This project is aimed to provide a user panel to access FREE, SECURE and PRIVATE VLESS, Trojan and Warp configs, It ensures connectivity even when domains or Warp services are blocked by ISPs, offering two deployment options:
\ud83c\udf1f If you found BPB Panel valuable, Your donations make all the difference \ud83c\udf1f
USDT (BEP20)0xbdf15d41C56f861f25b2b11C835bd45dfD5b792F\nIf you enabled Routing rules and the VPN doesn't connect, the only reason is that the Geo assets are not updated. In the v2rayN(G) client menu, go to the Asset files section and tap the cloud or download icon to update. Note that it takes a while to update, you have to wait to see success for all files. If the update fails, it won't connect. If you tried everything and it still doesn't update, download the two files below from the links and instead of updating, tap the add button and import these two files: GeoIP
https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat\nhttps://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat\nTo use these configs, disable Mux in the settings of whichever app you\u2019re using. Also set remote DNS to DOH, DoT or TCP: DoH
https://8.8.8.8/dns-query\ntls://8.8.8.8 \ntcp://8.8.8.8 \nBPB tries adapting new cores' features ASAP, meanwhile some developers just upgrade cores to the latest version regardless of full features adaption and optimizations. So you should communicate such issues with their own developers.
Why Fragment configs speed is slow on my ISP?Each ISP has its own prefered Fragment settings. Most are fine with the panel defaults, but these values may work well on yours. You may need to change Fragment profile to Medium, High or even manually change settings in Custom profile to achieve better results. Also MahsaNG is recommended to connect to fragment configs.
There are many public IPs and some of them might be unstable. You need to test to find a good one.
It worked when I set a proxy IP, but now it's not working!If you use a single IP, it may stop working after some time and many sites won\u2019t open. You need to redo the steps. Preferably, if you're not doing anything that needs a static IP, just use the panel default and don't use a single proxy IP.
Why do I get an error when I go to thepanel/ address? Follow the installation guide or use Wizard; KV, UUID or Trojan password are not properly configured.
I deployed it but Cloudflare returns error 1101!Your Cloudflare account has likely been flagged. Create a new Cloudflare account with an official email like Gmail and. Also, make sure the project name doesn't include the word \"bpb\". It is recommended to use Wizard for installation.
Can I use this for trading?If your Cloudflare IP is located in Germany (which it usually is), using a single Germany proxy IP should be fine. But preferably use the Chain Proxy method to stabilize the IP.
Why I can't see non-TLS ports in panel?To use non-TLS configs, you must deploy via Workers method and without a custom domain.
Why doesn\u2019t the Best Fragment config connect or work properly?Turn off Prefer IPv6 in settings.
Cloudflare can't properly handle the UDP traffic. There is currently no effective solution. Use Warp configs instead.
Why won't ChatGPT open?Because the panel's default proxy IPs are public and many might appear suspicious to ChatGPT. Set a single clean Proxy IP regarding instructions or enable the Bypass ChatGPT option in the routing section of the panel.
Go to your Cloudflare dashboard, find the KV created for Worker or Pages, click view, go to the KV Pairs section. In the table, you\u2019ll see a pwd key \u2014 the value next to it is your password.
From version 2.7.7 onward, setting these two parameters is mandatory and the panel won\u2019t run without them.
I used the Pages upload method but I get a 404.Cloudflare takes about 4\u20135 minutes to register Pages domains. Give it time, refresh, and it should work.
Why doesn\u2019t the panel show the Block Ads checkbox?Extensions like uBlock, AdGuard or even some browsers with built-in ad-block settings, can hide it. Disable them for the panel.
The wizard app lacks Code signing certificate and has to download worker.js on you PC, customize it and deploy to Cloudflare which is a suspicious behaviour to Anti Viruses, known as Trojan/Downloader. So you have to temporarily disable Windows defender or any other Anti Virus program.
Right now v2rayN is experiencing some issues with custom configs and BPB panel configs are all custom. No worries, just enable config and use it. You also have Best Ping config in all subscriptions which connects to best IP automatically, so you don't need to test all configs everytime.
Why sing-box throws error while importing subscription?BPB only supports sing-box 1.12.0 or higher
"},{"location":"configuration/","title":"Settings Configuration","text":"Tip
Please don't worry about incorrect configurations. There's a Reset Settings button next to the Apply Settings button that will reset the panel to default settings.
Info
You must update your subscriptions after making any changes.
Common
Configure shared settings across all protocols and subscriptions.
Getting started
VLESS - Trojan
Configure general VLESS and Trojan settings such as DNS Servers, Clean IPs, Ports, and more.
Getting started
Fragment
Configure Fragment settings to mitigate ISP or regional disruptions.
Getting started
Warp
Common Warp settings for Warp and Warp PRO subscriptions, including Endpoints, Scanner, IPv6, etc.
Getting started
Warp PRO
PRO settings designed to bypass Warp blockage by your ISP.
Getting started
Routing Rules
Add routing rules to bypass local websites, block Ads, block unwanted content, and more.
Getting started
This section provides shared settings between all subscriptions and protocols.
"},{"location":"configuration/common/#local-dns","title":"Local DNS","text":"The local DNS is mainly used for routing bypass rules. By default the local DNS server is set to Google DNS.
