Warp-cli: --access-client-id and --access-client-secret no longer exist?

control2 · May 16, 2022, 4:43pm

Hello,

How I can enroll linux device without GUI with warp-cli?

Seems like --access-client-id and --access-client-secret no longer exist?

[email protected]:~# warp-cli --version
WARP 2022.4.235

warp-cli teams-enroll --help
warp-cli-teams-enroll
Enroll with Cloudflare for Teams

USAGE:
warp-cli teams-enroll

FLAGS:
-h, --help Prints help information
-V, --version Prints version information

ARGS:

michael.tiller · May 17, 2022, 6:57pm

I have the same question. How are we supposed to link servers up with warp-cli? These are not users logging in “for the day”, they need to be always up and connected. I got the impression this is what service tokens were for…why would you remove this functionality?

control2 · May 17, 2022, 8:51pm

Yes it’s crazy it was availiable when we were on Free plan, now paying Standard and thinking about Enterprise and this feature dissapear…

We need more stability of core features in SECURITY SOFTWARE because Cloudflare for Teams is now announced as SECURITY SOFTWARE.

KianNH · May 18, 2022, 10:33am

Go to https://teamname.cloudflareaccess.com/warp.
Open DevTools.
Login.
When you get a prompt about opening a link with Cloudflare WARP, press cancel.
Look at the request to auth?token=<blah> & copy the Request URL that starts with com.cloudflare.warp
Run warp-cli teams-enroll-token "<paste that Request URL here>"

Ideal? Probably not - but it works.

Source: strings on /usr/bin/warp-cli

Maybe the Zero Trust team can chime in with a more seamless flow.

michael.tiller · May 18, 2022, 4:27pm

Kian,

Thanks for looking into this, I realize this is outside your scope. This doesn’t work in practice. I’m doing a fresh install on an Ubuntu 20.04 VM (I can post every single step if you’d like). The main thing is that I do the warp-cli register and warp-cli connect and those work fine.

I can certainly follow your directions, that isn’t the issue. I can run warp-cli teams-enroll-token ... and I get a Success in response. But it isn’t actually making things any better. It is actually making things works. After running register and connect if I run curl https://www.cloudflare.com/cdn-cgi/trace/ I get warp=on but gateway=off. My hope was that by running warp-cli teams-enroll, I could get gateway=on as well. But, in fact, after running the commands you suggest, not only do I get gateway=off, I also get warp=off, i.e., is appears to cancel out the previous warp-cli connect command.

Keep in mind, I’d obviously like scriptable way of implementing this for each new VM we try to deploy. So yes, in that sense it isn’t ideal. But that isn’t the part that is so frustrating here, it is the fact that none of this is even documented (and by that I mean in the documentation). Installing to headless Linux servers is a HUGE part of our use case and it is a bit shocking to me that while “Linux support” has been touted for some time, this particular use case seems to have been completely ignored. I’m not complaining, you’ve gone out of your way to help. But I’m just pointing out that a little bit of documentation could go a long way here in improving support for what must be a common use case (that or I do not understand at all what this product is for…which is entirely possible).

In any case, I’m still completely stuck.

control2 · September 22, 2022, 4:55pm

Update: now after create MDM file we enroll device without GUI (for example linux server)

developers.Cloudflare(dot)com/Cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/#install-warp-on-linux

For example we can enroll device by Service Token

In Zero Trust dashobard go to Access > Service Auth. Create token and save.
In Zero Trust dashboard go to Settings > WARP Client > Device enrollment permissions > Manage and add Service Auth rule
On Linux server install WARP and create MDM file:

/var/lib/cloudflare-warp/mdm.xml

with content:

<dict>
  <key>organization</key>
  <string>your_org_name</string>
  <key>auth_client_id</key>
  <string>auth_client_id.access</string>
  <key>auth_client_secret</key>
  <string>auth_client_secret</string>
</dict>

and run warp-cli register && warp-cli connect

Now we are connected to our Team… but incoming connections stop working (like SSH) until warp-cli disconnect… not sure how resolve this issue

f21 · February 7, 2023, 4:02am

Did you ever find a solution to this? I am also experimenting with warp-cli on a Ubuntu server and it seems that if warp-cli is enabled and connected, incoming connections no longer work.

Edit: I had to exclude the public IP of the machine I am using to SSH into the server in split tunnels to connect into the server with Warp enabled. This is less than ideal.

js.zhang06 · March 14, 2023, 9:53am

You need to log in to your organization and set the WARP Client service mode to Proxy mode,
Settings > WARP Client > Device settings > Default > configure
Allow updates --Enabled
Service mode --Proxy mode
and run warp-cli connect

control2 · March 14, 2023, 5:12pm

I currently use

“Gateway with WARP”

All traffic is encrypted by Gateway. This mode is required if you want to enable HTTP rules, Browser Isolation, Anti-Virus scanning and DLP.

in Proxy mode there is no HTTP rules etc.

control2 · March 14, 2023, 5:12pm

And you connect to server only via WARP or without too?