You are not logged in.

Pages: 1 2

#1 2024-11-18 10:20:30

Elixirslayer
Member
Registered: 2024-07-12
Posts: 54

[SOLVED] Need help troubleshooting cloudflare warp and vpn problem

6.11.8-arch1-2
I have been trying to get cloudflare warp to work (with cloudflare-warp-bin package) but it doesn't even connect anymore.
previously it seemed to be connect and curl https://www.cloudflare.com/cdn-cgi/trace/ showed warp=on, but I had dns leaks, as showed by dnsleaktest JIO ISP servers showed up.

I have tried protonvpn with openvpn but it gets stuck on connecting and is very buggy (tried command line and gtk app both) (free version)

If any logs i can provide for troubleshooting, pls do tell I'll post them right on.
also I'm not using any firewall.

Part of the Solution: Install nftables

Last edited by Elixirslayer (2024-11-24 08:16:08)

Offline

#2 2024-11-18 12:35:27

-thc
Member
Registered: 2017-03-15
Posts: 852

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

What does

warp-cli status

say?

Offline

#3 2024-11-18 12:44:01

Elixirslayer
Member
Registered: 2024-07-12
Posts: 54

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

-thc wrote:

What does

warp-cli status

say?

──(oc㉿ArchOp)-[~]
└─$ warp-cli status
Status update: Disconnected
Reason: Manual Disconnection

┌──(oc㉿ArchOp)-[~]
└─$ warp-cli connect
Success (warp-cli disconnect says the same)

┌──(oc㉿ArchOp)-[~]
└─$ warp-cli status
Status update: Disconnected
Reason: Manual Disconnection

Last edited by Elixirslayer (2024-11-18 12:44:33)

Offline

#4 2024-11-18 12:54:53

-thc
Member
Registered: 2017-03-15
Posts: 852

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

WARP should write it's own "daemon.log" - what does it say?

Looks like this must be initiated first:
https://developers.cloudflare.com/cloud … warp-logs/

Last edited by -thc (2024-11-18 12:56:10)

Offline

#5 2024-11-18 13:11:17

Elixirslayer
Member
Registered: 2024-07-12
Posts: 54

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

-thc wrote:

WARP should write it's own "daemon.log" - what does it say?

Looks like this must be initiated first:
https://developers.cloudflare.com/cloud … warp-logs/

https://github.com/Elixirslayer/log/blo … daemon.log

sorry for github, idk why im not getting the option for attachments here

Offline

#6 2024-11-18 14:41:34

-thc
Member
Registered: 2017-03-15
Posts: 852

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

Your log contains a lot of

2024-11-18T12:46:18.729Z DEBUG actor_connectivity::connectivity: Routes changed:

That means (according to Cloudflare) another VPN is fighting WARP at the route table level.

Offline

#7 2024-11-18 14:43:39

Elixirslayer
Member
Registered: 2024-07-12
Posts: 54

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

-thc wrote:

Your log contains a lot of

2024-11-18T12:46:18.729Z DEBUG actor_connectivity::connectivity: Routes changed:

That means (according to Cloudflare) another VPN is fighting WARP at the route table level.

I'm not sure but that could be due to i turned on warp in my phone, "destination" shows my phone's ip
i have phone connected with kdeconnect, probably that's why. I don't have any other vpn.
also could be ssh instead of kdeconnect

EDIT: sorry, warp in phone doesnt do anything, it's just the NewNeighbour logs

Last edited by Elixirslayer (2024-11-18 15:32:58)

Offline

#8 2024-11-18 15:17:40

constellation
Member
Registered: 2024-08-16
Posts: 5

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

Try running

sudo warp-svc

Does that expose any errors? I'm having a similar issue where warp refuses to start.
When I run sudo warp-svc, I get the error

2024-11-18T15:16:20.369Z ERROR main_loop: warp_net::ipc::unix: Unix socket already bound by root. Is another daemon running? path="/run/cloudflare-warp/warp_service

.

Not sure how to fix this...