Many DNS servers are available to use as Local DNS in shape of IP, however you can use localhost which uses your ISP DNS server which is fine for routing purposes.
"},{"location":"configuration/common/#fake-dns","title":"Fake DNS","text":"You may enable Fake DNS to reduce DNS query latency, but use caution, it may be incompatible with some applications or interfere with system DNS. If you're unsure about its functionality, avoid enabling it.
"},{"location":"configuration/common/#anti-sanction-dns","title":"Anti Sanction DNS","text":"This DNS server is used for Sanction Rules explained here. The default DNS server is Shecan (for iranian users). You should check whether it supports your desired domains before setting routing rules.
Info
DNS server can be in shape of an IP (UDP DNS), TCP DNS, DOT or DoH.
"},{"location":"configuration/common/#enabling-ipv6","title":"Enabling IPv6","text":"The panel provides IPv6 VLESS/Trojan configs by default. If your ISP doesn\u2019t support IPv6, disable it to reduce the number of configs and also optimize DNS and routing settings for VLESS, Trojan and Warp configs.
"},{"location":"configuration/common/#allow-connections-from-lan","title":"Allow connections from LAN","text":"If you enable this feature, others in you network (for example WiFi network) can use your proxy by knowing your device local IP. They can set a socks proxy on their device, set your local IP as address and these ports based on which client you are using:
Please note that this can be risky to use in office or public networks.
"},{"location":"configuration/common/#log-level","title":"Log Level","text":"Specifies the level of client logs. Normally it's \"warning\" which is enough to debug issues, however you may need to change it to submit issues in Github or check your proxy activity.
"},{"location":"configuration/fragment/","title":"Fragment settings","text":"Fragment solution almost solves Clean IP issue for Cloudflare CDN by hiding SNI from MitM, however, settings should be obtained based on ISP. Also please note that Fragment can be enabled for sing-box, however sing-box does not use fragment settings and has its own default settings.
By default settings are:
You can also switch Fragment modes and test based on network situation. Usually default or Low mode should be ok. Please note that by switching to Medium, High or Severe profiles, handshake ping goes higher but it can result in better and more stable connection in high situations. The Best Fragment config is always the best and smart solution, just connect and wait for at least 30 seconds.
You can set the parameters based on your ISP's situation.
Info
Packets have multiple modes. However, tlshello only applies to TLS configurations; ports like 80, 8080, etc., are not affected.
Tip for Iranians
Currently, fragment performance is significantly more efficient on clients using the Xray Knocker core, specifically MahsaNG and v2rayN PRO clients. This core was developed and customized for conditions in Iran.
Tip
If you cannot find the optimum fragment settings for your ISP, there is a Best fragment configuration available in the subscription. Simply connect to it and wait a short while; it tests nearly all valid fragment settings and automatically connects to the best one.
Note
Fragment values have maximum limits. The Length cannot exceed 500, and the Interval cannot exceed 30ms.
Warning
Max Split feature is recently added to Xray core and is a little bit tricky, so please read Xray documents first before setting any value.
"},{"location":"configuration/routing-rules/","title":"Routing Rules","text":""},{"location":"configuration/routing-rules/#predefined-rules","title":"Predefined rules","text":"Using predefined routing rules, you can apply these settings to configs:
Direct access to local addresses like 127.0.0.1 is set by default on configs and there's no need to manually add them.
Warning
v2ray users should change Geo Assets to Chocolate4U and download assets if they wanna use Malware, Phishing and Cryptominers rules, otherwise configs won't connect.
Warning
If you enable routing rules and the client does not connect, the primary reason is that the Geo asset is not updated. Go to the Geo assets settings in the v2rayNG menu and click the cloud or download icon to update them. If the update process is unsuccessful, you will not be able to connect. If you have tried everything and it still does not update, download the two files from the links below, and instead of clicking the update button, click the add button and import these two files:
GeoIPhttps://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat\nhttps://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat\nThere are cases which predefined rules cannot help. For example, if you have blocked porn contents but a specific website was not on the list and is not blocked, you will need to use custom rules.
You can use three different formats in this section i.e. Domain, IP and IP/CIDR.
Please be aware that if you enter google.com, all of its subdomains will also be blocked or routed directly, such as drive.google.com or mail.google.com. Examples:
google.com\n192.168.1.1\n2606:4700::6810:85e5\n192.168.1.1/32\n2606:4700::6810:85e5/128\nIn case you need some websites to just bypass sanctions and connect directly (without proxy), you can use this section. You can set your desired DNS server in common settings (which should be a transparent proxy also) and choose preset rules or fill in custom addresses. you can even use configs like WorkerLess which do not use any proxy and access sanctioned websites.
Info
Please be aware that if you enter google.com in custom rules, all of its subdomains will also be routed directly, such as drive.google.com or mail.google.com.
Note
When these rules are activated, you should make sure the DNS supports domain, for example if you activate Microsoft rule and the DNS does not support it, you will fail to connect to Microsoft domains. Please check DNS catalogue and make sure your target rule or domain is supported.
