@daemonhorn
Last active September 13, 2024 22:56
Cloudflare WARP tunnel via Wireguard client

This example provides a simple configuration for a Debian client to get a Cloudflare WARP tunnel without installing the official Cloudflare WARP client. Note: by default the tunnel transport is outbound to engage.cloudflare.com on udp/2408, with a dynamic listening udp port and an fwmark that wireguard uses for packet matching. Any applicable firewall rules may need to be adjusted.

Install dependencies

sudo apt install openresolv wireguard-tools golang git

Get the latest client from GitHub and build it with Go

git clone https://github.com/ViRb3/wgcf.git
cd wgcf
go build -buildvcs=false

Register new endpoint account and generate Wireguard configuration

  1. Create a registration record using the Cloudflare API and save the account to the file wgcf-account.toml:
./wgcf register
  2. Generate a generic wireguard configuration file, wgcf-profile.conf, from the registration file:
./wgcf generate
  3. Set up ipv4/ipv6 static routes as needed to ensure that services you want reachable outside the tunnel (e.g. ssh) go via the non-CF network path
  • These need to point at the existing gateway (gw) and interface so the network path is unambiguous
  route add -host 151.200.27.234 gw 64.176.70.1 dev enp1s0
  route -6 add 2001:db8:4005:f800::/56 gw fe80::fc00:4ff:fedc:c302 dev enp1s0

Initiate Wireguard tunnel connection using wg-quick

wg-quick up ./wgcf-profile.conf

Validate that the WARP tunnel is working

Check the ipv4/ipv6 routes that are defined once the network is up

netstat -rn46

Check the output of the wgcf trace command and make sure that warp=on appears in the output

./wgcf trace

Check wireguard status and active configuration

wg show
ifconfig wgcf-profile

Check the ip address using curl (for both IPv6 and IPv4)

curl -6 https://ipconfig.io
curl -4 https://ipconfig.io

Check the CDN trace using curl (for both IPv6 and IPv4), similar to ./wgcf trace

curl -6 https://www.cloudflare.com/cdn-cgi/trace/
curl -4 https://www.cloudflare.com/cdn-cgi/trace/
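
To script the warp=on check above rather than eyeballing it, here is an added example (not part of the gist, and not wgcf's code): a POSIX shell script that parses the key=value lines the cdn-cgi/trace endpoint returns and fails when either address family is not leaving through WARP. SAMPLE_ON and SAMPLE_OFF are constructed trace texts for offline use; run the script with --live to query Cloudflare over IPv4 and IPv6 for real (assumes curl is installed).

```shell
#!/bin/sh
# Added example (not from the gist): parse Cloudflare cdn-cgi/trace output and
# assert that the request really left through WARP (warp=on).
# Assumes curl is installed and the trace endpoint returns key=value lines.

# Print the value of one key from key=value trace text on stdin.
# The key is anchored at line start and followed by '=' so it matches exactly.
trace_field() {
    key="$1"
    sed -n "s/^${key}=//p" | head -n 1
}

# Exit 0 when the trace text on stdin reports warp=on, 1 otherwise.
warp_enabled() {
    [ "$(trace_field warp)" = "on" ]
}

# Summarise a trace read from stdin: label, egress IP, colo and warp state.
# Returns 0 only when warp=on, so it can gate a script or a cron alert.
summarise_trace() {
    label="$1"
    text="$(cat)"
    ip="$(printf '%s\n' "$text" | trace_field ip)"
    colo="$(printf '%s\n' "$text" | trace_field colo)"
    warp="$(printf '%s\n' "$text" | trace_field warp)"
    printf '%s: ip=%s colo=%s warp=%s\n' "$label" "${ip:-?}" "${colo:-?}" "${warp:-missing}"
    [ "$warp" = "on" ]
}

# Live check over both address families; fails if either family is off WARP,
# which is exactly the case the gist's two curl commands are meant to catch.
check_live() {
    rc=0
    for fam in 4 6; do
        curl -sS "-$fam" --max-time 10 https://www.cloudflare.com/cdn-cgi/trace/ \
            | summarise_trace "IPv$fam" || rc=1
    done
    return $rc
}

# Constructed samples in the trace format (not real captures).
SAMPLE_ON='h=www.cloudflare.com
ip=2001:db8::1
colo=EXAMPLE
warp=on
gateway=off'

SAMPLE_OFF='h=www.cloudflare.com
ip=192.0.2.10
colo=EXAMPLE
warp=off'

# Usage: ./check_warp.sh --live   (exit status 0 only when both families report warp=on)
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

A trace with no warp key at all (for example when the request never reached Cloudflare's edge) is reported as warp=missing and also fails, so a broken tunnel is never mistaken for a working one.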

Optional

  • Adjust MTU to 1460 instead of 1280 in wgcf-profile.conf for better performance (in environments where the path MTU is not degraded)
  • Adjust the Address = configuration to remove either the ipv4 or the ipv6 line if that address family is not needed
  • Adjust the AllowedIPs = configuration if a default route (/0) is not needed

@wildy5588

Is it possible to exclude the SMTP port from being proxied in WireGuard?

@daemonhorn
Author

> Is it possible to exclude the SMTP port from being proxied in WireGuard?

Easiest way to exclude something is by adding a more specific route for that endpoint, but you can also do fancy things to perform specific tcp port redirects using either iptables or standalone utilities like netcat, just for the SMTP port. Wireguard supports both PreUp and PostUp configurations directly in the wireguard wg-quick(8) config file. See:

@wildy5588

Do you have an example?
I have tried ip rule but it fails.

@wildy5588

My config:

[Interface]
PrivateKey = myprivatekey
Address = address
MTU = 1400

PostUp = ip -4 rule add from myserverip lookup main
PostDown = ip -4 rule delete from myserverip lookup main

Table = 1234
PostUp = ip rule add ipproto tcp dport 25 table 1234
PreDown = ip rule delete ipproto tcp dport 25 table 1234

[Peer]
PublicKey = bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myendpoint

@wildy5588

I can access the VPS [incoming],
but from the VPS, outgoing access to port 25 [is blocked by the VPN vendor].

So I want to exclude port 25 from being proxied for outgoing traffic.
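
The two exclusion techniques this thread touches on, as an added example that is not part of the gist, wgcf, or either commenter's configuration: a POSIX shell helper meant to be called from wg-quick's PostUp/PreDown that (1) pins one management host to the physical gateway with a /32 route, the "more specific route" approach from the reply above and the same idea as the static routes in step 3 of the gist, and (2) adds an ip rule so outbound TCP/25 is routed by the main table. It assumes iproute2 and a kernel with the ipproto/dport rule selectors (4.17 or newer) and that wgcf-profile.conf keeps wg-quick's default Table, because in that mode the physical default route stays in main while the tunnel's /0 routes sit in wg-quick's own table behind its "not fwmark" rule; with a numeric Table = instead, wg-quick installs no fwmark rules at all, so a rule sending dport 25 to that table routes only SMTP into the tunnel rather than out of it. DRY_RUN, the /etc/wireguard/bypass.sh path, SAMPLE_DEFAULT and all addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the gist or wgcf: keep selected traffic out of the
# WARP tunnel from wg-quick PostUp/PreDown.
#   1. host bypass: a /32 route via the physical gateway for the box you manage from;
#   2. SMTP bypass: a policy rule so outbound TCP/25 uses the main table.
# Assumes iproute2/kernel >= 4.17 (ipproto/dport rule selectors) and wg-quick's
# default Table, so the physical default route is still in "main".
# DRY_RUN=1 prints the commands instead of executing them (assumed variable).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Parse "ip -4 route show default" text on stdin into "gateway device".
default_gw_dev() {
    awk '$1 == "default" {
        for (i = 1; i <= NF; i++) {
            if ($i == "via") gw = $(i + 1)
            if ($i == "dev") dev = $(i + 1)
        }
        if (gw != "" && dev != "") { print gw, dev; exit }
    }'
}

# Add or delete a /32 route pinning one host to the physical gateway, so it
# beats the tunnel's /0 route no matter which table that route lives in.
# $1 = add|del, $2 = host IP, $3 = "gateway device" (from default_gw_dev).
bypass_host() {
    action="$1"; host="$2"; gw="${3%% *}"; dev="${3##* }"
    run ip -4 route "$action" "$host/32" via "$gw" dev "$dev"
}

# Add or delete rules so outbound TCP/25 is routed by the main table.
# Priority 100 sorts ahead of the rules wg-quick installs, which take the
# default (lower-precedence) priorities just above the main table's 32766.
smtp_bypass() {
    action="$1"
    for fam in 4 6; do
        run ip "-$fam" rule "$action" ipproto tcp dport 25 lookup main priority 100
    done
}

# Constructed sample of "ip -4 route show default" output, not a real capture.
SAMPLE_DEFAULT='default via 192.0.2.1 dev eth0 proto static metric 100'

# Usage from wgcf-profile.conf, assuming this file is saved as /etc/wireguard/bypass.sh:
#   PostUp  = /etc/wireguard/bypass.sh up 198.51.100.7
#   PreDown = /etc/wireguard/bypass.sh down 198.51.100.7
case "${1:-}" in
    up)
        [ -n "${2:-}" ] || { echo "usage: $0 up|down <management-host-ip>" >&2; exit 2; }
        bypass_host add "$2" "$(ip -4 route show default | default_gw_dev)"
        smtp_bypass add
        ;;
    down)
        [ -n "${2:-}" ] || { echo "usage: $0 up|down <management-host-ip>" >&2; exit 2; }
        smtp_bypass del
        bypass_host del "$2" "$(ip -4 route show default | default_gw_dev)"
        ;;
esac
```

Verify the result with `ip rule show` (the two priority-100 rules should appear above wg-quick's) and `ip route get 192.0.2.25 ipproto tcp dport 25`, which should resolve via the physical interface while a plain `ip route get 192.0.2.25` still resolves via wgcf-profile. Traffic excluded this way leaves with the host's real source address, which is the intent here but worth remembering when the tunnel is being used for privacy.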
