Connecting to Cloudflare Warp directly via wg can have advantages in flexibility or specific scenarios. For example, the Warp client, warp-cli would refuse to establish connection if it can’t override /etc/resolve.conf. By connecting directly using WireGuard, you get control over all that.
The first step is to install warp-cli and register using warp-cli register. This will create the WireGuard private-key used for the connection and register it with Cloudflare. The private key can be found in /var/lib/cloudflare-warp/reg.json. The endpoint data and Cloudflare’s public key should be constant. Alternative endpoints are listed in /var/lib/cloudflare-warp/conf.json.
An easy way to read the json configuration files is using jq:
$ sudo jq . /var/lib/cloudflare-warp/conf.json
Adjust the following template accordingly, and put in int /etc/wireguard/warp.conf:
[Interface]
PrivateKey = XXXXXXXXXXXX
Address = 172.16.0.2/32
Address = 2606:4700:110:892f:607d:85a6:5e07:70cf/128
[Peer]
PublicKey = bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = engage.cloudflareclient.com:2408
You can start the tunnel using
$ sudo wg-quick up warp`
Alternatively, you can import it to NetworkManager and be able to easily start it from the Gnome Quick Settings.
$ sudo nmcli connection import type wireguard file /etc/wireguard/warp.conf
You can easily check that the tunnel works, by visiting https://www.cloudflare.com/cdn-cgi/trace/ and looking for the line that says warp=on.
Sometimes, IPv4 won’t work while IPv6 works. Restarting the VPN several times can resolve the issue.
while ! ping -w1 -c1 1.1.1.1; do wg-quick down wgcf-profile; wg-quick up wgcf-profile; done
or using nmcli:
while ! ping -w1 -c1 1.1.1.1; do nmcli connection down wgcf-profile; nmcli connection up wgcf-profile; done
Disabling the Cloudflare client
The Cloudflare client might interfere with the Wireguard profile. It’s best to didable it:
$ sudo systemctl disable --now warp-svc.service
$ systemctl --user disable --now warp-taskbar.service