Offline

#9 2024-11-18 15:19:28

Elixirslayer
Member
Registered: 2024-07-12
Posts: 54

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

sudo warp-svc
9ad3:d2d0:d9d7:0:6810:50e6]
2024-11-18T15:20:21.848Z DEBUG firewall::change: Changing catch all policy Deny->Deny
2024-11-18T15:20:21.848Z DEBUG firewall::change: Firewall allow managed network endpoints managed_network_endpoints=[]
2024-11-18T15:20:21.848Z  INFO firewall::engine: Firewall starting
2024-11-18T15:20:21.848Z ERROR firewall::linux: Failed to start firewall: Os { code: 2, kind: NotFound, message: "No such
file or directory" }
2024-11-18T15:20:21.848Z  WARN firewall::engine: fw.apply_config_changes failed e=ApplyError("No such file or directory (os error 2)")
2024-11-18T15:20:21.848Z  WARN main_loop: warp::warp_service: Unable to update firewall on disconnect e=ApplyError("No such file or directory (os error 2)")
2024-11-18T15:20:21.848Z DEBUG main_loop: warp::warp_service: Determining disconnected reason from connectivity state net_info=IPv4: [enp3s0; 192.168.29.181; Ethernet], IPv6: [enp3s0; 2405:201:302f:b8eb:a71:53c4:71b9:f120; Ethernet], DNS servers:,  192.168.29.1:53,  [2405:201:302f:b8eb::c0a8:1d01]:53
 power_state=None disconnect_reason=None
2024-11-18T15:20:21.848Z  WARN main_loop: warp::warp_service: Disconnecting, but reason is unknown
2024-11-18T15:20:21.849Z  WARN main_loop: warp::warp_service: Reconnect on settings change failed error=FirewallUpdateFailed(ApplyError("No such file or directory (os error 2)"))
2024-11-18T15:20:23.389Z DEBUG warp_api_endpoints::payloads: Warp endpoint override ports ports=[443, 500, 1701, 4500, 4443, 8443, 8095]
2024-11-18T15:20:23.389Z DEBUG main_loop: warp_api_client::executor: Returning API response for GetRegistrationConfig request_id=1177c2db-be50-4762-80ab-7533a7fb2f03
2024-11-18T15:20:23.389Z DEBUG main_loop: warp::warp_service: Entering main loop arm arm="api_responses"
2024-11-18T15:20:23.389Z DEBUG run: warp_settings::manager: LayerManager update: NetworkPolicy(Some(NetworkPolicySettings
{ onboarding: None, operation_mode: None, disable_auto_fallback: None, fallback_domains: None, proxy_port: None, split_config: None, gateway_id: None, support_url: None, allow_mode_switch: None, switch_locked: None, auto_connect: None, captive_portal: None, organization: None, allow_updates: None, allowed_to_leave: None, profile_id: None, lan_allow_settings: Some(LanAllowSettings { minutes: None, subnet_size: SubnetSize(24) }), warp_tunnel_protocol: Some(Masque) }))
2024-11-18T15:20:23.389Z DEBUG main_loop: warp::warp_service::api_handlers: Registration updated current_registration=RefreshInProgress(reg=4b4bffd9-52d6-4075-ae1d-2b6e5d0bd8b5) disposition=CheckAndUpdate
2024-11-18T15:20:23.390Z DEBUG main_loop: warp::warp_service::api_handlers: Registration is up to date, updating refresh time
2024-11-18T15:20:23.390Z DEBUG main_loop: warp::warp_service::api_handlers: Registration refresh time updated 0.00 hours old, refresh at 2024-11-19 15:20:23.389302919 +00:00:00
Registration: 4b4bffd9-52d6-4075-ae1d-2b6e5d0bd8b5
Auth Method: Consumer
Public key: 3059301306072a8648ce3d020106082a8648ce3d030107034200046aef7f390ab6ea763b127f7694e0123f70f9d1a79ae950377957f5b4e9c81a7234c491b04149a5c2c94a8ab475e78ee54ecad64800a4b536d39dc968cf14fbb2
Interface: WarpEndpoint { v4: 172.16.0.2, v6: 2606:4700:110:8489:31f8:af63:b547:5b2a }
Endpoints: [WarpSocketAddrPair { v4: 162.159.198.1:443, v6: [2606:4700:103::1]:443 }, WarpSocketAddrPair { v4: 162.159.198.1:500, v6: [2606:4700:103::1]:500 }, WarpSocketAddrPair { v4: 162.159.198.1:1701, v6: [2606:4700:103::1]:1701 }, WarpSocketAddrPair { v4: 162.159.198.1:4500, v6: [2606:4700:103::1]:4500 }, WarpSocketAddrPair { v4: 162.159.198.1:4443, v6: [2606:4700:103::1]:4443 }, WarpSocketAddrPair { v4: 162.159.198.1:8443, v6: [2606:4700:103::1]:8443 }, WarpSocketAddrPair { v4: 162.159.198.1:8095, v6: [2606:4700:103::1]:8095 }]
Subnet CIDRS: None

Account: Free { id: AccountId(bd03cdc0-03f8-4652-ac94-f9227fc42720), license: "9Y584jbp-192Jr5EW-f4R29T7n" }

