Automated Cloudflare Workers AI account provisioning toolkit. Handles the complete lifecycle — from temporary email generation and Turnstile challenge solving to API credential extraction — using CloakBrowser stealth automation with intelligent VPN rotation.
flowchart TB
subgraph Network["Network Layer"]
VG[VPN Gate<br/>Japan IPv4 Pool] --> OVPN[OpenVPN tun0]
WARP[WARP Proxy<br/>SOCKS5 :40000<br/>IPv6] --> TS[challenges.cloudflare.com<br/>Turnstile Backend]
PAC[PAC File] -->|*.challenges.cloudflare.com| WARP
PAC -->|everything else| OVPN
end
subgraph Browser["Browser Automation"]
CB[CloakBrowser<br/>stealth + humanize] --> CF[dash.cloudflare.com/sign-up]
CF --> FORM[Fill Email + Password]
FORM --> TURN[Solve Turnstile]
TURN --> SUB[Submit Signup]
SUB --> WAIT{Redirect to Dashboard?}
WAIT -->|Yes| EMAIL[Verify Email]
WAIT -->|No| RETRY[Re-fill + Re-solve Turnstile]
RETRY --> SUB
end
subgraph Credentials["Credential Extraction"]
TM[TempMail<br/>localhost:3000] -->|Poll verify link| EMAIL
EMAIL --> TOKEN[POST /api/v4/user/tokens]
TOKEN --> SAVE[Save to Output File]
end
subgraph Rotation["VPN Rotation"]
RCOUNT{Signups on IP >= N} -->|Yes| ROT[Rotate VPN Gate Server]
ROT --> CHECK{Network Healthy?}
CHECK -->|Yes| CONTINUE[Continue Next Account]
CHECK -->|No| SKIP[Skip Batch<br/>Wait + Retry]
end
# 1. Clone & install
git clone https://github.com/mifdlaldev/Geber-CF.git
cd Geber-CF
pip install httpx cloakbrowser
# 2. Set up WARP proxy mode (IPv6 for Turnstile)
warp-cli mode proxy
warp-cli --accept-tos connect
# 3. Set TempMail API key
export GEBER_CF_TEMPMAIL_KEY="your-tempmail-api-key"
# 4. Run
python geber_cf.py 5| Dependency | Purpose |
|---|---|
| Python 3.10+ | Runtime |
| CloakBrowser | Stealth Chromium automation with human-like behavior |
| WARP (Cloudflare) | IPv6 proxy for Turnstile challenge backend |
| OpenVPN / VPN Gate | IPv4 rotation for rate-limit avoidance |
| TempMail (self-hosted) | Temporary email service for account verification |
All configuration is done via environment variables:
| Variable | Default | Description |
|---|---|---|
GEBER_CF_TEMPMAIL_KEY |
— | Required. TempMail API key |
GEBER_CF_TEMPMAIL_URL |
http://localhost:3000 |
TempMail base URL |
GEBER_CF_OUTPUT |
./accounts.txt |
Password backup file |
GEBER_CF_OUTPUT_DIR |
./output |
Directory for structured credentials |
GEBER_CF_PAC_FILE |
./vpngate_pac.pac |
PAC file for WARP routing |
GEBER_CF_VPN_CONFIG |
./vpngate_fast.ovpn |
OpenVPN config path (auto-updated) |
GEBER_CF_SIGNUPS_PER_IP |
2 |
Max signups per IP before rotation |
SUDO_PASS |
— | Sudo password for VPN operations |
# Provision 10 accounts sequentially (stable)
python geber_cf.py 10
# Show browser window for debugging
python geber_cf.py 1 --visible
# Set parallelism and stagger delay
python geber_cf.py 20 --parallel 2 --stagger 30
# Specify TempMail key inline
GEBER_CF_TEMPMAIL_KEY="key" python geber_cf.py 5| File | Format | Content |
|---|---|---|
./accounts.txt |
email:password per line |
All attempted accounts (including partials) |
./output/credentials.txt |
N. email | password | account_id | api_token |
Successfully provisioned accounts with API tokens |
./debug/ |
Screenshots + logs | Auto-generated diagnostics on failure |
-
VPN Rotation — Connects to a Japan VPN Gate server via OpenVPN. After
SIGNUPS_PER_IPsuccessful signups, automatically rotates to a fresh IP. WARP proxy is never disconnected during rotation (ISP blocks MASQUE protocol outside the VPN tunnel). -
Browser Automation — CloakBrowser launches with stealth flags and humanized interactions. Fills the Cloudflare signup form with realistic delays. Solves the Turnstile managed challenge (widget loads dynamically after form fill).
-
Email Verification — TempMail generates a disposable address. The script polls for the verification email (cached locally to avoid upstream Worker CPU quota limits). Opens the verification link in the same browser session to preserve login cookies.