By default, the remote DNS is Google DNS over HTTPS (DoH). However, you can use other DoH or DoT servers, except Cloudflare DNS servers:
Well known DOH and DOT servers
https://dns.google/dns-queryhttps://dns.adguard-dns.com/dns-queryhttps://dns.quad9.net/dns-querytls://dns.googleAs noted, a Proxy IP fixes the IP for Cloudflare target addresses, but node IPs may differ for other targets. A Chain Proxy ensures a consistent IP for all targets. You can use a free config here, even if it\u2019s blocked by your ISP, to permanently fix your IP to the Chain Proxy IP.
"},{"location":"configuration/vless-trojan/#supported-protocols","title":"Supported protocols","text":"Note
The Chain Proxy config must not be a worker itself, or the final IP will still change.
Info
Socks and http configs should have username and password, Xray does not support raw configs.
Info
Shadowsocks cannot have any transport like websocket, grpc... and cannot have TLS.
Warning
VLESS, VMess and Trojan configs with randomized ALPN values are incompatible with Clash due to lack of Fingerprint
This setting applies to Normal and Fragment subscriptions. After applying, update the subscription. The chained configs will be added alongside original configs using \ud83d\udd17 icon. This way, when Chain Proxy stops working, you still have access to original configs.
"},{"location":"configuration/vless-trojan/#clean-ipdomains","title":"Clean IP/Domains","text":"For non-Normal subscription, you may want to use clean IPs. The panel includes a scanner, downloadable as a zip file for your operating system. Run the CloudflareScanner, and results will be saved in result.csv, allowing you to select IPs based on delay and download speed. Windows is recommended for this process, and ensure your VPN is disconnected during the test. For advanced scanning, refer to this guide.
Tip for Iranian Users
On ISPs supporting IPv6 (e.g., Rightel, Irancell, Asiatech), enable IPv6 on your SIM card, activate the Prefer IPv6 option in client settings, and use the last two or first default configs. IPv6 IPs generally perform better.
Tip
When using Fragment, Clean IPs do not play a significant role, but some ISPs, like Rightel, may still require them.
To add custom configs alongside default ones, enter clean IPs or domains as shown in the section image and click Apply. Updated subscription will import these new configs, which are also added to Best Ping and Best Fragment configs.
"},{"location":"configuration/vless-trojan/#protocol-selection","title":"Protocol Selection","text":"Enable either or both VLESS and Trojan protocols.
"},{"location":"configuration/vless-trojan/#port-selection","title":"Port Selection","text":"Select the required ports. TLS ports offer more secure configs, but during TLS disruptions or when Fragment underperforms, non-TLS configs can be a viable alternative.
Note
Non-TLS configs require the panel to be deployed using the Workers method. HTTP ports will not appear in the panel if the Pages method is used or you set a custom domain.
Info
Non-TLS configs are only added to Normal subscription.
"},{"location":"configuration/vless-trojan/#fingerprint","title":"Fingerprint","text":"Here you can select TLS fingerprint, default to randomized.
"},{"location":"configuration/vless-trojan/#best-interval","title":"Best Interval","text":"By default, Best configs test every 30 seconds to identify the optimal config or Fragment value. For low-speed networks during activities like video streaming or gaming, this may cause lag. Adjust the interval between 10 and 90 seconds as needed.
"},{"location":"configuration/vless-trojan/#tcp-fast-open","title":"TCP Fast Open","text":"If your device supports TCP Fast Open and your ISP does not interfere with TFO, you can enable the feature to enhance your connections. Please note that Linux users have to enable TFO before activating this feature.
"},{"location":"configuration/vless-trojan/#ech-encrypted-client-hello","title":"ECH (Encrypted Client Hello)","text":"As you may know there are several techniques to obfuscate connection SNI to bypass firewall. Fragment hides SNI, Custom domain changes SNI and finally ECH can change SNI to Cloudflare default ECH domain. The problem is that Cloudflare uses a default domain named cloudflare-ech.com for all CDN and Worker domains, so the blockage is easy for ISPs. This option will not be activated on Fragment subscription.
If you leave this field empty, the ECH config will be queried from your worker domain. however, if your worker domain is blocked, you can use another domains which have enabled ECH on Cloudflare CDN. To check this, visit here and resolve your desired domain, you should see an ech value in Answer field.
Warning
Please note that ECH Server Name option is available in Xray for a while, however sing-box supports this feature from 1.13.0 and Clash supports it from v1.19.20. So if your client doesn't meet these versions, please leave it empty.
Starting with version 3.4.2 you can choose to use Proxy IP or NAT64 Prefix for connecting to Cloudflare CDN addresses.
"},{"location":"configuration/vless-trojan/#proxy-ips-domains","title":"Proxy IPs / Domains","text":"You can change the Proxy IP via the panel by applying the change and updating the subscription. However, setting the Proxy IP through the Cloudflare dashboard or using wizard is recommended because:
Note
Changing the Proxy IP via the panel requires updating the subscription if the IP stops working. This can disrupt donated configs, as users without an active subscription cannot update them. Use this method only for personal usage. Other methods don\u2019t require subscription updates.
You can check available Proxy IPs by clicking the icon beside this field in panel or visiting /proxy-ip in browser, which lists IPs by region and ISP.
Info
To use multiple Proxy IPs, fill in them below each other.
