Private network inaccessible on warp macos

nasrj3 · May 20, 2023, 8:14am

When connecting using ZeroTrust WARP on my Android, I can access devices on the defined private network. However, on my mac when doing the same thing, the same IP’s time out and show nothing.

albert · May 20, 2023, 8:44am

Could you please visit https://cloudflare.com/cdn-cgi/trace while connected to WARP on your Mac and share the output?

nasrj3 · May 20, 2023, 6:15pm

Sure!

This is the output of that when my Mac is connected via WARP.

fl=138f27
h=cloudflare.com
ip=2a09:bac5:6239:569::8a:1b
ts=1684606364.267
visit_scheme=https
uag=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.48
colo=SMF
sliver=none
http=http/3
loc=US
tls=TLSv1.3
sni=plaintext
warp=plus
gateway=off
rbi=off
kex=X25519

and this is the same site on my Android phone via WARP

fl=4f626
h=cloudflare.com
ip=2a09:bac1:76c0:28::4:272
ts=1684606436.553
visit_scheme=https
uag=Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Mobile Safari/537.36
colo=SJC
sliver=010-tier1
http=http/2
loc=US
tls=TLSv1.3
sni=plaintext
warp=plus
gateway=off
rbi=off
kex=X25519

albert · May 20, 2023, 6:56pm

I see that your Mac is connecting over HTTP/3, which uses UDP instead of TCP. Do you have UDP proxying enabled in your network settings?

nasrj3 · May 20, 2023, 7:05pm

I don’t have any proxy enabled in network settings.

On another note when my router uses the same local IP range as is configured in zero trust (10.0.0.0/24) mac does not connect to the private devices (android doesn’t seem to mind this). However, when the router’s local IP range is different (192.168.1.0/24) than the zero trust range (10.0.0.0/24) macos allows me to connect. Could this be contributing to or caused by the HTTP/3 issue? Maybe there is some mac setting that routes subnet routes internally rather than allowing cloudflare to handle them or something? idk.

albert · May 20, 2023, 7:09pm

I meant in the Zero Trust network settings.

nasrj3 · May 20, 2023, 7:28pm

Oh I never enabled the firewall in zero trust.

albert · May 20, 2023, 7:38pm

If the proxy is not enabled in Zero Trust network settings, then connections will not be routed through the tunnel to your private network. I believe TCP proxy is enabled by default, but you have to manually enable UDP.

nasrj3 · May 20, 2023, 8:36pm

I enabled UDP under the proxy settings and it did not make any difference. I still believe it’s because of the local subnet tbh, because when I change my router settings to use a completely different ip address space than zero trust, it works. Even on my mac with HTTP/3.

nasrj3 · May 20, 2023, 8:51pm

For now, I simply moved the IP ranges for zero trust up by 65,536
So 10.0.0.0/24 is now 10.1.0.0/24, this should prevent any IP overlap with the local routing tables when connecting (even though the local routing tables are not needed by me).

Thank you for the help Albert!