From 4bd793f5c92c822f9a5f9d9ee0c36e11b2202cf3 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Wed, 2 Oct 2024 15:34:05 -0400 Subject: [PATCH] split into multiple pages --- .../private-net/warp-connector/index.mdx | 49 ++++++ .../warp-connector/site-to-internet.mdx | 22 +++ .../site-to-site.mdx} | 159 +++--------------- .../warp-connector/user-to-site.mdx | 18 ++ .../warp-connector/vpc-deployments.mdx | 23 +++ .../tunnel/install-warp-connector.mdx | 62 +++++++ 6 files changed, 194 insertions(+), 139 deletions(-) create mode 100644 src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx create mode 100644 src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet.mdx rename src/content/docs/cloudflare-one/connections/connect-networks/private-net/{warp-connector.mdx => warp-connector/site-to-site.mdx} (53%) create mode 100644 src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/user-to-site.mdx create mode 100644 src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/vpc-deployments.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/install-warp-connector.mdx diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx new file mode 100644 index 00000000000000..afd2e2962580a0 --- /dev/null +++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx @@ -0,0 +1,49 @@ +--- +pcx_content_type: concept +title: WARP Connector +sidebar: + label: Overview + order: 5 + badge: + text: Beta +tableOfContents: false +--- + +import { Details} from "~/components"; + +
+ +| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | +| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- | +| Gateway with WARP | All plans | + +| System | Availability | +| -------- | ------------ | +| Windows | ❌ | +| macOS | ❌ | +| Linux | ✅ | +| iOS | ❌ | +| Android | ❌ | +| ChromeOS | ❌ | + +
+ +Cloudflare WARP Connector is a piece of software [^1] that enables site-to-site, bidirectional, and mesh networking connectivity without requiring changes to underlying network routing infrastructure. WARP Connector establishes a secure Layer 3 connection between a private network and Cloudflare, allowing you to: + +- Connect two or more private networks to each other. +- Connect IoT devices that cannot run external software, such as printers and IP phones. +- Filter and log server-initiated traffic, such as VoIP and SIP traffic. +- Apply Zero Trust security policies based on the source IP of the request. + +![Two subnets connected with WARP Connector](~/assets/images/cloudflare-one/connections/connect-apps/warp-connector/overview.png) + +As shown in the diagram, WARP Connector acts as a router for a subnet within the private network to on-ramp and off-ramp traffic through Cloudflare. All devices on the subnet can access any services connected to Cloudflare, and all devices connected to Cloudflare can access any services on the subnet. Each subnet runs a WARP Connector on a designated Linux machine (typically the default gateway router), but other devices on the network do not need to install software. + +To set up WARP Connector, refer to the guide for your use case: + +- **[Site-to-Internet](/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet/)**: Send requests from your private network to the Internet. +- **[Site-to-site](/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site/)**: Send requests between two or more private networks. +- **[User-to-site](/cloudflare-one/connections/connect-networks/private-net/warp-connector/user-to-site/)**: Allow WARP client devices to access your private network. +- **Internet-to-site**: Not supported by WARP Connector. To provide clientless access to applications on your private network, set up a [Cloudflare Tunnel with `cloudflared`](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) and configure a [public hostname route](/cloudflare-one/connections/connect-networks/routing-to-tunnel/). + +[^1]: WARP Connector is an extension of the [WARP client](/cloudflare-one/connections/connect-devices/warp/). diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet.mdx new file mode 100644 index 00000000000000..69f2cbb1b66e43 --- /dev/null +++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet.mdx @@ -0,0 +1,22 @@ +--- +pcx_content_type: how-to +title: Connect private network to Internet +sidebar: + label: Site-to-Internet + order: 3 +--- + +import { Details, GlossaryTooltip, TabItem, Tabs } from "~/components"; + +Forward requests from the private network to the Internet. + +```mermaid + flowchart LR + subgraph subnet1[Subnet 10.0.0.0/24] + router1["WARP Connector + 10.0.0.1"] + end + router1-->C((Cloudflare))-->I{Internet} +``` + +The `10.0.0.0/24` WARP Connector is now routing traffic from the host machine to Cloudflare. \ No newline at end of file diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site.mdx similarity index 53% rename from src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector.mdx rename to src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site.mdx index beb00808fe979f..05292f6d3caa85 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site.mdx @@ -1,111 +1,38 @@ --- pcx_content_type: how-to -title: Site-to-site connectivity +title: Connect two or more private networks sidebar: - order: 5 - badge: - text: Beta -head: - - tag: title - content: Set up WARP Connector + label: Site-to-site + order: 3 --- import { Details, GlossaryTooltip, TabItem, Tabs } from "~/components"; -
