Gateway with WARP Questions

I’m still learning about Gateway with WARP and have been playing with it quite a bit. When I enable it on my phone, a lot of sites do not work properly. I see there is Certificate Pinning available and have enabled that for sites that do not seem to load correctly to bypass the HTTP filter.

I will give you some examples:

  • Cafe Rio, Chipolte, Chick-Fil-A apps on Android devices will not connect unless they are exceptioned using a hostname list.
  • Reddit will not work
  • Twitter won’t work
  • Discord won’t connect, Captcha’s won’t load.
  • Google Calendar won’t sync
  • Outlook app won’t sync, connect, send email.
  • There are a lot more sites that have issues as well.

Since I’m attempting to understand this better, my questions are:

  • Is this normal behavior? I know this can be interpreted by some servers as a MITM attack, so maybe that is why they are not loading.
  • Is there a sort of set and forget it configuration out of the box, other than the pre-configured (Do Not Inspect) lists?
  • It seems enabling (Do Not Inspect) lists, also removes the applications from the Shadow IT discovery as well. Is there a way to still manage that without those sites be set to not be inspected? I’m assuming not, but asking because I suppose I need some education.
  • Are Gateway with DOH and WARP compatible without clobbering each other or should they be run independently?
  • What are the consensus best practices for Gateway with WARP? For example, only enable WARP on certain sites within a list, etc?

The reasons I’m asking all of this is because my experience hasn’t been this with with a lot of routers that support TLS inspection and haven’t had many issues with sites not loading, etc.

Thank you kindly for any helpful feedback and direction you may give! :slight_smile:

You have two options, a) Disable “TLS decryption” (Zero Trust Dashboard->Settings->Network->Firewall) or b) installing and trusting the certificate:

Hi Albertus,

I should’ve mentioned, the cert is installed on the Android device in question. Thank you.

Oh, ok. So if you inspect the certificate when browsing those websites, do you see it as not trusted? I would look into that direction to make sure the cert is correctly trusted.

So I’ll just start with Twitter here, if I visit their website, the cert shows valid in the browser, but the site errors out. Refreshing does nothing. See attached screenshot.

That looks like some session issue but I don’t know how this could be related to WARP. Some hello world page would probably be a better thing to test. I would also try to see if it works okay with TLS decryption off, just to be sure it’s not that.

As soon as I turn WARP off, everything works correctly.

When disabling TLS inspection, almost nothing appears in the logs. So that isn’t really worth that, as it won’t do much. Let me test something with the twitter app, not sure if I can sign out, then back in. When I turn it on, it refuses to work. If I can, it’s a session issue like you said, but that would be horrible for users having to do this to every app if that works…

Ok, so some further testing reveals that while the web versions of different sites work fine through the browser, they will not work through the locally installed apps at all. I’ve tested it with several applications.

My phone I’m testing with is a Pixel 4a with Android 12. I’ve tested with Twitter, Chick-Fil-A, Reddit, Outlook will not receive email notifications and can’t see new email, etc. This is obviously a deal breaker for users. What options do I have?

It sounds like something that would happen on a nonstandard Android setup. Do other VPN solutions work?

It’s stock Android 12. Do you have a suggestion to test?

Any VPN solution that offers a free trial maybe?

So I have Google FI and enabled their VPN service. I disabled exceptions on the connection so all traffic is routed through their VPN service and all apps seem to work without issue.

Did yo try WARP+ without Zero Trust?
Did you try removing the app and installing it again?
Did you try restarting your phone?

Can you share Diagnostics screen, and DNS logs, Console logs and Buringtun logs? You may need to use TinyPaste or something like that.

1.1.1.1->☰->Advanced->Diagnostics

Sorry for the delay, I got a bit swamped. I’ll see if I can work on this today. :slight_smile:

I answered inline above. In addition, I attempted to test the beta version of the 1.1.1.1 app in the Play Store, but it’s the same version of the live version, 6.16. Gateway with DOH works without issue.

If you use WARP and it works fine but then you have issues browsing after joining the Zero Trust organization I can only think that the Cloudflare egres IPs you’re using are somehow blocked.

I decided to try the warp on a Debian VM as well. It’s exhibiting issues as well.

EDIT: with warp-cli enabled, SSL issues persist here as well, even though it’s the CA crt has been imported. Getting ready to hit my head on the desk…

EDIT2: So the browser was failing because it uses it’s own cert store. I imported that into it’s store and it’s fine now. Need to figure out how to make APT use the CA cert now…

Where at? I don’t have anything in my firewall on the machines or gateway that would block that, unless Gateway with DOH is blocking it…

One sec, checking that category…

What category in DOH would WARP fall under?

EDIT: Checked the logs in the dashboard and on the HTTP policies (I have nothing enabled), they show BYPASS for Cloudflare entries. In the DOH logs, clouflare entries show allowed. I don’t see anything being blocked…