@ Girino Vey!
2025-02-06 03:58:47
## Motivations
Recently, my sites hosted behind Cloudflare tunnels mysteriously stopped working—not once, but twice. The first outage occurred about a week ago. Interestingly, when I switched to using the 1.1.1.1 WARP VPN on my cellphone or PC, the sites became accessible again. Clearly, the issue wasn't with the sites themselves but something about the routing. This led me to the brilliant (or desperate) idea of routing all Cloudflare-bound traffic through a WARP tunnel in my local network.
## Prerequisites
- A "server" with an **amd64 processor** (the WARP client only works on amd64 architecture). I'm using an old Mac mini, but really, anything with an amd64 processor will do.
- Basic knowledge of Linux commands.
- Access to your Wi-Fi router's settings (if you plan to configure routes there).
---
## Step 1: Installing the WARP CLI
1. **Update your system packages:**
```bash
sudo apt update && sudo apt upgrade -y
```
2. **Download and install the WARP CLI:**
```bash
# -f makes curl fail on an HTTP error instead of piping an error page into gpg
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
sudo apt-get update && sudo apt-get install cloudflare-warp
```
3. **Register and connect to WARP:**
Run the following commands to register and connect to WARP:
```bash
sudo warp-cli register
sudo warp-cli connect
```
Confirm the connection with:
```bash
warp-cli status
```
---
## Step 2: Routing Traffic on the Server Machine
Now that WARP is connected, let's route the local network's Cloudflare-bound traffic through this tunnel.
1. **Enable IP forwarding:**
```bash
sudo sysctl -w net.ipv4.ip_forward=1
```
Make it persistent after reboot:
```bash
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
2. **Set up firewall rules to forward traffic:**
```bash
sudo nft add rule ip filter FORWARD iif "eth0" oif "CloudflareWARP" ip saddr 192.168.31.0/24 ip daddr 104.0.0.0/8 accept
sudo nft add rule ip filter FORWARD iif "CloudflareWARP" oif "eth0" ip saddr 104.0.0.0/8 ip daddr 192.168.31.0/24 ct state established,related accept
```
Replace `eth0` with your actual network interface if different.
3. **Make rules persistent:**
```bash
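sudo apt install nftables
# The redirect must run as root, so pipe through sudo tee instead of using >
sudo nft list ruleset | sudo tee /etc/nftables.conf > /dev/null
sudo systemctl enable nftables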
```
---
## Step 3: Configuring the Route on a Local PC (Linux)
On your local Linux machine:
1. **Add a static route:**
```bash
sudo ip route add 104.0.0.0/24 via <SERVER_IP>
```
Replace `<SERVER_IP>` with the internal IP of your WARP-enabled server. This should be a temporary solution, since it only affects the local machine. For a solution that affects the whole local network, see the next step.
---
## Step 4: Configuring the Route on Your Wi-Fi Router (Recommended)
If your router allows adding static routes:
1. **Log in to your router's admin interface.**
2. **Navigate to the Static Routing section.** (This may vary depending on the router model.)
3. **Add a new static route:**
- **Destination Network:** `104.0.0.0`
- **Subnet Mask:** `255.255.255.0`
- **Gateway:** `<SERVER_IP>`
- **Metric:** `1` (or leave it default)
4. **Save and apply the settings.**
One of the key advantages of this method is how easy it is to disable once your ISP's routing issues are resolved. Since the changes affect the entire network at once, you can quickly restore normal network behavior by simply removing the static routes or disabling the forwarding rules, all without the need for complex reconfigurations.
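The static route from Steps 3 and 4 and the forwarding rule from Step 2 only work together for destinations that both prefixes match. The script below is an added example, not part of the original post, that classifies destinations against the two prefixes; the function names and sample addresses are constructed for illustration.

```bash
# Compare the client route prefix with the server's nft FORWARD prefix
# for a set of destination addresses (POSIX sh, no external tools).

# Dotted quad -> 32-bit integer (subshell body keeps the IFS change local).
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_contains CIDR IP -> exit status 0 if IP falls inside CIDR.
cidr_contains() (
    net=${1%/*}
    bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
)

# classify ROUTE_CIDR FORWARD_CIDR IP prints one of:
#   tunnel           client routes it to the server and the rule accepts it
#   bypass           no route match: client uses its default gateway
#   no-forward-rule  reaches the server but the accept rule does not match
classify() {
    if ! cidr_contains "$1" "$3"; then
        echo bypass
    elif cidr_contains "$2" "$3"; then
        echo tunnel
    else
        echo no-forward-rule
    fi
}

ROUTE_CIDR="104.0.0.0/24"    # prefix from the ip route command in Step 3
FORWARD_CIDR="104.0.0.0/8"   # prefix from the nft rules in Step 2

# Constructed sample destinations; replace them with the addresses your
# sites resolve to, or with ranges from https://www.cloudflare.com/ips-v4
for dst in 104.0.0.10 104.16.0.1 172.64.0.1; do
    printf '%-12s %s\n' "$dst" "$(classify "$ROUTE_CIDR" "$FORWARD_CIDR" "$dst")"
done
```

With the values above, `104.16.0.1` is reported as `bypass`: the `/8` forwarding rule would accept it, but the `/24` route never sends it to the server.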
---
## Final Thoughts
Congratulations! You've now routed all your Cloudflare-bound traffic through a secure WARP tunnel, effectively bypassing mysterious connectivity issues. If the sites ever go down again, at least you’ll have one less thing to blame—and one more thing to debug.