"},{"location":"configuration/vless-trojan/#nat64-prefixes","title":"NAT64 Prefixes","text":"You can change the Proxy IP mode and fill in NAT64 Prefixes via the panel by applying the changes and updating the subscription. However, setting the NAT64 prefixes through the Cloudflare dashboard or using wizard is recommended because:
Note
Changing the NAT64 Prefixes via the panel requires updating the subscription if the IP stops working. This can disrupt donated configs, as users without an active subscription cannot update them. Use this method only for personal usage. Other methods don\u2019t require subscription updates.
You can find available NAT64 Prefixes in here, which lists IPs by region and ISP.
Info
To use multiple Prefixes, fill them in below each other.
"},{"location":"configuration/vless-trojan/#custom-cdn","title":"Custom CDN","text":"Use a Custom CDN (e.g., Fastly, Gcore) to mask your Worker domain. Configure the following three sections:
"},{"location":"configuration/vless-trojan/#addresses","title":"Addresses","text":"These are the IPs or clean IPs specific to the CDN. You must use the CDN\u2019s own IPs, not Cloudflare\u2019s. Enter domains, IPv4, or IPv6 addresses as shown, with IPv6 addresses enclosed in brackets, e.g., [2a04:4e42:200::731].
The host defined in the CDN that points to your Worker, such as a fake domain in Fastly.
"},{"location":"configuration/vless-trojan/#sni","title":"SNI","text":"A fake domain or a site on the same CDN, e.g., speedtest.net (without www) for Fastly.
After configuring these fields, related configs will be added to Normal subscription, tagged with a C flag to distinguish them.
Info
Only ports 443 and 80 are supported for these configs.
"},{"location":"configuration/warp-pro/","title":"Warp Pro settings","text":"This section applies exclusively to the Warp Pro subscription, as detailed here.
"},{"location":"configuration/warp-pro/#definitions","title":"Definitions","text":"Several common terms are used across all implementations of Warp noise (fake packets). Most cores, including Xray, Xray Knocker, and Amnezia, share at least two parameters:
"},{"location":"configuration/warp-pro/#mode","title":"Mode","text":"Each Warp noise implementation has a specific mode that determines in which shape noise is sent to the server to obfuscate the connection.
"},{"location":"configuration/warp-pro/#count","title":"Count","text":"The number of noise packets sent by the client to the server.
"},{"location":"configuration/warp-pro/#size","title":"Size","text":"The size of each noise packet, measured in bytes.
"},{"location":"configuration/warp-pro/#delay","title":"Delay","text":"The interval between sending noise packets.
"},{"location":"configuration/warp-pro/#mahsang","title":"MahsaNG","text":""},{"location":"configuration/warp-pro/#mahsang-mode","title":"MahsaNG Mode","text":"fe09ad5600bc...).This section applies to Amnezia, WG Tunnel, and Clash-Mihomo core clients, which share the same settings. You specify the number of noise packets and their minimum and maximum sizes. In the Warp Pro subscription table, you can also download a zip file for Amnezia and WG Tunnel configs, in addition to the subscriptions.
These settings are determined experimentally for each ISP through trial and error.
"},{"location":"configuration/warp-pro/#v2rayng-and-v2rayn","title":"v2rayNG and v2rayN","text":""},{"location":"configuration/warp-pro/#v2ray-modes","title":"v2ray Modes","text":"Four modes are available for v2rayNG and v2rayN clients: base64, string, hex, and random. In the Noise Count section, you can specify how many noise packets to include in the config. Multiple noises with different types can be added; they do not need to be uniform.
"},{"location":"configuration/warp-pro/#noise-packet","title":"Noise Packet","text":"The packet value must correspond to the selected mode:
Example:
Base64NTUyMjU0NjItN2I4MC00YWFmLWE3NDgtNjZiYWZiNjlmNmQ2\nsalamchetori123\n10-30\n01d800f9373b2c418713aafde43021004ac3b89f\nTip
Specifies which type of IPs the noise apply to. The default is IP which applies to both IPv4 and v6.
"},{"location":"configuration/warp/","title":"Warp General settings","text":"These settings apply to both Warp and Warp Pro subscriptions.
"},{"location":"configuration/warp/#remote-dns","title":"Remote DNS","text":"Warp remote DNS can be only of type IPv4 for performance and compatibility. The default DNS is Cloudflare public DNS which is a perfect candidate. It's highly recommended to use Cloudflare DNS servers if you insist on changing it, which have most compatibility and efficiency when used with Cloudflare Warp, like:
Endpoints for Warp function similarly to Clean IPs for VLESS and Trojan. The panel provides a scanner that you can run on Termux (Android), Windows, macOS or Linux and input the results here. Note that the results are not 100% reliable, so testing is necessary. Please note that you have to exit any proxy app before testing, if you use v2rayN, you should completely exit it from taskbar, clearing proxy is not enough.
Info
IPv4
123.45.8.6:1701\n[2a06:98c1:3120::3]:939\nengage.cloudflareclient:2408\nYou can enable Fake DNS for Warp configs to reduce DNS latency. However, use caution, as it may be incompatible with some applications or interfere with system DNS. If you're unsure about its functionality, avoid enabling it.
"},{"location":"configuration/warp/#enabling-ipv6","title":"Enabling IPv6","text":"If your ISP does not support IPv6, disable it to optimize DNS and proxy performance.
