What is the name of the domain?
example.com
What is the error number?
none
What is the error message?
none
What is the issue you’re encountering
Cannot access HTTP webpage behind warp tunnel but can RDP into server hosting webpage
What steps have you taken to resolve the issue?
Checked routing, created explicit allow rules in gateway firewall, set to no scan.
What are the steps to reproduce the issue?
I have a remote site hosting a Warp Connector tunnel that I can access everything behind, with the exception of HTTP and HTTPS. Packet captures show that when initiating the communications the three-way handshake takes place and then there is a PSH from the remote Warp client, most likely requesting the web server to load the page, but then nothing loads and the remote Warp IP stops responding and the gateway keeps sending ACKs until timeout. If I use a Cloudflared tunnel everything works fine, but unfortunately I need the Warp Connector tunnel to be able to map the CGNAT IPs to user identities. The Warp Connector tunnel does not seem to work with Network Proxy disabled. I have confirmed though that the Cloudflared Tunnel passes https/https with or without the proxy enabled. Any help would be really appreciated.
I have been beating my head against my desk trying to resolve this issue. I have a Cloudflare Warp Connect tunnel (not Cloudflared) that comes into a Bastion Host. From there routing is provisioned to access internal resources, and this all works fine with the exception of accessing the Captive Portal webpage that is hosted on the firewall, or the firewall login page itself.
HTTP does work; I tested this by spinning up an nginx server, which consistently works. Then I reconfigured it to proxy to the firewall login page. The first time I accessed it (firewall login page), it worked; all subsequent requests led to a gateway timeout error from Cloudflare. I have Zero Trust completely open for testing and all gateway network and HTTP logs show allow, yet the page won't load (the nginx page will load, just no Captive Portal or firewall web page). There seems to be an issue on the Cloudflared side handling redirects that I cannot see.
Another note: debug flows and packet captures all show everything working correctly on the firewall side, and if I change the tunnel to a Cloudflared one everything works. Unfortunately a Cloudflared tunnel will not work, as I need the CGNAT space offered by Warp Connect tunnels to map identities.
Client Warp Version 2024.12.492 Windows 11 23h2
Connector Warp Version 2025.1.861 Debian 12 6.1.0
You might want to confirm that the traffic coming into the web server isn’t hitting an asynchronous route, i.e., coming in through the connector but the return takes a direct path to your gateway, compared to back to the Warp connector.
There are separate profiles for the Warp connector tunnels and the Warp clients. The clients receive a profile with the split tunnel include destinations for the remote networks and the CGNAT space; the connector has a split tunnel include for the CGNAT space 100.96.0.0/12 only. The FW sees the traffic coming from the CGNAT space and has a static route that goes back to the Warp connector tunnel. The FW doesn’t allow WAN access on those networks and all the routes are explicitly defined, so I’m not sure how it could be asynchronous. Good idea though, thanks for the thought.
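The return-path check suggested in the reply above can be run offline against an exported routing table. This is an added example, not part of the original thread: only 100.96.0.0/12 comes from the posts, while the connector address, the other prefixes and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data. Only 100.96.0.0/12 (the CGNAT range) is from the
# thread; every next hop and every other prefix here is hypothetical.
CONNECTOR = "10.0.0.5"  # assumed LAN address of the WARP Connector host
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1"),      # default route towards the WAN
    ("100.96.0.0/12", CONNECTOR),      # static route back to the connector
    ("100.96.16.0/20", "10.0.0.254"),  # more specific route shadowing part of it
]


def next_hop(routes, addr):
    """Longest-prefix match: return (network, next_hop) or None if no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best


def asymmetric_sources(routes, sources, connector):
    """List client sources whose replies would NOT be sent via the connector.

    Each entry is (source, winning_prefix, next_hop); prefix and hop are
    None when the table has no route for that source at all.
    """
    findings = []
    for src in sources:
        match = next_hop(routes, src)
        if match is None:
            findings.append((src, None, None))
        elif match[1] != connector:
            findings.append((src, str(match[0]), match[1]))
    return findings


if __name__ == "__main__":
    # Constructed client addresses as they might appear in firewall logs.
    seen = ["100.96.0.10", "100.96.17.3", "100.111.255.1", "100.112.0.1"]
    for src, prefix, hop in asymmetric_sources(ROUTES, seen, CONNECTOR):
        print(f"{src}: reply leaves via {hop} (matched {prefix}), not the connector")
```

A source that shows up in the output is one whose replies the firewall would send somewhere other than the connector, which would produce the one-sided flow seen in the captures.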