Connecting to Cloudflare Warp directly via wg can have advantages in flexibility or in specific scenarios. For example, the Warp client, warp-cli, refuses to establish a connection if it can’t override /etc/resolv.conf. By connecting directly using WireGuard, you get control over all that.
The first step is to install warp-cli and register using warp-cli register. This will create the WireGuard private key used for the connection and register it with Cloudflare. The private key can be found in /var/lib/cloudflare-warp/reg.json. The endpoint data and Cloudflare’s public key should be constant. Alternative endpoints are listed in
An easy way to read the JSON configuration files is using
$ sudo jq . /var/lib/cloudflare-warp/conf.json
Adjust the following template accordingly, and put it in
[Interface]
PrivateKey = XXXXXXXXXXXX
Address = 172.16.0.2/32
Address = 2606:4700:110:892f:607d:85a6:5e07:70cf/128

[Peer]
PublicKey = bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = engage.cloudflareclient.com:2408
You can start the tunnel using
$ sudo wg-quick up warp
Alternatively, you can import it into NetworkManager and then start it easily from the GNOME Quick Settings.
$ sudo nmcli connection import type wireguard file /etc/wireguard/warp.conf
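A pre-flight check for the profile before wg-quick or NetworkManager uses it, as an added example that is not part of the original post: it verifies that the file holding the private key has no group or other permission bits, that the XXXXXXXXXXXX placeholder was replaced with a real 32-byte key, and that AllowedIPs routes both IPv4 and IPv6 through the tunnel. The function names and the sample produced by write_sample are constructed for illustration, and GNU stat and base64 are assumed.

```shell
# Added example: lint a WireGuard profile before wg-quick/nmcli uses it.
# Assumes GNU stat and base64 (Linux, as on the page).

# Print the value of the first "Key = value" line for key $2 in file $1.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# A WireGuard key is 32 bytes: 44 base64 characters.
is_wg_key() {
    [ "${#1}" -eq 44 ] &&
        [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)" -eq 32 ]
}

# Return 0 if every check passes, 1 if any fails, 2 if the file is unreadable.
check_warp_conf() {
    conf=$1 rc=0
    # The file contains the private key: no group/other permission bits.
    mode=$(stat -c '%a' "$conf") || return 2
    case $mode in
        *00) ;;
        *) echo "FAIL: mode $mode, run: chmod 600 $conf"; rc=1 ;;
    esac
    is_wg_key "$(conf_get "$conf" PrivateKey)" ||
        { echo "FAIL: PrivateKey missing or still the placeholder"; rc=1; }
    is_wg_key "$(conf_get "$conf" PublicKey)" ||
        { echo "FAIL: PublicKey is not a 32-byte key"; rc=1; }
    # Both default routes must be listed, or that family bypasses the tunnel.
    allowed=$(conf_get "$conf" AllowedIPs | tr -d ' ')
    for net in 0.0.0.0/0 ::/0; do
        case ",$allowed," in
            *",$net,"*) ;;
            *) echo "FAIL: $net not in AllowedIPs"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the page's template, file $1, key $2, AllowedIPs $3.
write_sample() {
    printf '%s\n' '[Interface]' "PrivateKey = $2" 'Address = 172.16.0.2/32' \
        '[Peer]' 'PublicKey = bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=' \
        "AllowedIPs = $3" 'Endpoint = engage.cloudflareclient.com:2408' > "$1"
}

# Usage: sudo sh check-warp.sh /etc/wireguard/warp.conf
[ $# -eq 0 ] || check_warp_conf "$1"
```

A non-zero exit status means the profile should be fixed before the tunnel is started.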
You can easily check that the tunnel works by visiting https://www.cloudflare.com/cdn-cgi/trace/ and looking for the line that says
Sometimes, IPv4 won’t work while IPv6 works. Restarting the VPN several times can resolve the issue.
$ while ! ping -w1 -c1 126.96.36.199; do sudo wg-quick down warp; sudo wg-quick up warp; done
$ while ! ping -w1 -c1 188.8.131.52; do nmcli connection down warp; nmcli connection up warp; done
Disabling the Cloudflare client
The Cloudflare client might interfere with the WireGuard profile. It’s best to disable it:
$ sudo systemctl disable --now warp-svc.service
$ systemctl --user disable --now warp-taskbar.service