Maintain source IP for WARP
Is there any method to maintain the source IP (eg. 100.96.0.10) when talking to a routed subnet through WARP, without the use of Magic WAN?
Magic WAN is too expensive for our use case, but the cloudflared built in masquerading is causing issues with firewall logs when we want to identify the source user for specific traffic flow, the traffic is also not HTTP (otherwise we would just publish the app)
It looks like the new tunnels via WARP might be the solution, however it looks like this does not run inside a container 😦 be nice if you could generate wireguard profiles as we are loading it onto a router anyway
thanks, how often do the wireguard certs change etc?
wireguard certs that is
That could be interesting as the new WARP auth identity config is a global config, but I would be using this against a service token warp login, so maybe it will be fine?
Would be nice if CF supported this officially as it's a bit of an overkill to install the WARP client etc just for site to site or client to site connectivity
Oh on the client side 100% agree, but this is specific to the newer warp-to-warp stuff, but suppose it also kills their MagicWAN partially
When I evaluated the Magic WAN product it was lacking a lot of the required components we would like (if we were to use it as a WAN solution)
But our requirement is essentially just this dang source IP thing 😦 so hoping it works anyway
Magic WAN was pretty exxy for what we want it for, and was very static in its design when you buy
Yeh makes sense on their primary product (http reverse proxy) mixed with the complications of trying to configure routing to make it work for that use case
PS. Network Engineer for a carrier network
Anywho getting late, will try to extract the wireguard from the service profile and see what happens
Thanks for posting this. 🙂
Struggling to work out how to get that code built, never had to use nix before
But from using the binary from the original repo, it looks like the service auth token for a WARP tunnel is not compatible
Curious if you can extract and manually build the wireguard config from the bits from an existing WARP machine
Well that was easier than expected....
For others, what I did was grab some details from /var/lib/cloudflare-warp/conf.json, those being the public_key for the peer, and the endpoints detail. Then grabbed my secret_key from /var/lib/cloudflare-warp/reg.json
Popping these into the wireguard config for my router (MikroTik CHR)
The above will enable routing of the 100.96.0.0/16 CGNAT space; for the client to initiate it will need traffic, so on the router enable a scheduled ping etc
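As an added example (my own code, not the poster's and not anything Cloudflare ships), here is the extraction step above written as a script that reads the two WARP state files, sanity-checks the keys, and emits both a wg-quick file and the equivalent MikroTik RouterOS 7 lines. Only the three field names the post mentions (public_key and endpoints in conf.json, secret_key in reg.json) come from the post; the assumption that endpoints is a list of "host:port" strings, the 203.0.113.10 endpoint, the sample keys, and the RouterOS syntax (written from memory) are mine. The post does not say where the client's own 100.96.x.x address lives, so it is passed in explicitly. PersistentKeepalive is used in place of the scheduled ping the post suggests, since it also makes the router originate traffic.

```python
"""Assemble a WireGuard config from the WARP client's state files.

Added example, not the poster's code. The post names three fields
(public_key and endpoints in conf.json, secret_key in reg.json); the
surrounding JSON layout and every sample value below are constructed.
"""
import base64
import json
import os
import stat

WARP_CONF = "/var/lib/cloudflare-warp/conf.json"
WARP_REG = "/var/lib/cloudflare-warp/reg.json"
ROUTED_SUBNET = "100.96.0.0/16"  # CGNAT range the post says this routes

# Constructed sample state: 32-byte keys, TEST-NET-3 endpoint. Not real.
SAMPLE_CONF = {
    "public_key": base64.b64encode(bytes([1] * 32)).decode(),
    "endpoints": ["203.0.113.10:2408"],  # assumed "host:port" list layout
}
SAMPLE_REG = {"secret_key": base64.b64encode(bytes([2] * 32)).decode()}


def is_valid_key(b64key: str) -> bool:
    """A WireGuard (Curve25519) key is exactly 32 bytes of base64. Check it
    before pasting into a router so a truncated copy fails here."""
    try:
        return len(base64.b64decode(b64key, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def parse_endpoint(ep: str):
    """Split 'host:port'; bracketed IPv6 like '[2001:db8::1]:2408' works too."""
    host, sep, port = ep.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"bad endpoint {ep!r}")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, int(port)


def extract(conf: dict, reg: dict):
    """Pull and validate the three fields the post uses (first endpoint only)."""
    pub, priv = conf["public_key"], reg["secret_key"]
    for name, key in (("public_key", pub), ("secret_key", priv)):
        if not is_valid_key(key):
            raise ValueError(f"{name} is not a 32-byte base64 key")
    host, port = parse_endpoint(conf["endpoints"][0])
    return pub, priv, host, port


def wg_quick_config(conf, reg, address, keepalive=25):
    """wg-quick style [Interface]/[Peer] file. `address` is the tunnel's own
    100.96.x.x/32 address (assumed; the post does not say which field holds it).
    PersistentKeepalive makes the router send traffic first, which the post says
    is needed before the peer will route anything."""
    pub, priv, host, port = extract(conf, reg)
    endpoint = f"[{host}]:{port}" if ":" in host else f"{host}:{port}"
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {priv}",
        f"Address = {address}",
        "",
        "[Peer]",
        f"PublicKey = {pub}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {ROUTED_SUBNET}",
        f"PersistentKeepalive = {keepalive}",
        "",
    ])


def routeros_config(conf, reg, address, iface="wg-warp", keepalive=25):
    """Equivalent RouterOS 7 CLI. Syntax from memory, not from the post:
    verify against your ROS version before pasting."""
    pub, priv, host, port = extract(conf, reg)
    return "\n".join([
        f'/interface/wireguard add name={iface} private-key="{priv}"',
        f"/ip/address add address={address} interface={iface}",
        f'/interface/wireguard/peers add interface={iface} public-key="{pub}" '
        f"endpoint-address={host} endpoint-port={port} "
        f"allowed-address={ROUTED_SUBNET} persistent-keepalive={keepalive}s",
        "",
    ])


def load_state(conf_path=WARP_CONF, reg_path=WARP_REG):
    """Read the real files. reg.json holds the device's private key, so warn
    if anyone other than its owner can read it."""
    if os.stat(reg_path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
        print(f"warning: {reg_path} is group/world readable")
    with open(conf_path) as f, open(reg_path) as g:
        return json.load(f), json.load(g)


if __name__ == "__main__":
    # Swap in load_state() on a machine that actually has the WARP client.
    print(wg_quick_config(SAMPLE_CONF, SAMPLE_REG, address="100.96.0.10/32"))
    print(routeros_config(SAMPLE_CONF, SAMPLE_REG, address="100.96.0.10/32"))
```

Treat the generated file like the private key it contains: the secret_key lifted from reg.json is the WARP device identity, so whatever the router does with firewall logs, the config itself should not end up in a ticket or a shared drive.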