From aradotso-trending-skills-37
Deploys ultra-lightweight Cloudflare WARP SOCKS5 proxy in Docker via kernel WireGuard and microsocks, using ~800KB RAM and 9MB image. For low-resource proxy setups with auto-registration.
npx claudepluginhub joshuarweaver/cascade-ai-ml-agents-misc-1 --plugin aradotso-trending-skills-37This skill uses the workspace's default tool permissions.
```markdown
Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.
Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).
Generates original PNG/PDF visual art via design philosophy manifestos for posters, graphics, and static designs on user request.
---
name: microwarp-cloudflare-proxy
description: Ultra-lightweight Cloudflare WARP SOCKS5 proxy in Docker using kernel-level WireGuard and microsocks, consuming under 800KB RAM
triggers:
- set up cloudflare warp proxy docker
- lightweight warp socks5 container
- microwarp setup and configuration
- replace caomingjun warp with microwarp
- cloudflare warp wireguard docker low memory
- warp proxy with authentication docker
- bypass cloudflare warp regional blocks
- warp socks5 proxy under 1mb ram
---
# MicroWARP Cloudflare Proxy
> Skill by [ara.so](https://ara.so) — Daily 2026 Skills collection.
MicroWARP is an ultra-lightweight Cloudflare WARP SOCKS5 proxy that runs inside Docker using Linux kernel-level WireGuard (`wg0`) and a pure-C `microsocks` server. It uses **~800KB RAM** and a 9MB image — compared to 150MB RAM and 201MB image for `caomingjun/warp`.
## Architecture
- **WireGuard kernel module** (`wg0`): handles WARP tunnel at kernel level, near-zero CPU
- **microsocks**: pure C SOCKS5 server, no Go/Rust overhead
- **Auto-registration**: fetches free WARP credentials from Cloudflare API on first run
- **Persistent volume**: saves WireGuard config to avoid re-registration on restart
## Installation
### Docker Compose (recommended)
```yaml
# docker-compose.yml
version: '3.8'
services:
microwarp:
image: ghcr.io/ccbkkb/microwarp:latest
container_name: microwarp
restart: always
ports:
- "1080:1080"
cap_add:
- NET_ADMIN
- SYS_MODULE
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
volumes:
- warp-data:/etc/wireguard
volumes:
warp-data:
docker compose up -d
docker compose logs -f # watch first-run registration
docker run -d \
--name microwarp \
--restart always \
-p 1080:1080 \
--cap-add NET_ADMIN \
--cap-add SYS_MODULE \
--sysctl net.ipv4.conf.all.src_valid_mark=1 \
-v warp-data:/etc/wireguard \
ghcr.io/ccbkkb/microwarp:latest
| Variable | Default | Description |
|---|---|---|
BIND_ADDR | 0.0.0.0 | SOCKS5 listen address |
BIND_PORT | 1080 | SOCKS5 listen port |
SOCKS_USER | (empty) | Auth username (empty = no auth) |
SOCKS_PASS | (empty) | Auth password |
ENDPOINT_IP | (auto) | Custom WARP endpoint IP:port (bypass DPI) |
version: '3.8'
services:
microwarp:
image: ghcr.io/ccbkkb/microwarp:latest
container_name: microwarp
restart: always
ports:
- "1080:1080"
cap_add:
- NET_ADMIN
- SYS_MODULE
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
environment:
- SOCKS_USER=${WARP_USER}
- SOCKS_PASS=${WARP_PASS}
volumes:
- warp-data:/etc/wireguard
volumes:
warp-data:
environment:
- BIND_ADDR=127.0.0.1 # localhost only
- BIND_PORT=9050
- SOCKS_USER=${WARP_USER}
- SOCKS_PASS=${WARP_PASS}
If Cloudflare's reserved bytes verification blocks your region, inject a clean endpoint IP:
environment:
- ENDPOINT_IP=162.159.193.10:2408
Scan for clean endpoints using tools like warp-endpoint-scanner and inject the best one.
