Can't get WARP Site-to-Site Connectivity to work

What is the name of the domain?

thebrowndomain

What is the issue you’re encountering

The devices in each subnet cannot reach each other.

What are the steps to reproduce the issue?

I’ve followed the Cloudflare documentation titled: “Set up WARP Connector - Site to Site connectivity.” I can’t include a link to the documentation because the forum won’t let me.

This creates two tunnels to Cloudflare; one from each subnet that you want to route between. But I really only want one machine from each subnet (they’re both QNAP NASes) to be able to reach each other. I don’t want any other devices on either subnet to be able to reach any other devices in the other subnet; therefore, I’m using /32 in my CIDR routes.

Here’s my setup:

Network 1:
Subnet: 192.168.13.0/24
Warp connector:

  • name: warp-1
  • OS: rocky linux 9.4
  • IP: 192.168.13.49
  • CloudflareWARP: 100.96.0.3/32
  • Status: connected
  • ports opened in firewalld: 2408/udp 500/udp 1701/udp 4500/udp 443/udp

Qnap-1:

  • IP: 192.168.13.50/24
  • gateway: 192.168.13.1
  • routes: static route to reach 192.168.188.240/32 via 192.168.13.49

Tunnels:

  • name: subnet-192.168.13.50/32
  • cidr routes: 192.168.13.50/32
  • status: healthy

Network 2:
Subnet: 192.168.188.0/24
Warp connector:

  • name: warp-2
  • OS: rocky linux 9.4
  • IP: 192.168.188.241
  • CloudflareWARP: 100.96.0.2/32
  • Status: connected
  • ports opened in firewalld: 2408/udp 500/udp 1701/udp 4500/udp 443/udp

Qnap-2:

  • IP: 192.168.188.240/24
  • gateway: 192.168.188.1
  • Routes: static route to reach 192.168.13.50/32 via 192.168.188.241

Tunnels:

  • name: subnet-192.168.188.240/32
  • cidr routes: 192.168.188.240/32
  • status: healthy

Split tunnel configuration:

  • mode: exclude
  • Subnets not listed in list (meaning they should be permitted to route through the tunnels):
    • 192.168.0.0/16
    • 192.168.188.240/32
    • 192.168.13.50/32
    • 100.64.0.0/10
  • Subnets included (meaning they should be blocked from routing through the tunnels):
    • All the defaults plus the following.
    • 100.64.0.0/11
    • 100.112.0.0/12

Following the documentation that I linked to above went perfectly. Both WARP connectors are authenticated and connected. Both tunnels are showing a healthy status.

Tests:
warp-1 is unable to ping warp-2 (100.96.0.2/32) or qnap-2 (192.168.188.240/32)
warp-2 is unable to ping warp-1 (100.96.0.3/32) or qnap-1 (192.168.13.50/32)
qnap-1 is unable to ping 192.168.188.240/32

  • When attempting to ping qnap-2, tcpdump running on warp-1 displays an “admin prohibited filter” response to the ICMP echo request from qnap-1.

qnap-2 is unable to ping 192.168.13.50/32

Not sure how else to troubleshoot this issue. Any advice would be hugely appreciated.

I thought I’d try to post a link to the documentation I followed.

Here it is: Set up WARP Connector · Cloudflare Zero Trust docs
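
An added example, not part of the original post: a Python check of the split tunnel configuration described above. It confirms whether each address from the post falls inside an exclude-mode entry, and which part of 100.64.0.0/10 is still tunneled. Only the two exclude entries the post lists are used; the remaining defaults are not enumerated there and are assumed not to cover these addresses.

```python
import ipaddress

# Exclude-mode entries the post lists explicitly. The remaining default entries
# are not enumerated in the post and are left out here (assumption: none of
# them covers the addresses below, since the post says 192.168.0.0/16 and
# 100.64.0.0/10 were removed from the list).
EXCLUDED = ["100.64.0.0/11", "100.112.0.0/12"]

# Addresses from the post that must traverse the tunnel.
TARGETS = {
    "warp-1 (CloudflareWARP)": "100.96.0.3",
    "warp-2 (CloudflareWARP)": "100.96.0.2",
    "qnap-1": "192.168.13.50",
    "qnap-2": "192.168.188.240",
}

def excluded_by(ip, excluded=EXCLUDED):
    """Return the excluded CIDRs that contain ip (empty list means tunneled)."""
    addr = ipaddress.ip_address(ip)
    return [c for c in excluded if addr in ipaddress.ip_network(c)]

def remaining(parent, excluded=EXCLUDED):
    """Return the parts of parent still tunneled after removing excluded CIDRs."""
    nets = [ipaddress.ip_network(parent)]
    for c in excluded:
        cut = ipaddress.ip_network(c)
        nxt = []
        for n in nets:
            if cut.subnet_of(n):
                # Carve the excluded block out of this network.
                nxt.extend(n.address_exclude(cut))
            elif not n.subnet_of(cut):
                # Disjoint from the excluded block: keep unchanged.
                nxt.append(n)
        nets = nxt
    return sorted(ipaddress.collapse_addresses(nets))

def report():
    """Map each target name to the excluded CIDRs that cover it."""
    return {name: excluded_by(ip) for name, ip in TARGETS.items()}

if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name}: {'excluded by ' + ', '.join(hits) if hits else 'tunneled'}")
    print("CGNAT space still tunneled:", [str(n) for n in remaining("100.64.0.0/10")])
```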