Routing Cloudflare Traffic Through Cloudflare WARP in Your Local Network

Motivations

Recently, my sites hosted behind Cloudflare tunnels mysteriously stopped working—not once, but twice. The first outage occurred about a week ago. Interestingly, when I switched to using the 1.1.1.1 WARP VPN on my cellphone or PC, the sites became accessible again. Clearly, the issue wasn't with the sites themselves but something about the routing. This led me to the brilliant (or desperate) idea of routing all Cloudflare-bound traffic through a WARP tunnel in my local network.

Prerequisites

• A "server" with an amd64 processor (the WARP client only works on amd64 architecture). I'm using an old mac mini, but really, anything with an amd64 processor will do.
• Basic knowledge of Linux commands.
• Access to your Wi-Fi router's settings (if you plan to configure routes there).

Step 1: Installing the WARP CLI

1. Update your system packages:

   sudo apt update && sudo apt upgrade -y
   

2. Download and install the WARP CLI:

   curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
   
   echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
   
   sudo apt-get update && sudo apt-get install cloudflare-warp
   

3. Register and connect to WARP:

Run the following commands to register and connect to WARP:

sudo warp-cli register
sudo warp-cli connect

Confirm the connection with:

warp-cli status

Step 2: Routing Traffic on the Server Machine

Now that WARP is connected, let's route the local network's Cloudflare-bound traffic through this tunnel.

1. Enable IP forwarding:

   sudo sysctl -w net.ipv4.ip_forward=1
   

   Make it persistent after reboot:

   echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
   sudo sysctl -p
   

2. Set up firewall rules to forward traffic:

   sudo nft add rule ip filter FORWARD iif "eth0" oif "CloudflareWARP" ip saddr 192.168.31.0/24 ip daddr 104.0.0.0/8 accept
   sudo nft add rule ip filter FORWARD iif "CloudflareWARP" oif "eth0" ip saddr 104.0.0.0/8 ip daddr 192.168.31.0/24 ct state established,related accept
   

   Replace eth0 with your actual network interface if different.

3. Make rules persistent:

   sudo apt install nftables
   sudo nft list ruleset > /etc/nftables.conf
   

Step 3: Configuring the Route on a Local PC (Linux)

On your local Linux machine:

1. Add a static route:

   sudo ip route add 104.0.0.0/24 via <SERVER_IP>
   

   Replace <SERVER_IP> with the internal IP of your WARP-enabled server. This should be a temporary solution, since it only effects a local machine. For a solution that can effect the whole local network, please see next step.

Step 4: Configuring the Route on Your Wi-Fi Router (Recommended)

If your router allows adding static routes:

1. Log in to your router's admin interface.
2. Navigate to the Static Routing section. (This may vary depending on the router model.)
3. Add a new static route:
   • Destination Network: 104.0.0.0
   • Subnet Mask: 255.255.255.0
   • Gateway: <SERVER_IP>
   • Metric: 1 (or leave it default)
4. Save and apply the settings.

One of the key advantages of this method is how easy it is to disable once your ISP's routing issues are resolved. Since the changes affect the entire network at once, you can quickly restore normal network behavior by simply removing the static routes or disabling the forwarding rules, all without the need for complex reconfigurations.

Final Thoughts

Congratulations! You've now routed all your Cloudflare-bound traffic through a secure WARP tunnel, effectively bypassing mysterious connectivity issues. If the sites ever go down again, at least you’ll have one less thing to blame—and one more thing to debug.