@gtrabanco
Created February 15, 2025 12:47
This sets up all of Cloudflare's IPv4 CIDRs as a route through a previously set up WARP VPN client
import IPCIDR from 'ip-cidr';

const endpoint = 'https://unifi'; // URL of the UniFi console
const apiKey = ''; // secret, create it in your unifi admin user
const description = 'Cloudflare'; // Route name
const wgClientName = 'Cloudflare Warp Client';
const wireguardInterfaceAddress = '172.16.0.2/32';
const wireguardInterfacePrivateKey = ''; // Secret provided by wgcf, see: https://www.tiernanotoole.ie/2024/12/12/how-to-use-cloudflare-warp-with-a-udm-pro.html
const wireguardPeerPublicKey = 'bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=';

// Disables TLS certificate verification for every request this process makes
// (UniFi consoles typically use a self-signed certificate). This also covers the
// request for the Cloudflare IP list below, and the API key is sent over the
// unverified connection.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

const endpointUrl = new URL(endpoint);
endpointUrl.pathname = '/proxy/network/api/s/default/rest/networkconf';

// WireGuard VPN client network that points at the WARP endpoint
const createWgClient = {
  enabled: true,
  name: wgClientName,
  purpose: 'vpn-client',
  ip_subnet: wireguardInterfaceAddress,
  dhcpd_dns_1: '1.1.1.1',
  dhcpd_dns_2: '1.0.0.1',
  vpn_type: 'wireguard-client',
  wireguard_client_mode: 'manual',
  wireguard_client_peer_ip: 'engage.cloudflareclient.com',
  wireguard_client_peer_port: 2408,
  wireguard_client_peer_public_key: wireguardPeerPublicKey,
  wireguard_client_preshared_key: '',
  wireguard_client_preshared_key_enabled: false,
  x_wireguard_private_key: wireguardInterfacePrivateKey,
};

console.log('Creating VPN Client to Warp');
const resVPNClient = await fetch(endpointUrl, {
  headers: {
    'accept': 'application/json',
    'content-type': 'application/json',
    'x-api-key': apiKey,
  },
  body: JSON.stringify(createWgClient),
  method: 'POST',
}).then((res) => res.json());
console.log(resVPNClient);

// The id of the created network is needed to attach the traffic route to it
const network_id = resVPNClient.data?.[0]?._id;

if (network_id) {
  console.log('Adding Cloudflare routes');

  // Routes: download the published IPv4 list and keep only the lines that parse as CIDRs
  const ipcidrsInstances = await fetch('https://www.cloudflare.com/ips-v4/#')
    .then((res) => res.text())
    .then((ips) =>
      ips
        .split('\n')
        .map((cidr) => (IPCIDR.isValidCIDR(cidr) ? new IPCIDR(cidr) : false))
        .filter((v) => !!v)
    );

  // The traffic route takes start/stop addresses rather than CIDR notation
  const ip_ranges = ipcidrsInstances.map((ipcidr) => {
    const [ip_start, ip_stop] = ipcidr.toRange();
    return {
      ip_start,
      ip_stop,
      ip_version: 'v4',
    };
  });

  // Route traffic from all clients to those ranges through the VPN client network
  const createRoutes = {
    enabled: true,
    description,
    domains: [],
    regions: [],
    matching_target: 'IP',
    network_id,
    next_hop: '',
    kill_switch_enabled: false,
    target_devices: [
      {
        type: 'ALL_CLIENTS',
      },
    ],
    ip_addresses: [],
    ip_ranges,
  };

  endpointUrl.pathname = '/proxy/network/v2/api/site/default/trafficroutes';
  const resRoutes = await fetch(endpointUrl, {
    headers: {
      'accept': 'application/json',
      'content-type': 'application/json',
      'x-api-key': apiKey,
    },
    body: JSON.stringify(createRoutes),
    method: 'POST',
  }).then((res) => res.json());
  console.log(resRoutes);
}
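The script turns every line of the IP-list response into a route for all clients, and with NODE_TLS_REJECT_UNAUTHORIZED set to '0' that response is not authenticated. The following is an added example, not the gist author's code, of checking the list before it becomes ip_ranges; MIN_PREFIX, RESERVED and the function names are assumptions, and the sample input is constructed.

```javascript
// Added example, not the gist author's code. MIN_PREFIX and RESERVED are assumed policy.
const MIN_PREFIX = 12; // assumption: refuse any route broader than a /12
const RESERVED = ['0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
  '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/3'];

// Dotted quad -> integer, or null when an octet is malformed or out of range.
function toInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

const toIp = (n) => [24, 16, 8, 0].map((s) => Math.floor(n / 2 ** s) % 256).join('.');

// CIDR -> { start, stop, prefix }, or null if malformed or host bits are set.
function parseCidr(cidr) {
  const m = /^([\d.]+)\/(\d{1,2})$/.exec(cidr);
  if (!m) return null;
  const base = toInt(m[1]);
  const prefix = Number(m[2]);
  if (base === null || prefix > 32) return null;
  const size = 2 ** (32 - prefix);
  if (base % size !== 0) return null;
  return { start: base, stop: base + size - 1, prefix };
}

const reservedRanges = RESERVED.map(parseCidr);

// Split the fetched text into route entries and lines refused by the policy.
function buildIpRanges(text) {
  const accepted = [];
  const rejected = [];
  for (const line of text.split('\n').map((l) => l.trim()).filter(Boolean)) {
    const r = parseCidr(line);
    const overlapsReserved = r && reservedRanges.some((x) => r.start <= x.stop && x.start <= r.stop);
    if (!r || r.prefix < MIN_PREFIX || overlapsReserved) rejected.push(line);
    else accepted.push({ ip_start: toIp(r.start), ip_stop: toIp(r.stop), ip_version: 'v4' });
  }
  return { accepted, rejected };
}

// Constructed sample response: two plausible ranges plus entries that must be refused.
const SAMPLE = '173.245.48.0/20\n104.16.0.0/13\n0.0.0.0/0\n192.168.1.0/24\n104.16.0.1/13\nnot-a-cidr\n';
console.log(buildIpRanges(SAMPLE));
```

A non-empty rejected list is a reason to stop before the POST to trafficroutes rather than to push the remaining entries.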
@gtrabanco
Author

WireGuard client with WARP

Install wgcf and create a VPN connection with WARP:

brew install wgcf
# Registration. Creates a configuration file (it is created in the current directory, $PWD)
wgcf register
# Generates a connection file for WireGuard
wgcf generate

Once you have the configuration file, read it, take the private key from [Interface] and put it in the variable: wireguardInterfacePrivateKey.

UniFi API Key

Access your UniFi Network directly or through unifi.ui.com > Settings > Admins & Users (at the very bottom):

  • Click on your user and, under "Control Plane API Key", click "Create New"
  • Add the API key to the variable apiKey

Running

I suggest using Bun:

bun setup-unifi-route-vpn-client.ts

Give it a ⭐ and cheers 🍺!


Source: https://www.tiernanotoole.ie/2024/12/12/how-to-use-cloudflare-warp-with-a-udm-pro.html