+This guide will cover how to connect two independent subnets with WARP Connector. Each subnet must run its own WARP Connector on a Linux host. Installing on your router is the simplest setup, but if you do not have access to the router, you may choose any other machine on the subnet. -| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | -| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- | -| Gateway with WARP | All plans | - -| System | Availability | -| -------- | ------------ | -| Windows | ❌ | -| macOS | ❌ | -| Linux | ✅ | -| iOS | ❌ | -| Android | ❌ | -| ChromeOS | ❌ | - -
- -Cloudflare WARP Connector is a piece of software [^1] that enables site-to-site, bidirectional, and mesh networking connectivity without requiring changes to underlying network routing infrastructure. WARP Connector establishes a secure Layer 3 connection between a private network and Cloudflare, allowing you to: - -- Connect two or more private networks to each other. -- Connect IoT devices that cannot run external software, such as printers and IP phones. -- Filter and log server-initiated traffic, such as VoIP and SIP traffic. -- Apply Zero Trust security policies based on the source IP of the request. - -![Two subnets connected with WARP Connector](~/assets/images/cloudflare-one/connections/connect-apps/warp-connector/overview.png) - -As shown in the diagram, WARP Connector acts as a router for a subnet within the private network to on-ramp and off-ramp traffic through Cloudflare. All devices on the subnet can access any services connected to Cloudflare, and all devices connected to Cloudflare can access any services on the subnet. Each subnet runs a WARP Connector on a designated Linux machine (typically the default gateway router), but other devices on the network do not need to install software. +```mermaid + flowchart LR + subgraph subnet1[Subnet 10.0.0.0/24] + router1["WARP Connector #1 + 10.0.0.1"] + end + subgraph subnet2[Subnet 192.168.1.0/24] + router2["WARP Connector #2 + 192.168.1.97"] + end + router1<-->C((Cloudflare))<-->router2 +``` -This guide will cover how to connect two independent subnets, for example `10.0.0.0/24` and `192.168.1.0/24`. Each subnet must run its own WARP Connector on a Linux host. Installing on your router is the simplest setup, but if you do not have access to the router, you may choose any other machine on the subnet. In this example, we will create a WARP Connector for subnet `10.0.0.0/24` and install it on `10.0.0.1`. We will then create a second WARP Connector for subnet `192.168.1.0/24` and install it on `192.168.1.97`. +In this example, we will create a WARP Connector for subnet `10.0.0.0/24` and install it on `10.0.0.1`. We will then create a second WARP Connector for subnet `192.168.1.0/24` and install it on `192.168.1.97`. ## Prerequisites -- A Linux host [^2] on each subnet +- A Linux host [^1] on each subnet - Verify that your firewall allows inbound/outbound traffic over the [WARP IP addresses, ports, and domains](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/). ## 1. Install a WARP Connector -To install WARP Connector on a host machine: - -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Network** > **Tunnels**. -2. Select **Create a tunnel**. -3. For the tunnel type, select **WARP Connector**. -4. You will be prompted to turn on **Warp to Warp** and [**Override local interface IP**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip) if they are currently turned off. These settings allow Cloudflare to assign a unique CGNAT IP to each WARP device and route traffic between them. -5. Give the tunnel any name (for example, `Subnet-10.0.0.0/24`) and select **Create tunnel**. -7. Select the operating system of your host machine. -8. On your host machine, open a terminal window and run the commands shown in the Zero Trust dashboard. Those commands will install the WARP Connector, enable IP forwarding on the host, and connect WARP Connector to your Zero Trust organization. - - :::note[Remote SSH connections] - - If you are managing the deployment remotely over SSH, your connection may drop when you install the WARP Connector. Because the WARP connector immediately starts forwarding traffic to Cloudflare, the remote SSH server's traffic will now route to Cloudflare instead of via the server's public IP. To work around the issue: - - **Option 1**: In your WARP Connector [device profile](#3-recommended-create-a-device-profile), temporarily add the public IP of your local machine to the [Split Tunnel Exclude list](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/). - - - **Option 2**: If your local machine is connected to Zero Trust (for example, via the WARP client), you can SSH to the CGNAT IP of the WARP Connector. Traffic to the CGNAT IP must [route through the WARP tunnel](#4-configure-split-tunnels). - ::: - -9. (Optional) Configure IP forwarding: - -
