Cloudflare WARP tunnel via Wireguard client

Cloudflare-WARP_Wireguard.md

Cloudflare WARP tunnel via Wireguard client

This example provides a simple configuration for a Debian client to have a Cloudflare tunnel while not installing the official Cloudflare WARP client. Note: Tunnel transport outbound to engage.cloudlflare.com on udp/2408 is default, with a dynamic listening udp port and a fwmark for packet matching by wireguard. Any applicable firewall rules may need to be adjusted.

• Top-level GitHub project to convert cloudflare endpoint to generic wireguard configuration file: https://github.com/ViRb3/wgcf

Install dependancies

sudo apt install openresolv wireguard-tools golang git

Get the latest client from Github and build using go

git clone https://github.com/ViRb3/wgcf.git
cd wgcf
go build -buildvcs=false

Register new endpoint account and generate Wireguard configuration

1. Create a registration record using Cloudflare API and save account to file:wgcf-account.toml

./wgcf register

2. Generate a generic wireguard configuration file:wgcf-profile.conf from the registration file

./wgcf generate

3. Setup ipv4/ipv6 static routes as needed for ensuring services you want to be reachable outside the tunnel (e.g. ssh) go via the non-CF network path

• This needs to point to the existing gateway (gw) and interface to ensure clarity of network path

  route add -host 151.200.27.234 gw 64.176.70.1 dev enp1s0
  route -6 add 2001:db8:4005:f800::/56 gw fe80::fc00:4ff:fedc:c302 dev enp1s0

Initiate Wireguard tunnel connection using wg-quick

wg-quick up ./wgcf-profile.conf

Validate that WARP tunnel is working

Check the ipv4/ipv6 routes defined after the network is up

netstat -rn46

Check the output of the wgcf trace command and make sure that warp=on is in output

./wgcf trace

Check wireguard status and active configuration

wg show
ifconfig wgcf-profile

Check ip address using curl (for both IPv6 and IPv4)

curl -6 https://ipconfig.io
curl -4 https://ipconfig.io

Check cdn trace using curl (for both IPv6 and IPv4) similar to ./wgcf trace

curl -6 https://www.cloudflare.com/cdn-cgi/trace/
curl -4 https://www.cloudflare.com/cdn-cgi/trace/

Optional

• Adjust MTU to 1460 instead of 1280 in wgcf-profile.conf for better performance (in non-degraded MTU environments)
• Adjust Address = configuration to remove either ipv4 or ipv6 transport lines (if not needed) for outside the tunnel
• Adjust AllowedIPs = configuration if default route(/0) is not needed

is it possible to excluding SMTP port to be proxy in wireguard ?

Easiest way to exclude something is by adding a more specific route for that endpoint, but you can also do fancy things to perform specific tcp port redirects using either iptables or standalone utilities like netcat just for the SMTP port. Wireguard supports both PreUp and PostUp configurations directly in the wireguard wg-quick(8) config file. See:

• https://www.man7.org/linux/man-pages/man8/wg-quick.8.html
• https://www.man7.org/linux/man-pages/man8/wg.8.html
• https://www.wireguard.com/netns/

do you have example ?
i have try ip rule but its fail

my config
[Interface]
PrivateKey = myprivatekey
Address = address
MTU = 1400

PostUp = ip -4 rule add from myserverip lookup main
PostDown = ip -4 rule delete from myserverip lookup main

Table = 1234
PostUp = ip rule add ipproto tcp dport 25 table 1234
PreDown = ip rule delete ipproto tcp dport 25 table 1234

[Peer]
PublicKey = bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myendpoint

i can access to vps [incoming]
but in the vps i access out to 25 [ outgoing has blocked by vpn vendor ]

so i want to exclude port 25 to being proxy in outgoing