Added useful info when using WARP on a tightly-firewalled corporate network #12509
@@ -10,16 +10,22 @@ If your organization uses a firewall or other policies to restrict or intercept | |
|
||
## Client orchestration API | ||
|
||
The WARP client talks with our edge via a standard HTTPS connection outside the tunnel for operations like registration or settings changes. To perform these operations, you must allow `zero-trust-client.cloudflareclient.com` which will lookup the following IP addresses: | ||
Prior to connection, the WARP client talks with our edge via a standard HTTPS connection **outside the tunnel** for operations like registration and settings changes. | ||
|
||
Connections to the API will honour the system proxy settings (if configured), however it is recommended that the connections bypass any proxy and are allowed to be made directly. In this case you must allow `zero-trust-client.cloudflareclient.com` which will resolve to the following IP addresses: | ||
Reviewer comment: Let's hold off on this for now.
||
|
||
{{<render file="warp/_client-orchestration-ips.md">}} | ||
|
||
Once the tunnel has been established, communication with the API will take place **inside the tunnel**, unless a proxy configuration (e.g. PAC file) says otherwise. | ||
Reviewer comment: This is inaccurate. Orchestration API and DoH traffic is always outside the tunnel.
||
|
||
## DoH IP | ||
|
||
All DNS requests through WARP are sent outside the tunnel via DoH (DNS over HTTPS). The following IP addresses must be reachable for DNS to work correctly. | ||
|
||
{{<render file="warp/_doh-ips.md">}} | ||
|
||
DoH requests are always sent directly and will not use a proxy server, even if one is configured for the system. | ||
Reviewer comment: Let's leave this out for now.
||
|
||
### Android devices | ||
|
||
If you are deploying the Cloudflare One Agent on Android/ChromeOS, you must also add `cloudflare-dns.com` to your firewall exception list. On Android/ChromeOS devices, WARP uses `cloudflare-dns.com` to resolve domains on your [Split Tunnel list](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#domain-based-split-tunnels). | ||
|
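Review bot: The added sentence "Once the tunnel has been established, communication with the API will take place **inside the tunnel**, unless a proxy configuration (e.g. PAC file) says otherwise." contradicts the new opening paragraph of the same section, which says the client reaches the edge outside the tunnel, and the reviewer's comment on that line states that orchestration API and DoH traffic is always outside the tunnel. Drop the sentence, or reword it so the section says plainly that `zero-trust-client.cloudflareclient.com` must stay reachable outside the tunnel for the whole session; as written, an administrator could scope the firewall exception to the pre-connection phase only and break later settings changes. The two proxy statements ("Connections to the API will honour the system proxy settings" and "DoH requests are always sent directly and will not use a proxy server") describe client behaviour the reviewer has asked to hold back; keep them out until that behaviour is confirmed, since a wrong statement here translates directly into blocked registrations or DNS on proxied networks.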
@@ -56,9 +62,9 @@ The following domains are used as part of our captive portal check: | |
|
||
## Connectivity check | ||
|
||
As part of establishing the WARP connection, the client will check the following URLs to validate a successful connection: | ||
As part of establishing the WARP connection, the client will check the following HTTPS URLs to validate a successful connection: | ||
|
||
- `engage.cloudflareclient.com` verifies general Internet connectivity outside of the WARP tunnel. | ||
- `engage.cloudflareclient.com` verifies general Internet connectivity outside of the WARP tunnel. These requests are always sent directly and will not use a proxy server, even if one is configured for the system. Resolves to `162.159.192.1` and `2606:4700:d0::a29f:c001`. | ||
Reviewer comment: Pending our QA team checking re the proxy comment. We aren't doing anything special here so need to investigate if this is specific to certain configurations or if this is just how Windows decides to handle things. We should document that the IPs engage.cloudflareclient.com use though are whatever WARP Ingress IP we connect to. It isn't always what is in this PR, but could be anything in the WARP Ingress IPv4/24 or IPv6/48 range.
||
- `connectivity.cloudflareclient.com` verifies connectivity inside of the WARP tunnel. Because this check happens inside of the tunnel, you do not need to add `connectivity.cloudflareclient.com` to your firewall allowlist. | ||
|
||
## NEL reporting | ||
|
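Review bot: The new bullet pins `engage.cloudflareclient.com` to two fixed addresses (`162.159.192.1` and `2606:4700:d0::a29f:c001`), but the reviewer's comment on the same line says the address actually used is whichever WARP ingress IP the client connected to, which can be anything in the WARP ingress IPv4 /24 or IPv6 /48 range. An allowlist built from the two literal addresses will fail intermittently as clients land on other ingress IPs, so replace them with a statement that the connectivity check goes to the connected WARP ingress IP and reference those ingress ranges instead of hardcoding values in this bullet. The "always sent directly and will not use a proxy server" claim is marked pending QA in the thread; hold it until verified. Changing "URLs" to "HTTPS URLs" in the intro line is a useful clarification for writing port-specific firewall rules and can stay.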
@@ -74,7 +80,12 @@ If your organization does not currently allow inbound/outbound communication ove | |
- macOS: `/Applications/Cloudflare WARP.app/Contents/Resources/CloudflareWARP` | ||
|
||
### Optional scopes | ||
To run [Digital Experience Monitoring tests](/cloudflare-one/insights/dex/tests/), you will also need to allow the `warp-dex` process to generate network traffic to your target destinations: | ||
To run [Digital Experience Monitoring tests](/cloudflare-one/insights/dex/tests/), you will need to allow the `warp-dex` process to generate network traffic to your target destinations: | ||
|
||
- Windows: `C:\Program Files\Cloudflare\Cloudflare WARP\warp-dex.exe` | ||
- macOS: `/Applications/Cloudflare WARP.app/Contents/Resources/warp-dex` | ||
|
||
In order to allow the network connectivity tests within the WARP GUI to function reliably, you will also need to allow the userspace GUI to generate network traffic: | ||
Reviewer comment: This is a good addition we should keep.
||
|
||
- Windows: `C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe` | ||
- macOS: `/Applications/Cloudflare WARP.app` |
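Review bot: The macOS entry in the new GUI paragraph, `/Applications/Cloudflare WARP.app`, is an application bundle directory, whereas every other entry in this section (`CloudflareWARP`, `warp-dex`) points at an executable inside the bundle. Firewall products that match on executable path may not match a bundle, so either list the GUI binary's path inside the bundle (not shown in this diff, so it needs confirming against a real install) or state explicitly that the bundle path is what the firewall product should be given. Consider also saying what the GUI connectivity tests connect to, since "generate network traffic" gives an administrator nothing to scope an allow rule to. Dropping "also" from the `warp-dex` sentence reads fine now that it sits under its own "Optional scopes" heading.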
Reviewer comment: Let's hold off on this for now.