- ```sh - echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-warp-svc.conf - sudo sysctl -p /etc/sysctl.d/99-warp-svc.conf - ``` -
- -
- If you are setting up WARP Connector on a host with iptables enabled, make sure that your iptables FORWARD chain includes rules to accept the desired traffic. For testing and troubleshooting purposes, you can set the default policy for the WARP interface to ACCEPT: - ```sh - iptables -A FORWARD -i CloudflareWARP -J ACCEPT - iptables -A FORWARD -o CloudflareWARP -J ACCEPT - ``` -
- - - -10. To verify that the WARP Connector is connected to Cloudflare: - ```sh - $ warp-cli status - Status update: Connected - Success - ``` - -
- - If WARP is disconnected, try the following troubleshooting strategies: - - - Run `warp-cli connect`. - - - If your private network uses a firewall to restrict Internet traffic, ensure that it allows the [WARP ports and IPs](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/). - - - Review your [WARP daemon logs](/cloudflare-one/connections/connect-devices/warp/troubleshooting/warp-logs/) for information about why the connection is failing. - -
- -WARP Connector software is now installed but not yet routing traffic. + ## 2. Add private network routes @@ -135,36 +62,10 @@ In your WARP Connector device profile, update [Split Tunnel settings](/cloudflar 1. Route your private network CIDR (`10.0.0.0/24`) through the WARP tunnel. For example, if you are using **Exclude** mode, delete `10.0.0.0/8` from the list and re-add the following IPs: `10.0.1.0/24`, `10.0.2.0/23`, `10.0.4.0/22`, `10.0.8.0/21`, `10.0.16.0/20`, `10.0.32.0/19`, `10.0.64.0/18`, `10.0.128.0/17`, `10.1.0.0/16`, `10.2.0.0/15`, `10.4.0.0/14`, `10.8.0.0/13`, `10.16.0.0/12`, `10.32.0.0/11`, `10.64.0.0/10`, `10.128.0.0/9` 2. Route the CGNAT IP space (`100.96.0.0/12`) through the WARP tunnel. For example, if you are using **Exclude** mode, delete `100.64.0.0/10` from the list and re-add `100.64.0.0/11` and `100.112.0.0/12`. -The `10.0.0.0/24` WARP Connector is now routing traffic from the host machine to Cloudflare. -```mermaid - flowchart LR - subgraph subnet1[Subnet 10.0.0.0/24] - router1["Device running - WARP Connector - 10.0.0.1"] - end - router1<-->C((Cloudflare)) -``` - ## 5. Install another WARP Connector Repeat Steps 1, 2, and 4 above to install an additional WARP Connector on subnet `192.168.1.0/24`. The device profile created in Step 3 will apply to all WARP Connectors. -```mermaid - flowchart LR - subgraph subnet1[Subnet 10.0.0.0/24] - router1["Device running - WARP Connector #1 - 10.0.0.1"] - end - subgraph subnet2[Subnet 192.168.1.0/24] - router2["Device running - WARP Connector #2 - 192.168.1.97"] - end - router1<-->C((Cloudflare))<-->router2 -``` - ## 6. Route traffic through WARP Connector Depending on where you installed the WARP Connector, you may need to configure other devices on the subnet to route traffic through WARP Connector. @@ -288,24 +189,4 @@ You can now test the connection between the two subnets. For example, on the `10 If you are testing with curl using private hostnames, add the `--ipv4` flag to your curl commands. ::: -## VPC deployments - -When setting up WARP Connector on a virtual private cloud (VPC), you may need to configure additional settings in the cloud service provider. - -### GCP - -For Google Cloud Project (GCP) deployments, [enable IP forwarding](https://cloud.google.com/vpc/docs/using-routes#canipforward) on the VM instance where you installed WARP Connector. - -### AWS - -For Amazon Web Services (AWS) deployments: -- Stop [source/destination checking](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) on the EC2 instance where you installed WARP Connector. -- In your [subnet route table](https://docs.aws.amazon.com/vpc/latest/userguide/subnet-route-tables.html), route all IPv4 traffic to the EC2 instance where you installed WARP Connector. For example, - - | Destination | Target | - | ----------- | ------ | - | `0.0.0.0/0` | `eni-11223344556677889` | - -[^1]: WARP Connector is an extension of the [WARP client](/cloudflare-one/connections/connect-devices/warp/). - -[^2]: Check the [system requirements](/cloudflare-one/connections/connect-devices/warp/download-warp/#linux). Package dependencies are the following: `curl`, `gpg`, `iptables`, `iptables-persistent`, `lsb-core`, and `sudo`. +[^1]: Check the [system requirements](/cloudflare-one/connections/connect-devices/warp/download-warp/#linux). Package dependencies are the following: `curl`, `gpg`, `iptables`, `iptables-persistent`, `lsb-core`, and `sudo`. diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/user-to-site.