S-UI + Cloudflare WARP in one command. Deploy a multi-protocol proxy server with clean Cloudflare IP exit in under 2 minutes.
```bash
bash <(curl -sL https://raw.githubusercontent.com/iPythoning/SUIWARP/main/setup.sh)
```
SUIWARP automates the entire setup of a production-ready proxy server:
- Installs S-UI — sing-box management panel with 6 proxy protocols
- Registers free Cloudflare WARP — via wgcf
- Routes traffic through WARP — via wireproxy (userspace WireGuard, ~4MB RAM)
- Configures firewall, swap, DNS — hardened and OOM-proof
Standard mode (WARP exit):
```
Client ──→ Your Server (S-UI / sing-box)
               │
               ├─ VLESS Reality Vision   :443/tcp
               ├─ TUIC v5                :443/udp
               ├─ Hysteria2              :8443/udp
               ├─ VLESS Reality gRPC     :2053/tcp
               ├─ Trojan Reality         :8880/tcp
               ├─ VLESS Reality WS       :2083/tcp
               ├─ VLESS CDN WS           :2052/tcp   ← CF CDN relay
               ├─ ShadowTLS v3+SS2022    :9443/tcp   ← anti-DPI
               ├─ VLESS HTTPUpgrade      :10443/tcp  ← stealth HTTP
               └─ Hysteria2 PortHop      :20000-40000/udp
               │
               ▼
        wireproxy (SOCKS5, ~4MB)
               │
               ▼
        Cloudflare WARP → Exit IP: Cloudflare (AS13335)
```
`--no-warp` mode (direct exit — for residential IPs):
```
Client ──→ Your Server (S-UI / sing-box)
               │
               └─ [all protocols]
               │
               ▼
        Exit IP: Your server's residential IP (direct)
```
| VPS/Datacenter | Residential IP (--no-warp) |
|---|---|
| Datacenter IP easily flagged | Residential IP already clean |
| Use WARP for Cloudflare exit | Skip WARP — exit directly |
| +4MB RAM (wireproxy) | No wireproxy needed |
- OS: Ubuntu 20.04+ / Debian 11+ (x86_64 or ARM64)
- RAM: 1GB minimum (512MB usable after OS)
- Access: Root SSH
Standard (WARP exit — for datacenter/VPS IPs):
```bash
bash <(curl -sL https://raw.githubusercontent.com/iPythoning/SUIWARP/main/setup.sh)
```
Direct exit — for static residential IPs (no WARP needed):
```bash
bash <(curl -sL https://raw.githubusercontent.com/iPythoning/SUIWARP/main/setup.sh) --no-warp
```
Use `--no-warp` when your server already has a clean residential IP. WARP is skipped entirely — traffic exits directly via your server IP, saving ~4MB RAM and a registration step.
After installation, find your client links at:
```bash
cat /root/suiwarp-client-links.txt
```
Or visit the S-UI panel:
```
http://YOUR_IP:2095/app/
Default: admin / admin ← change immediately!
```
Import the links into your preferred client:
| Platform | Recommended Client |
|---|---|
| Windows | v2rayN |
| macOS | V2Box |
| iOS | Shadowrocket, Stash |
| Android | v2rayNG, NekoBox |
| Linux | nekoray |
| # | Protocol | Port | Transport | Best For |
|---|---|---|---|---|
| 1 | VLESS Reality Vision | 443/tcp | TCP | Daily use (most covert) |
| 2 | TUIC v5 | 443/udp | QUIC | Gaming (low latency) |
| 3 | Hysteria2 | 8443/udp | QUIC | Streaming (max speed) |
| 4 | VLESS Reality gRPC | 2053/tcp | gRPC | Multiplexing (stable) |
| 5 | Trojan Reality | 8880/tcp | TCP | Classic fallback |
| 6 | VLESS Reality WS | 2083/tcp | WebSocket | CDN/firewall bypass |
| 7 | VLESS CDN WS | 2052/tcp | WS + CF CDN | IP hidden behind Cloudflare |
| 8 | ShadowTLS v3 + SS2022 | 9443/tcp | ShadowTLS | Anti-DPI, looks like normal TLS |
| 9 | VLESS HTTPUpgrade | 10443/tcp | HTTPUpgrade + Reality | Stealth HTTP, lighter than WS |
| 10 | Hysteria2 Port Hopping | 20000-40000/udp | QUIC | Anti-QoS, port randomization |
VLESS CDN WS (protocol 7): hides your server IP behind Cloudflare CDN. Even if the VPS IP is blocked, the CDN relay still works.
Setup: Add a Cloudflare DNS A record pointing to your server (Proxied/orange cloud), then use the generated link with your CF domain.
ShadowTLS v3 + SS2022 (protocol 8): performs a real TLS handshake with a legitimate site (e.g., www.microsoft.com), making traffic indistinguishable from normal HTTPS. The most DPI-resistant protocol available.
Client: Requires sing-box based clients (NekoBox, sing-box CLI). Config saved to `/root/suiwarp-extra-links.txt`.
VLESS HTTPUpgrade (protocol 9): lighter than WebSocket; uses the HTTP Upgrade mechanism with Reality TLS. Lower overhead, harder to fingerprint than standard WS.
Hysteria2 Port Hopping (protocol 10): the server uses iptables DNAT to redirect UDP ports 20000-40000 to the Hysteria2 listener. The client randomly hops between ports, defeating QoS throttling and port-based blocking.
Cloudflare automatically enables ECH for proxied domains. When using CDN relay (Protocol 7) with sw.your-domain.com, SNI is encrypted end-to-end on supported clients (Chrome 130+, Firefox 128+). No server config needed.
| Component | RAM | Description |
|---|---|---|
| S-UI (sing-box) | ~50MB | Panel + 8 protocol inbounds |
| sing-box (extra) | ~6MB | ShadowTLS v3 + HTTPUpgrade |
| wireproxy | ~4MB | WARP tunnel |
| Total | ~60MB | Fits on 512MB VPS |
```bash
# Service status
systemctl status s-ui
systemctl status wireproxy-warp
# View logs
journalctl -u s-ui -f
journalctl -u wireproxy-warp -f
# Restart services
systemctl restart s-ui
systemctl restart wireproxy-warp
# Check WARP exit IP
curl -x socks5h://127.0.0.1:40000 ifconfig.me
# Check direct IP
curl ifconfig.me
```
Uninstall:
```bash
bash <(curl -sL https://raw.githubusercontent.com/iPythoning/SUIWARP/main/uninstall.sh)
```
Or if you have the repo cloned:
```bash
bash uninstall.sh
```
The key insight is using wireproxy — a userspace WireGuard implementation that exposes a local SOCKS5 proxy. This avoids:
- Kernel WireGuard module dependency
- TUN device permissions
- sing-box WireGuard compilation flags
- Heavy `warp-cli` daemon (~100MB RAM)
Instead, wireproxy runs a ~4MB process that tunnels traffic through Cloudflare WARP and exposes 127.0.0.1:40000 as a SOCKS5 proxy. S-UI's sing-box is configured to route all outbound traffic through this SOCKS5 proxy, making all client traffic exit through Cloudflare's network.
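The claim that all traffic exits through Cloudflare can be checked rather than assumed. The script below is an added example, not part of SUIWARP: it compares two responses from Cloudflare's `cdn-cgi/trace` endpoint, one fetched through the wireproxy SOCKS5 port and one fetched directly, and reports a leak when both show the same exit IP. The function names and the sample bodies are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: decide whether the SOCKS5 path really exits via WARP.
# Inputs are two bodies of https://www.cloudflare.com/cdn-cgi/trace:
#   $1 fetched through wireproxy, $2 fetched directly from the server.

trace_field() {   # trace_field <key> <trace-body>: print the value of key=value
  printf '%s\n' "$2" | awk -F= -v k="$1" '$1 == k { print $2; exit }'
}

warp_exit_status() {
  proxied_ip=$(trace_field ip "$1")
  direct_ip=$(trace_field ip "$2")
  warp=$(trace_field warp "$1")
  if [ -z "$proxied_ip" ]; then
    echo "FAIL no-response-through-proxy"        # wireproxy down or blocked
  elif [ "$proxied_ip" = "$direct_ip" ]; then
    echo "FAIL leak exit=$proxied_ip"            # traffic leaves via the server IP
  elif [ -z "$warp" ] || [ "$warp" = "off" ]; then
    echo "FAIL warp=off exit=$proxied_ip"        # different IP, but not WARP
  else
    echo "OK warp=$warp exit=$proxied_ip"
  fi
}

# Constructed sample bodies (documentation addresses, not real measurements).
VIA_PROXY='fl=000f000
ip=203.0.113.10
warp=on
gateway=off'
DIRECT='fl=000f000
ip=198.51.100.7
warp=off
gateway=off'

warp_exit_status "$VIA_PROXY" "$DIRECT"

# Live use on the server:
#   T=https://www.cloudflare.com/cdn-cgi/trace
#   warp_exit_status "$(curl -s -x socks5h://127.0.0.1:40000 $T)" "$(curl -s $T)"
```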
| Port | Protocol | Service |
|---|---|---|
| 443/tcp | TCP | VLESS Reality Vision |
| 443/udp | UDP | TUIC v5 |
| 8443/udp | UDP | Hysteria2 |
| 2053/tcp | TCP | VLESS Reality gRPC |
| 8880/tcp | TCP | Trojan Reality |
| 2083/tcp | TCP | VLESS Reality WS |
| 2052/tcp | TCP | VLESS CDN WS (CF relay) |
| 9443/tcp | TCP | ShadowTLS v3 + SS2022 |
| 10443/tcp | TCP | VLESS HTTPUpgrade |
| 20000-40000/udp | UDP | Hysteria2 Port Hopping |
| 2095/tcp | TCP | S-UI Panel |
| 2096/tcp | TCP | Subscription Server |
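
The port table doubles as an allowlist for auditing what the server actually exposes. The script below is an added example, not part of SUIWARP: it reads `ss -H -tuln` output, flags public listeners that are not in the table, and flags the wireproxy SOCKS5 port (40000) if it is bound to anything other than loopback. The SSH port (22) is an assumption, and the sample socket list is constructed.

```shell
#!/usr/bin/env bash
# Added example: audit listening sockets against the port table above.
# Reads `ss -H -tuln` output on stdin and prints one finding per line.

# Public listeners documented on this page. The 20000-40000/udp range is
# DNAT to the Hysteria2 listener, so it never shows up as a socket.
EXPECTED="tcp/443 udp/443 udp/8443 tcp/2053 tcp/8880 tcp/2083 tcp/2052 tcp/9443 tcp/10443 tcp/2095 tcp/2096"
SSH_PORT="${SSH_PORT:-22}"   # assumption: the page does not state the SSH port

audit_listeners() {          # pass --no-warp when wireproxy is not installed
  awk -v list="$EXPECTED tcp/$SSH_PORT" -v nowarp="${1:-}" '
    BEGIN { n = split(list, e, " "); for (i = 1; i <= n; i++) expected[e[i]] = 1 }
    {
      k = split($5, part, ":"); port = part[k]          # port follows last colon
      addr = substr($5, 1, length($5) - length(port) - 1)
      loopback = (addr ~ /^127\./ || addr == "[::1]")
      key = $1 "/" port
      if (key == "tcp/40000") {                         # wireproxy: loopback only
        seen = 1
        if (!loopback) print "OPEN_PROXY " key " bound to " addr
      } else if (!loopback && !(key in expected)) {
        print "UNEXPECTED " key " bound to " addr
      }
    }
    END { if (!seen && nowarp != "--no-warp") print "MISSING tcp/40000 (wireproxy SOCKS5)" }
  '
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE='udp UNCONN 0 0 0.0.0.0:443 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
tcp LISTEN 0 4096 *:2095 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 4096 0.0.0.0:40000 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:6379 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*'

printf '%s\n' "$SAMPLE" | audit_listeners

# Live use on the server:  ss -H -tuln | audit_listeners
```

An empty result means every public listener is one the table documents and the SOCKS5 port is reachable only from the server itself.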