Closed
Expand Up @@ -233,6 +233,14 @@ Run the following commands on the machine where you installed WARP Connector. Yo
If you are setting up WARP Connector on a [virtual private cloud (VPC)](https://www.cloudflare.com/learning/cloud/what-is-a-virtual-private-cloud/), you may need to enable IP forwarding on the VM instance.
{{</Aside>}}

{{<Aside type="note" header="Note on iptables">}}
If you are setting up WARP Connector on a host with iptables enabled, you have to make sure that iptables FORWARD chain includes the rules to accept the desired traffic.
For testing/troubleshooting purposes you can set default policy of the chain to ACCEPT
```sh
iptables --policy FORWARD ACCEPT
Contributor

Can we update this to be specific to the interface used by WARP?

Suggested change
iptables --policy FORWARD ACCEPT
iptables -A FORWARD -i CloudflareWARP -J ACCEPT
iptables -A FORWARD -o CloudflareWARP -J ACCEPT
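Review bot: In both suggested lines the jump option is written `-J ACCEPT`, but iptables takes the target with lowercase `-j` (or `--jump`) and rejects the uppercase form, so the rules as written would not load. Suggest `-j ACCEPT` in both. Because `-A` appends to the end of the FORWARD chain, it is also worth saying in the docs that an earlier DROP or REJECT rule in the chain would still match first.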

Contributor

added to #16486

Author

@DevinCarr not sure it adds any meaningful value.

For quick setup, just toggling the policy should do; for anything more complicated it will vary and surely go beyond two rules on an interface - if someone has iptables it sure as hell is complex and specific, plus forwarding would likely not be limited to just one interface. If this is put into the docs, it should be a separate section covering firewalls, imo.

```
{{</Aside>}}

2. WARP's [virtual interface](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#virtual-interface) has a [maximum transmission unit (MTU)](https://www.cloudflare.com/learning/network-layer/what-is-mtu/) of 1280 bytes, whereas the standard Ethernet MTU is 1500 bytes. To avoid dropping packets that exceed 1280 bytes, clamp the [maximum segment size (MSS)](https://www.cloudflare.com/learning/network-layer/what-is-mss/) of the host machine so that incoming payloads are less than the MTU of WARP:

```sh
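Review bot: The `iptables --policy FORWARD ACCEPT` command in the new "Note on iptables" aside changes the default policy for every interface on the host, and the note gives no step to restore the previous policy once testing is done. Suggest telling the reader to record the current state first (for example with `iptables -S FORWARD`) and to set the policy back afterwards, or scoping the accept rules to the WARP interface as raised in the thread. The sentence introducing the command ("...set default policy of the chain to ACCEPT") also needs a closing colon or period and reads better as "set the default policy".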