"},{"location":"configuration/warp/#best-interval","title":"Best Interval","text":"Warp and Warp Pro subscriptions include Best Ping configs. By default, these test configs every 30 seconds to identify the optimal config or Endpoint for connection. On slower networks, this interval may cause lag during activities like video streaming or gaming. You can adjust the interval between 10 and 90 seconds.
"},{"location":"configuration/warp/#warp-accounts","title":"Warp Accounts","text":"Updating the accounts retrieves new Warp accounts from Cloudflare. This process does not affect connection speed or other settings.
"},{"location":"installation/pages-manual/","title":"Pages manual installation (Direct Upload)","text":"It is highly recommended to use Wizard installation to avoid Cloudflare 1101 error, user errors and also save time to setup panel.
"},{"location":"installation/pages-manual/#steps","title":"Steps","text":""},{"location":"installation/pages-manual/#1-create-cloudflare-account","title":"1. Create Cloudflare Account","text":"If you don\u2019t have a Cloudflare account, create one from here. You only need an email for registration. Due to Cloudflare\u2019s restrictions, use a reputable email provider like Gmail.
"},{"location":"installation/pages-manual/#2-create-pages-project","title":"2. Create Pages Project","text":"Download the Worker zip file from here.
In your Cloudflare account, navigate to the Developer Platform section, click Create application, select Pages tab and then Use direct upload > Get started.
Enter a Project Name, which will form your panel\u2019s domain.
Danger
Choose a name that does not include the word bpb, as this may trigger Cloudflare\u2019s detection and result in a 1101 error.
Click Create Project and then Upload the downloaded zip file by clicking Select from computer, selecting Upload zip.
Now click Deploy site and then Continue to project.
Your project is created but not yet functional. From the Deployment page, in the Production section, click Visit.
Warning
Cloudflare may take up to 5 minutes to set up the Pages domain. Don\u2019t worry if the URL isn\u2019t immediately accessible.
You\u2019ll encounter an error indicating that the UUID and Trojan Password must be set. A link will be provided; open it in your browser and save it for the next step.
"},{"location":"installation/pages-manual/#3-create-kv","title":"3. Create KV","text":"From the left menu, go to Storage and Databases > KV:
Click Create, assign a desired name, and click Add.
Return to the Workers & Pages section and open your Pages project. Go to the Binding section, as shown below:
In the Bindings section, click Add and select KV Namespace. Set the Variable name to kv (exactly as shown) and select the KV created earlier for KV namespace. Click Save.
The KV setup is now complete.
"},{"location":"installation/pages-manual/#4-set-uuid-trojan-password-and-subscription-path","title":"4. Set UUID, Trojan password and Subscription path","text":"Click Copy all from the Secrets generator page provided earlier, In Cloudflare dashboard go to Settings section, locate the Variables and Secrets section. Click Add and paste into the Variable name field and click Save. This will automatically add these 3 parameters to panel.
Click Create deployment at the top of the page and upload the same zip file again, as done previously.
Return to the Deployments page, click Visit in the Production section, append panel/ to the URL, and access the panel.
Additional configuration and tips are available in the main guide. The installation is complete, and the following advanced settings are optional.
"},{"location":"installation/pages-manual/#advanced-configuration-optional","title":"Advanced configuration (Optional)","text":""},{"location":"installation/pages-manual/#fixing-the-proxy-ip","title":"Fixing the Proxy IP","text":"By default, the code uses multiple Proxy IPs randomly, assigning a new random IP for each connection to Cloudflare addresses (covering much of the web). This IP rotation may cause issues, particularly for traders. From version 2.3.5 onward, you can change the Proxy IP via the panel and update the subscription. However, the method below is recommended:
Note
Changing the Proxy IP via the panel requires updating the subscription if the IP stops working, which can disrupt donated configurations, as users without an active subscription cannot update them. Use this method only for personal use. Other methods don\u2019t require subscription updates.
In the project\u2019s Settings section, open Variables and Secrets:
Click Add and enter PROXY_IP (in capital letters) in the first box. You can check available Proxy IPs by clicking the icon beside Proxy IPs / Domains field in the panel or visiting /proxy-ip in browser, which lists IPs by region and ISP.
Info
To use multiple Proxy IPs, fill them comma-separated. Example
151.213.181.145, 5.163.51.41, bpb.yousef.isegaro.com\nEnter the IPs in the Value field and click Save. Click Create deployment at the top of the page and upload the zip file again. The changes will take effect.
By default, the code uses multiple NAT64 prefixes randomly, assigning a new random prefix for each connection to Cloudflare addresses (covering much of the web). This IP rotation may cause issues, particularly for traders. From version 3.4.2 onward, you can change the prefixes via the panel and update the subscription. However, the method below is recommended:
Note
Changing the NAT64 prefixes via the panel requires updating the subscription if the IP stops working, which can disrupt donated configurations, as users without an active subscription cannot update them. Use this method only for personal use. Other methods don\u2019t require subscription updates.