2024-11-18T15:20:23.390Z  INFO main_loop: warp::storage::registration: Saving registration cache with config_name=None
2024-11-18T15:20:25.660Z  INFO handle_update{update=NetworkInfoChanged}: actor_alternate_network: close time.busy=15.1µs time.idle=38.5µs
2024-11-18T15:20:25.660Z  INFO handle_command{command=NetworkChanged}: actor_alternate_network::actor: close time.busy=3.23µs time.idle=37.8µs
2024-11-18T15:20:25.660Z DEBUG main_loop: warp::warp_service: Entering main loop arm arm="main_loop_compat_rx"
2024-11-18T15:20:25.660Z DEBUG main_loop:handle_update{update=NetworkInfoChanged}: warp::warp_service::actor_compat: Handling network status change old_info=IPv4: [enp3s0; 192.168.29.181; Ethernet], IPv6: [enp3s0; 2405:201:302f:b8eb:a71:53c4:71b9:f120; Ethernet], DNS servers:,  192.168.29.1:53,  [2405:201:302f:b8eb::c0a8:1d01]:53
 new_info=IPv4: [enp3s0; 192.168.29.181; Ethernet], IPv6: [enp3s0; 2405:201:302f:b8eb:a71:53c4:71b9:f120; Ethernet], DNS servers:,  192.168.29.1:53,  [2405:201:302f:b8eb::c0a8:1d01]:53

2024-11-18T15:20:25.660Z DEBUG main_loop:handle_update{update=NetworkInfoChanged}: warp::warp_service::actor_compat: close time.busy=190µs time.idle=16.0µs
2024-11-18T15:20:29.293Z DEBUG actor_connectivity::connectivity: Routes changed:
NewNeighbour; Destination: 192.168.29.13;
^C2024-11-18T15:20:32.860Z  INFO main_loop: warp::warp_service::shutdown: SIGINT received
2024-11-18T15:20:32.860Z DEBUG main_loop: warp::warp_service: Entering main loop arm arm="shutdown"
2024-11-18T15:20:32.860Z  WARN watchdog: warp::watchdog: Watchdog reports that daemon has disconnected watchdog_name="main loop"
2024-11-18T15:20:32.860Z DEBUG main_loop: warp::warp_service: close time.busy=11.4ms time.idle=11.2s
2024-11-18T15:20:32.861Z DEBUG watchdog: warp::watchdog: close time.busy=11.2s time.idle=11.9µs
2024-11-18T15:20:32.861Z  INFO warp::warp_service: Dropping WarpService
2024-11-18T15:20:32.861Z  INFO warp_svc: Service stopped exit_code=Ok(())
2024-11-18T15:20:32.861Z DEBUG run: warp_settings::manager: close time.busy=986µs time.idle=11.2s

Last edited by Elixirslayer (2024-11-18 15:44:20)

