Cloudflare WARP Setup: Free VPN That Works in Censored Countries

Quick Answer: Install the "1.1.1.1" app from your app store, open it, tap Connect. That's it — you now have a free VPN using Cloudflare's WireGuard-based network. If it doesn't connect in your country, you need custom WARP endpoints (see Part 4).

Need a VPS? Vultr (free credit), DigitalOcean ($200 free credit), or RackNerd (cheap annual deals).

What Is Cloudflare WARP?

WARP is a free VPN by Cloudflare that encrypts your internet traffic and routes it through Cloudflare's global network. It's built on the WireGuard protocol, which means it's fast and efficient.

Why WARP Is Special

Unlike commercial VPNs ($5-12/month), WARP is:

• Completely free (with optional WARP+ upgrade)
• No account required — install and connect, no signup
• No data limits on the free tier
• No speed throttling — uses Cloudflare's massive global network
• Built on WireGuard — fast, modern, low battery usage
• Available on all platforms — Android, iOS, Windows, macOS, Linux

How It Works

Your Device
    |
    | WireGuard tunnel (encrypted)
    |
    v
Cloudflare's Network (closest edge server)
    |
    | Routes your traffic through Cloudflare
    |
    v
Internet

Your ISP sees encrypted traffic going to a Cloudflare IP. They can't see what websites you visit or what data you send. Websites see a Cloudflare IP, not your real IP.

WARP vs Traditional VPN

Important limitation: WARP does NOT change your apparent country. Cloudflare routes you to the nearest edge server, so websites still see your region. It's for privacy and censorship bypass, not for geo-unblocking Netflix.

Part 1: Install WARP

Android

1. Install "1.1.1.1: Faster Internet" from Google Play
2. Open the app
3. Tap Accept on the privacy policy
4. Tap the big toggle to connect
5. Allow VPN permission when prompted
6. Done — connected

iOS

1. Install "1.1.1.1: Faster & Safer Internet" from the App Store
2. Open and tap Connect
3. Allow VPN configuration
4. Connected

Windows

1. Download from 1.1.1.1 — click "Download for Windows"
2. Install the .msi file
3. It runs in the system tray
4. Click the tray icon → toggle Connect
5. Connected

macOS

1. Download from 1.1.1.1 or the App Store
2. Install
3. Click the menu bar icon → Connect
4. Connected

Linux

# Debian/Ubuntu
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
# If lsb_release is missing: sudo apt install lsb-release -y
echo "deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
sudo apt update
sudo apt install cloudflare-warp -y

# Register (first time only)
warp-cli register

# Connect
warp-cli connect

# Check status
warp-cli status

# Disconnect
warp-cli disconnect

Verify It's Working

After connecting:

• Visit What's My IP — should show a Cloudflare IP, not your ISP's IP
• Visit 1.1.1.1/help — should show "Connected to WARP: Yes"

Part 2: WARP+ (Faster, Still Free)

WARP+ uses Cloudflare's optimized routing (Argo) for faster connections. It officially costs a subscription, but you can get unlimited WARP+ for free using community tools.

Method: WARP+ Key Generator

Several open-source tools generate WARP+ license keys with unlimited data:

# Clone a WARP+ keygen tool
# Search GitHub for "warp-plus" or "warp-key-generator"
# These generate valid WARP+ keys by referral credit stacking

How to apply a WARP+ key:

1. Open the 1.1.1.1 app
2. Go to Settings (gear icon) → Account → Key
3. Enter the WARP+ key
4. Restart the connection
5. The app now shows "WARP+" instead of "WARP"

Is WARP+ Actually Faster?

Actual Steps to Get WARP+

The most reliable method uses wgcf:

# Install wgcf
wget https://github.com/ViRb3/wgcf/releases/latest/download/wgcf_linux_amd64
chmod +x wgcf_linux_amd64
sudo mv wgcf_linux_amd64 /usr/local/bin/wgcf

# Register a free WARP account
wgcf register

# Generate WireGuard config
wgcf generate

# Output: wgcf-profile.conf (a standard WireGuard config)
# You can use this in any WireGuard client

To upgrade to WARP+, apply a WARP+ key in the generated config or in the 1.1.1.1 app settings.

In practice, the speed difference is noticeable on long-distance routes (e.g., Iran to US servers) but minimal for nearby edges. Free WARP is already fast for most users.

Part 3: Why WARP Gets Blocked (and How to Fix It)

The Problem

In countries like Iran and China, ISPs detect and block WireGuard connections (which WARP uses). The blocking methods:

1. UDP blocking — WireGuard uses UDP. Some ISPs throttle or block all UDP except DNS
2. IP blocking — Cloudflare WARP endpoint IPs get blacklisted
3. Port blocking — Default WARP port gets blocked
4. Protocol fingerprinting — DPI identifies WireGuard packet patterns

When WARP is blocked, the app shows "Connecting..." forever or connects but with zero speed.

Solution: Custom WARP Endpoints

Instead of connecting to Cloudflare's default endpoints (which are blocked), you connect to alternative IPs and ports that haven't been blocked yet. These are called "clean WARP endpoints."

Part 4: Finding Clean WARP Endpoints

What Is a WARP Endpoint?

A WARP endpoint is an IP:port combination that the WARP client connects to. The default is engage.cloudflareclient.com:2408. When this gets blocked, you need to find alternative Cloudflare IPs that still accept WireGuard connections.

