WARP outbound over WireGuard (Without warp-cli)

Setting Up WireGuard with Wgcf (Without `warp-cli`)

Overview

This guide explains how to configure WireGuard using Wgcf, without relying on warp-cli. This method is ideal for VPS, proxy nodes, and traffic routing through Cloudflare WARP.

Benefits of this method

No need to install warp-cli on every node.
Easily scalable across multiple services.

1. Download Wgcf

Go to: Releases · ViRb3/wgcf (GitHub)

Choose the version that matches your system. Example for Linux AMD64:

Download command

wget https://github.com/ViRb3/wgcf/releases/download/v2.2.26/wgcf_2.2.26_linux_amd64

2. Move file to system directory

Rename and move file

mv wgcf_2.2.26_linux_amd64 /usr/bin/wgcf

3. Make file executable

Set execution permissions

chmod +x /usr/bin/wgcf

4. Register account

This will generate a configuration file:

wgcf register

A file named wgcf-account.toml will be created.

5. Generate WireGuard profile

Generate config

wgcf generate

A file named wgcf-profile.conf will appear.

6. Extract keys from config

Open the generated file:

View config

cat wgcf-profile.conf

You’ll see two important fields:

PrivateKey
PublicKey

7. Configure outbound in XRAY

Add the following to your XRAY config under outbounds:

XRAY WireGuard outbound example
{
  "tag": "warp",
  "protocol": "wireguard",
  "settings": {
    "secretKey": "YOUR_PRIVATE_KEY_FROM_FILE",
    "DNS": "1.1.1.1",
    "kernelMode": false,
    "address": ["172.16.0.2/32"],
    "peers": [
      {
        "publicKey": "YOUR_PUBLIC_KEY_FROM_FILE",
        "endpoint": "engage.cloudflareclient.com:2408"
      }
    ]
  }
}

8. Full `outbounds` block example

Full outbound list with WARP
[
  {
    "tag": "DIRECT",
    "protocol": "freedom",
    "settings": {
      "domainStrategy": "ForceIPv4"
    }
  },
  {
    "tag": "warp",
    "protocol": "wireguard",
    "settings": {
      "secretKey": "MISEK000000000000000000vim6zWY=",
      "DNS": "1.1.1.1",
      "kernelMode": false,
      "address": ["172.16.0.2/32"],
      "peers": [
        {
          "publicKey": "bm00000000000000000Vo510h2wPfgyo=",
          "endpoint": "engage.cloudflareclient.com:2408"
        }
      ]
    }
  },
  {
    "tag": "BLOCK",
    "protocol": "blackhole"
  },
  {
    "tag": "IPv4",
    "protocol": "freedom",
    "settings": {
      "domainStrategy": "ForceIPv4"
    }
  }
]

9. Add routing rule for specific domains

To route certain domains through WARP, add the following to the routing section:

Routing rule example
{
  "outboundTag": "warp",
  "domain": [
    "geosite:google-gemini",
    "openai.com",
    "ipinfo.io",
    "spotify.com",
    "canva.com"
  ],
  "type": "field"
}

⚠️ Security Tip

Never publish your PrivateKey in public repositories or chat groups — it can compromise your connection.

Conclusion

Using WireGuard with Wgcf is a clean and scalable way to connect to Cloudflare WARP without installing warp-cli.

Setting Up WireGuard with Wgcf (Without warp-cli)​

Overview​

Benefits of this method​

1. Download Wgcf​

2. Move file to system directory​

3. Make file executable​

4. Register account​

5. Generate WireGuard profile​

6. Extract keys from config​

7. Configure outbound in XRAY​

8. Full outbounds block example​

9. Add routing rule for specific domains​

⚠️ Security Tip​

Conclusion​