-
API Token Creation — Uses Playwright's API request context (shares browser cookies, bypasses CSRF) to
POST /api/v4/user/tokenswith the Workers AI Write permission group.
| Item | Detail |
|---|---|
| Version | v1.0.0 |
| Repo | PUBLIC — github.com/mifdlaldev/Geber-CF |
| Script | geber_cf.py (810 lines) |
| License | Pure MIT — no addendums |
| Legal | 24-section DISCLAIMER.md |
| Accounts harvested | 185 (#1–#185, data cleared for public safety) |
| All fixes applied | See .omo/agent-context.md (gitignored, AI context) |
- Managed challenge (NOT sitekey-based). Widget:
div[data-testid="challenge-widget-container"] - Token field:
input[name="cf_challenge_response"] - Widget appears dynamically after email+password fields are filled (wait up to 60s)
humanize=Truerequired (without it, Turnstile refuses to solve)- Click at
(x+20, y+height/2)of widget container. Token arrives in 2-10s. - Turnstile widget load can clear the email field — script auto re-fills via
page.type()+ re-solves Turnstile (token expires during re-fill delay)
page.fill()triggers React re-render that clears the field. Usepage.type(delay=15-50)instead- After Turnstile solve, email is verified and re-filled if empty
- Password via
page.type(delay=50). Click field first to focus - Submit: click
button[type="submit"]. Enter key is less reliable
- Success: redirect to
dash.cloudflare.com/<account_id>/home/overviewwithin 30s - Rate-limited: page stays on sign-up, empty form, no error message
- CAPTCHA error: "Please complete the CAPTCHA" — re-solve Turnstile and re-submit
- Email silently cleared: "An email address is required" on submit → re-fill + re-submit
- Uses
ctx.request.post()(Playwright API request context — shares browser cookies, bypasses CSRF) fetch()frompage.evaluate()→ 403 CSRF error- Permission group ID:
bacc64e0f6c34fc0883a1223f938a104(Workers AI Write) - Endpoint:
POST https://dash.cloudflare.com/api/v4/user/tokens - 30s timeout. Can ECONNRESET on rate-limited connections
- Link must open in same browser session as signup (needs login cookies)
- Format:
https://dash.cloudflare.com/email-verification?token=... - After opening, redirects to dashboard → extract account_id from URL
- TempMail polling: 25-35s interval, 180s timeout
- First successful poll cached to local SQLite (eliminates upstream Worker CPU quota exhaustion)
- Source:
http://www.vpngate.net/api/iphone/(CSV with base64-encoded .ovpn) - Japan-only rotation: 52 servers, speed > 500Mbps, ping < 200ms
- No auth required (
auth-user-passcommented out) SIGNUPS_PER_IP=2(tested max before Cloudflare 429 rate limit)- WARP never disconnected during rotation (ISP blocks MASQUE outside VPN tunnel)
| File | Lines | Purpose |
|---|---|---|
geber_cf.py |
810 | Main automation script |
README.md |
— | Documentation (this file) |
DISCLAIMER.md |
638 | 24-section legal agreement |
LICENSE |
21 | MIT license |
.gitignore |
76 | Ignore rules (covers .omo/, accounts.txt, proxies) |
.github/workflows/ci.yml |
23 | CI pipeline |
Geber-CF.png |
— | Project logo |
| Issue | Mitigation |
|---|---|
| Cloudflare rate-limits IPs after 2-3 signups | VPN rotation at SIGNUPS_PER_IP=2 |
| Some VPN Gate servers block MASQUE protocol | Auto-skip; script tries next server |
| Free-plan TempMail Worker has 10ms CPU quota | Local SQLite caching after first fetch |
| Turnstile widget can clear email input on load | Auto re-fill via page.type() + re-solve |
MIT — see LICENSE.
⚠️ WARNING — READ BEFORE USEThis project is strictly for educational and research purposes only. Any unauthorized or illegal use is strictly prohibited. By using this software, you accept all terms in the full disclaimer.
See DISCLAIMER.md for the complete 24-section legal agreement, including:
- §1 — Educational & research purpose only (10 explicit prohibitions)
- §5 — Maximum limitation of liability (complete exclusion)
- §6 — Indemnification and hold harmless
- §9 — Governing law (international + Indonesia + New York + SIAC)
- §10 — Binding arbitration, class action & jury trial waiver
- §15 — Assumption of Risk & Waiver of All Claims (user bears ALL risk)
- §16 — Covenant Not to Sue (user promises never to sue)
- §17 — Unconditional Release & Waiver of Unknown Claims (California CC §1542)
- §18 — Fee-Shifting / Loser Pays (user pays all legal fees if they sue and lose)
- §19 — No Agency / Independent Action (user acts independently)
- §21 — Acknowledgment of Independent Legal Counsel (user had chance to consult lawyer)