In the project\u2019s Settings section, open Variables and Secrets, click Add and enter NAT64_PREFIX (in capital letters) in the first box. Obtain IPs from the following link, which lists IPs from various regions and ISPs:
https://github.com/bia-pain-bache/BPB-Worker-Panel/blob/main/NAT64Prefixes.md\nInfo
To use multiple IPs, fill them comma-separated. Example
[2602:fc59:b0:64::], [2602:fc59:11:64::]\nEnter the IPs in the Value field and click Save. Click Create deployment at the top of the page and upload the zip file again. The changes will take effect.
By default, accessing the main Pages domain redirects to the Cloudflare speed test site. To change this, follow the same steps as for the Proxy IP, but set the variable name to FALLBACK and provide a domain (without https:// or http://) as the value, e.g., www.speedtest.net or npmjs.org.
The default subscription link path uses the same UUID as VLESS. For increased privacy, you can change this. Follow the same steps as above, but set the variable name to SUB_PATH. The secrets page or Secrets generator provides a Random Subscription URI path value, which you can use or replace with a custom value (using allowed characters).
In your Cloudflare dashboard, navigate to Compute (Workers) > Workers & Pages and select your panel. In the Custom domains tab, click Set up a custom domain. Enter a domain (you must own and have activated it on the same account). For example, if you own bpb.com, you can use the domain itself or a subdomain like xyz.bpb.com. Click Continue and then Activate domain.
In your domain zone, add a CNAME DNS Record for xyz.bpb.com pointing to your Pages domain. Cloudflare will connect the Pages to your domain after a short period. You can then access your panel via https://xyz.bpb.com/panel and retrieve new subscriptions.
To update your panel, download the new zip file from here. In your Cloudflare account, go to Compute (Workers) > Workers & Pages, select your Pages project, click Create deployment, and upload the new zip file.
To simplify the setup process and prevent user mistakes during creation, the BPB Wizard project was launched. It supports both Workers and Pages methods and is highly recommended to use.
"},{"location":"installation/wizard/#1-cloudflare-account","title":"1. Cloudflare account","text":"To use this method, all you need is a Cloudflare account. You can sign up here, and don\u2019t forget to check your email afterward to verify your account.
"},{"location":"installation/wizard/#2-install-bpb-panel","title":"2. Install BPB Panel","text":"Warning
If you're connected to a VPN, disconnect it.
"},{"location":"installation/wizard/#windows-linux-macos","title":"Windows - Linux - macOS","text":"Based on your operating system, download the ZIP file, unzip it, and run the program.
"},{"location":"installation/wizard/#android","title":"Android","text":"Android users who have Termux installed on their phone can install the BPB Panel by just copying this code into Termux:
Termux - Linuxbash <(curl -fsSL https://raw.githubusercontent.com/bia-pain-bache/BPB-Wizard/main/install.sh)\nWarning
Be sure to download and install Termux only from its official source. Installing via Google Play might cause issues.
The first question asks whether you want to create a new panel or modify existing panels in the account.
Then logs into your Cloudflare account, Asks for your permission, returns to the terminal and asks you a series of questions.
If you choose option 1, it will ask a series of configuration questions. You can use the default values or input your own. In the end, it opens the panel for you in your browser \u2014 that\u2019s it.
Note
For each setting it asks about, it has already generated a secure, personal value for you. You can simply press Enter to accept it and move on to the next question, or input your own values.
If you choose option 2, it lists deployed Workers and Pages projects and you can choose which one to modify.
"},{"location":"installation/wizard/#updating-panel","title":"Updating Panel","text":"Just run wizard and select option 2 for the first question. It will show you a list of project names in your account \u2014 you can choose any to update or delete.
"},{"location":"installation/workers-manual/","title":"Workers manual installation","text":"It is highly recommended to use Wizard installation to avoid Cloudflare 1101 error, user errors and also save time to setup panel.
"},{"location":"installation/workers-manual/#installation","title":"Installation","text":""},{"location":"installation/workers-manual/#1-create-cloudflare-account","title":"1. Create Cloudflare Account","text":"If you don\u2019t have a Cloudflare account, create one from here. You only need an email for registration. Due to Cloudflare\u2019s restrictions, use a reputable email provider like Gmail.
"},{"location":"installation/workers-manual/#2-create-worker","title":"2. Create worker","text":"First, download the Worker code from from here.
In your Cloudflare account, navigate to the Developer Platform tab and click Create application, from Workers tab find Start with Hello World! and Get started.
Enter a desired name, which will form your panel\u2019s domain and Deploy.
Danger
Choose a name that does not include the word bpb, as this may trigger Cloudflare\u2019s detection and result in a 1101 error.
Then click Edit code here. In the left sidebar, delete the worker.js file and upload the new one. If it gives an error, delete the package-lock.json file too. Since the code has become large, copying and pasting on mobile is difficult \u2014 refer to the image below and upload it properly. On mobile, open the side menu, long-press the Explorer, and click Upload....
Finally, Deploy the Worker.
Tip
Note that the panel update process is exactly the same \u2014 you delete the old files, upload the new ones, and deploy. Previous settings remain safe, only the panel gets updated.
First, at the top of the dashboard, click Visit. You\u2019ll see an error saying you need to set the UUID and Trojan Password first. It includes a link (Secrets generator) \u2014 open it in your browser and keep it open for the next step.
