The “warp” aka “zero trust” was blocked in my country

Cloudflare WARP helps my team a lot in reaching the internet, but my teammates and I recently (we just deployed in 8 NotLikeThis) discovered that the WARP PC client and clients that use the WireGuard protocol cannot connect anymore. We have tested it in multiple places; most places, like school or province firewalls, are dropping WireGuard handshakes, even when the connection is just 4 route hops away. The iPhone WARP client, which uses the ISAKMP protocol, could still reach Cloudflare's servers, so we think the firewall has identified WireGuard and drops it. Is there any possible support for the WARP client to confuse the firewall (such as using udp2tcp or a v2ray thingy) so it can be reachable again? (or when cloudflare@home? lol) Thanks!
15 Replies
33335
33335OP15mo ago
Sorry for the too-long post. tl;dr: WARP and WireGuard were blocked in my country; is there any possible support?
!
!15mo ago
Have you tried changing ports? For engage.cloudflareclient.com: 2408, 500, 1701, or 4500. @33335 I have more solutions if needed. Most bypasses are easy for me; it's the bandwidth from the connections that is my struggling part. I hate data caps.
33335
33335OP15mo ago
Yes, I have tried all ports (500, 854, 859, 864, 878, 880, 890, 891, 894, 903, 908, 928, 934, 939, 942, 943, 945, 946, 955, 968, 987, 988, 1002, 1010, 1014, 1018, 1070, 1074, 1180, 1387, 1701, 1843, 2371, 2408, 2506, 3138, 3476, 3581, 3854, 4177, 4198, 4233, 4500, 5279, 5956, 7103, 7152, 7156, 7281, 7559, 8319, 8742, 8854, 8886). The block was protocol and domain specific. We tried setting hosts for reachable Cloudflare IPs; the result was that the firewall checks the protocol, then the TLS 1.0 handshake certificate's domain, and if it is in the blacklist, sends RST,ACK or drops it. QUIC seems not to be in the blacklist, but it is very slow.
!
!15mo ago
Let's try to trace your nearest center connection by connecting your phone to the same internet connection as your PC. Oh, and make sure to check your PC firewall outbound connection and DNS adapter as well. I'ma send pictures to make it make sense for WireGuard.
!
!15mo ago
!
!15mo ago
@33335
33335
33335OP15mo ago
I have tried connecting to all reachable (TCP SYN on 443 ACKed) datacenters. No WireGuard protocol connection was made. Wireshark indicates there's only the handshake request packet; no response packet was received on my side, and on my server there are only handshake request packets but no response packet received. So maybe we can try using ISAKMP or anything that goes over TCP that the firewall doesn't recognize. Hope the Cloudflare WARP team can make it possible.
!
!15mo ago
WireGuard VPN is UDP only: https://www.wireguard.com/known-limitations/ . Before WireGuard was a thing, OpenVPN TCP was my go-to for my VPS back in the day.
!
!15mo ago
@33335
33335
33335OP15mo ago
I saw some udp2tcp or udp2raw projects; I don't know if Cloudflare can deploy them.
!
!15mo ago
I wouldn't trust it because of security: something decrypting and encrypting it.
!
!15mo ago
!
!15mo ago
Interesting
33335
33335OP15mo ago
That was a way, thanks. I'll try that. Solved, with a phone using Zero Trust and hotspot-shared VPN, then routing all WireGuard to it.
!
!15mo ago
Secret old but gold 🤫 http://www.junefabrics.com/index.php
