|
1 | 1 | --- |
2 | 2 | pcx_content_type: how-to |
3 | | -title: Site-to-site connectivity |
| 3 | +title: Connect two or more private networks |
4 | 4 | sidebar: |
5 | | - order: 5 |
6 | | - badge: |
7 | | - text: Beta |
8 | | -head: |
9 | | - - tag: title |
10 | | - content: Set up WARP Connector |
| 5 | + label: Site-to-site |
| 6 | + order: 3 |
11 | 7 | --- |
12 | 8 |
|
13 | 9 | import { Details, GlossaryTooltip, TabItem, Tabs } from "~/components"; |
14 | 10 |
|
15 | | -<Details header="Feature availability"> |
| 11 | +This guide will cover how to connect two independent subnets with WARP Connector. Each subnet must run its own WARP Connector on a Linux host. Installing on your router is the simplest setup, but if you do not have access to the router, you may choose any other machine on the subnet. |
16 | 12 |
|
17 | | -| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | |
18 | | -| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- | |
19 | | -| Gateway with WARP | All plans | |
20 | | - |
21 | | -| System | Availability | |
22 | | -| -------- | ------------ | |
23 | | -| Windows | ❌ | |
24 | | -| macOS | ❌ | |
25 | | -| Linux | ✅ | |
26 | | -| iOS | ❌ | |
27 | | -| Android | ❌ | |
28 | | -| ChromeOS | ❌ | |
29 | | - |
30 | | -</Details> |
31 | | - |
32 | | -Cloudflare WARP Connector is a piece of software [^1] that enables site-to-site, bidirectional, and mesh networking connectivity without requiring changes to underlying network routing infrastructure. WARP Connector establishes a secure Layer 3 connection between a private network and Cloudflare, allowing you to: |
33 | | - |
34 | | -- Connect two or more private networks to each other. |
35 | | -- Connect IoT devices that cannot run external software, such as printers and IP phones. |
36 | | -- Filter and log server-initiated traffic, such as VoIP and SIP traffic. |
37 | | -- Apply Zero Trust security policies based on the source IP of the request. |
38 | | - |
39 | | - |
40 | | - |
41 | | -As shown in the diagram, WARP Connector acts as a router for a subnet within the private network to on-ramp and off-ramp traffic through Cloudflare. All devices on the subnet can access any services connected to Cloudflare, and all devices connected to Cloudflare can access any services on the subnet. Each subnet runs a WARP Connector on a designated Linux machine (typically the default gateway router), but other devices on the network do not need to install software. |
| 13 | +```mermaid |
| 14 | + flowchart LR |
| 15 | + subgraph subnet1[Subnet 10.0.0.0/24] |
| 16 | + router1["WARP Connector #1 |
| 17 | + 10.0.0.1"] |
| 18 | + end |
| 19 | + subgraph subnet2[Subnet 192.168.1.0/24] |
| 20 | + router2["WARP Connector #2 |
| 21 | + 192.168.1.97"] |
| 22 | + end |
| 23 | + router1<-->C((Cloudflare))<-->router2 |
| 24 | +``` |
42 | 25 |
|
43 | | -This guide will cover how to connect two independent subnets, for example `10.0.0.0/24` and `192.168.1.0/24`. Each subnet must run its own WARP Connector on a Linux host. Installing on your router is the simplest setup, but if you do not have access to the router, you may choose any other machine on the subnet. In this example, we will create a WARP Connector for subnet `10.0.0.0/24` and install it on `10.0.0.1`. We will then create a second WARP Connector for subnet `192.168.1.0/24` and install it on `192.168.1.97`. |
| 26 | +In this example, we will create a WARP Connector for subnet `10.0.0.0/24` and install it on `10.0.0.1`. We will then create a second WARP Connector for subnet `192.168.1.0/24` and install it on `192.168.1.97`. |
44 | 27 |
|
45 | 28 | ## Prerequisites |
46 | 29 |
|
47 | | -- A Linux host [^2] on each subnet |
| 30 | +- A Linux host [^1] on each subnet |
48 | 31 | - Verify that your firewall allows inbound/outbound traffic over the [WARP IP addresses, ports, and domains](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/). |
49 | 32 |
|
50 | 33 | ## 1. Install a WARP Connector |
51 | 34 |