Return to the Worker dashboard and follow these steps:
From here, go to the KV page:
In the KV section, click Create, give it a name (e.g., Test), and click Add.
Again, go to the Developer Platform section, open the Worker you just created, go to Bindings. Click Add binding and choose KV Namespace. From the dropdown, select the KV you just created (e.g., Test). What\u2019s important is the first field \u2014 it must be set to kv. Then click Deploy.
Click Copy all from the Secrets generator page provided earlier, In Cloudflare dashboard go to Settings section, locate the Variables and Secrets section. Click Add and paste into the Variable name field and click Deploy. This will automatically add these 3 parameters to panel.
Again click Visit in your worker dashboard, you see speedtest in browser, just add /panel to the end of address and see your panel:
It will ask you to set a new password and log in \u2014 that\u2019s it. Installation is complete; the rest of the information below may not be needed by everyone. For settings tutorials and tips, refer to the main guide.
"},{"location":"installation/workers-manual/#advanced-configuration-optional","title":"Advanced configuration (Optional)","text":""},{"location":"installation/workers-manual/#fixing-the-proxy-ip","title":"Fixing the Proxy IP","text":"By default, the code uses multiple Proxy IPs randomly, assigning a new random IP for each connection to Cloudflare addresses (covering much of the web). This IP rotation may cause issues, particularly for traders. From version 2.3.5 onward, you can change the Proxy IP via the panel and update the subscription. However, the method below is recommended:
Note
Changing the Proxy IP via the panel requires updating the subscription if the IP stops working, which can disrupt donated configurations, as users without an active subscription cannot update them. Use this method only for personal use. Other methods don\u2019t require subscription updates.
To change the Proxy IP, go to Workers & Pages, open your Worker, then go to Settings \u2192 Variables and Secrets:
Click Add, write PROXY_IP (uppercase) as the Variable name. You can check available Proxy IPs by clicking the icon beside Proxy IPs / Domains field in the panel or visiting /proxy-ip in browser, which lists IPs by region and ISP.
Info
To use multiple Proxy IPs, enter them comma-separated. Example
151.213.181.145, 5.163.51.41, bpb.yousef.isegaro.com\nEnter the IPs in the Value field and click Deploy.
By default, the code uses multiple NAT64 prefixes randomly, assigning a new random prefix for each connection to Cloudflare addresses (covering much of the web). This IP rotation may cause issues, particularly for traders. From version 3.4.2 onward, you can change the prefixes via the panel and update the subscription. However, the method below is recommended:
Note
Changing the NAT64 prefixes via the panel requires updating the subscription if the IP stops working, which can disrupt donated configurations, as users without an active subscription cannot update them. Use this method only for personal use. Other methods don\u2019t require subscription updates.
In the project\u2019s Settings section, open Variables and Secrets, click Add and enter NAT64_PREFIX (in capital letters) in the first box. Obtain IPs from the following link, which lists IPs from various regions and ISPs:
https://github.com/bia-pain-bache/BPB-Worker-Panel/blob/main/NAT64Prefixes.md\nInfo
To use multiple IPs, fill them comma-separated. Example
[2602:fc59:b0:64::], [2602:fc59:11:64::]\nEnter the IPs in the Value field and click Deploy.
By default, accessing the main Worker domain redirects to the Cloudflare speed test site. To change this, follow the same steps as for the Proxy IP, but set the variable name to FALLBACK and provide a domain (without https:// or http://) as the value, e.g., www.speedtest.net or npmjs.org.
The default subscription link path uses the same UUID as VLESS. For increased privacy, you can change this. Follow the same steps as above, but set the variable name to SUB_PATH. The Secrets generator at /secrets provides a Random Subscription URI path value, which you can use or replace with a custom value (using allowed characters).
Go to your Cloudflare dashboard, open your Worker from Compute (Workers) > Workers & Pages. Go to Settings and at the top, you\u2019ll see Domains & Routes. Click Add +, then choose Custom domain.
Enter a domain (you must own and have activated it on the same account).
Suppose your domain is bpb.com. You can enter the main domain or a subdomain, like xyz.bpb.com, then click Add domain.
Cloudflare will connect the Worker to your domain (this might take a while \u2014 they say up to 24 hours).
Then click Add + again, but this time select Route. Choose your domain from the Zone section, and in the Route section, enter it like this:
*bpb.com/*\nYou can then access your panel via https://xyz.bpb.com/panel and retrieve new subscriptions.
Tip
To update your panel, download the new worker.js file from here. In your Cloudflare account, go to Compute (Workers) > Workers & Pages, select your Worker project, edit it, delete old worker, upload new one and Deploy.
First, update your client to the latest version or refer to the table below. These are the tested and verified clients officially supported by the BPB project. You may use other clients at your own risk.
Client Version Fragment support Warp Pro support v2rayNG 1.10.11 or higher MahsaNG 14 or higher v2rayN 7.14.6 or higher v2rayN-PRO 1.9 or higher Sing-box 1.12.0 or higher Streisand 1.6.60 or higher Clash Meta Clash Verge Rev FLClash AmneziaVPN WG TunnelWarp and Warp Pro subscriptions which provide WireGuard configs, need scanning some endpoints first. You can refer to this guide to learn how to scan some endpoints.
Normal
Connect to VLESS and Trojan configs with fully bundled configurations, no need to configure manually.
