
Service Token auth

Open gunzino opened this issue 1 year ago • 9 comments

Hello,

Would it be possible to implement Service Token auth for "WARP Connector"? This would allow us to create a true Site-to-Site VPN with pure WireGuard.

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/warp-connector/

gunzino, Jul 26 '24 05:07

I'll have to research it; I don't know what this is.

rany2, Jul 26 '24 22:07

I attempted using the CF_Authorization cookie obtained by authorizing with a service token at the TEAMNAME.cloudflareaccess.com/warp endpoint. However, it seems the current version of the warp.sh script isn't compliant with this authorization method. The following error is returned:

curl: (22) The requested URL returned error: 500

MeesJ, Aug 20 '24 18:08

I doubt that that cookie is used to obtain a WG config. I'll have a look myself but my assumption is that everything is going to be different in terms of generating the config and it will not be a straightforward modification.

rany2, Aug 22 '24 15:08

I doubt that that cookie is used to obtain a WG config

Not directly, but the output of that cookie returns a JWT token as usual (https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/).

MeesJ, Aug 24 '24 23:08
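The flow MeesJ describes above (present a service token to the team's /warp endpoint, receive a CF_Authorization cookie whose value is a JWT), written out as an added example. This is not code from warp.sh, from this thread, or from Cloudflare; it assumes the team domain is `<team>.cloudflareaccess.com`, that the service token is sent in the `CF-Access-Client-Id` / `CF-Access-Client-Secret` headers, that the endpoint sets the cookie on the response (possibly a 3xx), and that a service-token JWT carries a `common_name` claim. The sample token and Set-Cookie value are constructed so the claim checks run offline; the JWT signature is deliberately not verified here (that needs the team's JWKS), so the claims are read for inspection only.

```python
import base64
import json
import time
import urllib.error
import urllib.request
from typing import Optional


def access_headers(client_id: str, client_secret: str) -> dict:
    """Headers Cloudflare Access expects for service-token authentication."""
    return {
        "CF-Access-Client-Id": client_id,
        "CF-Access-Client-Secret": client_secret,
    }


def cookie_from_set_cookie(set_cookie: str, name: str = "CF_Authorization") -> Optional[str]:
    """Extract one cookie's value from a Set-Cookie header value."""
    for part in set_cookie.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value or None
    return None


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. No signature check: the claims are
    read for inspection only and must not drive an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_access_jwt(token: str, team: str, now: Optional[float] = None) -> dict:
    """Cheap sanity checks before reusing a CF_Authorization token: issued by
    this team's Access domain and not expired. Returns the claims plus a list
    of problems (empty when the token looks usable)."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != f"https://{team}.cloudflareaccess.com":
        problems.append("issuer mismatch")
    if float(claims.get("exp", 0)) <= now:
        problems.append("expired")
    return {"ok": not problems, "problems": problems, "claims": claims}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # The cookie may be set on a 3xx response, so do not follow redirects.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_warp_cookie(team: str, client_id: str, client_secret: str) -> Optional[str]:
    """Live call (network required, assumed endpoint): present the service
    token to /warp and return the CF_Authorization cookie value, if any."""
    req = urllib.request.Request(
        f"https://{team}.cloudflareaccess.com/warp",
        headers=access_headers(client_id, client_secret),
    )
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        resp = opener.open(req, timeout=15)
    except urllib.error.HTTPError as err:  # a 3xx surfaces as HTTPError here
        resp = err
    for value in resp.headers.get_all("Set-Cookie") or []:
        cookie = cookie_from_set_cookie(value)
        if cookie:
            return cookie
    return None


# Constructed sample data (not a real token): an unsigned JWT with the claims
# an Access token is assumed to carry, wrapped in a Set-Cookie header value.
SAMPLE_CLAIMS = {
    "iss": "https://example-team.cloudflareaccess.com",
    "iat": 1700000000,
    "exp": 1700086400,
    "common_name": "0123456789abcdef.access",  # service-token Client ID (assumption)
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "sig",
])
SAMPLE_SET_COOKIE = f"CF_Authorization={SAMPLE_TOKEN}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    token = cookie_from_set_cookie(SAMPLE_SET_COOKIE)
    print(check_access_jwt(token, "example-team", now=1700000100))
```

The claim checks are only a guard against reusing a stale or wrong-team cookie in a script; anything that trusts the token (as the WireGuard registration step would) must verify its signature against the team's published keys.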

@MeesJ I did get this working (Cloudflare ZT/Teams w/ Service Auth) by pulling information from the cloudflare warp linux client. I can provide feedback here or we can start a group chat if we're interested in getting this working natively in this script.

My UDM Pro Max is natively connected via its wireguard client to cloudflare.

[image attached]

Gumbees, Aug 27 '24 02:08

@GaryChicago Do you know how to MITM it? warp-svc on Linux seems to embed the trusted certificates into the binary itself so it's not trivial to modify it. If you have any tips I'd appreciate it.

rany2, Sep 26 '24 10:09

You can try my own WARP Connector config extractor: https://github.com/AnimMouse/wgcf-connector

AnimMouse, Jan 11 '25 18:01

@AnimMouse how does WARP Connector differ from WARP teams? Is there any advantage to using it over Teams auth? I'm asking because currently Teams has the advantage of not reporting any TCP port as being open whereas unauthenticated Warp does.

rany2, Jan 11 '25 18:01

@rany2

how does WARP Connector differ from WARP teams? Is there any advantage to using it over Teams auth?

WARP Connector is basically WARP teams but with the added feature of being able to route an entire subnet (just like cloudflared) so that a site-to-site VPN is possible. The connection to Cloudflare is basically the same, the only difference is WARP Connector uses warp_connector@<your-team-name>.cloudflareaccess.com as email.

I'm asking because currently Teams has the advantage of not reporting any TCP port as being open whereas unauthenticated Warp does.

Yes, WARP Connector and WARP teams are the same when it comes to that.

AnimMouse, Jan 12 '25 04:01