Last October we released WARP for Desktop, bringing a safer and faster way to use the Internet to billions of devices for free. At the same time, we gave our enterprise customers the ability to use WARP with Cloudflare for Teams. By routing all an enterprise's traffic from devices anywhere on the planet through WARP, we've been able to seamlessly power advanced capabilities such as Secure Web Gateway and Browser Isolation and, in the future, our Data Loss Prevention platforms.
Today, we are excited to announce Cloudflare WARP for Linux and, across all desktop platforms, the ability to use WARP with single applications instead of your entire device.
What is WARP?
WARP was built on the philosophy that even people who don't know what 'VPN' stands for should be able to still easily get the protection a VPN offers. It was also built for those of us who are unfortunately all too familiar with traditional corporate VPNs, and need an innovative, seamless solution to meet the challenges of an always-connected world.
Enter our own WireGuard implementation called BoringTun.
The WARP application uses BoringTun to encrypt traffic from your device and send it directly to Cloudflare's edge, ensuring that no one in between is snooping on what you're doing. If the site you are visiting is already a Cloudflare customer, the content is immediately sent down to your device. With WARP+, we use Argo Smart Routing to use the shortest path through our global network of data centers to reach whomever you are connecting to.
Combined with the power of 1.1.1.1 (the world's fastest public DNS resolver), WARP keeps your traffic secure, private and fast. Since nearly everything you do on the Internet starts with a DNS request, choosing the fastest DNS server across all your devices will accelerate almost everything you do online.
Bringing WARP to Linux
When we built out the foundations of our desktop client last year, we knew a Linux client was something we would deliver. If you have ever shipped software at this scale, you'll know that maintaining a client across all major operating systems is a daunting (and error-prone) task. To avoid these pitfalls, we wrote the core of the product in Rust, which allows for 95% of the code to be shared across platforms.
Internally we refer to this common code as the shared Daemon (or Service, for Windows folks), and it allows our engineers to spend less time duplicating code across multiple platforms while ensuring most quality improvements hit everyone at the same time. The really cool thing about this is that millions of existing WARP users have already helped us solidify the code base for Linux!
The other 5% of code is split into two main buckets: UI and quirks of the operating system. For now, we are forgoing a UI on Linux and instead working to support three distributions:
- Ubuntu
- Red Hat Enterprise Linux
- CentOS
We want to add more distribution support in the future, so if your favorite distro isn't there, don't despair - the client may in fact already work with other Debian- and Red Hat-based distributions, so please give it a try. If we missed your favorite distribution, we'd love to hear from you in our Community Forums.
So without a UI - what's the mechanism for controlling WARP? The command line, of course! Keen observers may have noticed an executable that already ships with each client called the warp-cli. This platform-agnostic interface is already the preferred mechanism of interacting with the daemon by some of our engineers and is the main way you'll interact with WARP on Linux.
Installing Cloudflare WARP for Linux
Seasoned Linux developers can jump straight to https://pkg.cloudflareclient.com/install. After linking our repository, get started with either sudo apt install cloudflare-warp or sudo yum install cloudflare-warp, depending on your distribution.
For more detailed installation instructions head over to our WARP Client documentation.
Using the CLI
Once you've installed WARP, you can begin using the CLI with a single command:
warp-cli --help
The CLI will display the output below.
~$ warp-cli --help
WARP 0.2.0
Cloudflare
CLI to the WARP service daemon

USAGE:
    warp-cli [FLAGS] [SUBCOMMAND]

FLAGS:
        --accept-tos    Accept the Terms of Service agreement
    -h, --help          Prints help information
    -l                  Stay connected to the daemon and listen for status changes and DNS logs (if enabled)
    -V, --version       Prints version information

SUBCOMMANDS:
    register                    Registers with the WARP API, will replace any existing registration (must be run before first connection)
    teams-enroll                Enroll with Cloudflare for Teams
    delete                      Deletes current registration
    rotate-keys                 Generates a new key-pair, keeping the current registration
    status                      Asks the daemon to send the current status
    warp-stats                  Retrieves the stats for the current WARP connection
    settings                    Retrieves the current application settings
    connect                     Asks the daemon to start a connection, connection progress should be monitored with -l
    disconnect                  Asks the daemon to stop a connection
    enable-always-on            Enables always on mode for the daemon (i.e. reconnect automatically whenever possible)
    disable-always-on           Disables always on mode
    disable-wifi                Pauses service on WiFi networks
    enable-wifi                 Re-enables service on WiFi networks
    disable-ethernet            Pauses service on ethernet networks
    enable-ethernet             Re-enables service on ethernet networks
    add-trusted-ssid            Adds a trusted WiFi network, for which the daemon will be disabled
    del-trusted-ssid            Removes a trusted WiFi network
    allow-private-ips           Exclude private IP ranges from tunnel
    enable-dns-log              Enables DNS logging, use with the -l option
    disable-dns-log             Disables DNS logging
    account                     Retrieves the account associated with the current registration
    devices                     Retrieves the list of devices associated with the current registration
    network                     Retrieves the current network information as collected by the daemon
    set-mode
    set-families-mode
    set-license                 Attaches the current registration to a different account using a license key
    set-gateway                 Forces the app to use the specified Gateway ID for DNS queries
    clear-gateway               Clear the Gateway ID
    set-custom-endpoint         Forces the client to connect to the specified IP:PORT endpoint
    clear-custom-endpoint       Remove the custom endpoint setting
    add-excluded-route          Adds an excluded IP
    remove-excluded-route       Removes an excluded IP
    get-excluded-routes         Get the list of excluded routes
    add-fallback-domain         Adds a fallback domain
    remove-fallback-domain      Removes a fallback domain
    get-fallback-domains        Get the list of fallback domains
    restore-fallback-domains    Restore the fallback domains
    get-device-posture          Get the current device posture
    override                    Temporarily override MDM policies that require the client to stay enabled
    set-proxy-port              Set the listening port for WARP proxy (127.0.0.1:{port})
    help                        Prints this message or the help of the given subcommand(s)
You can begin connecting to Cloudflare's network with just two commands. The first command, register, will prompt you to authenticate. The second command, connect, will enable the client, creating a WireGuard tunnel from your device to Cloudflare's network.
~$ warp-cli register
Success
~$ warp-cli connect
Success
Once you've connected the client, the best way to verify it is working is to run our trace command:
~$ curl https://www.cloudflare.com/cdn-cgi/trace/
And look for the following output:
warp=on
Want to switch from encrypting all traffic in WARP to just using our 1.1.1.1 DNS resolver? Use the warp-cli set-mode command:
~$ warp-cli help set-mode
warp-cli-set-mode

USAGE:
    warp-cli set-mode [mode]

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

ARGS:
    [possible values: warp, doh, warp+doh, dot, warp+dot, proxy]

~$ warp-cli set-mode doh
Success
Protecting yourself against malware with 1.1.1.1 for Families is just as easy, and it can be used with either WARP enabled or in straight DNS mode:
~$ warp-cli set-families-mode --help
warp-cli-set-families-mode

USAGE:
    warp-cli set-families-mode [mode]

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

ARGS:
    [possible values: off, malware, full]

~$ warp-cli set-families-mode malware
Success
A note on Cloudflare for Teams support
Cloudflare for Teams support is on the way, and just like our other clients, it will ship in the same package. Stay tuned for an in-app update or reach out to your Account Executive to be notified when a beta is available.
We need feedback
If you encounter an error, send us feedback with the sudo warp-diag feedback command:
~$ sudo warp-diag feedback
For all other functionality check out warp-cli --help or see our documentation here.
WARP as a Local Proxy
When WARP launched in 2019, one of our primary goals was ease of use. You turn WARP on and all traffic from your device is encrypted to our edge. Through all releases of the client, we've kept that as a focus. One big switch to turn on and you are protected.
However, as we've grown, so have the requirements for our client. Earlier this year we released split tunnel and local domain fallback as a way for our Cloudflare for Teams customers to exclude certain routes from WARP. Our consumer customers may have noticed this stealthily added in the last release as well. We've heard from customers who want to deploy WARP in one additional mode: Single Applications. Today we are also announcing the ability for our customers to run WARP in a local proxy mode in all desktop clients.
When WARP is configured as a local proxy, only the applications that you configure to use the proxy (HTTPS or SOCKS5) will have their traffic sent through WARP. This allows you to pick and choose which traffic is encrypted (for instance, your web browser or a specific app), and everything else will be left open over the Internet.
Because this feature restricts WARP to just applications configured to use the local proxy, leaving all other traffic unencrypted over the Internet by default, we've hidden it in the advanced menu. To turn it on:
1. Navigate to Preferences -> Advanced and click the Configure Proxy button.
2. On the dialog that opens, check the box and configure the port you want to listen on.
3. This will enable a new mode you can select from:
To configure your application to use the proxy, you want to specify 127.0.0.1 for the address and the value you specified for a port (40000 by default). For example, if you are using Firefox, the configuration would look like this:
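For command-line clients, the trace check shown earlier also tells you which path a request takes once proxy mode is on. The script below is an added example, not part of the original post or Cloudflare's tooling: it compares a direct request with one sent through the local proxy and classifies the result. The function names and sample trace lines are constructed for illustration, and only warp=on is treated as tunnelled because that is the value the post names.

```shell
#!/bin/sh
# Added example: check which requests leave through WARP in local proxy mode.
PROXY_PORT=40000                      # default port named in the post
TRACE_URL=https://www.cloudflare.com/cdn-cgi/trace/

# Print the value of one key from trace output (key=value lines) on stdin.
trace_field() {
    awk -F= -v k="$1" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# Classify a pair of trace outputs: $1 fetched directly, $2 through the proxy.
# Only warp=on counts as tunnelled (the value the post tells you to look for).
classify_paths() {
    direct=$(printf '%s\n' "$1" | trace_field warp)
    proxied=$(printf '%s\n' "$2" | trace_field warp)
    if [ -z "$direct" ] || [ -z "$proxied" ]; then
        echo "no-trace"               # no warp= line: failed or intercepted request
    elif [ "$proxied" != "on" ]; then
        echo "proxy-not-tunnelled"    # proxy listener is not sending traffic via WARP
    elif [ "$direct" = "on" ]; then
        echo "full-tunnel"            # client is in a full WARP mode, not proxy mode
    else
        echo "proxy-only"             # expected after: warp-cli set-mode proxy
    fi
}

# Live check (needs network and a connected client); not called automatically.
live_check() {
    classify_paths \
        "$(curl -sS --max-time 10 "$TRACE_URL")" \
        "$(curl -sS --max-time 10 --proxy "socks5h://127.0.0.1:$PROXY_PORT" "$TRACE_URL")"
}

# Constructed sample trace outputs (documentation IP ranges), so this runs offline.
SAMPLE_DIRECT='h=www.cloudflare.com
ip=203.0.113.7
warp=off'
SAMPLE_PROXIED='h=www.cloudflare.com
ip=198.51.100.9
warp=on'

classify_paths "$SAMPLE_DIRECT" "$SAMPLE_PROXIED"
```

With the client in proxy mode, calling live_check should report proxy-only; full-tunnel means traffic outside the proxy is also going through WARP, so the client is not in the single-application mode described here.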
Download today
You can start using these capabilities right now by visiting https://one.one.one.one. We're super excited to hear your feedback.
Disclaimer
CloudFlare Inc. published this content on 17 June 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 17 June 2021 13:03:06 UTC.