A guide to use Cloudflare Tunnel with WireGuard client application

tunnel-to-wg.md

tunnel-to-wg

Table of Contents

• About
• Guide
• Usage
• Acknowledgements

❔ About

To use Cloudflare Tunnel on your client devices, you need to use Cloudflare WARP client application. On mobile phones, you need to use Cloudflare One Agent.
For people who want a little more control, e.g. to automatically turn off the tunnel connection on certain Wi-Fi APs, or to turn on the tunnel connection on mobile network or certain Wi-Fi APs, you can "extract" the WireGuard configuration from Cloudflare WARP and use it in any client WireGuard application you use. Below is a detailed guide to "extract" the WireGuard configuration for your Cloudflare Tunnel.

🚀 Guide

Note

This guide assumes you have already signed up for Cloudflare Zero Trust

1. In Zero Trust overview page, select Settings in the left panel
2. In Settings page, select Network
3. • In Network, you may turn on or off Activity Logging
   • Under Firewall, enable Proxy and enable TCP, UDP and ICMP
4. In Settings, select WARP Client
   • Select Manage for "Device enrollment permissions"
   • In the Policies tab, select Create new policy
   • Add Emails as a "rule". (This email will be used later on to login into Zero Trust)
5. • Go back to the WARP Client page, and select "Configure" for the Default profile by clicking on the 3-dotted menu
   • Under Split Tunnels, select "Manage" for Exclude IPs and domains
   • Select all entries by clicking on the checkbox at the top-left of the table and press "Confirm delete" under the Action button
   • Go back to the Default profile page and select "Save profile"
6. • Now, to get started, select "Create a tunnel" under the Tunnel page in the left panel
   • Under Create a tunnel, choose Select Cloudflared
   • Choose an appropriate name for your tunnel. In this example, we'll choose test
   • Choose your environment and confirm it's Healthy when connected
   • In Route tunnel, select the Private networks tab
   • For this example, we choose our local network's CIDR
   • Select Save tunnel
   • Confirm the route has been created in the Routes page in the left panel

🛠️ Usage

To add a device to your Cloudflare Tunnel:

1. Go to tpm2dot0/wgcf-teams and download the latest release. Extract the .zip file and open your terminal. Start the wgcf-teams binary (.exe for Windows e.t.c.).
   The binary will output a WireGuard configuration for your Cloudflare Tunnel.
2. Go to the webpage https://team-name.cloudflareaccess.com/ and select Login. team-name would be whatever name you chose for your Zero Trust teamname. It can also be found at Settings > Custom Pages, under Team domain
3. Enter the email address we previously configured the policy with
4. Check your email for a one-time PIN and enter it
5. Once successfully authenticated, you will see the Oops! page.
6. Do not worry. In the address bar, change the address to https://team-name.cloudflareaccess.com/warp
7. This will redirect you to a Success! page
8. Hit F12 on your keyboard (or open Developer tools on your browser). Expand head and copy everything after token= and paste it into the terminal.
9. One last thing to do is update the Endpoint of the WireGuard configuration with 162.159.193.1:2408, which is the WARP ingress IP for WireGuard for Cloudflare WARP.

You have successfully "extracted" the WireGuard configuration for you Cloudflared Tunnel!

Note

This process needs to be repeated for each device

🙌 Acknowledgements

This guide has been made by collecting information from the following sources:

1. WireGuard into a private LAN via CloudFlare Tunnels
2. poscat0x04/wgcf-teams (Original repository of the fork tpm2dot0/wgcf-teams )