Offline

#10 2024-11-18 15:27:46

Elixirslayer
Member
Registered: 2024-07-12
Posts: 54

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

8056; Success
2024-11-18T15:26:20.744Z  INFO warp::warp_service::ipc_loop: IPC connection ended
2024-11-18T15:26:21.720Z DEBUG actor_connectivity::connectivity: Routes changed:
NewNeighbour; Destination: 192.168.29.13;
2024-11-18T15:26:22.597Z DEBUG actor_connectivity::connectivity: Routes changed:
NewNeighbour; Destination: 192.168.29.13;
2024-11-18T15:26:26.820Z DEBUG main_loop: warp::warp_service: Entering main loop arm arm="main_loop_compat_rx"
2024-11-18T15:26:26.820Z DEBUG main_loop:handle_state_request{state_request=GetRegistrationState}: warp::warp_service::actor_compat: close time.busy=5.25µs time.idle=3.06µs
2024-11-18T15:26:26.820Z DEBUG main_loop: warp::warp_service: Entering main loop arm arm="main_loop_compat_rx"
2024-11-18T15:26:26.820Z DEBUG main_loop:handle_state_request{state_request=GetSettings}: warp::warp_service::actor_compat: close time.busy=5.83µs time.idle=1.58µs
2024-11-18T15:26:26.820Z DEBUG main_loop: warp::warp_service: Entering main loop arm arm="main_loop_compat_rx"
2024-11-18T15:26:26.820Z DEBUG main_loop:handle_state_request{state_request=GetDaemonStatus}: warp::warp_service::actor_compat: close time.busy=1.90µs time.idle=1.54µs
2024-11-18T15:26:26.820Z DEBUG main_loop: warp::warp_service: Entering main loop arm arm="main_loop_compat_rx"
2024-11-18T15:26:26.820Z DEBUG main_loop:handle_state_request{state_request=GetWarpConnectionInfo}: warp::warp_service::actor_compat: close time.busy=1.32µs time.idle=1.34µs
2024-11-18T15:26:26.820Z DEBUG collect_device_state: actor_device_state::collector: close time.busy=23.7µs time.idle=133µs
2024-11-18T15:26:27.010Z DEBUG warp_api_client::client: Method: POST, Path: v0/4b4bffd9-52d6-4075-ae1d-2b6e5d0bd8b5/observe_events, StructuredLogsEndpoint { device_id: "4b4bffd9-52d6-4075-ae1d-2b6e5d0bd8b5", logs: Array [Object {"event": String("UserToggledV0"), "toggle": String("on"), "warp_colo": String("none"), "warp_metal": String("none"), "version": Number(0), "client_sample_rate": Number(1), "app_version": String("2024.11.150.0"), "os": String("Linux"), "os_version": String("6.11.8"), "timestamp": Number(1731943580742287), "session_id": String("618add8d-7dd4-44ec-b9b7-9eb33500ffca")}] }
2024-11-18T15:26:29.185Z ERROR warp_api_client::client: Failed API Request endpoint=StructuredLogsEndpoint { device_id: "4b4bffd9-52d6-4075-ae1d-2b6e5d0bd8b5", logs: Array [Object {"event": String("UserToggledV0"), "toggle": String("on"), "warp_colo": String("none"), "warp_metal": String("none"), "version": Number(0), "client_sample_rate": Number(1), "app_version": String("2024.11.150.0"), "os": String("Linux"), "os_version": String("6.11.8"), "timestamp": Number(1731943580742287), "session_id": String("618add8d-7dd4-44ec-b9b7-9eb33500ffca")}] } err=ApiFailure(500, ApiErrors { errors: [], other: {"messages": Array [], "success": Bool(false), "result": Null} })
^[[A2024-11-18T15:26:57.852Z  INFO warp::warp_service::ipc_loop: IPC: new connection exec_context=Regular process_name="/usr/bin/warp-cli" pid=71246
2024-11-18T15:26:57.852Z DEBUG main_loop: warp::warp_service::ipc_handlers: Ipc request: b3483fb3-21a1-4050-8d35-74904195ae4f; GetAppSettings
2024-11-18T15:26:57.853Z DEBUG main_loop: warp::warp_service::ipc_handlers: Ipc request: 80572190-b9fc-4437-b3bb-cace730564a2; GetAccount
2024-11-18T15:26:57.853Z DEBUG main_loop: warp::warp_service::ipc_handlers: Ipc response: 80572190-b9fc-4437-b3bb-cace730564a2; Registration: ID: 4b4bffd9-52d6-4075-ae1d-2b6e5d0bd8b5; Public Key: 3059301306072a8648ce3d020106082a8648ce3d030107034200046aef7f390ab6ea763b127f7694e0123f70f9d1a79ae950377957f5b4e9c81a7234c491b04149a5c2c94a8ab475e78ee54ecad64800a4b536d39dc968cf14fbb2; Managed: false; Account: Free { id: AccountId(bd03cdc0-03f8-4652-ac94-f9227fc42720), license: "9Y584jbp-192Jr5EW-f4R29T7n" };Alternate networks: None
2024-11-18T15:26:57.853Z DEBUG main_loop: warp::warp_service::ipc_handlers: Ipc request: 42ce7e75-905f-44cc-9c06-a8b9b8b305e7; SetAlwaysOn(true)
2024-11-18T15:26:57.853Z  INFO main_loop: structlog: event="UserToggledV0" toggle="on" warp_colo="none" warp_metal="none"
2024-11-18T15:26:57.854Z DEBUG run: warp_settings::manager: LayerManager update: UserOverrides(<mutator>)
2024-11-18T15:26:57.854Z DEBUG run: warp_settings::manager: UserOverrides updated: UserOverrides { version: Some(Current), always_on: Some(true), operation_mode: Some(Warp), disable_for_wifi: None, disable_for_ethernet: None, disable_for_networks: None, families: None, dns_log_until: DnsLogUntil(None), gateway_id: None, onboarding: None, organization: None, split_config: None, fallback_domains: None, proxy_port: None, disable_connectivity_checks: None, override_api_endpoint: None, override_doh_endpoint: None, override_warp_endpoint: None, override_tunnel_mtu: None, qlog_logging: Some(Enabled) }
2024-11-18T15:26:57.854Z DEBUG main_loop: warp::warp_service::ipc_handlers: Ipc response: 42ce7e75-905f-44cc-9c06-a8b9b8b305e7; Success
2024-11-18T15:26:57.854Z  INFO warp::warp_service::ipc_loop: IPC connection ended

this is what happens when i try to 

 warp-cli connect

Offline

#11 2024-11-18 15:35:15

Elixirslayer
Member
Registered: 2024-07-12
Posts: 54

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

constellation wrote:

Try running

sudo warp-svc

Does that expose any errors? I'm having a similar issue where warp refuses to start.
When I run sudo warp-svc, I get the error

2024-11-18T15:16:20.369Z ERROR main_loop: warp_net::ipc::unix: Unix socket already bound by root. Is another daemon running? path="/run/cloudflare-warp/warp_service

.

