What is WARP, Zero-Trust
WARP is a new form of WireGuard
Zero-Trust is the best version of WARP
How to deploy WARP
Follow this guide, pretty simple.
Difference between WARP, WARP+, Zero Trust
WARP: 1G
WARP+: Medium plan
Zero Trust: Business plan
Download the WARP client app
The official download site of WARP: https://one.one.one.one
Deploying Zero-Trust registration on a remote server
Taking Linux as an example, download the server-side application following this URL.
For a tutorial on deploying a WireGuard service on Oracle Cloud, see "Oracle Cloud WireGuard Setup Complete Guide 甲骨文服务器配置指南".
Then run the following command:
warp-cli teams-enroll orbitmoonalpha
WARNING: Teams registration run as root is not supported.
Please re-run command as a regular user.
Note: do not use root when submitting the organization enrollment. Exit the root shell with the following command:
exit
NOTICE:
Your organization is using Cloudflare for Teams, a security platform that makes
connections to the Internet and applications faster and safer.
What information is available to administrators of my organization?
The following information may be viewed by administrators from your
organization:
* the websites you visit
* the times you visited them
More information is available at:
– https://www.cloudflare.com/application/terms/
– https://www.cloudflare.com/application/privacypolicy/
Accept Terms of Service and Privacy Policy? [y/N] y
A browser window should open at the following URL:
https://orbitmoonalpha.cloudflareaccess.com/warp
If the browser fails to open, please visit the URL above directly in your browser.
After the page opens and you submit the email verification code, extract the JWT from the blue button:
Note that the complete string inside the single quotes is the JWT.
Then submit the WARP API verification in the following format:
warp-cli registration token com.cloudflare.warp://[organization name].cloudflareaccess.com/auth?token=[token]
For example:
warp-cli registration token com.cloudflare.warp://orbitmoonalpha.cloudflareaccess.com/auth?token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjhkOWIwOTgyNTY3MDYyMWM0N2E3OWQ3MWU2OTFkMTY2MmE2ZTg5ZGUxMmI3YTliZGVlMDczOGE2YWIxNDMxMTMifQ.eyJhdWQiOlsiZTExM2Q4MmU1YzJlMTExZGY5YWY5ZWNlNGZmMTdiNTk5ZjJlYTZkY2U3M2Q3NzU1MDczMmE1MTRlNDRkMDgwOCJdLCJlbWFpbCI6Imh
This completes the Teams enrollment, which is now called Zero Trust.
Common commands:
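The registration step above (and the "Failed to contact the WARP API" fix further down, where a stale JWT has to be refreshed) as an added shell example, not code from the original post: it assembles the warp-cli registration URL for an organization, decodes the JWT's exp claim so an expired token is caught before the API call, and refuses to run as root, as the CLI itself does. The sample JWT is constructed inline with a dummy signature; the only assumption is that the token is a standard JWT whose payload carries a numeric "exp".

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: the Access token is a
# standard JWT (header.payload.signature) with a numeric "exp" claim in the payload.

# base64url -> standard base64 with padding, then decode to stdout.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# Print the exp claim (seconds since epoch) found in a JWT's payload segment.
jwt_exp() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n 's/.*"exp":[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Build the deep-link the post shows: com.cloudflare.warp://<org>.cloudflareaccess.com/auth?token=<jwt>
warp_reg_url() {  # usage: warp_reg_url <org> <token>
  printf 'com.cloudflare.warp://%s.cloudflareaccess.com/auth?token=%s' "$1" "$2"
}

# Return 0 when the token's exp lies after $2 (a unix timestamp), else 1.
token_is_fresh() {  # usage: token_is_fresh <token> <now>
  exp=$(jwt_exp "$1"); now=$2
  [ -n "$exp" ] && [ "$exp" -gt "$now" ]
}

# Constructed sample token: real header/payload encoding, dummy signature.
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }
SAMPLE_JWT="$(printf '%s' '{"alg":"RS256","kid":"sample"}' | b64url).$(printf '%s' '{"aud":["sample"],"email":"user@example.com","exp":1700000000}' | b64url).sig"

# Enrollment must run as a regular user (the CLI rejects root); check the token first.
enroll() {  # usage: enroll <org> <token>
  [ "$(id -u)" -ne 0 ] || { echo "run as a regular user, not root" >&2; return 1; }
  token_is_fresh "$2" "$(date +%s)" \
    || { echo "token expired: reload the token page to get a fresh JWT" >&2; return 1; }
  warp-cli registration token "$(warp_reg_url "$1" "$2")"
}
```

Call `enroll <org> '<jwt>'` from the non-root shell after extracting the JWT from the blue button.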
warp-cli account
This returns:
Account type: Team
Device ID:
Public key:
Account ID:
Organization: orbitmoonalpha
warp-cli tunnel ip add [IP to exclude]
Set the excluded IPs correctly so that the SSH connection to the source server keeps working and the server does not drop off the network.
If they are set incorrectly, running warp-cli connect on the server may leave you unable to connect to the source server ever again.
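The SSH-lockout risk described here (and the recovery procedure in the troubleshooting section below) as an added shell example, not code from the original post: it derives the SSH client's address from the SSH_CONNECTION variable, adds it as a split-tunnel exclusion, and only then runs warp-cli connect, refusing to connect at all when no peer can be determined. Assumptions: the shell is an SSH login session (so SSH_CONNECTION is set to "client_ip client_port server_ip server_port"), the Zero Trust profile permits local split-tunnel edits, and warp-cli tunnel dump lists the exclusion in exclude mode.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes an SSH login session and
# that the device profile allows local "warp-cli tunnel ip add" changes.

# Print the host route for the SSH client named in SSH_CONNECTION
# ("client_ip client_port server_ip server_port"): /32 for IPv4, /128 for IPv6.
ssh_peer_cidr() {  # usage: ssh_peer_cidr "$SSH_CONNECTION"
  ip=$(printf '%s' "$1" | awk '{print $1}')
  [ -n "$ip" ] || return 1
  case "$ip" in
    *:*) printf '%s/128\n' "$ip" ;;   # IPv6 literal
    *)   printf '%s/32\n'  "$ip" ;;   # IPv4
  esac
}

# Exclude the managing peer, verify, then connect. Never connect blindly.
safe_connect() {
  peer=$(ssh_peer_cidr "${SSH_CONNECTION:-}") \
    || { echo "no SSH peer found in SSH_CONNECTION; refusing to connect" >&2; return 1; }
  warp-cli tunnel ip add "$peer" || return 1   # the exclusion the post describes
  # Assumed: in exclude mode the dump lists excluded routes, so the peer should appear.
  warp-cli tunnel dump | grep -F "$peer" >/dev/null \
    || echo "warning: $peer not visible in tunnel dump; keep a console session open" >&2
  warp-cli connect
}
```

If the session still drops, the recovery path is the one in the troubleshooting section: switch the device profile's WARP Mode to proxy in the Zero Trust console so the tunnel releases the server.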
Where is the Private Key of the WARP server's Zero-Trust registration
/var/lib/cloudflare-warp# cat reg.json
The reg.json at this path records:
{"registration_id":["",null],"api_token":"","secret_key":"","public_key":"","override_codes":{"disable_for_time":{"seconds":86400,"secret":""}}}
root@WG-US:/var/lib/cloudflare-warp#
Since the underlying technology WARP uses is WireGuard, the public key and secret key provided in this JSON file are the ones used for the WG pairing.
MASQUE: Cloudflare WARP's New Tunnel Protocol Launched
MASQUE (Multiplexed Application Substrate over QUIC Encryption) is an innovative protocol that extends the capabilities of HTTP/3 and leverages the unique properties of the QUIC transport protocol to efficiently proxy IP and UDP traffic without compromising performance or privacy. With the growing demand for zero trust architecture, the features and solutions offered by MASQUE have become increasingly important. Users desire their network traffic to appear as HTTPS to avoid detection and blocking by firewalls, and many also require FIPS-compliant encryption. The effectiveness of MASQUE technology has been validated in other areas, leading to its integration into zero trust architectures, enabling it to deliver services at exceptional speeds. This application of the technology promises to provide users with a more secure and efficient network experience.
Features of the MASQUE network protocol
MASQUE is an innovative protocol that extends the functionality of HTTP/3 and uses the unique characteristics of the QUIC transport protocol to proxy IP and UDP traffic efficiently without sacrificing performance or privacy. As demand for zero trust architecture grows, the features and solutions MASQUE provides have become especially important. Users want their network traffic to look like HTTPS so it is not detected and blocked by firewalls, and many users also need FIPS-compliant encryption. MASQUE technology has already proven effective in other areas, so integrating it into zero trust architecture lets it deliver services at very high speed. Applying this technology will bring users a more secure and efficient network experience.
How to use the MASQUE WARP protocol
Currently the tunnel protocol can be switched on the server and in the app.
FAQ / Troubleshooting
Q: warp-cli registration new gets stuck in a loop (cannot submit, old registration not completed, and so on), and warp-cli registration delete cannot delete it
A: Try removing warp-cli and reinstalling it:
sudo apt-get remove cloudflare-warp
Q: When registering for Zero Trust, warp-cli register hits Error: Failed to contact the WARP API.
A: If an error is reported while submitting the verification to the API on the server, go back to the WARP token page in the browser; the JWT is refreshed automatically. Submit again with the new JWT and the registration will succeed.
Q: Can I run the Zero Trust WARP connect on the server and then connect locally with WireGuard?
A: In practice, yes. The main idea is that after warp-cli connect, all traffic on the CloudflareWARP interface shown in ifconfig is forwarded through WireGuard. After the local wg connection is established, the IP you get is the CloudflareWARP IP.
Q: How to set a preferred IP on the server?
A: Force the client to connect to the specified IP:PORT endpoint (Zero Trust customers must run this command as a privileged user):
warp-cli tunnel endpoint set [IP:Port]
This requires root privileges.
Q: warp-cli connect made the server unreachable; how to recover
A: Go to the Cloudflare Zero Trust console, WARP Clients, and open the Device settings of the profile currently in use, for example:
Switch WARP Mode to proxy mode, wait a moment for the API to update, and the connection to the server is restored; then run warp-cli disconnect.
Cloudflare Unable to Connect: HAPPY EYEBALLS MITM FAILURE
Status: Unable to Connect
Error reason: Happy Eyeballs Failure
Error code: CF_HAPPY_EYEBALLS_MITM_FAILURE
Error description: Unable to establish WARP connection. Confirm if this device’s firewall allows WARP Ingress and/or UDP traffic.
What is HAPPY EYEBALLS?
Happy Eyeballs can be understood simply as a mechanism that lets your computer or phone try both paths (IPv4 and IPv6) at the same time when going online, see which one is faster and smoother, and then pick the fastest one.
Recently, connection failures in mainland China have affected WARP, WARP+ and Zero Trust alike, and seem to be caused mainly by firewall factors.
How to enable the MASQUE protocol in Zero-Trust
3 Steps to Enable the Cloudflare MASQUE protocol in Zero-Trust:
Step 1: Cloudflare Zero-Trust Console — Settings — WARP settings — Profile setting — Default
Step 2: Enable "Device tunnel protocol" MASQUE, and SAVE the profile
Step 3: Back in the WARP Client — Global settings — Enable "Override local interface IP"
macOS:
No protocol-mode switching commands are needed in the terminal.
After connecting via MASQUE, the ISP information shows: AS13335 Cloudflare, Inc.
To look up the ISP, region and other information for an IP address:
warp-cli tunnel -h
Configure tunnel settings
Usage: warp-cli tunnel <COMMAND>
Commands:
dump Get split tunnel routing dump. For include-only mode, this shows routes NOT included
host Configure split tunnel hosts
ip Configure split tunnel IP ranges
stats Retrieve the stats for the current tunnel connection
rotate-keys Generate a new key-pair, keeping the current registration
endpoint Force the client to connect to the specified IP:PORT endpoint (Zero Trust customers must run this command as a privileged user)
help Print this message or the help of the given subcommand(s)
Linux:
warp-cli mdm -h
MDM configs
Usage: warp-cli mdm <COMMAND>
Commands:
get-configs Show information about current MDM configurations
set-config Apply config from configs found in MDM file
help Print this message or the help of the given subcommand(s)
How to verify the WARP tunnel protocol is using MASQUE
warp-cli settings list
A line reading WARP tunnel protocol: MASQUE means it is enabled.
warp-cli settings list
Merged configuration:
(derived) Always On: true
(network policy) Switch Locked: false
(network policy) Mode: WarpWithDnsOverHttps
(network policy) WARP tunnel protocol: MASQUE
(network policy) Disabled for Wifi: false
(network policy) Disabled for Ethernet: false
(user set) qlog logging: Enabled
(default) Onboarding: true
(network policy) Exclude mode, with hosts/ips:
(Not set) Daemon Teams Auth: false
(network policy) Disable Auto Fallback: false
(network policy) Captive Portal: 0
(network policy) Support URL:
(network policy) Organization: orbitmoonalpha
(network policy) Allow Mode Switch: true
(network policy) Allow Updates: false
(network policy) Allowed to Leave Org: false
(network policy) Profile ID: default
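The verification above, as an added shell example that is not part of the original post: it parses the key/value lines of warp-cli account and warp-cli settings list (stripping the "(network policy)"-style source tag) and returns success only when the device is a Team-type account in the expected organization with MASQUE as the tunnel protocol. The sample outputs are constructed, modelled on the output quoted in the post, with a placeholder Device ID.

```shell
#!/bin/sh
# Added example (not from the original post): check enrollment and tunnel protocol
# from the warp-cli output format shown above.

# Print the value of "<key>: <value>" from CLI output, ignoring a leading "(source)" tag.
cli_value() {  # usage: cli_value "<output>" "<key>"
  printf '%s\n' "$1" \
    | sed -n "s/^[[:space:]]*\(([^)]*)[[:space:]]*\)\{0,1\}$2:[[:space:]]*\(.*\)$/\2/p" \
    | head -n 1
}

# Return 0 only if the account is Team-type, in <org>, and the tunnel protocol is MASQUE.
verify_masque_enrollment() {  # usage: verify_masque_enrollment <org> "<account output>" "<settings output>"
  [ "$(cli_value "$2" 'Account type')" = "Team" ]            || return 1
  [ "$(cli_value "$2" 'Organization')" = "$1" ]              || return 1
  [ "$(cli_value "$3" 'WARP tunnel protocol')" = "MASQUE" ]  || return 1
}

# Constructed samples modelled on the post's output (Device ID is a placeholder).
SAMPLE_ACCOUNT='Account type: Team
Device ID: <placeholder>
Organization: orbitmoonalpha'
SAMPLE_SETTINGS='Merged configuration:
(derived) Always On: true
(network policy) Mode: WarpWithDnsOverHttps
(network policy) WARP tunnel protocol: MASQUE
(network policy) Organization: orbitmoonalpha'

# Live check on a real host (not run here):
# verify_masque_enrollment orbitmoonalpha "$(warp-cli account)" "$(warp-cli settings list)"
```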