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/user-to-site.mdx new file mode 100644 index 00000000000000..5c10a6050c421d --- /dev/null +++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/user-to-site.mdx @@ -0,0 +1,18 @@ +--- +pcx_content_type: how-to +title: Connect WARP clients to private network +sidebar: + label: User-to-site + order: 3 +--- + +import { Details, GlossaryTooltip, TabItem, Tabs } from "~/components"; + +```mermaid + flowchart LR + subgraph subnet1[Subnet 10.0.0.0/24] + router1["WARP Connector + 10.0.0.1"] + end + router1<-->C((Cloudflare))<-->W[WARP client] +``` diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/vpc-deployments.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/vpc-deployments.mdx new file mode 100644 index 00000000000000..d6c07df28ff08c --- /dev/null +++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/vpc-deployments.mdx @@ -0,0 +1,23 @@ +--- +pcx_content_type: reference +title: Tips for VPC deployments +sidebar: + label: VPC deployments + order: 3 +--- + +When setting up WARP Connector on a virtual private cloud (VPC), you may need to configure additional settings in the cloud service provider. + +## GCP + +For Google Cloud Project (GCP) deployments, [enable IP forwarding](https://cloud.google.com/vpc/docs/using-routes#canipforward) on the VM instance where you installed WARP Connector. + +## AWS + +For Amazon Web Services (AWS) deployments: +- Stop [source/destination checking](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) on the EC2 instance where you installed WARP Connector. +- In your [subnet route table](https://docs.aws.amazon.com/vpc/latest/userguide/subnet-route-tables.html), route all IPv4 traffic to the EC2 instance where you installed WARP Connector. For example, + + | Destination | Target | + | ----------- | ------ | + | `0.0.0.0/0` | `eni-11223344556677889` | diff --git a/src/content/partials/cloudflare-one/tunnel/install-warp-connector.mdx b/src/content/partials/cloudflare-one/tunnel/install-warp-connector.mdx new file mode 100644 index 00000000000000..4c11aa1df28624 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/install-warp-connector.mdx @@ -0,0 +1,62 @@ +--- +{} +--- + +import { Details } from "~/components"; + +To install WARP Connector on a host machine: + +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Network** > **Tunnels**. +2. Select **Create a tunnel**. +3. For the tunnel type, select **WARP Connector**. +4. You will be prompted to turn on **Warp to Warp** and [**Override local interface IP**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip) if they are currently turned off. These settings allow Cloudflare to assign a unique CGNAT IP to each WARP device and route traffic between them. +5. Give the tunnel any name (for example, `Subnet-10.0.0.0/24`) and select **Create tunnel**. +7. Select the operating system of your host machine. +8. On your host machine, open a terminal window and run the commands shown in the Zero Trust dashboard. Those commands will install the WARP Connector, enable IP forwarding on the host, and connect WARP Connector to your Zero Trust organization. + + :::note[Remote SSH connections] + + If you are managing the deployment remotely over SSH, your connection may drop when you install the WARP Connector. Because the WARP connector immediately starts forwarding traffic to Cloudflare, the remote SSH server's traffic will now route to Cloudflare instead of via the server's public IP. To work around the issue: + - **Option 1**: In your WARP Connector [device profile](#3-recommended-create-a-device-profile), temporarily add the public IP of your local machine to the [Split Tunnel Exclude list](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/). + + - **Option 2**: If your local machine is connected to Zero Trust (for example, via the WARP client), you can SSH to the CGNAT IP of the WARP Connector. Traffic to the CGNAT IP must [route through the WARP tunnel](#4-configure-split-tunnels). + ::: + +9. (Optional) Configure IP forwarding: + +
+ ```sh + echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-warp-svc.conf + sudo sysctl -p /etc/sysctl.d/99-warp-svc.conf + ``` +
+ +
+ If you are setting up WARP Connector on a host with iptables enabled, make sure that your iptables FORWARD chain includes rules to accept the desired traffic. For testing and troubleshooting purposes, you can set the default policy for the WARP interface to ACCEPT: + ```sh + iptables -A FORWARD -i CloudflareWARP -J ACCEPT + iptables -A FORWARD -o CloudflareWARP -J ACCEPT + ``` +
+ + +10. To verify that the WARP Connector is connected to Cloudflare: + ```sh + $ warp-cli status + Status update: Connected + Success + ``` + +
+ + If WARP is disconnected, try the following troubleshooting strategies: + + - Run `warp-cli connect`. + + - If your private network uses a firewall to restrict Internet traffic, ensure that it allows the [WARP ports and IPs](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/). + + - Review your [WARP daemon logs](/cloudflare-one/connections/connect-devices/warp/troubleshooting/warp-logs/) for information about why the connection is failing. + +
+ +WARP Connector software is now installed but not yet routing traffic. \ No newline at end of file