Not sure how to fix this...

That error is probably because the warp-svc service is already running

Offline

#12 2024-11-18 15:43:20

constellation
Member
Registered: 2024-08-16
Posts: 5

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

Elixirslayer wrote:
constellation wrote:

Try running

sudo warp-svc

Does that expose any errors? I'm having a similar issue where warp refuses to start.
When I run sudo warp-svc, I get the error

2024-11-18T15:16:20.369Z ERROR main_loop: warp_net::ipc::unix: Unix socket already bound by root. Is another daemon running? path="/run/cloudflare-warp/warp_service

.

Not sure how to fix this...

That error is probably because the warp-svc service is already running

Ah.. I see. I disabled & stopped warp-svc.service, I'm getting some different errors from the warp-svc log now...

2024-11-18T15:42:16.815Z ERROR firewall::linux: Failed to start firewall: Os { code: 2, kind: NotFound, message: "No such file or directory" }
2024-11-18T15:42:27.951Z ERROR warp::root_ca: This OS does not support custom root CA management

Offline

#13 2024-11-18 15:48:30

Elixirslayer
Member
Registered: 2024-07-12
Posts: 54

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

constellation wrote:

Ah.. I see. I disabled & stopped warp-svc.service, I'm getting some different errors from the warp-svc log now...

2024-11-18T15:42:16.815Z ERROR firewall::linux: Failed to start firewall: Os { code: 2, kind: NotFound, message: "No such file or directory" }
2024-11-18T15:42:27.951Z ERROR warp::root_ca: This OS does not support custom root CA management

same errors.

Offline

#14 2024-11-18 17:47:03

-thc
Member
Registered: 2017-03-15
Posts: 852

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

Just read that WARP is Cloudflares own implementation of WireGuard written in Rust.

Tried it.
- Compiled and installed the cloudflare-warp-bin AUR package
- Enabled and started warp-svc (WARP doesn't work without it, since it ignores the WireGuard kernel implementation)
- "warp-cli registration new"
- "warp-cli connect"

Works without any hassle. The trace ("curl https://www.cloudflare.com/cdn-cgi/trace/") shows warp is on and dnsleaktest shows none.

Some things i noticed:
- Works out of the box with systemd-resolved
- Feels slow on first contact with a new (non-DNS-cached) site
- Sets an additional rule in the "ip rule" set (similar to "wg-quick")
- Sets a remarkably low MTU (1280) for the virtual interface
- Sets a slightly awkward nftables table (but doesn't require "nftables" as a dependency (maybe an oversight?))

table inet cloudflare-warp {
	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept
		iif "CloudflareWARP" accept
		meta nfproto ipv4 udp sport 67 udp dport 68 accept
		ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport 68 udp dport 67 accept
		ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept
		ip6 saddr fe80::/10 ip6 daddr ff02::1:2 udp sport 546 udp dport 547 accept
		ip6 saddr fe80::/10 ip6 daddr ff05::1:3 udp sport 546 udp dport 547 accept
		meta l4proto ipv6-icmp accept
		ip protocol icmp accept
		ip saddr 104.17.143.163 tcp sport 443 accept
		ip saddr 104.16.80.230 tcp sport 443 accept
		ip6 saddr 2606:4700::6811:8fa3 tcp sport 443 accept
		ip6 saddr 2606:4700::6810:50e6 tcp sport 443 accept
		ip saddr 162.159.198.1 ip protocol udp accept
		ip saddr 162.159.198.1 tcp sport 443 accept
		ip6 saddr 2606:4700:103::1 ip6 nexthdr udp accept
		ip6 saddr 2606:4700:103::1 tcp sport 443 accept
		ip saddr 240.0.0.0/4 accept
		ip saddr 10.0.0.0/8 accept
		ip saddr 100.64.0.0/10 accept
		ip saddr 172.16.0.0/12 accept
		ip saddr 17.249.0.0/16 accept
		ip saddr 17.252.0.0/16 accept
		ip saddr 169.254.0.0/16 accept
		ip saddr 192.168.0.0/16 accept
		ip saddr 17.188.128.0/18 accept
		ip saddr 17.57.144.0/22 accept
		ip saddr 17.188.20.0/23 accept
		ip saddr 192.0.0.0/24 accept
		ip saddr 224.0.0.0/24 accept
		ip saddr 239.255.255.250 accept
		ip6 saddr fc00::/7 accept
		ip6 saddr fe80::/10 accept
		ip6 saddr ff02::/15 accept
		ip6 saddr ff04::/15 accept
		ip6 saddr ff01::/16 accept
		ip6 saddr 2403:300:a42::/48 accept
		ip6 saddr 2403:300:a51::/48 accept
		ip6 saddr 2620:149:a44::/48 accept
		ip6 saddr 2a01:b740:a42::/48 accept
	}

