Cloudflare WARP Zero-Trust 如何开通、部署及使用1.1.1.1 MASQUE

What is WARP, Zero-Trust

WARP is a new form of Wireguard

Zero-Trust is the best version of WARP

How to deploy WARP

Follow this guide, pretty simple.

Difference between WARP, WARP+, Zero Trust

WARP : 1G

WARP+: Medium plan

Zero Trust: Business plan

Download WARP client APP

the official download site of WARP: https://one.one.one.one

远端服务器部署Zero-Trust注册

以Linux为例,按照这个网址进行服务器端应用的下载。

对于使用甲骨文Oracle Cloud部署WireGuard服务的教学请参考《Oracle Cloud WireGuard Setup Complete Guide 甲骨文服务器配置指南》

然后执行以下命令

warp-cli registration new orbitmoonalpha

WARNING1: $ warp-cli teams-enroll error: unrecognized subcommand ‘teams-enroll’

WARNING2: Teams registration run as root is not supported.
Please re-run command as a regular user.

注意,提交组织注册时,不要使用root。用以下命令退出:

exit

NOTICE:

Your organization is using Cloudflare for Teams, a security platform that makes

connections to the Internet and applications faster and safer.

What information is available to administrators of my organization?

The following information may be viewed by administrators from your

organization:

* the websites you visit

* the times you visited them

More information is available at:

– https://www.cloudflare.com/application/terms/

– https://www.cloudflare.com/application/privacypolicy/

Accept Terms of Service and Privacy Policy? [y/N] y

A browser window should open at the following URL:

https://orbitmoonalpha.cloudflareaccess.com/warp

If the browser fails to open, please visit the URL above directly in your browser.

然后页面打开完成邮箱验证码提交后,提取蓝色按钮里的jwt:

然后按以下格式提交WARP API验证:

warp-cli registration token + com.cloudflare.warp://[组织名].cloudflareaccess.com/auth?token= + [token]

比如:

warp-cli registration token com.cloudflare.warp://orbitmoonalpha.cloudflareaccess.com/auth?token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjhkOWIwOTgyNTY3MDYyMWM0N2E3OWQ3MWU2OTFkMTY2MmE2ZTg5ZGUxMmI3YTliZGVlMDczOGE2YWIxNDMxMTMifQ.eyJhdWQiOlsiZTExM2Q4MmU1YzJlMTExZGY5YWY5ZWNlNGZmMTdiNTk5ZjJlYTZkY2U3M2Q3NzU1MDczMmE1MTRlNDRkMDgwOCJdLCJlbWFpbCI6Imh

完成Team,即现在的Zero Trust注册

常见命令:

warp-cli account

这个将返回:

Account type: Team

Device ID:

Public key:

Account ID:

Organization: orbitmoonalpha

warp-cli tunnel ip add [排除IP]

请正确设置排除IP,确保源服务器的ssh连接维持正常,避免服务器失联。

WARP服务器Zero-Trust的私钥Private Key在哪里

/var/lib/cloudflare-warp# cat reg.json

这个路径下的reg.json记录了:

{“registration_id”:[“”,null],”api_token”:””,”secret_key”:””,”public_key”:””,”override_codes”:{“disable_for_time”:{“seconds”:86400,”secret”:””}}}root@WG-US:/var/lib/cloudflare-warp# 

由于WARP使用的底层技术就是WireGuard,这个json文件里提供的公钥和密钥就是WG配对用的。

MASQUE : Cloudflare WARP New Tunnel Protocol 新协议推出

MASQUE

MASQUE(Multiplexed Application Substrate over QUIC Encryption )is an innovative protocol that extends the capabilities of HTTP/3 and leverages the unique properties of the QUIC transport protocol to efficiently proxy IP and UDP traffic without compromising performance or privacy. With the growing demand for zero trust architecture, the features and solutions offered by MASQUE have become increasingly important. Users desire their network traffic to appear as HTTPS to avoid detection and blocking by firewalls, and many also require FIPS-compliant encryption. The effectiveness of MASQUE technology has been validated in other areas, leading to its integration into zero trust architectures, enabling it to deliver services at exceptional speeds. This application of the technology promises to provide users with a more secure and efficient network experience.

MASQUE网络协议的特点

MASQUE是一种创新的协议,扩展了HTTP/3的功能,并利用QUIC传输协议的独特特性,高效地代理IP和UDP流量,同时不牺牲性能或隐私。随着对零信任架构需求的增加,MASQUE提供的功能和解决方案变得尤为重要。用户希望其网络流量表现得像HTTPS,以避免被防火墙检测和阻止,同时许多用户还需要符合FIPS标准的加密。MASQUE技术在其他领域已被验证有效,因此将其集成到零信任架构中,使其能够以极高的速度提供服务。这一技术的应用将为用户带来更安全、更高效的网络体验。

MASQUE WARP 协议如何使用

目前可以通过服务器及APP切换Tunnel协议。

MASQUE

常见问题 Troubleshoot

warp-cli registration new遇到无法提交、旧注册未完成等死循环,warp-cli registration delete无法删除

A: 尝试删除warp-cli重新安装

sudo apt-get remove cloudflare-warp

注册Zero Trust时warp-cli register遇到Error: Failed to contact the WARP API.

A:在提交服务器验证API的时候如果报错,则在浏览器返回warp token页面,自动会刷新jwt,获取新的jwt后再次提交就会注册成功:

能否在服务器进行Zero Trust的WARP connect然后本地Wireguard连接?