Scanning for Endpoints

Use endpoint scanner tools to find working IPs:

# Several open-source WARP endpoint scanners exist on GitHub
# They test Cloudflare IP ranges for WireGuard connectivity
# and return the fastest working endpoints

# Example output:
# 162.159.192.1:2408    45ms
# 162.159.195.5:1701    52ms
# 188.114.96.3:939      68ms

Common Working Endpoints

These Cloudflare IP ranges typically have working WARP endpoints:

162.159.192.0/24
162.159.193.0/24
162.159.195.0/24
188.114.96.0/24
188.114.97.0/24

Common ports: 500, 854, 859, 864, 878, 880, 890, 891, 894, 903, 908, 928, 934, 939, 942, 943, 945, 946, 955, 968, 987, 988, 1002, 1010, 1012, 1018, 1070, 1074, 1180, 1387, 1701, 1843, 2371, 2408, 2506, 3138, 3476, 3581, 3854, 4177, 4198, 4233, 4500, 5279, 5956, 7103, 7152, 7156, 7281, 7559, 8319, 8742, 8854, 8886

Apply Custom Endpoints

Android (1.1.1.1 app):

The official app doesn't support custom endpoints directly. Use a WireGuard-compatible client instead:

1. Generate a WARP WireGuard config (see Part 5)
2. Import into WireGuard app or Hiddify
3. Change the endpoint IP and port to a working one

Linux:

# Set custom endpoint
warp-cli set-custom-endpoint 162.159.192.1:2408
# Note: warp-cli command syntax varies by version. If this fails, try: warp-cli tunnel endpoint set IP:PORT

# Or reset to default
warp-cli clear-custom-endpoint

# Then connect
warp-cli connect

Windows/macOS:

The desktop WARP client supports custom endpoints via the GUI: Settings → Advanced → Connection Options → Custom Endpoint

iOS:

The official 1.1.1.1 iOS app does not support custom endpoints. Workaround:

1. Generate a WARP WireGuard config using wgcf (see Part 5)
2. Change the Endpoint line to a working IP:port
3. Import the config into the WireGuard iOS app
4. Connect through WireGuard instead of the 1.1.1.1 app

Part 5: WARP as WireGuard Config

You can extract your WARP configuration as a standard WireGuard config file. This lets you use WARP with any WireGuard client, not just the official app.

Generate WARP WireGuard Config

Use community tools to generate the config:

# Tools like "wgcf" or "warp2wireguard" generate WireGuard configs from WARP
# The output looks like a standard WireGuard config:

[Interface]
PrivateKey = YOUR_PRIVATE_KEY
Address = 172.16.0.2/32
Address = fd01:5ca1:ab1e:xxxx::1/128
DNS = 1.1.1.1

[Peer]
PublicKey = bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = 162.159.192.1:2408

Import this into any WireGuard client. Change the Endpoint to a working IP:port if the default is blocked.

Part 6: WARP as Xray Outbound (Clean IP)

This is an advanced use case: route your Xray/V2Ray proxy traffic through WARP on the server side. This gives your proxy a "clean" Cloudflare IP instead of your VPS's data center IP.

Why?

Some websites and services (Google, ChatGPT, Netflix) block or captcha VPS IP ranges. By routing outbound traffic through WARP, these services see a Cloudflare IP instead of your VPS IP — much cleaner.

User → Your Xray Proxy → WARP → Internet
                          ↑
                    Websites see a clean Cloudflare IP
                    instead of your VPS datacenter IP

Setup on Your VPS

# Install WARP on your VPS
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
# If lsb_release is missing: sudo apt install lsb-release -y
echo "deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
sudo apt update && sudo apt install cloudflare-warp -y

# Register
warp-cli register

# Set WARP to proxy mode (SOCKS5 on localhost)
warp-cli set-mode proxy

# Connect
warp-cli connect

# Verify — WARP SOCKS5 proxy is now at 127.0.0.1:40000
curl --proxy socks5h://127.0.0.1:40000 ifconfig.me
# Should show a Cloudflare IP

Configure Xray Outbound

In 3X-UI: Xray Configs → Outbounds → Add Outbound:

{
  "tag": "warp",
  "protocol": "socks",
  "settings": {
    "servers": [
      {
        "address": "127.0.0.1",
        "port": 40000
      }
    ]
  }
}

Then add routing rules to send specific traffic through WARP:

{
  "outboundTag": "warp",
  "domain": [
    "google.com",
    "googleapis.com",
    "openai.com",
    "chatgpt.com",
    "netflix.com"
  ]
}

Now Google, ChatGPT, and Netflix see a clean Cloudflare IP

IPv4 vs IPv6: WARP assigns both IPv4 and IPv6. Some services behave differently. To force IPv4 in your Xray routing, add "domainStrategy": "ForceIPv4" to the outbound. To force IPv6 (useful for some services), use "ForceIPv6". while everything else goes directly from your VPS.

Part 7: WARP vs Other Free Options

WARP is best when: You want a quick, free, fast VPN without setting up servers. It works well in many censored countries with the right endpoints.

WARP is NOT enough when: Your country aggressively blocks WireGuard (even with custom endpoints), or you need to change your apparent location, or you need guaranteed bypass. In those cases, use Hysteria2, VLESS+Reality, or paqctl.

Troubleshooting

Check Connection Status

# Linux
warp-cli status
warp-cli settings

# All platforms
# Visit https://1.1.1.1/help
# Should show: Connected to WARP: Yes

Related Guides

• What Is a VPN — VPN basics explained
• WireGuard Setup — self-hosted VPN
• Hysteria2 Setup — when WARP isn't enough
• 3X-UI Panel Setup — full proxy server
• Clean Cloudflare IPs — find working Cloudflare IPs
• Proxy Client Setup — configure client apps
• Every Way to Bypass Censorship — all methods compared
• VPN Leak Guide — prevent leaks
• Tor Explained — anonymity alternative
• paqctl Setup — heavy censorship bypass

Related Tools

• VPN Leak Test — verify WARP is working
• What's My IP — check your IP
• Speed Test — test WARP speed
• DNS Toolbox — verify DNS through WARP