	chain output {
		type filter hook output priority filter; policy drop;
		oif "lo" accept
		oif "CloudflareWARP" goto tun
		ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport 68 udp dport 67 accept
		meta nfproto ipv4 udp sport 67 udp dport 68 accept
		ip6 saddr fe80::/10 ip6 daddr ff02::1:2 udp sport 546 udp dport 547 accept
		ip6 saddr fe80::/10 ip6 daddr ff05::1:3 udp sport 546 udp dport 547 accept
		ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept
		meta l4proto ipv6-icmp accept
		ip daddr 104.17.143.163 tcp dport 443 accept
		ip daddr 104.16.80.230 tcp dport 443 accept
		ip6 daddr 2606:4700::6811:8fa3 tcp dport 443 accept
		ip6 daddr 2606:4700::6810:50e6 tcp dport 443 accept
		ip daddr 162.159.198.1 ip protocol udp accept
		ip daddr 162.159.198.1 tcp dport 443 accept
		ip daddr 162.159.198.1 ip protocol icmp icmp type echo-request accept
		ip6 daddr 2606:4700:103::1 ip6 nexthdr udp accept
		ip6 daddr 2606:4700:103::1 tcp dport 443 accept
		ip daddr 240.0.0.0/4 accept
		ip daddr 10.0.0.0/8 accept
		ip daddr 100.64.0.0/10 accept
		ip daddr 172.16.0.0/12 accept
		ip daddr 17.249.0.0/16 accept
		ip daddr 17.252.0.0/16 accept
		ip daddr 169.254.0.0/16 accept
		ip daddr 192.168.0.0/16 accept
		ip daddr 17.188.128.0/18 accept
		ip daddr 17.57.144.0/22 accept
		ip daddr 17.188.20.0/23 accept
		ip daddr 192.0.0.0/24 accept
		ip daddr 224.0.0.0/24 accept
		ip daddr 239.255.255.250 accept
		ip6 daddr fc00::/7 accept
		ip6 daddr fe80::/10 accept
		ip6 daddr ff02::/15 accept
		ip6 daddr ff04::/15 accept
		ip6 daddr ff01::/16 accept
		ip6 daddr 2403:300:a42::/48 accept
		ip6 daddr 2403:300:a51::/48 accept
		ip6 daddr 2620:149:a44::/48 accept
		ip6 daddr 2a01:b740:a42::/48 accept
	}

	chain tun {
		ip saddr 172.16.0.2 accept
		ip6 saddr 2606:4700:110:8bc3:9790:7b1f:393b:bbf1 accept
		ip6 saddr fe80::/10 accept
		ip protocol tcp reject with tcp reset
		reject
	}

	chain forward {
		type filter hook forward priority mangle; policy accept;
		oif "CloudflareWARP" tcp flags & (syn | rst) == syn tcp option maxseg size set rt mtu
	}
}

Last edited by -thc (2024-11-18 17:50:16)

Offline

#15 2024-11-18 17:52:39

Elixirslayer
Member
Registered: 2024-07-12
Posts: 54

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

-thc wrote:

Just read that WARP is Cloudflares own implementation of WireGuard written in Rust.

Tried it.
- Compiled and installed the cloudflare-warp-bin AUR package
- Enabled and started warp-svc (WARP doesn't work without it, since it ignores the WireGuard kernel implementation)
- "warp-cli registration new"
- "warp-cli connect"

Works without any hassle. The trace ("curl https://www.cloudflare.com/cdn-cgi/trace/") shows warp is on and dnsleaktest shows none.

