amd64
sudo mv cfray-linux-amd64 /usr/local/bin/cfray

# Or build from source
git clone https://github.com/SamNet-dev/cfray.git
cd cfray
go build -o cfray .
sudo mv cfray /usr/local/bin/

Verify

cfray --version

Part 2: Scan for Clean IPs

Basic Scan

# Scan default Cloudflare ranges, test latency
cfray

This scans Cloudflare's IP ranges and returns the fastest IPs by ping time.

Scan with Your Proxy Config

For the most accurate results, test IPs against your actual proxy:

# Test with your VLESS/VMess config
cfray --addr proxy.yourdomain.com:443 --sni proxy.yourdomain.com

This doesn't just ping — it actually establishes a TLS connection through each IP to verify it works with your specific setup.

Custom IP Ranges

# Scan specific Cloudflare ranges
cfray --range 104.16.0.0/16,104.17.0.0/16

# Exclude known-dirty ranges
cfray --exclude 104.16.0.0/24,104.17.128.0/24

Output

cfray outputs results sorted by speed:

IP              Latency    Speed     Status
104.18.32.47    45ms       12.5MB/s  OK
104.18.45.12    52ms       10.2MB/s  OK
172.67.182.1    68ms       8.1MB/s   OK
104.18.78.200   120ms      2.3MB/s   SLOW
104.16.55.8     timeout    -         BLOCKED

Take the top IPs and use them in your client config.


Part 3: Use Clean IPs in Your Client

v2rayNG / Nekobox (Android)

  1. Open your existing VLESS+WS or VMess+WS config
  2. Change the Address field from proxy.yourdomain.com to the clean IP (e.g., 104.18.32.47)
  3. Make sure SNI is still proxy.yourdomain.com
  4. Make sure Host header (in WS settings) is still proxy.yourdomain.com
  5. Connect

Clash Meta / Mihomo

proxies:
  - name: "vless-cdn-clean"
    type: vless
    server: 104.18.32.47          # Clean Cloudflare IP
    port: 443
    uuid: your-uuid-here
    network: ws
    tls: true
    servername: proxy.yourdomain.com    # SNI = your domain
    ws-opts:
      path: /your-ws-path
      headers:
        Host: proxy.yourdomain.com      # Host = your domain

Hiddify

Hiddify has built-in clean IP scanning — go to Settings → Clean IP and enter your preferred ranges.

Key Points

  • Server/Address: Use the clean Cloudflare IP
  • SNI/ServerName: Keep your actual domain
  • Host header: Keep your actual domain
  • Port: 443 (HTTPS) for Cloudflare proxy

The clean IP replaces only the connection target. All other settings stay the same.


Part 4: Automate IP Rotation

Clean IPs go dirty over time. Automate the scanning:

Cron Job (Linux)

# Scan every 6 hours, save best IPs
cat > /opt/cfray-update.sh << 'EOF'
#!/bin/bash
BEST=$(cfray --addr proxy.yourdomain.com:443 --top 5 --format ip 2>/dev/null | head -1)
if [ -n "$BEST" ]; then
    echo "$BEST" > /opt/current-clean-ip.txt
    echo "$(date): Best IP is $BEST" >> /var/log/cfray.log
fi
EOF
chmod +x /opt/cfray-update.sh

# Run every 6 hours
(crontab -l 2>/dev/null; echo "0 */6 * * * /opt/cfray-update.sh") | crontab -

Share Updated IPs

If you manage users, you can update a subscription endpoint with the latest clean IP:

# Generate updated client configs with the best IP
# Then serve via your web server for client auto-update
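The "generate updated client configs" step in working code, as an added example (not part of this guide or of the cfray project): it reads cfray's table output in the column layout shown in Part 2 (the layout is an assumption; adjust the regex if the tool prints differently), keeps only rows whose Status is OK so a SLOW or BLOCKED IP is never chosen, ranks them by speed, and rewrites only the `server:` line of a Clash Meta config like the one in Part 3, leaving SNI, Host header and path untouched.

```python
import re
from typing import List, Tuple

# Constructed sample of cfray's table output, copied from the format shown in Part 2.
SAMPLE_SCAN = """\
IP              Latency    Speed     Status
104.18.32.47    45ms       12.5MB/s  OK
104.18.45.12    52ms       10.2MB/s  OK
172.67.182.1    68ms       8.1MB/s   OK
104.18.78.200   120ms      2.3MB/s   SLOW
104.16.55.8     timeout    -         BLOCKED
"""

# Constructed Clash Meta config in the shape shown in Part 3 (placeholder domain/IP).
SAMPLE_CONFIG = """\
proxies:
  - name: "vless-cdn-clean"
    type: vless
    server: 104.18.32.47          # Clean Cloudflare IP
    port: 443
    servername: proxy.yourdomain.com    # SNI = your domain
"""

# One data row: IP, latency, speed, status (assumed column order as in the sample above).
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
UNITS = {"KB/s": 1e3, "MB/s": 1e6, "GB/s": 1e9}

def parse_speed(text: str) -> float:
    """'12.5MB/s' -> 12500000.0; '-' or anything unparsable -> 0.0."""
    m = re.fullmatch(r"([\d.]+)(KB/s|MB/s|GB/s)", text)
    return float(m.group(1)) * UNITS[m.group(2)] if m else 0.0

def best_ips(scan_output: str, top: int = 3) -> List[str]:
    """Return up to `top` IPs with Status OK, fastest first; SLOW/BLOCKED rows are dropped."""
    rows: List[Tuple[float, str]] = []
    for line in scan_output.splitlines():
        m = ROW.match(line)
        if m and m.group(4) == "OK":
            rows.append((parse_speed(m.group(3)), m.group(1)))
    rows.sort(reverse=True)
    return [ip for _, ip in rows[:top]]

def update_server(config_text: str, new_ip: str) -> str:
    """Rewrite only the `server:` value (not `servername:`); everything else stays as is."""
    return re.sub(r"^(\s*server:\s*)\S+", lambda m: m.group(1) + new_ip, config_text, flags=re.M)

if __name__ == "__main__":
    ranked = best_ips(SAMPLE_SCAN)
    print("clean IPs, fastest first:", ranked)
    print(update_server(SAMPLE_CONFIG, ranked[0]))
```

In production, feed `best_ips()` the captured stdout of the cfray run from the cron script and write `update_server()`'s result to the file your subscription endpoint serves.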

Part 5: Cloudflare IP Ranges

Cloudflare publishes their IP ranges at cloudflare.com/ips. The main ranges:

IPv4

173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22

Not all of these are equally useful. In practice, the 104.16.0.0/13 and 172.64.0.0/13 ranges tend to have the most clean IPs in most regions.


Part 6: Troubleshooting

  • All IPs show as blocked/timeout
    Fix: Your ISP may be blocking all Cloudflare. Try with obfuscation or switch to a non-CDN protocol (Hysteria2, Reality)
  • IPs work for a few hours then die
    Fix: Normal — ISP updates throttle lists. Run cfray more frequently (every 2-4 hours)
  • Good ping but slow speed
    Fix: ISP is throttling bandwidth, not blocking. Try IPs from different /24 ranges
  • Works on WiFi but not mobile data
    Fix: Mobile carriers often have different throttle lists. Scan from your phone's connection
  • "TLS handshake failed"
    Fix: SNI/Host header mismatch. Make sure both are set to your domain
  • cfray finds IPs but proxy still slow
    Fix: Check your VPS bandwidth. The bottleneck might be your server, not Cloudflare

Tips for Iran Specifically

  • Irancell and MCI throttle different ranges — scan from each carrier separately
  • Late night (2-6 AM) usually has less throttling — good time to find IPs that also work during the day
  • HTTPS ports 2053, 2083, 2087, 2096, 8443 are Cloudflare-supported alternatives to 443 for TLS connections. If 443 is throttled, try these (do NOT use HTTP-only ports like 2082, 2086, 2095 — they won't work for TLS proxy connections)
  • Use gRPC transport instead of WebSocket — some ISPs throttle WS patterns but not gRPC

Tips for China Specifically

  • Focus on 104.16.0.0/13 range
  • Use WebSocket with a common path like /ws or /chat
  • Change SNI to a popular Cloudflare-hosted domain if your domain gets flagged (requires testing)
  • Scan frequently — GFW updates aggressively

SamNet Open Source Tools

Tool              Purpose
cfray             Cloudflare clean IP scanner
fortify           Server security hardening
paqctl            Censorship bypass (Paqet + GFW-Knocker)
MTProxyMax        Telegram proxy manager
wg-orchestrator   WireGuard VPN management
dnstm-setup       DNS tunnel deployment