Warp-over-WebSocket-CDN

Bypass ISP throttling and DPI by tunneling Cloudflare Warp traffic over WebSocket with Host Header spoofing through major CDN networks (CloudFront / Cloudflare / Akamai).


What It Does

Many ISPs throttle or block VPN traffic using Deep Packet Inspection (DPI). Warp-over-WebSocket-CDN wraps WireGuard UDP inside a WebSocket connection with a spoofed Host header, routing traffic through major CDN edge networks (CloudFront, Cloudflare, or Akamai). To any firewall or DPI system, the traffic looks like a legitimate WebSocket upgrade to a CDN-hosted domain.

Result: Full Cloudflare Warp speed and privacy, even on heavily restricted networks — including campus, corporate, and ISP-level DPI systems.


Why WebSocket + CDN over plain SNI Tunneling?

| Technique | How DPI sees it | Weakness |
|---|---|---|
| Raw WireGuard | UDP to known IP:2408 | Easily fingerprinted and blocked |
| TLS/SNI tunnel | TLS to spoofed SNI domain | IP-based blocking still possible; no CDN relay |
| WebSocket + CDN (this project) | WebSocket upgrade to trusted CDN domain | CDN IP ranges are whitelisted by most ISPs |

The CDN relay is the key upgrade: your traffic exits through Cloudflare, AWS CloudFront, or Akamai edge nodes — IP ranges that ISPs almost never block because doing so would break huge portions of the internet.


Architecture Overview

[Android App]
    └─► WireGuard (Warp+ config)
          └─► Tunnel client (WebSocket encapsulation)
                └─► Host: <CDN-hosted domain> (spoofed Host header)
                      └─► CDN Edge Node (CloudFront / Cloudflare / Akamai)
                            └─► [Your VPS — tunnel server]
                                  └─► Cloudflare Warp endpoint 162.159.192.1:2408

The Host header names a real domain served by the CDN. The CDN routes the connection to your origin VPS. ISP DPI sees only a standard WebSocket handshake to a CDN IP — indistinguishable from normal app traffic.


Features

| Feature | Description |
|---|---|
| Anti-DPI | WireGuard traffic hidden inside WebSocket frames |
| CDN Relay | Traffic exits via CloudFront / Cloudflare / Akamai IP ranges (rarely blocked) |
| Host Header Spoofing | Appears as a WebSocket upgrade to a trusted CDN domain |
| HTTP/HTTPS support | Works on port 80 (ws://) and port 443 (wss://) |
| Domain Fronting | CDN routes by Host header — survives SNI-based filtering |
| Double Encryption | WebSocket TLS layer on top of WireGuard native encryption |
| No Root Required | Runs entirely in Android user-space |
| Cloudflare Speed | Preserves Warp/1.1.1.1 performance and DNS privacy |

Requirements

  • Android: 7.0 or higher
  • VPS: Ubuntu 20.04+, public IP, port 80 and/or 443 open
  • CDN: Domain registered and proxied through CloudFront, Cloudflare, or Akamai
  • Apps:
      • WireGuard for Android (Play Store / F-Droid)
      • Tunnel client APK from Releases

Quick Start

1. CDN Setup

Point a domain (or subdomain) at your VPS IP using CloudFront, Cloudflare proxy, or Akamai. Make sure the CDN passes WebSocket upgrades to your origin.

Cloudflare example:

  • DNS A record: tunnel.yourdomain.com → your VPS IP, Proxied (orange cloud)
  • SSL/TLS mode: Full
  • WebSockets: Enabled (Network tab)

2. Server Setup

chmod +x setup-server.sh && ./setup-server.sh

Configures the WebSocket tunnel server on port 80 (and optionally 443), forwarding decapsulated WireGuard UDP to 162.159.192.1:2408.

3. Android Setup

  1. Install WireGuard for Android
  2. Install tunnel-client.apk from the Releases page
  3. Import warp.conf into WireGuard
  4. Configure the tunnel client (see tunnel.conf template in configs/)
  5. Start tunnel client first, then enable WireGuard

4. Verify

Visit 1.1.1.1/help — you should see an active Cloudflare Warp connection.


Host Header Presets

These are real CDN-hosted domains. The Host header tells the CDN which origin to route to; your own domain sits behind the same CDN so routing works correctly.

| Host Header Domain | CDN | Use Case |
|---|---|---|
| support.appsflyer.com | Cloudflare | Default — general use |
| d1qq0afxwtfi6m.cloudfront.net | AWS CloudFront | Campus / corporate networks |
| ms.mw.cloud.front.net | Azure CDN | Microsoft-whitelisted environments |
| a104-98-96-10.deploy.static.akamaitechnologies.com | Akamai | Enterprise ISPs |
| zoom.us | Cloudflare | Video-call whitelisted networks |

Custom host headers can be set in the tunnel client config file. The domain must resolve to the same CDN you are routing through.


Traffic Flow (Packet-Level)

Android WireGuard → UDP 127.0.0.1:51820
    ↓
Tunnel client encapsulates in WebSocket frame
    ↓
TCP to CDN IP:80 (or :443)
Host: support.appsflyer.com        ← ISP/DPI sees this
Upgrade: websocket
    ↓
CDN edge node routes to your VPS (by Host header)
    ↓
Tunnel server strips WebSocket framing
    ↓
UDP → 162.159.192.1:2408           ← Cloudflare Warp endpoint

ISP DPI sees: TCP → [CDN IP]:80, Host: support.appsflyer.com, Upgrade: websocket
Actual payload: Encrypted WireGuard frames inside WebSocket binary frames.
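
How a monitoring point can recognise the payload described above, as an added example that is not part of the project's code: it parses WebSocket frames and flags binary frames whose unmasked payload has the size and header of a WireGuard message. It assumes one WireGuard datagram per unfragmented binary frame and zero reserved bytes as sent by the stock WireGuard client; the function names and sample frames are constructed for illustration.

```python
import struct

# WireGuard fixed-size messages: type byte -> (name, on-wire length).
WG_FIXED = {1: ("handshake_initiation", 148), 2: ("handshake_response", 92),
            3: ("cookie_reply", 64)}

def parse_ws_frame(buf):
    """Parse one RFC 6455 frame and return (opcode, unmasked payload)."""
    if len(buf) < 2:
        raise ValueError("truncated frame header")
    opcode, masked, length = buf[0] & 0x0F, bool(buf[1] & 0x80), buf[1] & 0x7F
    pos = 2
    if length == 126:
        length, pos = struct.unpack_from("!H", buf, pos)[0], pos + 2
    elif length == 127:
        length, pos = struct.unpack_from("!Q", buf, pos)[0], pos + 8
    key = buf[pos:pos + 4] if masked else b""
    payload = buf[pos + len(key):pos + len(key) + length]
    if len(payload) != length:
        raise ValueError("truncated frame body")
    if masked:  # client-to-server frames carry a 4-byte XOR mask
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return opcode, payload

def classify_wireguard(payload):
    """Name the WireGuard message a payload is shaped like (stock framing), or None."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None
    name, size = WG_FIXED.get(payload[0], (None, 0))
    if name:
        return name if len(payload) == size else None
    # Data message: 16-byte header + ciphertext padded to 16 + 16-byte tag.
    is_data = payload[0] == 4 and len(payload) >= 32 and len(payload) % 16 == 0
    return "transport_data" if is_data else None

def inspect_frame(buf):
    """Classify one WebSocket frame; only binary frames (opcode 0x2) count."""
    opcode, payload = parse_ws_frame(buf)
    return classify_wireguard(payload) if opcode == 0x2 else None

def make_client_frame(payload, opcode=0x2, key=b"\x11\x22\x33\x44"):
    """Build a masked client frame (constructed sample input, not a capture)."""
    n = len(payload)
    size = bytes([0x80 | n]) if n < 126 else struct.pack("!BH", 0x80 | 126, n)
    body = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return bytes([0x80 | opcode]) + size + key + body

# Constructed samples: 148-byte initiation, 32-byte keepalive, JSON text frame.
SAMPLES = [make_client_frame(b"\x01\x00\x00\x00" + bytes(144)),
           make_client_frame(b"\x04\x00\x00\x00" + bytes(28)),
           make_client_frame(b'{"type":"ping"}', opcode=0x1)]
```

On ws:// (port 80) these frames can be read from the wire; over wss:// they are visible only where TLS is terminated, such as an inspecting proxy.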


Troubleshooting

| Issue | Fix |
|---|---|
| WebSocket connection refused | Check CDN WebSocket passthrough is enabled; try port 443 |
| 301 redirect loop | CDN SSL mode set to "Flexible" — change to "Full" |
| Frequent drops | Switch Host to a more stable CDN domain (e.g. CloudFront subdomain) |
| High latency | Choose a CDN with an edge node close to your location; move VPS closer |
| Tunnel client won't start | Disable WireGuard first; re-grant VPN permissions |
| ISP still blocking | Try port 443 (wss://); rotate Host header to a different CDN domain |
| 101 Switching Protocols but no traffic | Verify tunnel server UDP forward reaches 162.159.192.1:2408 |

Project Structure

warp-over-ws-cdn/
├── README.md
├── ARCHITECTURE.md             ← Detailed architecture & data flow
├── setup-server.sh             ← VPS setup script
├── configs/
│   ├── warp.conf               ← WireGuard config template
│   └── tunnel.conf             ← Tunnel client config template
└── releases/
    └── tunnel-client.apk       ← Bundled Android tunnel client

Differences from SNI Tunnel Version

| | SNI Tunnel | WebSocket + CDN (this project) |
|---|---|---|
| Transport | TLS with spoofed SNI | WebSocket with spoofed Host header |
| Relay | Direct to VPS | Via CDN edge (CloudFront/Cloudflare/Akamai) |
| IP blocking resistance | Moderate | High (CDN IPs are globally whitelisted) |
| Port | 443 | 80 or 443 |
| ISP fingerprinting | TLS ClientHello SNI | HTTP Upgrade headers |
| Setup complexity | Low | Medium (CDN setup required) |

License

Server-side components: MIT License
Tunnel client APK: Proprietary — personal, non-commercial use only


Use only where permitted by local laws and your ISP's terms of service.
Source: README.md, updated 2026-06-12