Hi there! Abe from the Zero Trust product team here
Today, we’re excited to share that we’ve been working on a new, easy way to start building a private network on Cloudflare! To get started, you just need the Cloudflare WARP software, which you’re likely already familiar with running on your mobile devices and laptops.
To start building your first network, you simply need to:
Navigate to Settings > Network and enable Warp to Warp
Once enrolled, these two (or more) devices will become a part of the same virtual network and from there you can Ping, SSH, or access local web servers running on either machine as if they were in the same physical network. We’ll assign a private IP to each enrolled device that you can use. No additional configuration steps required.
If you want to add Zero Trust rules, you can! Otherwise you can make sure that everything enrolled in your Cloudflare One account can talk to everything else.
Needless to say, we’re excited to get this into your hands and get your early feedback. While this feature may simplify new, lightweight deployments, it also unlocks a number of use cases for more complex, existing deployments where you may want Warp devices to address one another. In either case, we’re excited to get your feedback and learn about what you’d like to see out of this feature-set next!
If you would like to be part of the beta, please fill out this form and we will get this feature flag surfaced in your Zero Trust account.
If you log in to https://one.dash.cloudflare.com/, you’ll find it in the URL as the alphanumeric ID after you pick your account (if you have multiple ones).
Same if you go to https://dash.cloudflare.com/ — as well as after you pick a Zone (if you have any), you’ll find it at the bottom right of the screen under “Account”.
Whoops! @nuno.diegues — didn’t notice until now that you were the one to reply to my inquiry, thank you.
Also, @abe, just wondering how long to expect before the feature might be enabled for my account? Hoping to use this over Tailscale / ZeroTier since Zero Trust is already configured and would be preferable, of course. Thanks!
No problem at all. For context, we’ve been enabling accounts on a weekly basis, but I’ll be sure to double check this week’s enablement to include your account. Looking forward to receiving your feedback as well!
Awesome, I see it now. I was able to get the warp-to-warp traffic going but wanted to point out that I am using include routes. Therefore I had to add the 100.96.x.x CGNAT address to the included routes in my warp config for this to work correctly. Might be worth adding to eventual documentation.
I was able to get connectivity between a VM in the cloud and my local system working properly with warp to warp. It works great and I am really excited about using this in prod.
Since warp-cli can now expose services, what’s the future of cloudflared? Will it eventually be replaced by warp-cli?
Edit: further testing shows that warp to warp only works intermittently. I can ping both machines from each other, but running a simple http server on my desktop and trying to access it from my cloud vm only works some times. Currently curl is getting an empty response from the server when sending the request from the cloud vm. Then sometimes, ping will return destination unreachable.
Doing some further testing. Here’s my setup:
Windows machine running warp.
Ubuntu VM running in a cloud provider running warp without a public ip address and using a NAT gateway for egress.
Both machines are connected to warp and I can see them listed in the device list in the warp ui.
I can (usually) ping the machines from each other, although sometimes ping will fail randomly.
I can always ssh into the VM from the Windows machine using the VM’s Cloudflare assigned virtual ip. This is reliable and always works.
I am unable to access any other service running on the VM from the Windows machine using the virtual IP.
This is the output of lsof -i -n -P | more on the VM:
It would be very cool to be able to set an IP, or create an alias (like a domain), to make it easier to access a relevant device without having to check the Devices List.
One thing that I had to do for work is remove the 10.XX.0.0/10 setting in the split tunnel settings. (I’m using exclude mode.)
As a quick update, this feature is now available in all accounts. Check out our dev docs for more information on how to get started.
Thank you for testing this out @robson. This is great feedback as we’re thinking through ways to improve the UX around this feature.
@f21 would you mind opening a support ticket at https://support.cloudflare.com/hc/en-us/requests/ (or you can just email support[at]cloudflare.com) and referencing this thread? We’ll likely want to collect some logs here to help us understand the issue a bit better. It sounds like it may be related to service bindings, but we’ll be able to investigate further with a bit more information from the machines running WARP.
@abe
I am unable to open a support ticket as I am on the free plan. I emailed support@Cloudflare… and I got an automated response to open a support ticket instead.
Is there a direct email address I can email to debug this?
@robson are you able to share what your setup looks like? I am trying to get warp-to-warp working, but other than SSH, I am not able to access any other services running on my WARP clients.
Finally had time to really dive into this. The problem with the Oracle Cloud VM is the default iptables rules that come with their platform images.
There’s a rule in there that allows states RELATED and ESTABLISHED: -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
And another one after that that rejects everything: -A INPUT -j REJECT --reject-with icmp-host-prohibited
The solution is to modify the first rule to include the state NEW or to add another rule to allow NEW before the rule that rejects everything: -A INPUT -m state --state NEW -j ACCEPT
The reason why SSH was working while other services were not was because Oracle’s default iptables rules have an entry that allows NEW on port 22 (SSH).
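An added example (not from this thread or from Cloudflare) that checks an iptables-save style INPUT chain for exactly the pattern described above: RELATED,ESTABLISHED accepted, NEW accepted only on port 22, then a catch-all REJECT. The ruleset is constructed to mirror the rules quoted in the post; on a real VM you would pipe in `iptables-save` output instead.

```shell
#!/bin/sh
# Constructed ruleset shaped like the default rules described in the post
# (not copied from any platform image): only port 22 accepts NEW before the
# catch-all REJECT, so any other service is unreachable over the WARP IP.
ORACLE_LIKE_RULES='
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
'

# new_tcp_allowed RULESET PORT -> prints "allowed" or "blocked".
# Walks the INPUT chain in order; a NEW-accepting rule (any port, or the
# requested --dport) before the first catch-all REJECT/DROP means "allowed".
# If no catch-all is reached, the default policy is assumed to be ACCEPT.
new_tcp_allowed() {
  printf '%s\n' "$1" | awk -v port="$2" '
    BEGIN { verdict = "allowed" }
    $1 != "-A" || $2 != "INPUT" { next }
    # catch-all: no protocol, no port and no state match
    /-j (REJECT|DROP)/ && !/-p / && !/--dport/ && !/--state/ { verdict = "blocked"; exit }
    /-j ACCEPT/ && /--state [A-Z,]*NEW/ {
      if (!/--dport/ || $0 ~ ("--dport " port "($| )")) { verdict = "allowed"; exit }
    }
    END { print verdict }'
}

# allow_new_before_reject RULESET -> prints the ruleset with the post's second
# fix applied: a NEW accept inserted just before the first catch-all REJECT.
# In production, narrow it with -i <warp interface> or -s <WARP range> rather
# than accepting NEW from everywhere.
allow_new_before_reject() {
  printf '%s\n' "$1" | awk '
    !done && $1 == "-A" && $2 == "INPUT" && /-j (REJECT|DROP)/ && !/-p / && !/--dport/ && !/--state/ {
      print "-A INPUT -m state --state NEW -j ACCEPT"; done = 1
    }
    { print }'
}

# Demonstration: SSH reachable, a local HTTP server on 8000 is not, until fixed.
new_tcp_allowed "$ORACLE_LIKE_RULES" 22      # prints: allowed
new_tcp_allowed "$ORACLE_LIKE_RULES" 8000    # prints: blocked
FIXED_RULES=$(allow_new_before_reject "$ORACLE_LIKE_RULES")
new_tcp_allowed "$FIXED_RULES" 8000          # prints: allowed
```

Run the checker against `iptables-save` output from the VM to confirm the ordering before editing rules, since a NEW accept placed after the REJECT line changes nothing.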