Getting started
Fragment
Connect even if your domain is blocked with fully bundled configurations.
Getting started
Raw
Connect to Raw VLESS and Trojan configs which don't include panel settings.
Getting started
Warp
Connect to Cloudflare Warp servers after scanning some endpoints.
Getting started
Warp Pro
Connect to Cloudflare Warp even if Warp is blocked in your region.
Getting started
DNS over HTTPS
Set DoH in your browser or use in DNS based clients like Intra.
Getting started
As most of famous public DoH servers are blocked by firewalls, we can use domain fronting to successfully use them. BPB DoH only supports RFC 8484 standard DoH servers which typically are in https://domain/dns-query format. For example Google has two types of DoH https://dns.google/dns-query which is RFC 8484 and https://dns.google/resolve which is JSON API. BPB only supports the first type.
To change underlying DoH you can set an environment variable named DOH_URL in worker settings and set your desired DoH.
Warning
Avoid using BPB DoH for remote DNS, otherwise you will waste your worker requests. It's better be use in browsers or DoH based clients like Intra, Rethink...
Benefits of Fragment configs
This applies to clients using the Xray core, such as v2rayNG, MansaNG, and v2rayN PRO. Imported configs are marked with an F flag in their names. This subscription provides the same number of configs as the Normal subscription, enhanced with fragment settings adjustable in the panel, plus Best Fragment and Workerless configs. Any panel setting changes are applied to all configs upon subscription update.
The Workerless config unblocks many restricted websites and applications (e.g., YouTube, Twitter, Google Play...) without using a Worker. Note that this config does not change your local IP, so avoid using it for activities requiring security or anonymity. Fragment setting changes apply to this config, except for Chain Proxy.
What is the Best Fragment config?The Best Fragment config tests 18 different fragment settings, selecting the fastest based on your ISP\u2019s performance. These modes are designed to cover all primary scenarios, with the config testing all modes every 30s and connecting to the optimal one. Advanced fragment settings are explained here.
"},{"location":"usage/fragment/#fragment-for-sing-box","title":"Fragment for sing-box","text":"Starting from version 1.12.0 sing-box core and related clients support fragment, you can use this sub by official sing-box client like husi or v2rayN which has sing-box core embeded.
"},{"location":"usage/my-ip/","title":"My IP","text":"After connecting to the proxy, refresh this section and check it to view your IPs. The table displays two rows:
Warning
Disable extensions like uBlock or AdGuard, Otherwise this section won't work properly.
This subscription applies all optimal VLESS and Trojan settings, DNS servers, routing rules etc., minimizing user errors. It also includes a Best Ping config.
What is the Best Ping config?This config aggregates all panel configs and checks every 30 seconds to identify and connect to the fastest one. If you\u2019ve added Clean IPs, enabled the Trojan protocol, or selected additional ports, these are included in the Best Ping config too. This feature is also available in Fragment and Warp subscriptions.
With routing settings applied, this subscription blocks approximately 90% of Iranian and foreign ads, bypasses Iranian, Chinese, and Russian websites (eliminating the need to disable the VPN for payment gateways), bypasses LAN, blocks porn and QUIC protocol, and for Sing-box and Clash subscriptions, effectively blocks phishing and malware content.
"},{"location":"usage/raw/","title":"Raw subscription","text":"The Normal subscription is strongly recommended over this subscription, as it automatically applies all panel settings without requiring manual configuration. Note that almost all of panel settings are not applied to this subscription and must be configured manually in the client.
Warning
Raw configs consume more Worker requests compared to Normal configs and have more worker errors.
Warning
You must set the remote DNS to a DoH, DoT, or TCP DNS server in your client, otherwise, this subscription\u2019s configs will not work. Examples: DoH
https://8.8.8.8/dns-query\ntls://8.8.8.8 \ntcp://8.8.8.8 \nRecent advancements by the GFW-Knocker on Xray, Xray itself and Mihomo cores have enabled Warp unblocking, resulting in applications like MahsaNG and v2rayN-PRO. These developments optimize Warp connections for specific conditions in Iran, similar to efforts by the Oblivion team. The Warp Pro subscription has been added to the panel, with customizable settings.
Optimal values for each ISP are determined experimentally and may vary over time, like fragment settings. The default values are tested and currently effective; you only need to scan and set clean Endpoints.
You can download Warp Pro configs as a zip file for use in the WG Tunnel client. In the client, click + and import the zip file; no additional settings are required for the configs to connect. For Amnezia, the process is similar, but Amnezia does not import zip files correctly. Extract the zip file first, then import each desired config into Amnezia and connect.
This subscription includes:
By default, there is one Warp and one WoW config. Editing the Endpoints in the Warp General settings adds additional Warp and WoW configs based on the specified Endpoints.
You can download Warp WireGuard configs as a zip file to import into WireGuard clients. Note that most ISPs normally block Warp, so use this only if your ISP permits WireGuard protocol.
For optimal performance, use a scanner to identify Endpoints suitable for your ISP. The scanner script is available in the panel; copy and run it in Termux on Android or Linux terminal. The Normal Warp subscription may perform well on some operators like MTN-Irancell, but for others, use the Warp Pro subscription.
"}]}