|
52 | | -To install WARP Connector on a host machine: |
53 | | - |
54 | | -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Network** > **Tunnels**. |
55 | | -2. Select **Create a tunnel**. |
56 | | -3. For the tunnel type, select **WARP Connector**. |
57 | | -4. You will be prompted to turn on **Warp to Warp** and [**Override local interface IP**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip) if they are currently turned off. These settings allow Cloudflare to assign a unique <GlossaryTooltip term="CGNAT IP">CGNAT IP</GlossaryTooltip> to each WARP device and route traffic between them. |
58 | | -5. Give the tunnel any name (for example, `Subnet-10.0.0.0/24`) and select **Create tunnel**. |
59 | | -7. Select the operating system of your host machine. |
60 | | -8. On your host machine, open a terminal window and run the commands shown in the Zero Trust dashboard. Those commands will install the WARP Connector, enable IP forwarding on the host, and connect WARP Connector to your Zero Trust organization. |
61 | | - |
62 | | - :::note[Remote SSH connections] |
63 | | - |
64 | | - If you are managing the deployment remotely over SSH, your connection may drop when you install the WARP Connector. Because the WARP connector immediately starts forwarding traffic to Cloudflare, the remote SSH server's traffic will now route to Cloudflare instead of via the server's public IP. To work around the issue: |
65 | | - - **Option 1**: In your WARP Connector [device profile](#3-recommended-create-a-device-profile), temporarily add the public IP of your local machine to the [Split Tunnel Exclude list](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/). |
66 | | - |
67 | | - - **Option 2**: If your local machine is connected to Zero Trust (for example, via the WARP client), you can SSH to the <GlossaryTooltip term="CGNAT IP">CGNAT IP</GlossaryTooltip> of the WARP Connector. Traffic to the CGNAT IP must [route through the WARP tunnel](#4-configure-split-tunnels). |
68 | | - ::: |
69 | | - |
70 | | -9. (Optional) Configure IP forwarding: |
71 | | - |
72 | | - <Details header="Enable IP forwarding to persist after reboot"> |
73 | | - ```sh |
74 | | - echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-warp-svc.conf |
75 | | - sudo sysctl -p /etc/sysctl.d/99-warp-svc.conf |
76 | | - ``` |
77 | | - </Details> |
78 | | - |
79 | | - <Details header="Configure IP forwarding with iptables"> |
80 | | - If you are setting up WARP Connector on a host with iptables enabled, make sure that your iptables FORWARD chain includes rules to accept the desired traffic. For testing and troubleshooting purposes, you can set the default policy for the WARP interface to ACCEPT: |
81 | | - ```sh |
82 | | - iptables -A FORWARD -i CloudflareWARP -J ACCEPT |
83 | | - iptables -A FORWARD -o CloudflareWARP -J ACCEPT |
84 | | - ``` |
85 | | - </Details> |
86 | | - |
87 | | - |
88 | | - |
89 | | -10. To verify that the WARP Connector is connected to Cloudflare: |
90 | | - ```sh |
91 | | - $ warp-cli status |
92 | | - Status update: Connected |
93 | | - Success |
94 | | - ``` |
95 | | - |
96 | | - <Details header="Troubleshoot connection"> |
97 | | - |
98 | | - If WARP is disconnected, try the following troubleshooting strategies: |
99 | | - |
100 | | - - Run `warp-cli connect`. |
101 | | - |
102 | | - - If your private network uses a firewall to restrict Internet traffic, ensure that it allows the [WARP ports and IPs](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/). |
103 | | - |
104 | | - - Review your [WARP daemon logs](/cloudflare-one/connections/connect-devices/warp/troubleshooting/warp-logs/) for information about why the connection is failing. |
105 | | - |
106 | | - </Details> |
107 | | - |
108 | | -WARP Connector software is now installed but not yet routing traffic. |
| 35 | +<Render file="tunnel/install-warp-connector" /> |
109 | 36 |
|
110 | 37 | ## 2. Add private network routes |
111 | 38 |
|
