Last active
November 10, 2025 10:31
Revisions
daemonhorn revised this gist
Jun 8, 2024. 1 changed file with 10 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -20,11 +20,21 @@ This example provides a simple configuration for a Debian client to have a Cloud ``` ./wgcf generate ``` 3. Setup ipv4/ipv6 static routes as needed for ensuring services you want to be reachable outside the tunnel (e.g. ssh) go via the non-CF network path * This needs to point to the existing gateway (gw) and interface to ensure clarity of network path ``` route add -host 151.200.27.234 gw 64.176.70.1 dev enp1s0 route -6 add 2001:db8:4005:f800::/56 gw fe80::fc00:4ff:fedc:c302 dev enp1s0 ``` ## Initiate Wireguard tunnel connection using `wg-quick` ``` wg-quick up ./wgcf-profile.conf ``` ## Validate that WARP tunnel is working Check the ipv4/ipv6 routes defined after the network is up ``` netstat -rn46 ``` Check the output of the `wgcf trace` command and make sure that `warp=on` is in output ``` ./wgcf trace -
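Review bot: In the new step 3, the `route add -host 151.200.27.234 gw 64.176.70.1 dev enp1s0` line uses what look like real public IPv4 addresses while the IPv6 line uses the 2001:db8 documentation prefix, and neither is marked as a placeholder, so a reader who pastes them gets a route that does nothing for their own SSH path. Suggest using documentation ranges for the IPv4 example as well (for instance 203.0.113.10 for the host and 192.0.2.1 for the gateway) and stating that the host, gateway and `enp1s0` must be replaced with local values. The step should also say that these routes are not persistent across reboots and that traffic to the listed destinations leaves outside the tunnel. `route` and `netstat -rn46` come from net-tools, which the install line in the original revision (`openresolv wireguard-tools golang git`) does not pull in, so either add net-tools there or give the `ip route` equivalents.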
daemonhorn created this gist
Apr 15, 2024
@@ -0,0 +1,50 @@ # Cloudflare WARP tunnel via Wireguard client This example provides a simple configuration for a Debian client to have a Cloudflare tunnel while not installing the *official* Cloudflare WARP client. Note: Tunnel transport outbound to `engage.cloudlflare.com` on `udp/2408` is default, with a dynamic listening udp port and a fwmark for packet matching by wireguard. Any applicable firewall rules *may* need to be adjusted. * Top-level GitHub project to convert cloudflare endpoint to generic wireguard configuration file: https://github.com/ViRb3/wgcf ## Install dependancies ``` sudo apt install openresolv wireguard-tools golang git ``` ## Get the latest client from Github and build using go ``` git clone https://github.com/ViRb3/wgcf.git cd wgcf go build -buildvcs=false ``` ## `Register` new endpoint account and `generate` Wireguard configuration 1. Create a registration record using Cloudflare API and save account to file:`wgcf-account.toml` ``` ./wgcf register ``` 2. Generate a generic wireguard configuration file:`wgcf-profile.conf` from the registration file ``` ./wgcf generate ``` ## Initiate Wireguard tunnel connection using `wg-quick` ``` wg-quick up ./wgcf-profile.conf ``` ## Validate that WARP tunnel is working Check the output of the `wgcf trace` command and make sure that `warp=on` is in output ``` ./wgcf trace ``` Check wireguard status and active configuration ``` wg show ifconfig wgcf-profile ``` Check ip address using curl (for both IPv6 and IPv4) ``` curl -6 https://ipconfig.io curl -4 https://ipconfig.io ``` Check cdn trace using curl (for both IPv6 and IPv4) *similar* to `./wgcf trace` ``` curl -6 https://www.cloudflare.com/cdn-cgi/trace/ curl -4 https://www.cloudflare.com/cdn-cgi/trace/ ``` ### Optional * Adjust MTU to 1460 instead of 1280 in `wgcf-profile.conf` for better performance (in non-degraded MTU environments) * Adjust `Address =` configuration to remove either ipv4 or ipv6 transport lines (if not needed) for outside the 
tunnel * Adjust `AllowedIPs =` configuration if default route(/0) is not needed
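Review bot: In the Note paragraph near the top, the endpoint is written as `engage.cloudlflare.com`, which is misspelled, and anyone writing an egress firewall rule from this text would allow the wrong name; take the host and port from the `Endpoint =` line of the generated `wgcf-profile.conf` instead (wgcf profiles normally show `engage.cloudflareclient.com:2408`). Two further points: `wgcf-account.toml` and `wgcf-profile.conf` hold the account credentials and the WireGuard private key, so the register/generate steps should say to keep both files readable only by the owner (for example `chmod 600`), and the build section clones and builds whatever is at the head of the repository, so checking out a release tag before `go build` would make the result reproducible. Minor: "dependancies" should be "dependencies", `ifconfig wgcf-profile` needs net-tools, which the apt line does not install, and the second Optional bullet ("... for outside the tunnel") does not parse as written.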