How To Set up Cloudflare Warp on OpenBSD

Published: 5 years ago
Content by Rodney

What is Cloudflare Warp?

Cloudflare were already running global internet infrastructure as part of their regular business when they set up Warp. Offering a VPN service on top did not significantly change the costs of the network that already existed under their business model.

Cloudflare runs BoringTun, which is their own implementation of the WireGuard protocol, coded in Rust. WireGuard is a modern, secure VPN protocol. It eschews compatibility with existing services in favour of providing cutting edge security. This how-to takes you through creating Cloudflare Warp credentials and setting up the service on your OpenBSD machine. You do not need to provide any personal information (email, for example) to be able to set up and use Cloudflare Warp.

Why Use Cloudflare Warp on OpenBSD?

There is currently no official version of Cloudflare Warp for OpenBSD, though you should download the official 1.1.1.1 App if you want to use Warp on your Mac, Phone or PC. We will use an unofficial CLI in this how-to. A typical use case would be to add Cloudflare Warp to an existing self-hosted VPN providing additional privacy, security, and speed.

How to Install Cloudflare Warp VPN on OpenBSD: Overview

You don't need existing Cloudflare Warp credentials to follow this guide, because we will set some up in the first step of our how-to. We are going to use the wgcf repo to create the Warp credentials. This is an unofficial, cross-platform CLI for Cloudflare Warp. Warp uses the WireGuard VPN protocol, as mentioned above. OpenBSD 6.8 comes with in-built kernel support for WireGuard. So you will need to be using OpenBSD 6.8 to follow this how-to guide. Once we have credentials, we will configure the new interface, then update kernel parameters and firewall settings. You need no expert knowledge of WireGuard, just some familiarity with using bash scripts and comfort with using git. With the introduction out of the way, let’s get on to how to set up Cloudflare Warp on OpenBSD.

How to Set up Cloudflare Warp on OpenBSD

Set up wgcf

  1. Let's start by creating a new directory to keep the files we generate. Then we change into that directory. At the command line type:
        
    mkdir warp && cd $_
  2. Next we clone the repo:
        
    git clone https://github.com/ViRb3/wgcf.git
  3. There is currently no pre-compiled OpenBSD version of wgcf on the repo. But, despite this, it is still easy to get going. First, we need to install go (assuming you do not already have it installed):
        
    pkg_add go
    Simples! With that done, let’s move on to the next step and generate some credentials so that we can use the Cloudflare Warp service.

🚀 Generate Cloudflare Warp Credentials

  1. Now we will register as a Warp user and generate credentials with the commands below. You will need to accept the Terms of Service, when prompted, to be able to complete this step.
        
    cd wgcf
    go run main.go register
    go run main.go generate
    You should now have a wgcf-profile.conf file. This contains the credentials which we will use in the next step.

🧱 Create WireGuard Configuration

  1. With OpenBSD 6.8 came a much easier way to configure WireGuard, as well as improved performance over the previous user space implementation. You put the configuration in a hostname file (like for other interfaces) and that is pretty much all you need to do. If you have other WireGuard interfaces which you want to update to use kernel support, see Thomas Ward's guide on Securely Tunnelling Traffic with WireGuard on OpenBSD. Here I will give you a configuration file without much explanation, so take a look at the guide or the OpenBSD wg man page if you are keen to learn more. OK, let's get going. Create a hostname.wg0 file and add the following to it (we will run a script in the next step to fill in the credentials, so there is no need to make any substitutions; just type it in as it is):
        
    wgkey WARP_PRIVATE_KEY
    inet WARP_ADDRESS 255.255.255.255 NONE mtu 1280 description "trans warp conduit"
    wgpeer WARP_PUBLIC_KEY wgendpoint WARP_ENDPOINT WARP_PORT wgaip 0.0.0.0/0
    !/sbin/ifconfig $if mtu 1280
    Note, we are creating an interface called wg0. Change the file extension if you need to call it something else. Also, tweak it if you want to enable IPv6. And, of course, you can change the description if you are not into Star Trek!
  2. Next, we run a script to take the parameters we generated and place them in our configuration file. Paste the following code into a new file and name it cloudflare-warp-setup.sh:
        
    #!/bin/sh
    # Fill the WARP_* placeholders in hostname.wg0 from the wgcf profile.
    HOSTNAME_FILE=hostname.wg0
    WG_CONF=wgcf-profile.conf

    # Pull each value out of the profile. Dots are escaped so that they
    # only match a literal ".".
    WARP_ADDRESS=$(grep Address "${WG_CONF}" | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}")
    WARP_ENDPOINT=$(grep Endpoint "${WG_CONF}" | grep -Eo "([a-z]+\.)+[a-z]+")
    WARP_PORT=$(grep Endpoint "${WG_CONF}" | grep -Eo "[0-9]{3,5}$")
    WARP_PUBLIC_KEY=$(grep PublicKey "${WG_CONF}" | grep -Eo "[a-zA-Z0-9+/=]{44}$")
    WARP_PRIVATE_KEY=$(grep PrivateKey "${WG_CONF}" | grep -Eo "[a-zA-Z0-9+/=]{44}$")

    # Substitute the values into the template in place.
    sed -i "s:WARP_ADDRESS:${WARP_ADDRESS}:g" "${HOSTNAME_FILE}"
    sed -i "s:WARP_ENDPOINT:${WARP_ENDPOINT}:g" "${HOSTNAME_FILE}"
    sed -i "s:WARP_PORT:${WARP_PORT}:g" "${HOSTNAME_FILE}"
    sed -i "s:WARP_PUBLIC_KEY:${WARP_PUBLIC_KEY}:g" "${HOSTNAME_FILE}"
    sed -i "s:WARP_PRIVATE_KEY:${WARP_PRIVATE_KEY}:g" "${HOSTNAME_FILE}"
    Once the file is created, run the script:
        
    sh cloudflare-warp-setup.sh
  3. Now we move the interface specific config file to its correct location and secure it:
        
    mv hostname.wg0 /etc/.
    chown root:wheel /etc/hostname.wg0
    chmod 0640 /etc/hostname.wg0
  4. Next, we need to remember to bring the interface up. Type the command below into the terminal. Note, this is a one-off. It will automatically come up next time we reboot.
        
    sh /etc/netstart wg0
    Finally, to check the interface is up use ifconfig:
        
    ifconfig wg0
    If successful you will see something like: flags=8051<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1280 returned.
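
A check you can run on /etc/hostname.wg0 after step 3 and before bringing the interface up, as an added example that is not part of the original post. It confirms that every WARP_* placeholder was replaced, that the key, address and peer lines are well formed, and that the file is not accessible to "other". The function names and the sample values (dummy key, 192.0.2.10, endpoint.example.net) are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a hostname.wg0 built from the template above.
# Prints each problem to stderr (never the key material); returns 0 if clean.
check_hostname_wg() {
    f=$1
    rc=0
    fail() { echo "check_hostname_wg: $*" >&2; rc=1; }
    [ -r "$f" ] || { fail "cannot read $f"; return 1; }

    # A surviving placeholder means one of the grep patterns matched nothing.
    left=$(grep -Eo 'WARP_[A-Z_]+' "$f" | sort -u | tr '\n' ' ')
    [ -z "$left" ] || fail "unsubstituted placeholders: $left"

    b64='[A-Za-z0-9+/]{43}='             # 32-byte key in base64
    ip4='([0-9]{1,3}\.){3}[0-9]{1,3}'
    host='([a-z0-9-]+\.)+[a-z]+'

    # Exactly one well-formed line of each kind; "|| true" because grep -c
    # exits non-zero when the count is 0.
    n=$(grep -Ec "^wgkey $b64\$" "$f" || true)
    [ "$n" -eq 1 ] || fail "want one 'wgkey <base64 key>' line, found $n"
    n=$(grep -Ec "^inet $ip4 255\.255\.255\.255 " "$f" || true)
    [ "$n" -eq 1 ] || fail "want one 'inet <IPv4> 255.255.255.255' line, found $n"
    n=$(grep -Ec "^wgpeer $b64 wgendpoint ($host|$ip4) [0-9]{1,5} wgaip " "$f" || true)
    [ "$n" -eq 1 ] || fail "want one complete wgpeer line, found $n"

    # The file holds the private key: "other" must have no access (0640).
    other=$(ls -ld "$f" | cut -c8-10)
    [ "$other" = "---" ] || fail "other has access ($other); run chmod 0640"
    return $rc
}

# Constructed sample for trying the check: dummy key, documentation-range
# address and a placeholder endpoint name (not real Warp values).
write_sample() {
    key=$(printf '%043d=' 0)
    cat > "$1" <<EOF
wgkey $key
inet 192.0.2.10 255.255.255.255 NONE mtu 1280 description "trans warp conduit"
wgpeer $key wgendpoint ${2:-endpoint.example.net} 2408 wgaip 0.0.0.0/0
!/sbin/ifconfig \$if mtu 1280
EOF
    chmod 0640 "$1"
}
```

Source the file as root and run `check_hostname_wg /etc/hostname.wg0`; a non-zero return means the setup script left something unfilled or the permissions are too open.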

āš™ļø Set up System and pf RulesĀ #

  1. This last step varies depending on your setup. I assume you are running a self-hosted VPN with a cloud provider. We have remote devices (e.g. mobile phones, tablets, and laptops) connecting over an already established WireGuard connection, wg1. You should, of course, feel free to adjust to suit your own use case. Let me know if you would find a blog post on setting up a self-hosted OpenBSD cloud VPN useful. We want our packets sent out over Cloudflare Warp to be NAT'ed out. For that to happen, we need to allow packet forwarding and also set up pf firewall rules.
        
    sysctl net.inet.ip.forwarding=1
  2. Next we need to update the firewall rules. On a default setup, you will edit the /etc/pf.conf file. Add this line above any filtering rules:
        
    # Translation
    match out on wg0 from wg1:network to ! wg1:network nat-to wg0 port 1024:65535
    Then add this line near the bottom:
        
    # Filtering
    pass in on wg1 from wg1:network to ! wg1:network route-to (wg0 wg0:network) \
    modulate state (if-bound) tag WARP_OUT
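    This takes incoming traffic from our remote devices (that is, on interface wg1) and routes the traffic to our Cloudflare Warp interface. The traffic will be NAT'ed out by the previous rule. Don't forget to load the new pf rules. The first command below only parses the file (-n), so syntax errors show up before anything is loaded; the second loads the rules: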
        
    pfctl -nf /etc/pf.conf
    pfctl -f /etc/pf.conf

ā˜‘ļø Test theĀ VPNĀ #

  1. From one of your remote devices, try checking your IP address by going to https://icanhazip.com/. Or, search for ‘IP Address’ on DuckDuckGo instead, if you prefer. If Cloudflare Warp is working, the IP will be different to your OpenBSD machine's IP address. For a further test, go to www.cloudflare.com/ssl/encrypted-sni/ on one of your devices connected to your VPN. You should have a green check mark next to Secure DNS once the test has run. You might need another way to test the connection if you have a different use case to the one assumed. Clean up the warp directory we created earlier once you are happy everything is working.
        
    ifconfig wg0
    ifconfig wg0 debug
    wg show wg0
    ifconfig wg0 down
    sh /etc/netstart wg0
    The first three commands will show diagnostics, which you can use in order to get some clues of what the issue is. The last two can be used together to restart the interface after fixing something in the config. With everything set up, it is finally time to sit back and enjoy fast and private internet access over your devices.

šŸ™šŸ½ FeedbackĀ #

Have you found this post useful? Is there anything that I didn't explain too well? Please let me know. Also, get in touch if this post has spawned some new ideas for your next project. If you have found this post useful and can afford even a small contribution, please consider supporting me through Buy me a Coffee.

Finally, feel free to share the post on your social media accounts for all your followers who might find it useful. You can get in touch via @askRodney on Twitter and also askRodney on Telegram. Alternatively, see further ways to get in touch with Rodney Lab. We post regularly on accessible Gatsby website development as well as OpenBSD-centric content. Also, subscribe to the newsletter to keep up-to-date with our latest projects.

Thanks for reading this post. I hope you found it valuable. Please get in touch with your feedback and suggestions for posts you would like to see. Read more about me …

Copyright © 2020 – 2025 Rodney Johnson. All Rights Reserved. Please read important copyright and intellectual property information.
