Creating a WireGuard profile for Cloudflare Warp

Connecting to Cloudflare Warp directly via wg gives you more flexibility and helps in some specific scenarios. For example, the Warp client, warp-cli, refuses to establish a connection if it can't override /etc/resolv.conf. By connecting directly using WireGuard, you keep control over DNS configuration and the rest of the tunnel setup.

The first step is to install warp-cli and register using warp-cli register. This creates the WireGuard private key used for the connection and registers it with Cloudflare. The private key can be found in /usr/lib/cloudflare-warp/reg.json. The endpoint data and Cloudflare's public key should be constant. Alternative endpoints are listed in /usr/lib/cloudflare-warp/conf.json.

Adjust the following template accordingly, and put it in /etc/wireguard/warp.conf:

[Interface]
PrivateKey = XXXXXXXXXXXX  
Address = 172.16.0.2/32
Address = 2606:4700:110:892f:607d:85a6:5e07:70cf/128
[Peer]
PublicKey = bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = engage.cloudflareclient.com:2408

You can start the tunnel using

$ sudo wg-quick up warp

Alternatively, you can import it into NetworkManager, which lets you start it from the Gnome Quick Settings.

$ sudo nmcli connection import type wireguard file /etc/wireguard/warp.conf

You can check that the tunnel works by visiting https://www.cloudflare.com/cdn-cgi/trace/ and looking for the line that says warp=on.
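
The two checks above can be scripted. The following is an added example, not part of the original post: check_profile and warp_state are hypothetical helper names, and SAMPLE_TRACE is a constructed sample of the trace output. It verifies that the profile is not accessible to group/other (it holds the private key), that the XXXXXXXXXXXX placeholder was replaced by a real 32-byte key, and it extracts the warp= value from the trace page.

```shell
#!/bin/sh
# Added example: sanity checks for the wg-quick profile and the trace output.

# check_profile FILE: return 0 if the profile passes the checks,
# otherwise print the reason to stderr and return 1.
check_profile() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    # The profile contains the private key, so group and other must have
    # no permissions at all (characters 5-10 of the ls mode string).
    perms=$(ls -ld -- "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$f is accessible to group/other" >&2; return 1; }
    # Extract the PrivateKey value and drop surrounding whitespace.
    key=$(sed -n 's/^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*//p' "$f" | tr -d '[:space:]')
    # A WireGuard key is 32 bytes, base64-encoded; the template placeholder is not.
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" = 32 ] || { echo "PrivateKey is not a 32-byte base64 key" >&2; return 1; }
    return 0
}

# warp_state: read the cdn-cgi/trace output on stdin and print the warp= value.
warp_state() {
    sed -n 's/^warp=//p' | tr -d '\r'
}

# Constructed sample of the key=value trace format, for offline use.
SAMPLE_TRACE='h=www.cloudflare.com
ip=203.0.113.7
warp=on'

# Live usage, after sourcing this file:
#   sudo sh -c '. ./warpcheck.sh; check_profile /etc/wireguard/warp.conf'
#   curl -s https://www.cloudflare.com/cdn-cgi/trace/ | warp_state
```

If check_profile complains about permissions, sudo chmod 600 /etc/wireguard/warp.conf fixes it.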