实践证明是可以的。主要原理是在warp-cli connect之后,将ifconfig里的CloudflareWARP流量全部通过Wireguard转发。本地wg连接后得到IP就是CloudflareWARP的IP。

如何在服务器设置优选IP?

Force the client to connect to the specified IP:PORT endpoint (Zero Trust customers must run this command as a privileged user)

warp-cli tunnel endpoint set + IP:Port

需要root权限:

重设优选ip:

warp-cli tunnel endpoint reset

warp-cli connect导致服务器失联,如何恢复

进入Cloudflare ZERO TRUST 控制台,WARP Clients进入当前使用的Device settings,比如:

将WARP Mode切换至proxy模式,稍等api更新即可恢复连接服务器,然后将warp-cli disconnect

Cloudflare 无法连接 Unable to Connect HAPPY EYEBALLS MITM FAILURE

VPN:
Status: Unable to Connect
Error reason: Happy Eyeballs Failure
Error code: CF_HAPPY_EYEBALLS_MITM_FAILURE
Error description: Unable to establish WARP connection. Confirm if this device’s firewall allows WARP Ingress and/or UDP traffic.

Status: Unable to Connect

Error reason: Happy Eyeballs Failure

Error code: CF_HAPPY_EYEBALLS_MITM_FAILURE

Error description: Unable to establish WARP connection. Confirm if this device’s firewall allows WARP Ingress and/or UDP traffic.

What is HAPPY EYEBALLS ?

HAPPY EYEBALL可以简单理解为:一种让你的电脑或者手机在上网时,能够同时尝试走这两条路(IPv4和IPv6),看哪条路更快、更顺畅,然后选择最快的那条路来上网。

近期中国大陆出现无法连接情形涵盖warp, warp+及zero trust,似乎主要是由于firewall因素导致。

Zero-Trust如何启用MASQUE协议

3 Steps to Enable the Cloudflare MASQUE protocol in Zero-Trust:

Step1:Cloudflare Zero-Trust Console — Settings — WARP settings — Profile setting — Default

Step2:Enable “Device tunnel protocol” MASQUE , and SAVE profile

Step3: Back to WARP Client — Global settings — Enable “Override local interface IP

MacOS :

不需要在终端进行任何协议模式切换的命令。

MASQUE连接后,ISP信息显示为:AS13335 Cloudflare, Inc.

ip地址的ISP、地区等信息查询:

warp-cli tunnel -h                 
Configure tunnel settings

Usage: warp-cli tunnel <COMMAND>

Commands:
  dump         Get split tunnel routing dump. For include-only mode, this shows routes NOT included
  host         Configure split tunnel hosts
  ip           Configure split tunnel IP ranges
  stats        Retrieve the stats for the current tunnel connection
  rotate-keys  Generate a new key-pair, keeping the current registration
  endpoint     Force the client to connect to the specified IP:PORT endpoint (Zero Trust customers must run this command as a privileged user)
  help         Print this message or the help of the given subcommand(s)

Linux:

warp-cli mdm -h
MDM configs

Usage: warp-cli mdm <COMMAND>

Commands:
  get-configs  Show information about current MDM configurations
  set-config   Apply config from configs found in MDM file
  help         Print this message or the help of the given subcommand(s)

How to verify WARP tunnel protocol is using MASQUE 验证 WARP MASQUE 协议是否生效

warp-cli settings list

WARP tunnel protocol: MASQUE 意味着已启用

warp-cli settings list
Merged configuration:
(derived)	Always On: true
(network policy)	Switch Locked: false
(network policy)	Mode: WarpWithDnsOverHttps
(network policy)	WARP tunnel protocol: MASQUE
(network policy)	Disabled for Wifi: false
(network policy)	Disabled for Ethernet: false
(user set)	qlog logging: Enabled
(default)	Onboarding: true
(network policy)	Exclude mode, with hosts/ips:
(Not set)	Daemon Teams Auth: false
(network policy)	Disable Auto Fallback: false
(network policy)	Captive Portal: 0
(network policy)	Support URL: 
(network policy)	Organization: orbitmoonalpha
(network policy)	Allow Mode Switch: true
(network policy)	Allow Updates: false
(network policy)	Allowed to Leave Org: false
(network policy)	Profile ID: default

How to use the WARP client with macOS Sequoia

Because Apple has updated the “Block All Incoming Connections” setting in macOS Sequoia relative to previous macOS versions, Cloudflare recommends the use of macOS 15.1 or later. With macOS 15.1, Apple addressed several issues that may have caused the WARP client to not behave as expected when used with macOS 15.0.x.
Apple provided guidance that the “Block All Incoming Connections” setting within the macOS firewall in System Settings must be disabled when using the WARP client on macOS Sequoia. In addition, the following must have the “Allow incoming connections” setting explicitly enabled (note: one has a space, one does not):
“CloudflareWARP” at /Applications/CloudflareWARP.app/Contents/Resources/CloudflareWARP
“Cloudflare WARP” with bundle ID com.cloudflare.1dot1dot1dot1dot1.macos

error: unrecognized subcommand ‘teams-enroll’

改用 warp-cli registration new + 组织名


AI AGENT

Free AI Research Guidebook:

AI Agent Complete Guidebook help gear you up人工智能助手指南

AI Tool Agent

Directly interact with ChatGPT for multi-turn conversations

Input URL as reference material to pass in conversation history, ask multiple questions based on the reference material

Summarize YouTube video summaries, requires enabling subtitles for videos

Summarize and follow up on PDF files

Summarize and follow up on news or web articles

Analyze and ask questions about images

Generate high-quality images

more info about AI Agent how to use: https://orbitmoonalpha.com/how-to-use/

Shopping Cart
Scroll to Top