@@ -135,36 +62,10 @@ In your WARP Connector device profile, update [Split Tunnel settings](/cloudflar |
135 | 62 | 1. Route your private network CIDR (`10.0.0.0/24`) through the WARP tunnel. For example, if you are using **Exclude** mode, delete `10.0.0.0/8` from the list and re-add the following IPs: `10.0.1.0/24`, `10.0.2.0/23`, `10.0.4.0/22`, `10.0.8.0/21`, `10.0.16.0/20`, `10.0.32.0/19`, `10.0.64.0/18`, `10.0.128.0/17`, `10.1.0.0/16`, `10.2.0.0/15`, `10.4.0.0/14`, `10.8.0.0/13`, `10.16.0.0/12`, `10.32.0.0/11`, `10.64.0.0/10`, `10.128.0.0/9` |
136 | 63 | 2. Route the CGNAT IP space (`100.96.0.0/12`) through the WARP tunnel. For example, if you are using **Exclude** mode, delete `100.64.0.0/10` from the list and re-add `100.64.0.0/11` and `100.112.0.0/12`. |
137 | 64 |
|
138 | | -The `10.0.0.0/24` WARP Connector is now routing traffic from the host machine to Cloudflare. |
139 | | -```mermaid |
140 | | - flowchart LR |
141 | | - subgraph subnet1[Subnet 10.0.0.0/24] |
142 | | - router1["Device running |
143 | | - WARP Connector |
144 | | - 10.0.0.1"] |
145 | | - end |
146 | | - router1<-->C((Cloudflare)) |
147 | | -``` |
148 | | - |
149 | 65 | ## 5. Install another WARP Connector |
150 | 66 |
|
151 | 67 | Repeat Steps 1, 2, and 4 above to install an additional WARP Connector on subnet `192.168.1.0/24`. The device profile created in Step 3 will apply to all WARP Connectors. |
152 | 68 |
|
153 | | -```mermaid |
154 | | - flowchart LR |
155 | | - subgraph subnet1[Subnet 10.0.0.0/24] |
156 | | - router1["Device running |
157 | | - WARP Connector #1 |
158 | | - 10.0.0.1"] |
159 | | - end |
160 | | - subgraph subnet2[Subnet 192.168.1.0/24] |
161 | | - router2["Device running |
162 | | - WARP Connector #2 |
163 | | - 192.168.1.97"] |
164 | | - end |
165 | | - router1<-->C((Cloudflare))<-->router2 |
166 | | -``` |
167 | | - |
168 | 69 | ## 6. Route traffic through WARP Connector |
169 | 70 |
|
170 | 71 | Depending on where you installed the WARP Connector, you may need to configure other devices on the subnet to route traffic through WARP Connector. |
@@ -288,24 +189,4 @@ You can now test the connection between the two subnets. For example, on the `10 |
288 | 189 | If you are testing with curl using private hostnames, add the `--ipv4` flag to your curl commands. |
289 | 190 | ::: |
290 | 191 |
|
291 | | -## VPC deployments |
292 | | - |
293 | | -When setting up WARP Connector on a virtual private cloud (VPC), you may need to configure additional settings in the cloud service provider. |
294 | | - |
295 | | -### GCP |
296 | | - |
297 | | -For Google Cloud Project (GCP) deployments, [enable IP forwarding](https://cloud.google.com/vpc/docs/using-routes#canipforward) on the VM instance where you installed WARP Connector. |
298 | | - |
299 | | -### AWS |
300 | | - |
301 | | -For Amazon Web Services (AWS) deployments: |
302 | | -- Stop [source/destination checking](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) on the EC2 instance where you installed WARP Connector. |
303 | | -- In your [subnet route table](https://docs.aws.amazon.com/vpc/latest/userguide/subnet-route-tables.html), route all IPv4 traffic to the EC2 instance where you installed WARP Connector. For example, |
304 | | - |
305 | | - | Destination | Target | |
306 | | - | ----------- | ------ | |
307 | | - | `0.0.0.0/0` | `eni-11223344556677889` | |
308 | | - |
309 | | -[^1]: WARP Connector is an extension of the [WARP client](/cloudflare-one/connections/connect-devices/warp/). |
310 | | - |
311 | | -[^2]: Check the [system requirements](/cloudflare-one/connections/connect-devices/warp/download-warp/#linux). Package dependencies are the following: `curl`, `gpg`, `iptables`, `iptables-persistent`, `lsb-core`, and `sudo`. |
| 192 | +[^1]: Check the [system requirements](/cloudflare-one/connections/connect-devices/warp/download-warp/#linux). Package dependencies are the following: `curl`, `gpg`, `iptables`, `iptables-persistent`, `lsb-core`, and `sudo`. |
0 commit comments