How to sign up for, deploy and use Cloudflare WARP Zero Trust 1.1.1.1 MASQUE - Orbit Moon Alpha

What are the WARP network, Zero Trust and 1.1.1.1?

WARP is a new form of WireGuard

Zero Trust is the best version of WARP

How to install WARP

Guide: guide

How to tell WARP, WARP+ and Zero Trust apart

WARP: 1G

WARP+: Medium plan

Zero Trust: Business plan

Download the WARP client app

Official site: https://one.one.one.one

Network test information

Connected

Speed test

Registering Zero Trust on a remote server

Taking Linux as the example, download the server-side application by following this URL.

For deploying a WireGuard service on Oracle Cloud, see the tutorial "Oracle Cloud server configuration guide: Oracle Cloud WireGuard".

Script 1

Then run the following command:

warp-cli registration new orbitmoonalpha

WARNING1: $ warp-cli teams-enroll error: unrecognized subcommand 'teams-enroll'

WARNING2: Teams registration run as root is not supported.
Please re-run command as a regular user.

Note: do not submit the organization registration as root. Drop root with:

exit

The prompt reads as follows:

Your organization is using Cloudflare for Teams, a security platform that makes connections to the Internet and applications faster and safer.

What information is available to administrators of my organization?

The following information may be viewed by administrators from your organization:

* the websites you visit

* the times you visited them

More information is available at:

– https://www.cloudflare.com/application/terms/

– https://www.cloudflare.com/application/privacypolicy/

Accept Terms of Service and Privacy Policy? [y/N] y

A browser window should open at the following URL:

https://orbitmoonalpha.cloudflareaccess.com/warp

If the browser fails to open, please visit the URL above directly in your browser.

After the page opens and you have submitted the e-mail verification code, copy the JWT from the blue button:

Show JWT

Note that the JWT is the complete string inside the single quotes.

Then submit the WARP API verification in this format:

warp-cli registration token com.cloudflare.warp://[organization name].cloudflareaccess.com/auth?token=[token]

For example:

warp-cli registration token com.cloudflare.warp://orbitmoonalpha.cloudflareaccess.com/auth?token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjhkOWIwOTgyNTY3MDYyMWM0N2E3OWQ3MWU2OTFkMTY2MmE2ZTg5ZGUxMmI3YTliZGVlMDczOGE2YWIxNDMxMTMifQ.eyJhdWQiOlsiZTExM2Q4MmU1YzJlMTExZGY5YWY5ZWNlNGZmMTdiNTk5ZjJlYTZkY2U3M2Q3NzU1MDczMmE1MTRlNDRkMDgwOCJdLCJlbWFpbCI6Imh

This completes the Teams registration, now called Zero Trust.

Common commands:

warp-cli account

This returns:

Account type: Team

Device ID: 

Public key: 

Account ID: 

Organization: orbitmoonalpha

warp-cli tunnel ip add [IP to exclude]

Set the excluded IPs correctly so that the SSH connection to the source server keeps working and the server does not become unreachable.

If they are set incorrectly, running warp-cli connect on the server may leave you unable to reach the source server ever again.
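The following preflight script is an added example, not part of the original post: it derives the SSH peer from the SSH_CONNECTION environment variable, refuses to proceed unless the output of warp-cli settings list reports Exclude mode, and only invokes warp-cli when apply=True. It assumes, as the tunnel dump help text implies, that tunnel ip add acts on whichever split-tunnel mode the profile is in (so in include mode it would do the opposite of protecting the session); the settings and SSH_CONNECTION samples are constructed.

```python
import os
import re
import subprocess
from typing import List, Optional

def ssh_peer_ip(ssh_connection: str) -> Optional[str]:
    """SSH_CONNECTION is 'client_ip client_port server_ip server_port'; return client_ip."""
    parts = ssh_connection.split()
    return parts[0] if len(parts) == 4 else None

def split_tunnel_mode(settings_text: str) -> Optional[str]:
    """Read the split-tunnel mode line from `warp-cli settings list` output."""
    m = re.search(r"\b(Exclude|Include) mode\b", settings_text)
    return m.group(1) if m else None

def plan_exclusions(settings_text: str, ssh_connection: str, extra_cidrs=()) -> List[List[str]]:
    """Return the warp-cli argv lists to run before `warp-cli connect`, or raise if unsafe."""
    mode = split_tunnel_mode(settings_text)
    if mode != "Exclude":
        # Assumption: in include-only mode `tunnel ip add` routes a prefix THROUGH the
        # tunnel, the opposite of protecting the SSH peer, so refuse rather than risk lock-out.
        raise RuntimeError(f"split tunnel mode is {mode!r}, expected Exclude")
    peer = ssh_peer_ip(ssh_connection)
    if peer is None:
        raise RuntimeError("SSH_CONNECTION not set; cannot tell which peer to keep reachable")
    cidrs = [f"{peer}/128" if ":" in peer else f"{peer}/32", *extra_cidrs]
    return [["warp-cli", "tunnel", "ip", "add", cidr] for cidr in cidrs]

def run_preflight(apply: bool = False) -> List[List[str]]:
    """Read live settings and the current SSH session; apply the exclusions only when asked."""
    settings = subprocess.run(["warp-cli", "settings", "list"],
                              capture_output=True, text=True, check=True).stdout
    cmds = plan_exclusions(settings, os.environ.get("SSH_CONNECTION", ""))
    if apply:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds

# Constructed samples: two lines in the shape of the post's `warp-cli settings list`
# output, and an SSH_CONNECTION value using documentation-range addresses.
SAMPLE_SETTINGS = ("(network policy)\tMode: WarpWithDnsOverHttps\n"
                   "(network policy)\tExclude mode, with hosts/ips:\n")
SAMPLE_SSH = "203.0.113.7 51234 198.51.100.4 22"

if __name__ == "__main__":
    for cmd in run_preflight(apply=False):   # dry run: print what would be excluded
        print(" ".join(cmd))
```

Run it once as a dry run over an SSH session before warp-cli connect; only after the printed commands look right, call run_preflight(apply=True).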

Where is the private key of a WARP Zero Trust server?

/var/lib/cloudflare-warp# cat reg.json

The reg.json in this path records:

{"registration_id":["",null],"api_token":"","secret_key":"","public_key":"","override_codes":{"disable_for_time":{"seconds":86400,"secret":""}}}

Because the technology underneath WARP is WireGuard, the public key and secret key in this JSON file are the WireGuard key pair. The same file also holds the api_token and the override_codes secret, so treat it as sensitive.

New protocol launched: MASQUE, the new Cloudflare WARP tunnel protocol

Characteristics of the MASQUE network protocol

MASQUE is an innovative protocol that extends HTTP/3 and uses the unique properties of the QUIC transport to proxy IP and UDP traffic efficiently without sacrificing performance or privacy. As demand for Zero Trust architectures grows, the capabilities MASQUE offers become especially important: users want their network traffic to look like HTTPS so that firewalls do not detect and block it, and many also need FIPS-compliant encryption. MASQUE has already proven itself in other areas, so integrating it into a Zero Trust architecture lets it deliver service at very high speed. Applying this technology gives users a safer and more efficient network experience.

How to use the MASQUE WARP protocol

Currently the tunnel protocol can be switched both on the server and in the app.

FAQ

warp-cli registration new gets stuck in a loop (cannot submit, old registration unfinished) and warp-cli registration delete cannot delete it

A: Try removing warp-cli and reinstalling:

sudo apt-get remove cloudflare-warp

When registering Zero Trust, warp-cli register reports Error: Failed to contact the WARP API.

A: If submitting the API verification on the server fails, go back to the WARP token page in the browser; it refreshes the JWT automatically. Submit again with the new JWT and the registration succeeds.

Can the server run the Zero Trust WARP connect while local clients connect over WireGuard?

Practice shows this works. The principle is that after warp-cli connect, all traffic on the CloudflareWARP interface shown in ifconfig is forwarded through WireGuard; the IP a local wg client gets after connecting is the CloudflareWARP IP.

How to set a preferred IP on the server?

Force the client to connect to the specified IP:PORT endpoint (Zero Trust customers must run this command as a privileged user)

warp-cli tunnel endpoint set IP:Port

Requires root privileges.

IPv4 tunnel endpoint setting:

IPv6 tunnel endpoint setting:

warp-cli tunnel endpoint set "[2606:4700:d1:0:c654:d69d:4c77:4cf0]:943"

Only enable this after confirming the server has an outbound IPv6 address; otherwise at least make sure you can reset the tunnel endpoint remotely through the console CLI with the command below, or the server will become unreachable!

Reset the preferred IP:

warp-cli tunnel endpoint reset

warp-cli connect made the server unreachable; how to recover

Go to the Cloudflare Zero Trust console, open WARP Clients, and open the Device settings for the device currently in use, for example:

Switch WARP Mode to proxy mode; after a short wait for the API to update, the connection to the server recovers. Then run warp-cli disconnect.

Cloudflare Unable to Connect: HAPPY EYEBALLS MITM FAILURE

Status: Unable to Connect

Error reason: Happy Eyeballs Failure

Error code: CF_HAPPY_EYEBALLS_MITM_FAILURE

Error description: Unable to establish WARP connection. Confirm if this device's firewall allows WARP Ingress and/or UDP traffic.

What is Happy Eyeballs?

Happy Eyeballs can be understood simply as a mechanism that lets your computer or phone try both paths (IPv4 and IPv6) at the same time when going online, see which is faster and smoother, and pick the fastest one.

Recent connection failures in mainland China, affecting WARP, WARP+ and Zero Trust alike, appear to be caused mainly by firewall factors.

How to enable the MASQUE protocol in Zero Trust

Three steps to enable the Cloudflare MASQUE protocol in Zero Trust:

Step 1: Cloudflare Zero Trust console — Settings — WARP settings — Profile settings — Default

Step 2: Set "Device tunnel protocol" to MASQUE and save the profile

Step 3: Back in the WARP client — Global settings — enable "Override local interface IP"

MacOS:

No protocol-switching command in the terminal is needed.

After a MASQUE connection, the ISP shows as: AS13335 Cloudflare, Inc.

Look up the ISP, region and other details of an IP address:

https://orbitmoonalpha.com/ip/

warp-cli tunnel -h
Configure tunnel settings

Usage: warp-cli tunnel <COMMAND>

Commands:
  dump         Get split tunnel routing dump. For include-only mode, this shows routes NOT included
  host         Configure split tunnel hosts
  ip           Configure split tunnel IP ranges
  stats        Retrieve the stats for the current tunnel connection
  rotate-keys  Generate a new key-pair, keeping the current registration
  endpoint     Force the client to connect to the specified IP:PORT endpoint (Zero Trust customers must run this command as a privileged user)
  help         Print this message or the help of the given subcommand(s)

Linux:

warp-cli mdm -h
MDM configs

Usage: warp-cli mdm <COMMAND>

Commands:
  get-configs  Show information about current MDM configurations
  set-config   Apply config from configs found in MDM file
  help         Print this message or the help of the given subcommand(s)

How to verify the WARP MASQUE protocol is in effect

warp-cli settings list

WARP tunnel protocol: MASQUE means it is enabled.

warp-cli settings list
Merged configuration:
(derived)	Always On: true
(network policy)	Switch Locked: false
(network policy)	Mode: WarpWithDnsOverHttps
(network policy)	WARP tunnel protocol: MASQUE
(network policy)	Disabled for Wifi: false
(network policy)	Disabled for Ethernet: false
(user set)	qlog logging: Enabled
(default)	Onboarding: true
(network policy)	Exclude mode, with hosts/ips:
(Not set)	Daemon Teams Auth: false
(network policy)	Disable Auto Fallback: false
(network policy)	Captive Portal: 0
(network policy)	Support URL: 
(network policy)	Organization: orbitmoonalpha
(network policy)	Allow Mode Switch: true
(network policy)	Allow Updates: false
(network policy)	Allowed to Leave Org: false
(network policy)	Profile ID: default

error: unrecognized subcommand 'teams-enroll'

Use warp-cli registration new + organization name instead.