ports:
- "127.0.0.1:1080:1080" # only accessible from host
environment:
- BIND_ADDR=0.0.0.0 # container listens on all interfaces
# Basic connectivity test
curl --socks5 127.0.0.1:1080 https://cloudflare.com/cdn-cgi/trace
# With authentication
curl --socks5-hostname 127.0.0.1:1080 \
--proxy-user "${WARP_USER}:${WARP_PASS}" \
https://cloudflare.com/cdn-cgi/trace
# Check your IP via WARP
curl --socks5 127.0.0.1:1080 https://ipinfo.io/json
import requests
proxies = {
"http": "socks5://127.0.0.1:1080",
"https": "socks5://127.0.0.1:1080",
}
# With auth
proxies_auth = {
"http": "socks5://user:pass@127.0.0.1:1080",
"https": "socks5://user:pass@127.0.0.1:1080",
}
resp = requests.get("https://ipinfo.io/json", proxies=proxies)
print(resp.json())
import { SocksProxyAgent } from 'socks-proxy-agent';
import fetch from 'node-fetch';
const agent = new SocksProxyAgent('socks5://127.0.0.1:1080');
// With auth: 'socks5://user:pass@127.0.0.1:1080'
const res = await fetch('https://ipinfo.io/json', { agent });
console.log(await res.json());
MicroWARP provides SOCKS5 only. Chain with gost for HTTP:
# Install gost
curl -fsSL https://github.com/go-gost/gost/releases/latest/download/gost_linux_amd64.tar.gz | tar xz
# Chain: HTTP :8081 → SOCKS5 microwarp :1080
# IMPORTANT: use socks5:// NOT socks5h:// to resolve DNS locally
nohup ./gost \
-F "socks5://${WARP_USER}:${WARP_PASS}@127.0.0.1:1080" \
-L "http://:8081" \
> /dev/null 2>&1 &
⚠️ Always use
socks5://notsocks5h://—socks5hdelegates DNS to the proxy, which can deadlock during WireGuard UDP handshake cold start causing503errors.
version: '3.8'
services:
warp-1:
image: ghcr.io/ccbkkb/microwarp:latest
ports: ["1080:1080"]
cap_add: [NET_ADMIN, SYS_MODULE]
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
volumes:
- warp-data-1:/etc/wireguard
warp-2:
image: ghcr.io/ccbkkb/microwarp:latest
ports: ["1081:1080"]
cap_add: [NET_ADMIN, SYS_MODULE]
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
volumes:
- warp-data-2:/etc/wireguard
volumes:
warp-data-1:
warp-data-2:
{
"outbounds": [
{
"tag": "warp",
"protocol": "socks",
"settings": {
"servers": [
{
"address": "127.0.0.1",
"port": 1080,
"users": [
{ "user": "admin", "pass": "yourpass" }
]
}
]
}
}
]
}
# /etc/proxychains4.conf
[ProxyList]
socks5 127.0.0.1 1080
proxychains4 telegram-desktop
# Check container resource usage
docker stats microwarp
# Expected output:
# CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM %
# 2fa58f84c517 microwarp 0.25% 800KiB / 967.4MiB 0.08%
# View logs (first-run registration)
docker logs microwarp
# Inspect WireGuard interface inside container
docker exec microwarp wg show
# Check if SOCKS5 port is listening
docker exec microwarp ss -tlnp | grep 1080
# Test from inside container
docker exec microwarp wget -qO- --timeout=10 \
-e "use_proxy=yes" \
-e "https_proxy=socks5://127.0.0.1:1080" \
https://cloudflare.com/cdn-cgi/trace
Error: WireGuard kernel module not found
Fix: Ensure host kernel has WireGuard support (Linux 5.6+ has it built-in):
# Check host kernel
uname -r
# Should be 5.6+
# Verify wireguard module
modprobe wireguard && echo "OK"
Add SYS_MODULE capability and the sysctl:
cap_add:
- NET_ADMIN
- SYS_MODULE
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
Fix: Inject a known-good WARP endpoint:
environment:
- ENDPOINT_IP=162.159.193.10:2408
Popular clean endpoints:
162.159.193.10:2408162.159.195.1:2408188.114.96.1:2408This is the WireGuard UDP handshake cold-start issue. Fix: Use socks5:// not socks5h:// in your client. The difference:
socks5:// — client resolves DNS, sends IP to proxy ✅socks5h:// — proxy resolves DNS, hits WireGuard during cold start ❌# Check volume contents
docker run --rm -v warp-data:/data alpine ls -la /data
# If empty after accidental volume deletion, container will re-register automatically
# Just restart and wait ~10 seconds
docker compose restart microwarp
Ensure you're pulling the multi-arch image correctly:
# Force arm64 pull
docker pull --platform linux/arm64 ghcr.io/ccbkkb/microwarp:latest
| Capability | Reason |
|---|---|
NET_ADMIN | Create/configure wg0 WireGuard interface |
SYS_MODULE | Load WireGuard kernel module if not already loaded |
net.ipv4.conf.all.src_valid_mark=1 | Required for WireGuard routing marks |
warp-cli, no Rust daemon — pure kernel WireGuard + C microsocks/etc/wireguard/wg0.conf inside the volume-plinux/amd64 and linux/arm64 supported natively