Some things i noticed:
- Works out of the box with systemd-resolved
- Sets an additional rule in the "ip rule" set (similar to "wg-quick")
- Sets a remarkably low MTU (1280) for the virtual interface
- Sets a slightly awkward nftables table (but doesn't require "nftables" as a dependency (maybe an oversight?))Just read that WARP is Cloudflares own implementation of WireGuard written in Rust.

table inet cloudflare-warp {
	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept
		iif "CloudflareWARP" accept
		meta nfproto ipv4 udp sport 67 udp dport 68 accept
		ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport 68 udp dport 67 accept
		ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept
		ip6 saddr fe80::/10 ip6 daddr ff02::1:2 udp sport 546 udp dport 547 accept
		ip6 saddr fe80::/10 ip6 daddr ff05::1:3 udp sport 546 udp dport 547 accept
		meta l4proto ipv6-icmp accept
		ip protocol icmp accept
		ip saddr 104.17.143.163 tcp sport 443 accept
		ip saddr 104.16.80.230 tcp sport 443 accept
		ip6 saddr 2606:4700::6811:8fa3 tcp sport 443 accept
		ip6 saddr 2606:4700::6810:50e6 tcp sport 443 accept
		ip saddr 162.159.198.1 ip protocol udp accept
		ip saddr 162.159.198.1 tcp sport 443 accept
		ip6 saddr 2606:4700:103::1 ip6 nexthdr udp accept
		ip6 saddr 2606:4700:103::1 tcp sport 443 accept
		ip saddr 240.0.0.0/4 accept
		ip saddr 10.0.0.0/8 accept
		ip saddr 100.64.0.0/10 accept
		ip saddr 172.16.0.0/12 accept
		ip saddr 17.249.0.0/16 accept
		ip saddr 17.252.0.0/16 accept
		ip saddr 169.254.0.0/16 accept
		ip saddr 192.168.0.0/16 accept
		ip saddr 17.188.128.0/18 accept
		ip saddr 17.57.144.0/22 accept
		ip saddr 17.188.20.0/23 accept
		ip saddr 192.0.0.0/24 accept
		ip saddr 224.0.0.0/24 accept
		ip saddr 239.255.255.250 accept
		ip6 saddr fc00::/7 accept
		ip6 saddr fe80::/10 accept
		ip6 saddr ff02::/15 accept
		ip6 saddr ff04::/15 accept
		ip6 saddr ff01::/16 accept
		ip6 saddr 2403:300:a42::/48 accept
		ip6 saddr 2403:300:a51::/48 accept
		ip6 saddr 2620:149:a44::/48 accept
		ip6 saddr 2a01:b740:a42::/48 accept
	}

	chain output {
		type filter hook output priority filter; policy drop;
		oif "lo" accept
		oif "CloudflareWARP" goto tun
		ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport 68 udp dport 67 accept
		meta nfproto ipv4 udp sport 67 udp dport 68 accept
		ip6 saddr fe80::/10 ip6 daddr ff02::1:2 udp sport 546 udp dport 547 accept
		ip6 saddr fe80::/10 ip6 daddr ff05::1:3 udp sport 546 udp dport 547 accept
		ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept
		meta l4proto ipv6-icmp accept
		ip daddr 104.17.143.163 tcp dport 443 accept
		ip daddr 104.16.80.230 tcp dport 443 accept
		ip6 daddr 2606:4700::6811:8fa3 tcp dport 443 accept
		ip6 daddr 2606:4700::6810:50e6 tcp dport 443 accept
		ip daddr 162.159.198.1 ip protocol udp accept
		ip daddr 162.159.198.1 tcp dport 443 accept
		ip daddr 162.159.198.1 ip protocol icmp icmp type echo-request accept
		ip6 daddr 2606:4700:103::1 ip6 nexthdr udp accept
		ip6 daddr 2606:4700:103::1 tcp dport 443 accept
		ip daddr 240.0.0.0/4 accept
		ip daddr 10.0.0.0/8 accept
		ip daddr 100.64.0.0/10 accept
		ip daddr 172.16.0.0/12 accept
		ip daddr 17.249.0.0/16 accept
		ip daddr 17.252.0.0/16 accept
		ip daddr 169.254.0.0/16 accept
		ip daddr 192.168.0.0/16 accept
		ip daddr 17.188.128.0/18 accept
		ip daddr 17.57.144.0/22 accept
		ip daddr 17.188.20.0/23 accept
		ip daddr 192.0.0.0/24 accept
		ip daddr 224.0.0.0/24 accept
		ip daddr 239.255.255.250 accept
		ip6 daddr fc00::/7 accept
		ip6 daddr fe80::/10 accept
		ip6 daddr ff02::/15 accept
		ip6 daddr ff04::/15 accept
		ip6 daddr ff01::/16 accept
		ip6 daddr 2403:300:a42::/48 accept
		ip6 daddr 2403:300:a51::/48 accept
		ip6 daddr 2620:149:a44::/48 accept
		ip6 daddr 2a01:b740:a42::/48 accept
	}

	chain tun {
		ip saddr 172.16.0.2 accept
		ip6 saddr 2606:4700:110:8bc3:9790:7b1f:393b:bbf1 accept
		ip6 saddr fe80::/10 accept
		ip protocol tcp reject with tcp reset
		reject
	}

	chain forward {
		type filter hook forward priority mangle; policy accept;
		oif "CloudflareWARP" tcp flags & (syn | rst) == syn tcp option maxseg size set rt mtu
	}
}

did you have to install wiregaurd? or simply cloudflare-warp-bin worked out of the box with systemd-resolved?
in my case i have systemd-resolved and simply installing the warp package then enabling and starting warp-svc service doesn't help as it doesn't connect successfully.

and i dont have nftables, but that's not a problem right?

