Site-to-Site VPN with Cloudflare WARP

11,905 views

LinuxCloudHacks

1 day ago

Comments: 85
@zero_hours_played 6 months ago
The best WARP tutorial ever!! Way better than Cloudflare's docs!! Thank you for sharing this valuable video with us.
@LinuxCloudHacks 6 months ago
Thank you very much! I'm glad it was helpful. Please let me know if you have any questions. I'll be doing more Cloudflare tutorials, so stay tuned! Cheers!
@bilalmujahid7445 5 months ago
I am a Cloudflare Architect, but this video just amazed me: very detailed, yet the explanation is concise.
@fomofonk 3 months ago
Amazing tutorial! 🙏👏 It made a big chunk of the Cloudflare docs "click"! Really, thank you! Please keep making the amazing content you provide!
@LinuxCloudHacks 3 months ago
You're very welcome!
@devall4324 8 days ago
Thanks for your explanation, it is very clear, you are the best.
@LinuxCloudHacks 7 days ago
You are welcome! Please stay tuned, as the next video should be interesting :)
@shivamsaxena7378 5 months ago
Thank you for such a detailed video. This is exactly what I have been looking for! Looking forward to more such videos from you :)
@LinuxCloudHacks 5 months ago
Glad you liked it. More to come!
@JaroslavVazac 4 months ago
Best how-to video I have ever seen. Thanks, it has helped me understand WARP tunneling a lot.
@LinuxCloudHacks 4 months ago
Great to hear!
@mansur_sw07 7 months ago
First comment and first like from me 😅
@LinuxCloudHacks 7 months ago
🎉 Thank you! Stay tuned for more videos!
@agungnandapr 7 months ago
Nice tutorial, good job sir 👍
@LinuxCloudHacks 6 months ago
Many thanks!
@kalpanchal6614 7 months ago
Nice video, great job explaining.
@LinuxCloudHacks 7 months ago
Glad you liked it! Stay tuned for more!
@carlosgarcia1165 3 months ago
I cannot find a way to change the team name or the organization name. Is that the URL name?
@LinuxCloudHacks 3 months ago
To change the team name go to Zero Trust -> Settings -> Custom Pages -> Team domain -> Edit. The team name is the part before ".cloudflareaccess.com". BTW, Cloudflare did simplify the installation process. I'll be releasing a revised video soon.
@angeloerasto 3 months ago
Strange: as soon as I start the service I cannot reach the internet and warp-cli status says disconnected. If I stop the service I can reach the internet. All registration information is set up correctly. For the life of me I can't find out why. I am running the router and clients in Proxmox containers.
@LinuxCloudHacks 3 months ago
Hi! Recently Cloudflare updated their WARP CLI software, so the procedure may be a bit different. Later this month or early next month I'll create another video about how to set it up with the latest WARP CLI and the latest Ubuntu/Debian. Have not tried it yet. In the meantime please try playing with "ResolveUnicastSingleLabel=yes" in systemd-resolved. In general it's usually an issue with DNS.
@angeloerasto 3 months ago
Thanks. I'm sure I have tried playing with ResolveUnicastSingleLabel, but I will keep trying. I wonder if it's because I'm behind CGNAT. Anyway, I will wait for your video. I keep finding KZbin tutorials for the same thing. Your videos really make a difference. Cheers
@flug2253 2 months ago
Do I need a Linux OS, with network packet forwarding to other networks allowed, to do the same thing if I want to enable SSH from a WARP tunnel agent to computers that belong to another network?
@LinuxCloudHacks 2 months ago
Hi! Not sure if I get the question right. You need Linux with packet forwarding enabled if you want your WARP agent to act as a gateway between the WARP tunnel and the target network. If you are only the client then it does not have to be Linux. For example: Windows WARP agent -------------> Linux WARP agent ----------> Private Network
@flug2253 2 months ago
@LinuxCloudHacks I successfully configured the WARP tunnel and confirmed I can SSH from my Windows computer with the WARP client installed to the WARP agent server by designating the IP address assigned by Cloudflare WARP as the SSH destination address! I appreciate your help.
@LinuxCloudHacks 2 months ago
Great!
@MohammadsadeghSalehi-l5x 1 month ago
Can I have a site-to-site tunnel and a cloudflared tunnel (the regular one) on the same VM?
@LinuxCloudHacks 1 month ago
Hi! It should be possible, but you need to configure WARP-CLI in tunnel-only mode (Service mode = Secure Web Gateway without DNS Filtering) and also configure Split Tunnel to Include IPs and add 100.96.0.0/12 and your 2 private ranges. Cheers!
@ncore231 4 months ago
So the client doesn't need to install the VPN? Instead the VPN supply is a source of eth1? So that the client runs a static IP and the gateway is 10.10.0.1?
@ncore231 4 months ago
Correct me if I'm wrong 😅
@LinuxCloudHacks 4 months ago
No, clients in the 10.10.0.x network don't have to install anything. Only set the default gateway to the router, that is 10.10.0.1.
@ncore231 4 months ago
@LinuxCloudHacks Thank you, it works. I did it on 4 virtual machines: 2 are my router 1 and router 2, and the other 2 are my clients connected to the host-internal network. I'm happy.
@ncore231 4 months ago
Eth1 is a static IP? Without a gateway, just only 10.10.0.1?
@LinuxCloudHacks 4 months ago
ROUTER1 has two interfaces. ETH0 with 192.168.10.1. This interface points towards the Internet. The default gateway is 192.168.10.200. ROUTER1 also has ETH1 with a static IP 10.10.0.1 towards the private network. All nodes in the private network have their default gateway set to the ROUTER, that is 10.10.0.1. Cloudflare WARP software is installed only on ROUTER1. Clients in the 10.10.0.x network don't have Cloudflare installed.
@CelalDemir-g1s 4 months ago
This is awesome content, thank you so much.
@LinuxCloudHacks 4 months ago
Glad you enjoyed it!
@MohammadsadeghSalehi-l5x 3 months ago
Hi, thanks for this amazing video. I have done all the steps like you did, but the VMs behind the routers can't ping each other!
@LinuxCloudHacks 3 months ago
Hi! Please make sure that the local devices have return routing set: the WARP peers need to be set as the default gateway for your network, or your local devices need to have an explicit static route for 100.64.0.0/10 and the remote network. So in my example local client1 (10.10.0.2) needs to have a route to 10.20.0.0/24 via 10.10.0.1 (WARP peer) and client2 (10.20.0.2) needs to have a route to 10.10.0.0/24 via 10.20.0.1 (WARP peer). I'm not adding static routes as I have the default gateway set as the WARP client.
@MohammadMajdalawi-r1c 4 months ago
Thank you for the detailed video. How can I implement a high availability (HA) setup for a site-to-site WARP connector?
@LinuxCloudHacks 4 months ago
I believe that due to the nature of how WARP is implemented it's not possible to do an HA setup as we understand it. However: a) if you have 2 WANs from distinct ISPs and one WAN goes down, you'll switch to the other WAN and the operation should resume; b) if a Cloudflare colocation center goes down, you'll be connected to a different colocation center (due to anycast routing). I know that this is not ideal, but it's close.
@4m0ses 3 months ago
Can you do a video on how to connect via WARP to Active Directory on Zentyal?
@LinuxCloudHacks 2 months ago
Hi! In my next video I'll show integration with Azure AD.
@mattiaippolito1625 5 months ago
When I try to connect my client and log in with the WARP app I get a 404 Page not found error and not the page where I should fill in the email address... can you help?
@LinuxCloudHacks 5 months ago
Hi, this happens when you click "login to zero trust" in Preferences -> Account? Then you enter the team name (for example abc.cloudflareaccess.com) that you found under your web console -> Zero Trust -> Settings -> Custom Pages? And then you get a 404?
@mattiaippolito1625 5 months ago
@LinuxCloudHacks correct... that's what happened. But after I changed the team name in my Zero Trust it worked... maybe my team name was already used, or I don't understand... I now have a different problem. I have two devices, a Mac and an iPhone, both connected to the same WiFi network... if I enable the WARP client on both devices when they are connected to the WiFi and I try to access a server on the same LAN, I get a timeout error and no connection on the Mac, but it works perfectly fine on the phone under the same circumstances...
@MAMSEIN021 3 months ago
Hi there, thank you for your useful video. Is there any way to use the MASQUE protocol on WARP to connect from the WARP client to a VPS server like Linode or OVH? I mean using it as a VPN.
@LinuxCloudHacks 3 months ago
Hi! Last time I checked, their MASQUE protocol was in beta (not available to the public) and they used WireGuard for VPN (on WARP).
@MAMSEIN021 3 months ago
@LinuxCloudHacks Hi again. No, it is not in beta now; you can change your protocol on the WARP client via the warp-cli command, and once you change it to MASQUE you will be able to use it easily, and it is working fine even in Iran. I only need to know how I can use my own VPS server to connect to it via the WARP client and use it like a VPN service. If you know any ways, please let me know. Thanks ❤
@MAMSEIN021 3 months ago
@TheMrNatoShow No sir, I just want to use the WARP client as a VPN to connect to my server via the WARP client. I can get connected to WARP servers easily, but I want to get my server's IP address when I connect via WARP. I don't want to get a Cloudflare IP address.
@ngoyal16 5 months ago
Hello Team, this is a great video, and I followed the exact steps as shown in the video. I don't have access to the router, so I installed WARP on one client at both sides. I am able to ping and telnet the devices via the CGNAT address, but when I try to ping via their private IP address space it is not working. ip -4 -br a shows as intended. I also checked the route table; it is forwarding to the WARP tunnel only. I also enabled IPv4 forwarding in the sysctl.conf file as well. Any idea what can be wrong? Nothing is getting pinged, SSHed or curled.
@LinuxCloudHacks 5 months ago
Hi. Looks like an issue with the reverse routing. Traffic does not know how to get back. The devices on your private networks need to have either:
- the default gateway set to the device running WARP (that is not your case, right? as you have a router as the default gateway already, if I'm reading it correctly), OR
- a static route that points to the other private network via the device running WARP.
For example, if your private network 1 is 10.1.0.0/24 and the WARP 1 device is 10.1.0.10, and your private network 2 is 10.2.0.0/24 and the WARP 2 device is 10.2.0.10, then all devices on private network 1 need to have
ip route add 10.2.0.0/24 via 10.1.0.10
and all devices on private network 2 need to have
ip route add 10.1.0.0/24 via 10.2.0.10
Let me know if that helps.
@ngoyal16 5 months ago
@LinuxCloudHacks One more thing I forgot to add: one of my sites is a local on-prem server, and the other site is an AWS VPC which I am trying to connect.
@MichelHespanha 5 months ago
Hello, great video!! I have a question: is it possible for me to have a single network interface on the Linux routers and use the same interface to connect to Cloudflare WARP and also pass my network that is behind my Linux router? E.g. 2 Linux routers with Cloudflare WARP in different locations, each with a single network interface, and on router1: 10.10.0.0/24 and router2: 10.20.0.0/2, allowing clients behind these routers to access each other?!
@LinuxCloudHacks 5 months ago
Hi! Just so I get it right. There's a default gateway to the Internet, let's say 192.168.1.1, and there's a local node with a single interface only, let's say 192.168.1.10, that is using that default gateway to get to the Internet and has Cloudflare installed. You want other nodes on the 192.168.1.0/24 network to get to the other private network via Cloudflare using 192.168.1.10? In other words, you want to install Cloudflare on one of your local servers and not the gateway, right?
@MichelHespanha 5 months ago
@LinuxCloudHacks That's exactly it! The routers with Cloudflare WARP will be geographically separated, but each router will have only a single network interface, like this example: Side A = Internet 192.168.1.1 -> Switch -> WARP router (single interface) 192.168.1.10, Cloudflare passing the route 192.168.1.0/24. Side B = Internet 10.10.0.1 -> Switch -> WARP router (single interface) 10.10.0.10, Cloudflare passing the route 10.10.0.0/24. I would like to know if, with only a single interface on each WARP router, it would be possible for all nodes that are on the same network as the WARP routers on both sides to be accessed?!
@LinuxCloudHacks 5 months ago
I don't see a reason it should not work. You'd just have to add a static route on all devices on Side A that 10.10.0.0/24 is accessible via 10.10.0.10, and on all devices on Side B that 192.168.1.0/24 is accessible via 192.168.1.10. Or add those routes only on the routers. Just to be sure, let me check it over the weekend and get back to you.
@MichelHespanha 5 months ago
@LinuxCloudHacks That's nice, sir! Thank you for the tips! I'll try to do that soon!
@neodragoon 6 months ago
Love the video, but can you do a written guide to go along with this great video?
@LinuxCloudHacks 6 months ago
Thanks! BTW, written guides are something I've been thinking about (like a single article for every YT video). As soon as the channel grows (hopefully) I'll implement it.
@neodragoon 6 months ago
@LinuxCloudHacks Ran into an issue where I am unable to ping site to site or client to client. I notice that the client network (10.5.20.x) and the WARP network (100.96.0.x) are not listed in table 65743 to be routed through Cloudflare WARP. Is there a way to force that list to update? Both networks are not listed in the "Split Tunnel entries (exclude)" section.
@neodragoon 6 months ago
@LinuxCloudHacks Ran into an issue where I'm unable to ping site to site or client to client. I notice the client network and the WARP 100.69.0.0 network are not listed in the 65743 table. Do you know a way I can update this list?
@LinuxCloudHacks 6 months ago
Hi! Are you saying ping between 100.96.0.x peers does not work? Can you double check that Settings -> Networks -> "WARP to WARP" is enabled and Settings -> Networks -> Proxy (TCP/UDP/ICMP) is enabled? Please also remove "100.64.0.0/10" from the exclude list and add "100.64.0.0/11" and "100.112.0.0/12".
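The carve-out in the reply above (keep the rest of the CGNAT block excluded, but let 100.96.0.0/12 enter the tunnel) can be computed rather than worked out by hand. The following is an added Python example, not code from the video or the channel; it uses the standard library's ipaddress module and generalizes the same idea to any exclude entry, for instance keeping the rest of 172.16.0.0/12 excluded while two /24s go through the tunnel. The function names and the sample lists are mine, and the exclude-mode semantics assumed here is simply "an address goes through the tunnel unless some exclude entry covers it".

```python
import ipaddress
from typing import Iterable, List


def carve_out(exclude: Iterable[str], must_tunnel: Iterable[str]) -> List[str]:
    """Return a new split-tunnel exclude list from which every prefix in
    `must_tunnel` has been removed, while everything else that was excluded
    stays excluded.  (Assumed helper for illustration, not a Cloudflare API.)"""
    current = [ipaddress.ip_network(e) for e in exclude]
    for inc_str in must_tunnel:
        inc = ipaddress.ip_network(inc_str)
        updated = []
        for ex in current:
            if inc.subnet_of(ex):
                # Replace the entry with the pieces of it that lie outside `inc`;
                # address_exclude yields nothing when the two prefixes are equal.
                updated.extend(ex.address_exclude(inc))
            elif ex.subnet_of(inc):
                # The whole exclude entry sits inside a prefix that must be tunneled: drop it.
                continue
            else:
                # CIDR prefixes either nest or are disjoint, so this one is untouched.
                updated.append(ex)
        current = updated
    # collapse_addresses merges adjacent pieces; sorting gives a stable listing.
    return [str(n) for n in sorted(ipaddress.collapse_addresses(current))]


def is_tunneled(ip: str, exclude: Iterable[str]) -> bool:
    """True when `ip` would be sent through the WARP tunnel, i.e. no entry of
    the (exclude-mode) split-tunnel list covers it."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in ipaddress.ip_network(e) for e in exclude)


if __name__ == "__main__":
    # Constructed example: the CGNAT exclude entry and the WARP-to-WARP range.
    new_exclude = carve_out(["100.64.0.0/10"], ["100.96.0.0/12"])
    print(new_exclude)                       # ['100.64.0.0/11', '100.112.0.0/12']
    print(is_tunneled("100.96.0.5", new_exclude))   # True: WARP peer address
    print(is_tunneled("100.65.0.1", new_exclude))   # False: still excluded

    # Constructed example for the 172.16.0.0/12 case discussed further down the thread.
    print(carve_out(["172.16.0.0/12", "10.0.0.0/8"], ["172.16.1.0/24", "172.16.2.0/24"]))
```

The 100.64.0.0/10 case reproduces the two prefixes from the reply exactly; the 172.16 case shows why doing it by hand is error-prone, since removing two /24s from a /12 leaves twelve remaining prefixes that all have to be entered.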
@Shhommy 7 months ago
Hey, nice video. I was looking for a good site-to-site setup, and this seems like a good option. However, I am running into a problem where the app needs to be installed to connect to the other network. Is there a workaround through static route configuration on the router, and does it work with Cloudflare WARP?
@LinuxCloudHacks 7 months ago
Hi, not sure if I understand the question. You need to have the Cloudflare WARP daemon installed, as it's connecting you to the Cloudflare network. It's not possible to do it via static routes etc. If you don't want all your traffic to go via the tunnel, you can set up split tunnel to "include" and only include the site-to-site traffic and CGNAT to go via the tunnel, and all other traffic goes as is (default gateway). BTW, there are also other options if you have direct reachability, for example WireGuard, ZeroTier, Tailscale, etc. Thanks!
@JustinStuartYoung 5 months ago
I have the same question. I think what he's asking is, can this work like the "other options" you mentioned. We were going to try this with ZeroTier, but wanted to know if this was a viable option for riding non-WARP-client traffic, like IoT, legacy OS devices, etc.
@LinuxCloudHacks 5 months ago
@JustinStuartYoung This behaves like a regular VPN tunnel. You can send any traffic there. The network does not have to be directly connected to the WARP peer. So for example there is a 172.16.1.0/24 network somewhere on SITE1 and there is a 172.16.2.0/24 network somewhere on SITE2. Those networks are not directly connected to the WarpClient peers, but you can put a static route on the servers or routers in SITE1 to send traffic to 172.16.2.0/24 via the local WarpClient, and the other way around: on SITE2 you put a static route to point to 172.16.1.0/24 via the WarpClient, and you'll get reachability. There are a few things you need to do:
- Networks/Tunnels/Private Network: you need to add 172.16.1.0/24 to the net-10 tunnel and 172.16.2.0/24 to the net-12 tunnel
- in the split tunnel configuration you need to remove 172.16.0.0/12 from the exclude list so this traffic goes via the tunnel
- you need to make sure that the WARP peer knows how to get to the local 172.16.x.x network (by adding a static route or going via a router that knows how to get there), basic routing stuff
So we have something like:
172.16.1.0/24 -> router -> 10.10.0.0/24 -> warp peer -> warp peer -> 10.12.0.0/24 -> 172.16.2.0/24
Not sure if I did a good job explaining, but long story short it's possible :) Cheers
@wudoo6666 5 months ago
Did anyone manage to get the WARP tunnel running in a Docker container? I am trying to figure out if I can use it to access private cloud resources without the need for a jumphost/bastion setup. I am thinking in this direction: a WARP connector running in a container in the cloud infrastructure (Azure) and WARP clients (laptops with the WARP client) that are able to access private resources behind the firewall that are not exposed with public endpoints.
@LinuxCloudHacks 5 months ago
Once I find some time I'll try to play with WARP in a container and let you know the results. Just as a POC you can try running WARP on an Azure VM (and not a container). Another thing that you can do (if you want to expose only certain apps and not the whole network) is to run cloudflared in a container and add policies (I did something similar here: kzbin.info/www/bejne/aZ2knIxuZsZ6jc0si=L6s56ta9MZIbIigG)
@wudoo6666 5 months ago
@LinuxCloudHacks, yes, cloudflared in a container works smoothly. I ran it on AKS, on Azure Container Apps, and on a Synology NAS. I was looking at WARP as an alternative for accessing non-publicly exposed resources like VMs, DB endpoints, Key Vault etc.
@MrGromac 1 month ago
Perfect, FILIP!
@LinuxCloudHacks 1 month ago
Thank you!
@NuttySwiss 2 months ago
Tailscale. 😎
@LinuxCloudHacks 2 months ago
Hi! At first sight they may look similar (as both use WireGuard), but they use different concepts. Tailscale is a mesh VPN: it tries to establish a direct connection between the sites using UDP hole-punching, whereas WARP connects to the nearest Cloudflare datacenter and routes the traffic via Cloudflare infrastructure (like hub and spoke). If Tailscale is unable to perform hole-punching it will relay the traffic through one of the DERP servers (that's usually slower). Cloudflare, on the other hand, will always work, as the connection is outgoing from the client to the Cloudflare datacenter. Moreover, once you connect to Cloudflare your Internet traffic will go out via their gateways (you'll have a public IP from Cloudflare's network). WARP also has this concept of Zero Trust and allows you to perform network, DNS and HTTP filtering, AV scanning, SSO, protection of applications etc. It can also support MASQUE VPN, which is harder to detect and block than WireGuard. By no means am I trying to discourage Tailscale, as it's a fantastic product where you can set up an exit node or site-to-site VPN in 3 minutes. I'm just saying those two are similar but at the end of the day have different concepts/assumptions, or whatever to call it :) When you have a few moments please look at this kzbin.info/www/bejne/bKuVqql6hchgpcksi=KUwkmKXOYpW2Kl0J and kzbin.info/www/bejne/pZrUlGiul7OgodUsi=Vjm33As_dHekLvSz
@AdrianuX1985 7 months ago
+1
@LinuxCloudHacks 7 months ago
Thanks!
@chrisjchalifoux 2 months ago
Awesome video
@LinuxCloudHacks 2 months ago
Thank you!
@jayvratsinhjadeja8299 5 months ago
I followed your video step by step and got my devices to ping the WARP IPs assigned to each client, but I am not able to ping the local devices in any WARP tunnels. The only thing I can do is ping the device running the WARP tunnel using the 100.96.X.X IPs. I even uncommented "net.ipv4.ip_forward=1" in /etc/sysctl.conf and applied the change with "sudo sysctl -p", still no luck. The command "ip route get 192.168.XX.XX fibmatch" shows that the IP is routed through the Cloudflare interface, but when I ping that IP it does not respond. I am using the Include method in the Split Tunnel configuration, as I only need 3 devices with static IPs to connect to each other. Could anyone help me?
@LinuxCloudHacks 5 months ago
Hi! Please start by making sure that the local devices have return routing set. So you need to either have the WARP peer set as the default gateway on your local device, or your local devices need to have explicit static routes for 100.64.0.0/10 and the other local network. So in my example local client1 (10.10.0.2) needs to have a route to 10.20.0.0/24 via 10.10.0.1 (WARP peer) and client2 (10.20.0.2) needs to have a route to 10.10.0.0/24 via 10.20.0.1 (WARP peer). I'm not adding static routes as I have the default gateway set as the WARP client.
@jayvratsinhjadeja8299 5 months ago
@LinuxCloudHacks It turns out that, for some reason, ping and SSH are not working through the WARP connector even after turning on the UDP and ICMP option in Settings > Network > Proxy. The WARP connector lets me connect HTTP and HTTPS services through it, which works for me now. Great video man, it made the overall setup process pretty easy.
@ngoyal16 5 months ago
Hi @jayvratsinhjadeja8299, I am trying to connect one on-prem subnet with an AWS VPC. Have you tried the same? In my case peer to peer is working over the virtual interface IPs, but site to site is not working.
@ErisonSilvaa 25 days ago
@jayvratsinhjadeja8299 I have the same issue. I tried to add the route above but it did not work :/ Did you have any success with it? Note: when I added the route above, it was added for my local network interface besides the CloudflareWARP interface.
@jayvratsinhjadeja8299 11 days ago
@ErisonSilvaa Check your split tunnel configuration. The IP range 100.96.0.0/12, in addition to your local IP range, should be able to route through the WARP connector.
@truko22 4 months ago
@LinuxCloudHacks 4 months ago
Thank you!