
nixos/cloudflare-warp: init #168092

Closed

Conversation

WolfangAukang
Contributor

Description of changes

Creating module based on #148395

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@CMCDragonkai
Member

Does enabling this service change your iptables rules and would it impact tailscale exit node configuration?

@WolfangAukang
Contributor Author

@CMCDragonkai This is a good question. I can check this later and provide a response, at least regarding iptables.

@CMCDragonkai
Member

Did you find out?

@WolfangAukang
Contributor Author

WolfangAukang commented Apr 28, 2022

Sorry for the late response, I was able to check the iptables and there were no changes. For the other one I wasn't able to check it out.

@poita66
Contributor

poita66 commented Apr 29, 2022

I just tried running warp on NixOS (using the package, not the module) and I see this a lot in the warp-svc output:

ERROR warp::firewall::linux: Failed to start firewall: Os { code: 2, kind: NotFound, message: "No such file or directory" }

Does this indicate that it's trying to modify iptables rules and failing? And by extension why you saw no iptables changes?

EDIT: Using strace I've found that warp-svc tries to execute nft (from nftables package). This should be added to the dependencies of the cloudflare-warp package

@WolfangAukang
Contributor Author

Does this indicate that it's trying to modify iptables rules and failing?

I would believe so, or I might be running the wrong command to see the rules. Let me try to fix that. I haven't seen that error on the logs though, so I'm going to try to dedicate some time further to check this. Will set this as a draft.

@WolfangAukang WolfangAukang marked this pull request as draft April 29, 2022 12:38
@CMCDragonkai
Member

Note that I believe NixOS uses a compatibility of iptables commands that actually interact with the underlying nftables system.

@CMCDragonkai
Member

Since it does automatic iptables/nftables manipulation, it would be important to check if it creates rules that are compatible with the existing nixos firewall. Tailscale does it well with no conflicts.

@WolfangAukang
Contributor Author

WolfangAukang commented Jun 1, 2022

I still need to figure out the issue pointed out by @poita66. I have added nftables as a build input (tried both native and the "normal") and the error still persists. But maybe I need to wrap the warp-svc as done on tailscale. Will update you soon.

UPDATE: Effectively, warp-svc needs to be wrapped. With that, the error is gone.

@WolfangAukang
Contributor Author

And yeah, by using warp-cli connect and listing the tables generated, I can see the ones from cloudflare-warp:

·> doas nft list tables
table inet cloudflare-warp

·> doas nft list table inet cloudflare-warp
table inet cloudflare-warp {
        chain input {
                type filter hook input priority filter; policy drop;
                iif "lo" accept
                iif "CloudflareWARP" accept
                meta nfproto ipv4 udp sport 67 udp dport 68 accept
                ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept
                meta l4proto ipv6-icmp accept
                icmp type destination-unreachable accept
                icmp type time-exceeded accept
                ip saddr 172.64.156.22 tcp sport 443 accept
                ip saddr 104.18.47.234 tcp sport 443 accept
                ip saddr 162.159.192.6 accept
                ip6 saddr 2606:4700:d0::a29f:c006 accept
                ip saddr 10.0.0.0/8 accept
                ip saddr 100.64.0.0/10 accept
                ip saddr 169.254.0.0/16 accept
                ip saddr 172.16.0.0/12 accept
                ip saddr 192.0.0.0/24 accept
                ip saddr 192.168.0.0/16 accept
                ip saddr 224.0.0.0/24 accept
                ip saddr 240.0.0.0/4 accept
                ip saddr 255.255.255.255 accept
                ip6 saddr fe80::/10 accept
                ip6 saddr fd00::/8 accept
                ip6 saddr ff01::/16 accept
                ip6 saddr ff02::/16 accept
                ip6 saddr ff03::/16 accept
                ip6 saddr ff04::/16 accept
                ip6 saddr ff05::/16 accept
        }

        chain output {
                type filter hook output priority filter; policy drop;
                oif "lo" accept
                oif "CloudflareWARP" accept
                ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport 68 udp dport 67 accept
                ip6 saddr fe80::/10 ip6 daddr ff02::1:2 udp sport 546 udp dport 547 accept
                ip6 saddr fe80::/10 ip6 daddr ff05::1:3 udp sport 546 udp dport 547 accept
                meta l4proto ipv6-icmp accept
                ip daddr 172.64.156.22 tcp dport 443 accept
                ip daddr 104.18.47.234 tcp dport 443 accept
                ip daddr 162.159.192.6 accept
                ip6 daddr 2606:4700:d0::a29f:c006 accept
                ip daddr 10.0.0.0/8 accept
                ip daddr 100.64.0.0/10 accept
                ip daddr 169.254.0.0/16 accept
                ip daddr 172.16.0.0/12 accept
                ip daddr 192.0.0.0/24 accept
                ip daddr 192.168.0.0/16 accept
                ip daddr 224.0.0.0/24 accept
                ip daddr 240.0.0.0/4 accept
                ip daddr 255.255.255.255 accept
                ip6 daddr fe80::/10 accept
                ip6 daddr fd00::/8 accept
                ip6 daddr ff01::/16 accept
                ip6 daddr ff02::/16 accept
                ip6 daddr ff03::/16 accept
                ip6 daddr ff04::/16 accept
                ip6 daddr ff05::/16 accept
        }
}
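The reviewers above asked whether warp's rules can conflict with the existing NixOS firewall. The listing shows why that matters: both of warp's base chains sit on the input/output hooks with `policy drop`, and in nftables every base chain on a hook evaluates the packet, so a drop in warp's table wins even when another table accepted. This added example (not part of the PR or the cloudflare-warp package) parses `nft list table` output and flags such chains; the sample is an abridged, constructed version of the listing above.

```python
import re

# Abridged sample modelled on the `nft list table inet cloudflare-warp` output quoted
# in the thread (constructed for this example, not a live capture).
SAMPLE = """\
table inet cloudflare-warp {
        chain input {
                type filter hook input priority filter; policy drop;
                iif "lo" accept
                iif "CloudflareWARP" accept
                ip saddr 10.0.0.0/8 accept
        }
        chain output {
                type filter hook output priority filter; policy drop;
                oif "CloudflareWARP" accept
                ip daddr 162.159.192.6 accept
        }
}
"""

CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+(\S+);\s*policy\s+(\w+);")


def parse_nft_table(text):
    """Parse `nft list table` output into {chain: {type, hook, priority, policy, rules}}."""
    chains, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = dict(type=None, hook=None, priority=None, policy=None, rules=[])
            continue
        if current is None or stripped in ("", "}"):
            continue  # table header, blank lines and closing braces carry no rules
        t = TYPE_RE.match(line)
        if t:  # base-chain declaration: this chain is attached to a netfilter hook
            chains[current].update(zip(("type", "hook", "priority", "policy"), t.groups()))
            continue
        chains[current]["rules"].append(stripped)
    return chains


def audit_drop_chains(chains):
    """Names of base chains whose default policy is drop. Every base chain on a hook
    sees the packet, so a drop here wins even if another table (e.g. the NixOS
    firewall's own) accepted it; that is the conflict the reviewers asked about."""
    return sorted(n for n, c in chains.items() if c["hook"] and c["policy"] == "drop")
```

Run it against the live output of `nft list table inet cloudflare-warp` to see which of your own firewall's accepts can be silently overridden while warp is connected.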

@WolfangAukang WolfangAukang marked this pull request as ready for review June 1, 2022 03:19
@WolfangAukang WolfangAukang force-pushed the cloudflare-warp-mod branch 2 times, most recently from db6291e to 9c05f0a Compare June 1, 2022 17:28
@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/891

@WolfangAukang
Contributor Author

Fair enough. Can you please throw a review @psibi?

@psibi
Member

psibi commented Sep 8, 2022

@WolfangAukang I tested it, it doesn't seem to work. Sorry for leading you down the wrong path.

Looking into the cloudflare forum, it seems to be a similar case for other distros: https://community.cloudflare.com/t/disable-warp-svc-debug-logs/382246

I think we should just undo this commit and get this PR merged as this is usable in the current state and is on par with what's available in other distributions.

@WolfangAukang WolfangAukang force-pushed the cloudflare-warp-mod branch 2 times, most recently from 3be944c to 6af0893 Compare September 8, 2022 22:20
@WolfangAukang
Contributor Author

No worries at all @psibi. Somehow the complaint by @crinklywrappr is pretty much common between WARP users, and Cloudflare hasn't provided any response (at least from what I have searched so far) on how to control the log level, leading to bloated logs (as indicated here).

@crinklywrappr
Contributor

I was tagged. Hey @WolfangAukang any thoughts on my PR? WolfangAukang#1

Ooo... it has conflicts now. I don't really have time to deal with them atm.

@WolfangAukang
Contributor Author

@crinklywrappr I didn't see that PR was pointing to my fork, my bad. Going to check it.

@WolfangAukang WolfangAukang marked this pull request as draft October 8, 2022 18:20
@WolfangAukang WolfangAukang force-pushed the cloudflare-warp-mod branch 3 times, most recently from 4e9a269 to 56ebe23 Compare October 8, 2022 18:40
@WolfangAukang WolfangAukang marked this pull request as ready for review October 10, 2022 15:25
@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/cant-start-cloudflare-warp-cli/23267/2

@WolfangAukang
Contributor Author

As there haven't been any checks on this PR, I moved it to my personal repo and will close this.

@WolfangAukang WolfangAukang deleted the cloudflare-warp-mod branch February 7, 2023 12:38
@boozedog
Contributor

boozedog commented Feb 7, 2023

@WolfangAukang can you share instructions on how we can use it from your personal repo? Thanks!

@WolfangAukang
Contributor Author

@WolfangAukang can you share instructions on how we can use it from your personal repo? Thanks!

Add my repo to your flake inputs (remember it must be in the git+https format and reference the main branch). From there, you can reference it from the nixosModules. For example, if you set it as wolfangaukang on your inputs, then on the modules list of the server you want to build, add wolfangaukang.nixosModules.cloudflare-warp.

@arthurk
Contributor

arthurk commented Feb 16, 2023

I've just tried the service module from @WolfangAukang's personal repo and everything worked well. Just had to manually download the cloudflare root certificate and specify the path in the config. Not sure why this PR wasn't merged.

@tshakah

tshakah commented Mar 20, 2023

It mostly works well, but I get an error about Warp being unable to overwrite the DNS servers:

ERROR main_loop: warp::warp::dns_recovery::unix: Error setting DNS servers Os { code: 30, kind: ReadOnlyFilesystem, message: "Read-only file system" }

@tuliolima

I had the same error as @tshakah. Could there be a missing write permission?

@tshakah

tshakah commented May 2, 2023

I run sudo warp-svc manually when I need the DNS override and that works

@tuliolima

Thanks, @tshakah! It worked for me.
But I am still looking for a way to give this permission with the service configuration.

@tshakah

tshakah commented Jul 27, 2023

This has stopped working for me (I think as of the 23.05 release)

@evanrichter
Contributor

This has stopped working for me (I think as of the 23.05 release)

it's certainly working for me on 23.05

(I'm just using sudo warp-svc for dns support however)