Last edited by Elixirslayer (2024-11-18 17:53:11)

Offline

#16 2024-11-18 18:21:16

-thc
Member
Registered: 2017-03-15
Posts: 852

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

No you don't need to install wireguard,

Try installing nftables. Maybe the ominous "firewall" error is based on it's absence.

Offline

#17 2024-11-18 18:22:54

Elixirslayer
Member
Registered: 2024-07-12
Posts: 54

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

-thc wrote:

No you don't need to install wireguard,

Try installing nftables. Maybe the ominous "firewall" error is based on it's absence.

Oh wow, as soon as i installed nftables and restarted warp-svc service, status says connected.

probably is a dependency??

Offline

#18 2024-11-18 18:23:48

-thc
Member
Registered: 2017-03-15
Posts: 852

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

Yeah I think so.

Offline

#19 2024-11-18 18:25:31

Elixirslayer
Member
Registered: 2024-07-12
Posts: 54

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

-thc wrote:

Yeah I think so.

dns leak still hasn't been resolved though, dnsleaktest.com shows 6 jio isp servers. (atleast the major problem is gone)

curl https://www.cloudflare.com/cdn-cgi/trace/
fl=670f70
h=www.cloudflare.com
ip=2a09:bac5:3b30:1a46::29e:46
ts=1731954232.404
visit_scheme=https
uag=curl/8.11.0
colo=BOM
sliver=none
http=http/2
loc=IN
tls=TLSv1.3
sni=plaintext
warp=on
gateway=off
rbi=off
kex=X25519

Last edited by Elixirslayer (2024-11-18 18:26:02)

Offline

#20 2024-11-18 18:31:54

-thc
Member
Registered: 2017-03-15
Posts: 852

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

What does

resolvectl

show?

Offline

#21 2024-11-18 18:32:35

Elixirslayer
Member
Registered: 2024-07-12
Posts: 54

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

-thc wrote:

What does

resolvectl

show?

resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
  Current DNS Server: 127.0.2.2
         DNS Servers: 127.0.2.2 127.0.2.3
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google
                      2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google

Link 2 (enp3s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.29.1
       DNS Servers: 192.168.29.1 2405:201:302f:b8eb::c0a8:1d01

Link 4 (wlp0s20f0u7)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (CloudflareWARP)
    Current Scopes: LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

Last edited by Elixirslayer (2024-11-18 18:33:57)

Offline

#22 2024-11-18 18:38:24

-thc
Member
Registered: 2017-03-15
Posts: 852

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

Your "/etc/resolv.conf" should be a link to "/run/systemd/resolve/stub-resolv.conf":

lrwxrwxrwx 1 root root 37 Oct 30  2023 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf

and should read

# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search .~

"resolvectl" should say

resolv.conf mode: stub

Offline

#23 2024-11-18 18:39:40

Elixirslayer
Member
Registered: 2024-07-12
Posts: 54

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

-thc wrote:

Your "/etc/resolv.conf" should be a link to "/run/systemd/resolve/stub-resolv.conf":

lrwxrwxrwx 1 root root 37 Oct 30  2023 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf

and should read

# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search .~

"resolvectl" should say

resolv.conf mode: stub

i see, how do i fix this?

Offline

#24 2024-11-18 18:41:31

-thc
Member
Registered: 2017-03-15
Posts: 852

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

Offline

#25 2024-11-18 18:42:56

Elixirslayer
Member
Registered: 2024-07-12
Posts: 54

Re: [SOLVED] Need help troubleshooting cloudflare warp and vpn problem

-thc wrote:
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
         DNS Servers: 127.0.2.2 127.0.2.3
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google
                      2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google

Link 2 (enp3s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 192.168.29.1 2405:201:302f:b8eb::c0a8:1d01

Link 4 (wlp0s20f0u7)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (CloudflareWARP)
    Current Scopes: DNS mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute -LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 127.0.2.2 127.0.2.3 ::ffff:127.0.2.2 ::ffff:127.0.2.3
        DNS Domain: ~.

looks good

Offline

Pages: 1 2

Board footer

Powered by FluxBB