Home data center series: deploy Cloudflare WARP on a cloud host to improve network access speed (Linux CLI version)

Preface

I have been constantly thinking about, and experimenting with, how to make full use of the Tencent Cloud lightweight server (2 cores, 2G RAM and 4M bandwidth) that I had to spend a lot of money on for domain filing. I have put on it some important applications that need to run 24 hours a day, as well as hot standby systems for some key applications (to cover power outages in the home data center). Currently it hosts: a hot standby origin for the registered domain's www site, a tailscale DERP relay server, uptime-kuma health monitoring, a bark-server alarm system, a mirror site for the blog, and a bitwarden password management system.

But yesterday it suddenly occurred to me: if there is a power outage at home, won't my Tencent Cloud server lose its magic? (After all, phones, tablets and computers can use warp or magic directly; only the Tencent Cloud server relies on proxychains and tailscale to use the magic at home.) This loophole is too big and must be closed, so the cloud server cannot rely entirely on the magic at home; it must be able to stand on its own.

But which method is better? The docker version of openwrt with openclash? I don't like the docker version of openwrt; I find it troublesome: set the network card to promiscuous mode, create a macvlan, change the network card configuration inside the container, and finally install and configure openclash... The cloud server is stable and I don't want to go through all that trouble. Or use clash for linux directly? That is not complicated, but it has a problem too: if something goes wrong upstream (which has to be guarded against), the cloud server and the home setup go down together... So, as the industry saying goes, it is best to find something "heterogeneous". In the end I chose warp under Linux. That way, even if something goes wrong upstream, it will not affect the cloud server's normal external access; after all, warp is not an ordinary way.

Deploy warp

Install related tools and dependencies (optional)

This step is not necessary. If you have already installed the relevant tools and dependencies, you can skip it.

apt update
apt install curl wget gnupg dpkg apt-transport-https lsb-release ca-certificates

Install warp according to the official website steps

Add the cloudflare gpg key:

curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg

Add this repository to your apt repository:

echo "deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list

Install warp-cli:

sudo apt-get update && sudo apt-get install cloudflare-warp

Check whether the warp service is running properly:

systemctl status warp-svc

If normal, it will be displayed as follows:
[screenshot]

Note: If you are installing as the root user, drop the sudo prefix from the commands.

Register and start warp connection

Register warp

warp-cli register

Note: the command prompt said that in future versions the command will become warp-cli registration new, and suggested that I use this, but strangely, I can't connect using this command~

At this point, the initial communication between the local warp client and cloudflare has been completed, but the connection has not yet been established. Use the command warp-cli status and you can see the following display:
[screenshot]

Two common ways of use

Because warp by default takes over all outgoing traffic from the host (based on the destination IP, not the session), the result is that as soon as a connection is made, every connection to the host from outside the LAN is interrupted: the host's replies are intercepted by warp and handled according to its own policy, which means replies to any "normal range IP" are sent out NATed through warp. For a normal local terminal this has little impact (apart from remote access from outside the LAN no longer working), but for a cloud host it is very painful: the session is cut off directly, and the host can then only be reached through the VNC console provided by the cloud vendor.

Note: Warp also has destination IPs and fallback domains that are excluded by default, but unfortunately they are of no use for ordinary public network communication, which is why I wrote "normal range IP" above. You can check them with the command warp-cli settings:
[screenshot]

warp mode (default mode, not recommended unless there is a special need)

This is the default mode of warp, which directly intercepts all outbound traffic except for the target addresses excluded by default. It has little impact on terminals used locally. For vps, normal remote access will be directly interrupted and inaccessible (if unfortunately interrupted, you can disconnect the warp connection in the vnc provided by the cloud host to restore it).
Add excluded target IP addresses (optional):

warp-cli tunnel ip add [ip-or-cidr]   # adds an excluded IP address or network segment to warp, so that even after warp is connected the added segment can still reach the host normally

Connecting warps:

warp-cli connect   # equivalent to dialing up. If you need to disconnect the warp connection, use warp-cli disconnect
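Since the lockout described above is the main failure mode of warp mode on a cloud host, here is an added helper script (an example written for this page, not code from the original post) that applies the two commands above in a safer order: it reads your own client address from the SSH_CONNECTION variable that sshd sets, excludes just that host with warp-cli tunnel ip add, connects, and arms a background timer that disconnects WARP again unless you disarm it after confirming that a fresh SSH login still works. Assumptions: warp-cli is on PATH, the script runs inside the SSH session, warp-cli tunnel ip add accepts a CIDR (the post says it takes IPs and network segments), and the pid file path and 120-second window are my own choices.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: guard against locking yourself out
# of a cloud host when connecting WARP in the default "warp" mode.
# Assumptions: this runs inside your SSH session (sshd sets SSH_CONNECTION),
# warp-cli is on PATH, and `warp-cli tunnel ip add` accepts a CIDR (the post
# says it takes IPs and network segments). Pid file path and timer are my choice.
set -e

GUARD_PID="${GUARD_PID:-/run/warp-guard.pid}"
GUARD_SECONDS="${GUARD_SECONDS:-120}"

# The first field of SSH_CONNECTION is the client address (IPv4 or IPv6).
ssh_client_ip() {
  printf '%s\n' "${1:-${SSH_CONNECTION:-}}" | awk '{print $1}'
}

# Narrow the exclusion to a single host (/32 or /128) so only the admin's
# current address bypasses WARP, not a whole network.
exclusion_for() {
  case "$1" in
    *:*) printf '%s/128\n' "$1" ;;
    *)   printf '%s/32\n' "$1" ;;
  esac
}

# Exclude the current SSH client, connect, and arm a timer that disconnects
# WARP again unless disarm_guard is called once a fresh SSH login has been
# confirmed to work.
connect_with_guard() {
  local ip
  ip="$(ssh_client_ip)"
  [ -n "$ip" ] || { echo "not inside an SSH session; refusing to connect blind" >&2; return 1; }
  warp-cli tunnel ip add "$(exclusion_for "$ip")"
  warp-cli connect
  ( sleep "$GUARD_SECONDS" && warp-cli disconnect ) &
  echo "$!" > "$GUARD_PID"
  echo "guard armed (pid $!): run disarm_guard within ${GUARD_SECONDS}s if access still works"
}

# Cancel the pending disconnect once you have verified access from a second session.
disarm_guard() {
  kill "$(cat "$GUARD_PID")" && rm -f "$GUARD_PID" && echo "guard disarmed; WARP stays connected"
}
```

Source the file, run connect_with_guard, open a second SSH session to the host, and only then run disarm_guard; if the second login fails, the timer disconnects WARP on its own and the VNC console is not needed.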

Note 1: Why do I say it is not recommended? The only advantage of this method is that it is simple and does not require any configuration. It is simple and crude: all outbound traffic goes out of the warp. However, the disadvantages are obvious:
1. For a VPS, the main purpose is to provide inbound access, and the warp mode makes all normal remote access through the public network fail. After all, most of the users who access it have dynamic IP addresses, so it is impractical to keep them reachable by adding excluded target IP addresses.
2. For an ordinary Linux terminal, outbound access is the main purpose, and warp does not have the rule-based traffic splitting that clash provides, so access to domestic websites becomes very slow. Of course, if you do not need to access domestic websites while using warp, it does not matter.

Note 2: In fact, warp essentially uses wireguard technology, and only considers normal outbound access requests (after all, only one or two countries in the networked world use a wall). So if you really want to use warp more flexibly, you can use a wireguard client directly in place of warp. However, this method requires first reading the wireguard information out of warp and generating a configuration file. There are corresponding scripts on the Internet; if you need them, you can search for them yourself. It's just that I have a bit of technical cleanliness and don't want to use unofficial scripts casually, so I don't know how stable these scripts are. You can only try it yourself.

Note 3: The so-called special needs are that pure IPv4 devices want to obtain IPv6 outbound access capabilities; or pure IPv6 devices want to obtain IPv4 inbound access capabilities. This is suitable for using warp mode (in fact, in proxy mode, the system can also use warp's socks5 proxy globally, but there are still a small number of applications that do not support this global proxy method).

Proxy mode (recommended mode)

The most reliable way is to use warp as a proxy instead of the default warp taking over all outbound communications. In this case, you only need to set the warp proxy as a proxy in the system. This mode is especially recommended for cloud hosts, as it is safe and flexible.
Set the warp mode to proxy and set the proxy port:

warp-cli mode proxy         # set the warp working mode to proxy mode
warp-cli proxy port 56789   # if you need to specify the proxy port, use this command; if not specified, the default is 40000

Connecting warps:

warp-cli connect   # If you need to disconnect the warp connection, use warp-cli disconnect

Then check the connection status:

warp-cli status

[screenshot]

Then check the connection status of this machine:

netstat -ntpl

[screenshot]

The red box in the figure above is the address and port of the proxy service created by warp. Let's compare and test it:
Normal access to https://ip.gs, the results are as follows:
[screenshot]

You can see that the tested IP address is the public IP address of my cloud server.
Access through the socks5 proxy generated by warp:

[screenshot]

You can see that the tested IP address has become the address after warp NAT.
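The two curl tests above are easy to repeat by hand, but a practitioner will want them as one script that also verifies that the SOCKS5 port is really owned by warp-svc and refuses to trust a reply that is not an IP literal. The script below is an added example written for this page, not code from the original post. It assumes the default proxy port 40000 named in the post (override WARP_SOCKS), curl and ss installed, running as root so ss can show the owning process, and IPV6_ONLY_URL, an empty placeholder, set by you to an IPv6-only test endpoint of your choice.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: a repeatable version of the
# proxy-mode checks above. It confirms warp-svc is listening on the SOCKS5
# port, then compares the egress address reported by https://ip.gs directly
# and through the proxy. Assumptions: the default port 40000 from the post,
# curl and ss installed, run as root so ss can show the owning process, and
# IPV6_ONLY_URL (empty placeholder) set by you to an IPv6-only test endpoint.
set -e

WARP_SOCKS="${WARP_SOCKS:-127.0.0.1:40000}"
IPV6_ONLY_URL="${IPV6_ONLY_URL:-}"

# Accept only an IPv4 or IPv6 literal, so an HTML error page or captive-portal
# reply is never mistaken for an address.
is_ip_literal() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9a-fA-F:]+:[0-9a-fA-F:]*$'
}

# Reads `ss -ltnp` output on stdin; succeeds if warp-svc owns a LISTEN socket on port $1.
warp_proxy_listening() {
  grep -E "LISTEN.*[]:]$1[[:space:]].*\"warp-svc\"" >/dev/null
}

# True when the two addresses differ, i.e. traffic really leaves via WARP's NAT.
egress_changed() {
  [ "$1" != "$2" ]
}

run_checks() {
  local port direct proxied
  port="${WARP_SOCKS##*:}"
  ss -ltnp | warp_proxy_listening "$port" \
    || { echo "warp-svc is not listening on $port (mode proxy? connected?)" >&2; return 1; }
  direct="$(curl -s --max-time 10 https://ip.gs)"
  # --socks5-hostname hands the name to the proxy, so DNS is resolved through WARP too
  proxied="$(curl -s --max-time 10 --socks5-hostname "$WARP_SOCKS" https://ip.gs)"
  is_ip_literal "$direct" && is_ip_literal "$proxied" \
    || { echo "unexpected reply from ip.gs: '$direct' / '$proxied'" >&2; return 1; }
  echo "direct egress:   $direct"
  echo "via warp proxy:  $proxied"
  egress_changed "$direct" "$proxied" \
    || { echo "egress unchanged: the proxy is not in effect" >&2; return 1; }
  if [ -n "$IPV6_ONLY_URL" ]; then
    if curl -s --max-time 10 --socks5-hostname "$WARP_SOCKS" "$IPV6_ONLY_URL" >/dev/null; then
      echo "IPv6 via warp: reachable"
    else
      echo "IPv6 via warp: unreachable"
    fi
  fi
}
```

Source the file and call run_checks; it exits non-zero at the first step that does not look like a working proxy, which makes it usable from a cron job or uptime-kuma push check on the same host.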


You can also test the ipv6 access capabilities I mentioned above.

Test the reachability of IPv6 during normal access (Tencent lightweight server does not provide IPv6 address, it is estimated that it will cost extra):

[screenshot]

Use the socks5 proxy generated by warp to test the reachability of ipv6:
[screenshot]

So, both proxy mode and warp mode can turn a single-stack host into a dual-stack host with outbound access capabilities. Of course, which access method is ultimately used depends on the system's own v4 and v6 priority settings and whether the DNS resolution supports both A records and AAAA records.

I will not go into details about how to set up a proxy on Debian. There are many tutorials online. However, please note that some applications only support http or https proxies, such as apt and wget. Using socks5 proxy will result in an error. Therefore, it is best to deploy gost and convert warp's socks5 proxy to an http proxy for applications that do not support socks5 proxy but only support http proxy.
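As an added example for the gost bridge just mentioned (written for this page, not code from the original post or the gost project), the script below prints the gost command line in gost v2 syntax (-L is the local listener, -F the upstream proxy), writes the apt and wget proxy configuration that points at the bridge, and includes a check that the HTTP listener is bound to loopback only. Assumptions: the default WARP port 40000 named in the post, gost installed as `gost`, my own choice of port 8080 on 127.0.0.1 (so the cloud host never exposes an open proxy on its public IP), and file names under apt.conf.d and for the wgetrc that are mine.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: bridge WARP's SOCKS5 proxy to an
# HTTP proxy with gost (v2 syntax: -L local listener, -F upstream proxy) for
# tools such as apt and wget, and point those tools at it. Assumptions: the
# default WARP port 40000 named in the post, gost installed as `gost`, and my
# choice of port 8080 on 127.0.0.1 so the cloud host never exposes an open
# proxy on its public IP. File names under apt.conf.d and the wgetrc are mine.
set -e

WARP_SOCKS_PORT="${WARP_SOCKS_PORT:-40000}"
HTTP_PROXY_PORT="${HTTP_PROXY_PORT:-8080}"

# Command line for the bridge; run it under systemd or nohup as you prefer.
gost_cmdline() {
  printf 'gost -L "http://127.0.0.1:%s" -F "socks5://127.0.0.1:%s"\n' \
    "$HTTP_PROXY_PORT" "$WARP_SOCKS_PORT"
}

# apt drop-in: apt sends its requests to the bridge (CONNECT for https repos)
# and gost forwards them through WARP's SOCKS5 port.
write_apt_proxy() {
  local dir="${1:-/etc/apt/apt.conf.d}"
  cat > "$dir/99-warp-proxy" <<EOF
Acquire::http::Proxy "http://127.0.0.1:${HTTP_PROXY_PORT}/";
Acquire::https::Proxy "http://127.0.0.1:${HTTP_PROXY_PORT}/";
EOF
  echo "$dir/99-warp-proxy"
}

# wget only speaks http/https proxies, so it gets the same bridge address.
write_wgetrc() {
  local file="${1:-$HOME/.wgetrc}"
  cat > "$file" <<EOF
use_proxy = on
http_proxy = http://127.0.0.1:${HTTP_PROXY_PORT}/
https_proxy = http://127.0.0.1:${HTTP_PROXY_PORT}/
EOF
  echo "$file"
}

# Reads `ss -ltn` output on stdin and fails if the bridge port is bound to a
# wildcard address: that would turn the host into an open proxy for anyone.
http_proxy_is_local_only() {
  ! grep -E "(0\.0\.0\.0|\*|\[::\]):${HTTP_PROXY_PORT}([[:space:]]|$)" >/dev/null
}
```

After starting gost with the printed command line, run `ss -ltn | http_proxy_is_local_only` once; if it fails, the listener is reachable from the public IP and the -L address should be corrected before the host is left running.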

In fact, warp has other modes, which can be viewed using the following command:

warp-cli mode -h

The display content is as follows:

[screenshot]

However, for most people, only warp mode and proxy are the most commonly used. If you are interested in other modes, you can study them on your own.

Advanced use: Use warp+ with zero trust (optional)

Normally used warps are just regular warps. If used through zero trust teams, they are warp+, assuming that cloudflare's zero trust and the warp client are set up properly (see article: Home Data Center Series: Reasonable use of cloudflare WARP to improve the speed of accessing websites (desktop version)).


Optional: Delete the existing registration information (good news for people with obsessive-compulsive disorder)

warp-cli registration delete

Registering warp to zero trust teams in cli is more complicated than in desktop version. There are two ways:
1. Register directly using the team name (not recommended)

warp-cli teams-enroll [teams-id]

The trouble with this approach is:
a. It cannot be run as root; to use it, a user with ordinary permissions must be added first
b. This method requires URL authentication, but it is very troublesome to access the URL under cli. For example, I use w3m:

[screenshots]

It's really a pain in the ass.
2. Register using token (recommended)

This method requires first obtaining a token registered with teams (note that this is time-limited), and accessing the following link on a host with a browser:

https://[teams-id].cloudflareaccess.com/warp 

For example, use the Chrome browser, open the developer tools, and access the link above. When the following interface appears:

[screenshot]

In the element menu of the developer tools, the red box in the "body" section of the figure below is the token:
[screenshot]

warp-cli registration token [token]

The results are as follows:

[screenshot]

Now run the command:

warp-cli settings list

You can see that the warp client content you configured in cloudflare's zero trust has come over, and you can also see that it has joined the teams:

[screenshot]

Then, just like the previous idea, you need to set warp to proxy mode. However, now you are a member of the organization and cannot do whatever you want, so you need to set it in zero trust.
In "Settings"-"WARP Client":
[screenshots]

Then add the operating system requirements. I set Linux to use proxy mode, and others to use warp mode. The operating system can also set a specific version here (but generally there is no need to set it so detailed, this is only used by large organizations):
[screenshot]

The most important thing here is to select "Proxy mode".
[screenshot]

Finally, click the button in the red box at the bottom to create a configuration file:
[screenshot]

Of course, you can also configure policies for other systems in this way. I use proxy for Linux and warp for other desktop systems:
[screenshot]

In this way, different operating systems use warp client to connect in zero trust mode and adopt different modes according to pre-set policies, which is very convenient.
Finally, use the command warp-cli connect to connect and verify the effect:
[screenshots]

Another note: there used to be a command, warp-cli enable-always-on, that kept warp connected all the time, but it has since been removed. However, if your warp is already connected, it will still reconnect automatically after the host restarts, so this has no effect.

Afterword

In fact, enabling warp's proxy mode on the lightweight server is only the first step. There are many flexible ways to use it afterwards. For example, use the -F parameter of the gost deployed on the lightweight server to set warp's socks5 proxy as the upstream proxy (for detailed gost configuration, see: Home data center series: use gost to build your own proxy server and forwarding proxy chain); then other devices under the same tailscale account can use the proxy provided by gost through the lightweight server's tailscale address (of course, limited by the cloud server's 4M bandwidth, it is only suitable for emergencies, but it is barely enough to run some chat software and browse web pages). You can also have gost enable authentication and encryption and publish the proxy service on the public IP (as long as you are brave enough). The so-called magic of an application lies in one's own mind; it depends on what effect you want to achieve.

This article is about deploying warp on the Linux CLI. For the desktop version, see: Home Data Center Series: Reasonable use of cloudflare WARP to improve the speed of accessing websites (desktop version).

The content of this blog is original; please indicate the source when reprinting! For more blog articles, see the Sitemap. The RSS address of the blog is https://blog.tangwudi.com/feed, welcome to subscribe; if necessary, you can join the Telegram Group to discuss problems together.