Maintain source IP for WARP

Is there any method to maintain the source IP (eg. 100.96.0.10) when talking to a routed subnet through WARP, without the use of Magic WAN? Magic WAN is too expensive for our use case, but the cloudflared built in masquerading is causing issues with firewall logs when we want to identify the source user for specific traffic flow, the traffic is also not HTTP (otherwise we would just publish the app)
3 Replies
semaja2
semaja2OP•12mo ago
It looks like the new tunnels via WARP might be the solution, however looks like this does not run inside a container 😦 be nice if you could generate wireguard profiles as we are loading it onto a router anyway
thanks, how often do the wireguard certs change etc? wireguard certs that is
That could be interesting as the new WARP auth identity config is a global config, but I would be using this against a service token warp login, so maybe it will be fine?
Would be nice if CF supported this officially as it's a bit of an overkill to install the WARP client etc just for site to site or client to site connectivity
Oh on the client side 100% agree, but this is specific to the newer warp-to-warp stuff, but suppose it also kills their MagicWAN partially
When I evaluated the Magic WAN product it was lacking on a lot of the required components we would like (if we were to use it as a WAN solution)
But our requirement is essentially just this dang source IP thing 😦 so hoping it works anyway
Magic WAN was pretty exxy for what we want it for, and was very static in its design when you buy
Yeh makes sense on their primary product (http reverse proxy) mixed with the complications of trying to configure routing to make it work for that use case
PS. Network Engineer for a carrier network
Anywho getting late, will try to extract the wireguard from the service profile and see what happens
denham5927
denham5927•12mo ago
Thanks for posting this. 🙂
semaja2
semaja2OP•12mo ago
Struggling to work out how to get that code built, never had to use nix before
But from using the binary from the original repo, it looks like the service auth token for a WARP tunnel is not compatible
Curious if you can extract and manually build the wireguard config from the bits from an existing WARP machine
Well that was easier than expected....
For others what I did was grab some details from /var/lib/cloudflare-warp/conf.json those being the public_key for the peer, and the endpoints detail
Then grabbed my secret_key from /var/lib/cloudflare-warp/reg.json
Popping these into the wireguard config for my router (MikroTik CHR)
/interface wireguard add listen-port=13232 mtu=1420 name=wireguard2 private-key="<key from reg.json>"
/interface wireguard peers add allowed-address=100.96.0.0/16 endpoint-address=<endpoint address from conf.json> endpoint-port=<endpoint port from conf.json> interface=wireguard2 public-key="<public_key from conf.json>"
/ip route add disabled=no dst-address=100.96.0.0/16 gateway=wireguard2 routing-table=main suppress-hw-offload=no
The above will enable routing of the 100.96.0.0/16 CGNAT space, for the client to initiate it will need traffic so on the router enable a scheduled ping etc
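The post above builds the three RouterOS commands by hand from conf.json and reg.json. The script below is an added example (not from the post, and not a Cloudflare or MikroTik tool) that does the same from file contents: it checks that both values are well-formed WireGuard keys (32 bytes, base64) before emitting anything, parses the endpoint, optionally adds a persistent-keepalive in place of the scheduled ping, and refuses to read reg.json if its permissions expose the private key to other users. The JSON field names ("public_key", "endpoints", "secret_key") follow the post's wording, but the exact layout of the real files, including whether "endpoints" is a dict or a list, is an assumption; the sample file contents and keys are constructed for the example.

```python
import base64
import json
import os
import stat

# Constructed sample contents standing in for the two WARP client files the
# post reads by hand. Field layout is an assumption: compare against your own
# /var/lib/cloudflare-warp/conf.json and reg.json. Keys are dummy values.
SAMPLE_PEER_PUBKEY = base64.b64encode(bytes(range(32))).decode()
SAMPLE_SECRET_KEY = base64.b64encode(bytes(range(32, 64))).decode()
SAMPLE_CONF = json.dumps({"public_key": SAMPLE_PEER_PUBKEY,
                          "endpoints": {"v4": "203.0.113.10:2408"}})
SAMPLE_REG = json.dumps({"secret_key": SAMPLE_SECRET_KEY})


def wg_key_ok(key: str) -> bool:
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 chars)."""
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 32


def parse_endpoint(ep) -> tuple:
    """Accept either 'host:port' or {'host': ..., 'port': ...} (assumed layouts)."""
    if isinstance(ep, dict):
        return str(ep["host"]), int(ep["port"])
    host, sep, port = str(ep).rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"unparseable endpoint: {ep!r}")
    return host.strip("[]"), int(port)  # drop IPv6 brackets if present


def routeros_commands(conf: dict, reg: dict, iface="wireguard2",
                      listen_port=13232, allowed="100.96.0.0/16",
                      keepalive=None) -> list:
    """Emit the three RouterOS commands from the post, validating the keys first."""
    peer_pub, priv = conf["public_key"], reg["secret_key"]
    for name, key in (("conf.json public_key", peer_pub),
                      ("reg.json secret_key", priv)):
        if not wg_key_ok(key):
            raise ValueError(f"{name} is not a valid WireGuard key")
    endpoints = conf["endpoints"]
    ep = endpoints["v4"] if isinstance(endpoints, dict) else endpoints[0]
    host, port = parse_endpoint(ep)
    peer = (f"/interface wireguard peers add allowed-address={allowed} "
            f"endpoint-address={host} endpoint-port={port} interface={iface} "
            f'public-key="{peer_pub}"')
    if keepalive:  # WireGuard keepalive, an alternative to the scheduled ping
        peer += f" persistent-keepalive={keepalive}s"
    return [
        f"/interface wireguard add listen-port={listen_port} mtu=1420 "
        f'name={iface} private-key="{priv}"',
        peer,
        f"/ip route add disabled=no dst-address={allowed} gateway={iface} "
        f"routing-table=main suppress-hw-offload=no",
    ]


def commands_from_json(conf_text: str, reg_text: str, **kw) -> list:
    """Same as routeros_commands, but from raw file contents."""
    return routeros_commands(json.loads(conf_text), json.loads(reg_text), **kw)


def commands_from_files(conf_path="/var/lib/cloudflare-warp/conf.json",
                        reg_path="/var/lib/cloudflare-warp/reg.json", **kw) -> list:
    """Read the real files; stop if the private-key file is readable by others."""
    mode = os.stat(reg_path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        raise PermissionError(f"{reg_path} holds the private key but is readable by others")
    with open(conf_path) as c, open(reg_path) as r:
        return commands_from_json(c.read(), r.read(), **kw)


if __name__ == "__main__":
    for line in commands_from_json(SAMPLE_CONF, SAMPLE_REG, keepalive=25):
        print(line)
```

Run it as root on the WARP host with `commands_from_files()` to get commands ready to paste into the CHR; the output contains the private key, so treat it like reg.json itself rather than pasting it into a ticket or chat.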