Added useful info when using WARP on a tightly-firewalled corporate network #12509
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jamie-sandbox
requested review from
kennyj42,
abelinkinbio,
kkrum,
janani-cr and
a team
as code owners
|
Any progress on this?
…________________________________
From: ranbel ***@***.***>
Sent: 29 January 2024 4:31 PM
To: cloudflare/cloudflare-docs ***@***.***>
Cc: jamie-sandbox ***@***.***>; Author ***@***.***>
Subject: Re: [cloudflare/cloudflare-docs] Added useful info when using WARP on a tightly-firewalled corporate network (PR #12509)
@dh-cf<https://github.com/dh-cf>
—
Reply to this email directly, view it on GitHub<#12509 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BEHRKDBWUHZ5RAQVI7RJRLDYQ7FGTAVCNFSM6AAAAABBZAM7TSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMJVGA4DAMBWHE>.
You are receiving this because you authored the thread.Message ID: ***@***.***>
|
|
This PR is awaiting a technical review from the WARP team. |
|
@aw-cf Could someone on your team help review this PR? |
kkrum
requested changes
Apr 4, 2024
|
|
||
| - Windows: `C:\Program Files\Cloudflare\Cloudflare WARP\warp-dex.exe` | ||
| - macOS: `/Applications/Cloudflare WARP.app/Contents/Resources/warp-dex` | ||
|
|
||
| In order to allow the network connectivity tests within the WARP GUI to function reliably, you will also need to allow the userspace GUI to generate network traffic: |
There was a problem hiding this comment.
This is a good addition we should keep
|
|
||
| - `engage.cloudflareclient.com` verifies general Internet connectivity outside of the WARP tunnel. | ||
| - `engage.cloudflareclient.com` verifies general Internet connectivity outside of the WARP tunnel. These requests are always sent directly and will not use a proxy server, even if one is configured for the system. Resolves to `162.159.192.1` and `2606:4700:d0::a29f:c001`. |
There was a problem hiding this comment.
Pending our QA team checking re the proxy comment. We aren't doing anything special here so need to investigate if this is specific to certain configurations or if this is just how Windows decides to handle things.
We should document that the ips engage.cloudflareclient.com use though are whatever WARP Ingress IP we connect to. It isn't always what is in this PR, but could be anything in the WARP Ingress IPv4/24 or IPv6/48 range
| ## DoH IP | ||
|
|
||
| All DNS requests through WARP are sent outside the tunnel via DoH (DNS over HTTPS). The following IP addresses must be reachable for DNS to work correctly. | ||
|
|
||
| {{<render file="warp/_doh-ips.md">}} | ||
|
|
||
| DoH requests are always sent directly and will not use a proxy server, even if one is configured for the system. |
|
|
||
| {{<render file="warp/_client-orchestration-ips.md">}} | ||
|
|
||
| Once the tunnel has been established, communication with the API will take place **inside the tunnel**, unless a proxy configuration (e.g. PAC file) says otherwise. |
There was a problem hiding this comment.
This is inaccurate. Orchestration API and DoH traffic is always outside the tunnel.
| @@ -10,16 +10,22 @@ If your organization uses a firewall or other policies to restrict or intercept | |||
|
|
|||
| ## Client orchestration API | |||
|
|
|||
| The WARP client talks with our edge via a standard HTTPS connection outside the tunnel for operations like registration or settings changes. To perform these operations, you must allow `zero-trust-client.cloudflareclient.com` which will lookup the following IP addresses: | |||
| Prior to connection, the WARP client talks with our edge via a standard HTTPS connection **outside the tunnel** for operations like registration and settings changes. | |||
There was a problem hiding this comment.
Lets hold off on this for now
| The WARP client talks with our edge via a standard HTTPS connection outside the tunnel for operations like registration or settings changes. To perform these operations, you must allow `zero-trust-client.cloudflareclient.com` which will lookup the following IP addresses: | ||
| Prior to connection, the WARP client talks with our edge via a standard HTTPS connection **outside the tunnel** for operations like registration and settings changes. | ||
|
|
||
| Connections to the API will honour the system proxy settings (if configured), however it is recommended that the connections bypass any proxy and are allowed to be made directly. In this case you must allow `zero-trust-client.cloudflareclient.com` which will resolve to the following IP addresses: |
There was a problem hiding this comment.
Lets hold off on this for now
|
addressed in #14682 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Added useful info learned from hours of debugging and reverse-engineering when setting up WARP on a tightly-firewalled corporate network.