AmneziaWG + Xray + WARP
- WARP is a free VPN from Cloudflare that allows you to hide your public IP (for bypassing Gemini blocking or for security purposes). It can run in SOCKS5 proxy mode, so that only selected traffic is proxied.
- Xray is a smart routing core that directs traffic to the WARP SOCKS5 proxy according to specified rules (in our case, domain-based rules).
On a Debian-based OS, update the packages and install the basic utilities:
sudo apt update && sudo apt upgrade -y
sudo apt install -y curl gnupg lsb-release
Install WARP:
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
sudo apt update && sudo apt install cloudflare-warp -y
Register with WARP and start the SOCKS5 proxy:
warp-cli registration new
warp-cli mode proxy
warp-cli proxy port 40000
warp-cli connect
# Check functionality, should return an IP address from Cloudflare
curl --socks5 127.0.0.1:40000 ifconfig.me
Install Xray:
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
Replace the file /usr/local/etc/xray/config.json with the contents:
{
  "log": {
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "tag": "transparent",
      "port": 12345, // Port where AmneziaWG will forward traffic
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp", // UDP will be intercepted by iptables
        "followRedirect": true
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      }
    }
  ],
  "outbounds": [
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {}
    },
    {
      "tag": "warp-socks",
      "protocol": "socks",
      "settings": {
        "domainStrategy": "UseIPv4",
        "servers": [
          {
            "address": "127.0.0.1", // WARP SOCKS5 proxy address and port
            "port": 40000
          }
        ]
      }
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "type": "field",
        "domain": [
          "geosite:google",
          "geosite:google-gemini",
          "domain:2ip.io" // To check functionality
        ],
        "outboundTag": "warp-socks"
      },
      {
        "type": "field",
        "network": "tcp,udp",
        "outboundTag": "direct" // Everything else is direct
      }
    ]
  }
}
Restart the service and add it to startup:
sudo systemctl restart xray
sudo systemctl enable xray
Add additional iptables rules:
# Forward all AmneziaWG traffic to port 12345
sudo iptables -t nat -I PREROUTING 1 -i amn0 -p tcp -j REDIRECT --to-ports 12345
# Disable UDP for HTTPS (QUIC) for amn0 (SOCKS5 only supports TCP)
sudo iptables -I FORWARD -i amn0 -p udp --dport 443 -j DROP
# Block port 12345 on the interface with the public IP address (you can find it with the command ip -c -br a)
sudo iptables -I INPUT -i ens1 -p tcp --dport 12345 -j DROP
To make iptables rules persist across reboots:
sudo apt install iptables-persistent
# During installation you will be prompted to save the current rules; you can also save them later with a separate command.
sudo netfilter-persistent save
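A read-only check for the three rules above, added here as an example and not part of the original guide: it scans `iptables-save` output and also flags an earlier ACCEPT that would override the DROP protecting the Xray port on the public interface. The function name `audit_rules` and the sample dump are constructed for illustration; `amn0`, `ens1` and `12345` are the values used in this guide.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# audit_rules VPN_IF WAN_IF PORT   (reads iptables-save output on stdin)
# Prints one line per problem; exit status 0 means all checks passed.
# Live host: sudo iptables-save | audit_rules amn0 ens1 12345
audit_rules() {
    awk -v vpn="$1" -v wan="$2" -v port="$3" '
        # True when the rule line contains the option string as whole words.
        function has(opt) { return index(" " $0 " ", " " opt " ") > 0 }

        /^-A PREROUTING / && has("-i " vpn) && has("-p tcp") &&
            has("-j REDIRECT --to-ports " port) { redirect = 1 }

        /^-A FORWARD / && has("-i " vpn) && has("-p udp") &&
            has("--dport 443") && has("-j DROP") { quic = 1 }

        /^-A INPUT / && has("-p tcp") && has("--dport " port) {
            if (has("-j DROP") && has("-i " wan)) {
                blocked = 1
            } else if (has("-j ACCEPT") && !blocked &&
                       (has("-i " wan) || $0 !~ / -i /)) {
                # First match wins: an earlier ACCEPT that covers the
                # public interface makes the later DROP ineffective.
                shadowed = 1
            }
        }

        END {
            if (!redirect) { print "missing: tcp REDIRECT on " vpn " to port " port; bad = 1 }
            if (!quic)     { print "missing: UDP/443 DROP on " vpn; bad = 1 }
            if (!blocked)  { print "missing: DROP for tcp port " port " on " wan; bad = 1 }
            if (shadowed)  { print "shadowed: ACCEPT for tcp port " port " precedes the DROP on " wan; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample in iptables-save format, matching the rules in this guide.
SAMPLE_DUMP='*nat
-A PREROUTING -i amn0 -p tcp -j REDIRECT --to-ports 12345
COMMIT
*filter
-A INPUT -i ens1 -p tcp -m tcp --dport 12345 -j DROP
-A FORWARD -i amn0 -p udp -m udp --dport 443 -j DROP
COMMIT'

printf '%s\n' "$SAMPLE_DUMP" | audit_rules amn0 ens1 12345 && echo "rules OK"
```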
You can check whether the geosite-based routing is working by opening 2ip.io; the site should display a Cloudflare IP address.
To install the latest geosite domain database:
sudo curl -L -o /usr/local/share/xray/geosite.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat
AmneziaWG + WARP
For a simpler configuration, you can use the script https://github.com/isultanov99/amnezia-warp-host-routing. This will route all AmneziaWG traffic through WARP.
sudo apt install git
git clone https://github.com/isultanov99/amnezia-wg-warp-host-routing
cd amnezia-wg-warp-host-routing/
chmod +x deploy_amnezia_warp_host.sh
# Run script
./deploy_amnezia_warp_host.sh
# Functionality check
sudo systemctl status amnezia-warp-routing@v2.service