ViRb3 / wgcf

🚤 Cross-platform, unofficial CLI for Cloudflare Warp
MIT License
5.87k stars, 664 forks

Internet access does not work (abuse prevention) #158

Open showstoppre opened 2 years ago

showstoppre commented 2 years ago

0 B received. Handshake did not get completed.

I thought it could be account issue. Registered a new account from a VPN and tried connecting with the new config.

Still same.


Edit from maintainer:

Just to give some organization to all the "internet does not work" reports. There are two known cases when this may happen:

  1. If the WireGuard tunnel works on your other computer/phone, but not on this one, then it's likely an issue with your system configuration. It's generally not something I can help with, as wgcf is only responsible for providing you with a WireGuard profile, but leaving this issue open for people to share their experiences and solutions. This is tracked in #50.
  2. If the WireGuard tunnel does not work on any of your devices, but the official client does, then this is likely an issue with your region being restricted due to abuse prevention. There is no solution to this problem, maybe hope that people stop abusing the service so the regions are unlocked. Use the official client in this case. This is tracked in #158.

PeakGymnast commented 2 years ago

It is normal for the private key to be longer than the public key.

So, any idea of turning the warp private key into the same length as the public key? I suspect this could take effect on the warp team. Sorry for my weak knowledge of coding and English level😢

01101sam commented 2 years ago

I'm not sure if this is in any way related. The Cloudwarp Windows client works fine for me. So I tried capturing traffic using Wireshark to see if there is any difference in the packets. What caught my eye was that there is a field called wg.reserved which has the value b91981 in all "wireguard protocol" traffic via the warp client. For the traffic via the wireguard client, this value is 000000.

That's Cloudflare's clientid, which is used for routing.

I've tried to verify your guess, and you are right; I successfully modified the client and now I can use boringtun to connect through WARP.

P.S. I actually wasted a lot of time decompiling the APK and finding resources about the protocol, and gave up a few times because most of the attempts failed; Wireshark was the last tool I used, since I'm not familiar with it.

As you may ask for a pre-compiled version: I won't release it, because it may violate Cloudflare's TOS.
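To make the observation above concrete, here is a small decoder for the leading fields of a WireGuard message: a 1-byte type, 3 reserved bytes (all zero in the reference protocol, which is exactly what Wireshark shows as wg.reserved), then a little-endian index. This is an added example, not code from wgcf or from anyone in this thread. The sample packets are constructed with a zeroed crypto body, and the non-zero reserved bytes in the second sample are an arbitrary made-up pattern, not any client's real value. An operator looking at a capture can use the summary to see which reserved patterns appear and how often.

```python
import struct
from collections import Counter

# Message types as numbered in the WireGuard whitepaper.
MESSAGE_TYPES = {1: "handshake-initiation", 2: "handshake-response",
                 3: "cookie-reply", 4: "transport-data"}
# Fixed on-the-wire sizes of the handshake messages; transport-data varies.
FIXED_SIZES = {1: 148, 2: 92, 3: 64}


def parse_wg_header(payload: bytes) -> dict:
    """Decode the leading fields of a WireGuard UDP payload.

    Layout: byte 0 = message type, bytes 1..3 = reserved (zero in the
    reference protocol), bytes 4..7 = little-endian u32 sender/receiver
    index; transport-data messages then carry a little-endian u64 counter.
    """
    if len(payload) < 8:
        raise ValueError("payload too short to be a WireGuard message")
    mtype = payload[0]
    reserved = payload[1:4]
    info = {
        "type": MESSAGE_TYPES.get(mtype, f"unknown({mtype})"),
        "reserved": reserved.hex(),
        "reserved_is_zero": reserved == b"\x00\x00\x00",
        "index": struct.unpack("<I", payload[4:8])[0],
    }
    expected = FIXED_SIZES.get(mtype)
    info["length_ok"] = expected is None or len(payload) == expected
    if mtype == 4 and len(payload) >= 16:
        info["counter"] = struct.unpack("<Q", payload[8:16])[0]
    return info


def summarize_reserved(payloads) -> dict:
    """Count packets per reserved-byte pattern, e.g. {'000000': 1, '0a0b0c': 2}."""
    return dict(Counter(parse_wg_header(p)["reserved"] for p in payloads))


def _initiation(reserved: bytes, sender_index: int) -> bytes:
    """Constructed 148-byte initiation: real header layout, zeroed crypto body."""
    return bytes([1]) + reserved + struct.pack("<I", sender_index) + bytes(140)


# Constructed samples: a standard header and a made-up non-zero reserved pattern.
STANDARD_INIT = _initiation(b"\x00\x00\x00", 0x11223344)
TAGGED_INIT = _initiation(b"\x0a\x0b\x0c", 0x11223344)
TRANSPORT = (bytes([4, 0, 0, 0]) + struct.pack("<I", 0x55667788)
             + struct.pack("<Q", 7) + bytes(32))

if __name__ == "__main__":
    for pkt in (STANDARD_INIT, TAGGED_INIT, TRANSPORT):
        print(parse_wg_header(pkt))
    print(summarize_reserved([STANDARD_INIT, TAGGED_INIT, TAGGED_INIT]))
```

Feed it the UDP payloads from a pcap (for example via scapy's `UDP.payload` bytes) and `summarize_reserved` gives the same breakdown the wg.reserved column would, without needing the Wireshark dissector.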

dongle-the-gadget commented 2 years ago

I mean maybe someone would find the Client ID generator useful :)

01101sam commented 2 years ago

I mean maybe someone would find the Client ID generator useful :)

That may be cool if someone actually found the algorithm for generating the client id.

mishailovic commented 2 years ago

If someone tries to reverse-engineer warp app, I suggest using the https://httptoolkit.tech

dongle-the-gadget commented 2 years ago

Isn't that just an HTTP proxy?

edgiru commented 2 years ago

Me too. I changed the endpoint (162.159.192.1) to the ipv6 address (2606:4700:d0::a29f:c007) and it worked.

01101sam commented 2 years ago

I'm not sure if this is related. The Cloudwarp Windows client works fine for me. So I tried capturing traffic with wireshark to see whether there is any difference in the packets. What caught my attention was a field called wg.reserved, which has the value b91981 in all "wireguard protocol" traffic via the warp client. For traffic via the wireguard client, this value is 000000.

That's Cloudflare's clientid, used for routing.

I've tried to verify your guess, and you are right; I successfully modified the client and can now use boringtun to connect through WARP. PS: I actually wasted a lot of time decompiling the APK and looking for resources about the protocol, and gave up a few times because most attempts failed; WireShark was the last tool I used, since I'm not familiar with it. As you may ask for a pre-compiled version, I won't release it because it may violate Cloudflare's TOS.

I also tried modifying boringtun.

But when I changed the Reserved field to my own routing id, the client could only send packets and did not receive any reply; I'm quite sure the reserved field matches the warp client's.

But I may have missed some details.

Could you share more details? :)

The answer is already obvious; I don't think there's anything more to add.

n-buna404 commented 2 years ago

Just experienced this issue recently also. I think basically Cloudflare just shadowbans all unofficial-client users in certain regions for a certain time after any abuse. Ways to bypass are: 1) use the official client; 2) mimic the official client https://github.com/ViRb3/wgcf/issues/158#issuecomment-1058377722 (not recommended).

dongle-the-gadget commented 2 years ago

Some servers are currently rerouted.

PeakGymnast commented 2 years ago

Go ahead and try to replace the endpoint address with

[2606:4700:100::a29f:c101]:2408
[2606:4700:100::a29f:c102]:2408
........
[2606:4700:100::a29f:c109]:2408

I have been using Android Studio to extract the config file from the official client. It has been working for me for a long time.


dongle-the-gadget commented 2 years ago

Changing endpoints has never worked for me. If you had luck, Cloudflare would give you a fully operational server, but if you have bad luck and Cloudflare gives you a rerouted server then there's no choice but to use the official client.

Also, the IPs you listed are IPv6 addresses, which my ISP doesn't support for some unknown reason.

PeakGymnast commented 2 years ago

Therefore, I use the private key which I have extracted from the cf warp client; warp plus is now activated.

dongle-the-gadget commented 2 years ago

Cloudflare connects you to a different colocation (Los Angeles), which is fully operational. Cloudflare always attempts to connect me to HKG (Hong Kong), which is rerouted, hence why it doesn't work.

It's quite unlikely that changing endpoints will change the fact that it always picks HKG as my colocation. Again, it always picks whatever server that the Anycast network can connect to, and satisfy peering requirements (typically this is the nearest server, but it might not be).

The single point of failure in using unofficial clients is the colocation...

dongle-the-gadget commented 2 years ago

[Windows NT] This line in the driver looks interesting https://github.com/WireGuard/wireguard-nt/blob/9dfa703c396d7365bb9d8c08e73301d6363f8ecd/api/wireguard.h#L240

xqdoo00o commented 2 years ago

Therefore, I use the private key which I have extracted from the cf warp client; warp plus is now activated.

LAX works. Hi, do you have any HKG machine to test the config with? Thanks

dongle-the-gadget commented 2 years ago

No, Cloudflare's Anycast network picks a colocation for you, not your machine.

xqdoo00o commented 2 years ago

No, Cloudflare's Anycast network picks a colocation for you, not your machine.

I mean, I still couldn't use wireguard warp on the machine in HKG.

dongle-the-gadget commented 2 years ago

I mean, I still couldn't use wireguard warp on the machine in HKG.

I don't understand what you mean.

PeakGymnast commented 2 years ago

No, Cloudflare's Anycast network picks a colocation for you, not your machine.

I mean, I still couldn't use wireguard warp on the machine in HKG.

Neither do I know why the server is located in the US instead of HKG.

And even when located in HK, the warp client will get a good connection.

xqdoo00o commented 2 years ago

Tried to modify and compile the wireguard kernel module to set wg.reserved. Now wireshark shows the same value for wireguard as for warp-cli, but it still does not work in HK...... Very confused😂.

dongle-the-gadget commented 2 years ago

HKG was apparently fully operational; however, my situation with routing was still rather strange, as I was still unable to connect using an unofficial client. One other thing is that when I turn on the official client, the ip field in https://cloudflare.com/cdn-cgi/trace now returns a Cloudflare IP. It used to point to my true IP.

And also warp was off, despite the client being on.

Wamy-Dev commented 2 years ago

Therefore, I use the private key which I have extracted from the cf warp client; warp plus is now activated.

How did you get the private key?

bachvnnvn commented 1 year ago

Is there any update for this? Seems all unofficial clients are not working now. Only the official Warp app is working.

PeakGymnast commented 1 year ago

Is there any update for this? Seems all unofficial clients are not working now. Only the official Warp app is working.

Working a long time for me, tunsafe running well as well.

bachvnnvn commented 1 year ago

Is there any update for this? Seems all unofficial clients are not working now. Only the official Warp app is working.

Working a long time for me, tunsafe running well as well.

I tried with the endpoint [2606:4700:100::a29f:c104]:2408, but it couldn't even connect to that IP.

Besides the endpoint, did you change anything of the default wgcf-profile.conf?

Thanks!

PeakGymnast commented 1 year ago

I tried with the endpoint [2606:4700:100::a29f:c104]:2408, but it couldn't even connect to that IP.

Besides the endpoint, did you change anything of the default wgcf-profile.conf?

Thanks!

Nothing changed. Have you ever tried checking your router? Does it support ipv6? Run this web test to confirm whether your router/your ISP supports ipv6 or not: http://test-ipv6.epic.network/

bachvnnvn commented 1 year ago

I tried with the endpoint [2606:4700:100::a29f:c104]:2408, but it couldn't even connect to that IP. Besides the endpoint, did you change anything of the default wgcf-profile.conf? Thanks!

Nothing changed. Have you ever tried checking your router? Does it support ipv6? Run this web test to confirm whether your router/your ISP supports ipv6 or not: http://test-ipv6.epic.network/

Yes, IPv6 is supported. Quite strange.

Test with IPv4 DNS record: ok (0.628s) using ipv4
Test with IPv6 DNS record: ok (0.688s) using ipv6
Test with Dual Stack DNS record: ok (0.700s) using ipv6
Test for Dual Stack DNS and large packet: ok (0.617s) using ipv6
Test IPv6 large packet: ok (0.657s) using ipv6
Test if your ISP's DNS server uses IPv6: ok (1.004s) using ipv6
Find IPv4 Service Provider: ok (1.198s) using ipv4 ASN 7552
Find IPv6 Service Provider: ok (2.026s) using ipv6 ASN 7552

xqdoo00o commented 1 year ago

Is there any update for this? Seems all unofficial clients are not working now. Only the official Warp app is working.

Did you use it in Hong Kong?

bachvnnvn commented 1 year ago

Is there any update for this? Seems all unofficial clients are not working now. Only the official Warp app is working.

Did you use it in Hong Kong?

I am from Vietnam. I used "engage.cloudflareclient.com" and yes, I believe it points to Hong Kong.

PeakGymnast commented 1 year ago

Yes, IPv6 is supported. Quite strange.

Try this endpoint; if it does not work, I guess you have to capture your individual ipv6 endpoint address using Android Studio: [2606:4700:d0::a29f:c102]:2408

bachvnnvn commented 1 year ago

2606:4700:d0::a29f:c102

Sorry, still doesn't work. Yes, let me try Android Studio.

Thank you!

PeakGymnast commented 1 year ago

2606:4700:d0::a29f:c102

Sorry, still doesn't work. Yes, let me try Android Studio.

Thank you!

here is the tutorial link https://parkercs.tech/cloudflare-for-teams-wireguard-config/

bachvnnvn commented 1 year ago

2606:4700:d0::a29f:c102

Sorry, still doesn't work. Yes, let me try Android Studio. Thank you!

here is the tutorial link https://parkercs.tech/cloudflare-for-teams-wireguard-config/

I got the file, but the private key seems to be encrypted. Could you please tell me how to decrypt it?

string name="warp_private_key">XXXXXXXXXXXXXXXXXXXXX ]+yGW5Y6BignXXR3uZDB2MaM/pzj0Y0YThYezBYqGY84CQC/TUKHJ4bXDF8m3wL4VkP6qkVG3W2b3 y/5n

PeakGymnast commented 1 year ago

name="warp_private_key">XXXXXXXXXXXXXXXXXXXXX ]+yGW5Y6BignXXR3uZDB2MaM/pzj0Y0YThYezBYqGY84CQC/TUKHJ4bXDF8m3wL4VkP6qkVG3W2b3 y/5n

There is no way to decrypt the private key unless you use an old Android system version and a specific device definition. That's the reason why I put the tutorial link.

bachvnnvn commented 1 year ago

name="warp_private_key">XXXXXXXXXXXXXXXXXXXXX ]+yGW5Y6BignXXR3uZDB2MaM/pzj0Y0YThYezBYqGY84CQC/TUKHJ4bXDF8m3wL4VkP6qkVG3W2b3 y/5n

There is no way to decrypt the private key unless you use an old Android system version and a specific device definition. That's the reason why I put the tutorial link.

Yes, I could get the decrypted value with the old android version. Thank you very much for that!

But I still cannot connect, it shows "Failed to send handshake initiation" (from Wireguard android).

I used the below endpoint:

endpoint":{"v4":"162.159.192.8:0","v6":"[2606:4700:d0::a29f:c008]:0"}}]

I can see the port there is :0 and the config file also has the below value:

"services":{"http_proxy":"172.16.0.1:2480"}}</string>

So it looks like it doesn't use port 2408 directly but forwards to the proxy 172.16.0.1:2480.

PeakGymnast commented 1 year ago

But I still cannot connect, it shows "Failed to send handshake initiation" (from Wireguard android).

So you are running this config file on Android? If you are running on Android, you need to change your AllowedIPs to 0.0.0.0/1, ::/1. Also, you said that your endpoint port was an invalid value of zero, which means that you got your config the wrong way. You should let the official warp app connect the VPN successfully, or use a global proxy in order to connect to cloudflare warp, then pull the config file.

endpoint":{"v4":"162.159.192.8:0","v6":"[2606:4700:d0::a29f:c008]:0"}}]

I do not know exactly what to do or how to fix it. As far as I can conclude, your ISP may block the UDP protocol, or the connection redirects to a re-routed server.

This has continued to work for a period of time for me; I used to suffer the same issue when using ipv4 on PC and mobile phone. But when I run ipv6, it works for me even on a cellular network in China, where it is widely known that censorship and the firewall block things.

My config 👇👇👇👇

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxx
Address = 172.16.0.2/32, fd01:5ca1:ab1e:8375:d934:d463:b549:855b/128
DNS = 1.1.1.1,2606:4700:4700::1111
MTU = 1280

[Peer]
PublicKey = bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
AllowedIPs = 0.0.0.0/1, ::/1
Endpoint = [2606:4700:100::a29f:c104]:2408
PersistentKeepalive = 25
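Two of the failures discussed above (an endpoint captured with port 0, and an unbracketed IPv6 endpoint) are mechanical mistakes that a profile checker can catch before anyone blames the region. The following is an added example, not code from wgcf or from anyone in this thread: it parses a wg-quick profile and verifies that both keys decode to 32 bytes (all WireGuard keys are 32 bytes, i.e. 44 base64 characters, whatever the earlier comment about key lengths says), that the MTU is not below the IPv6 minimum of 1280, that every AllowedIPs entry is a valid prefix, and that the Endpoint is well-formed with a non-zero port. The sample profile reuses the public key and endpoint posted above; its private key is a constructed placeholder, not a real key.

```python
import base64
import binascii
import ipaddress

# Constructed sample profile. The [Peer] public key and endpoint are the ones
# posted in this thread; the private key is a made-up placeholder (32 x 0x01).
SAMPLE_PRIVATE_KEY = base64.b64encode(bytes([1]) * 32).decode()
SAMPLE_CONF = f"""
[Interface]
PrivateKey = {SAMPLE_PRIVATE_KEY}
Address = 172.16.0.2/32, fd01:5ca1:ab1e:8375:d934:d463:b549:855b/128
DNS = 1.1.1.1,2606:4700:4700::1111
MTU = 1280

[Peer]
PublicKey = bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
AllowedIPs = 0.0.0.0/1, ::/1
Endpoint = [2606:4700:100::a29f:c104]:2408
PersistentKeepalive = 25
"""


def parse_wg_conf(text: str) -> dict:
    """Minimal parser for wg-quick profiles: [Section] headers, Key = Value, # comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # base64 '=' padding stays in the value
            sections[current][key.strip()] = value.strip()
    return sections


def is_wg_key(b64: str) -> bool:
    """Both WireGuard key types are 32 raw bytes, i.e. 44 base64 characters."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def split_endpoint(endpoint: str) -> tuple:
    """Split 'host:port' or '[v6-literal]:port'; raise ValueError when malformed."""
    if endpoint.startswith("["):
        host, sep, port = endpoint[1:].partition("]:")
        if not sep:
            raise ValueError("bracketed IPv6 endpoint must be followed by ':port'")
        ipaddress.IPv6Address(host)  # ValueError if the bracketed text is not IPv6
    else:
        host, sep, port = endpoint.rpartition(":")
        if not sep:
            raise ValueError("endpoint has no port")
        if ":" in host:
            raise ValueError("IPv6 endpoint must be written as [addr]:port")
    if not port.isdigit() or int(port) > 65535:
        raise ValueError(f"port {port!r} is not a number in 0-65535")
    return host, int(port)


def check_profile(text: str) -> list:
    """Return a list of problems; an empty list means the profile passes every check."""
    problems = []
    conf = parse_wg_conf(text)
    iface, peer = conf.get("Interface", {}), conf.get("Peer", {})
    if not is_wg_key(iface.get("PrivateKey", "")):
        problems.append("Interface.PrivateKey is not a 32-byte base64 key")
    if not is_wg_key(peer.get("PublicKey", "")):
        problems.append("Peer.PublicKey is not a 32-byte base64 key")
    mtu = iface.get("MTU")
    if mtu is not None and (not mtu.isdigit() or int(mtu) < 1280):
        problems.append("MTU is below 1280, the IPv6 minimum link MTU")
    allowed = [c.strip() for c in peer.get("AllowedIPs", "").split(",") if c.strip()]
    if not allowed:
        problems.append("Peer.AllowedIPs is empty: no traffic will enter the tunnel")
    for cidr in allowed:
        try:
            ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"AllowedIPs entry {cidr!r} is not a valid prefix")
    try:
        _, port = split_endpoint(peer.get("Endpoint", ""))
        if port == 0:
            problems.append("Endpoint port is 0: the profile was captured before the "
                            "client had a usable endpoint (expected 2408 here)")
    except ValueError as exc:
        problems.append(f"Endpoint: {exc}")
    return problems


if __name__ == "__main__":
    print(check_profile(SAMPLE_CONF) or "profile OK")
```

Run it against a real wgcf-profile.conf by reading the file into `check_profile`; an empty list means the profile is at least structurally sound, and any remaining failure is on the network or Cloudflare side rather than in the file.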

bachvnnvn commented 1 year ago

::/1

Sorry, it still doesn't work for me. I decided to give it up.

Anyway, thank you very much for your great help!

n-buna404 commented 1 year ago

Without changing any configuration, it just suddenly works. Warp connected me AMS colo instead of HKG. Hope that's the end of the issue

dongle-the-gadget commented 1 year ago

You didn’t?

ViRb3 commented 1 year ago

Just to give some organization to all the "internet does not work" reports. There are two known cases when this may happen:

  1. If the WireGuard tunnel works on your other computer/phone, but not on this one, then it's likely an issue with your system configuration. It's generally not something I can help with, as wgcf is only responsible for providing you with a WireGuard profile, but leaving this issue open for people to share their experiences and solutions. This is tracked in #50.
  2. If the WireGuard tunnel does not work on any of your devices, but the official client does, then this is likely an issue with your region being restricted due to abuse prevention. There is no solution to this problem, maybe hope that people stop abusing the service so the regions are unlocked. Use the official client in this case. This is tracked in #158.

01101sam commented 1 year ago

Update: There's a project that rewrote the whole protocol in Go, but it's half-sourced (core part, most of it open-sourced). I have the source code and, after auditing it, it's safe to use. Project link here

Edit: This is also an unofficial client, use at your risk.

dongle-the-gadget commented 1 year ago

Looks like the HKG server once again went dark.

dongle-the-gadget commented 1 year ago

What’s the affected colocation, and how did they abuse it?

worstperson commented 1 year ago

What’s the affected colocation, and how did they abuse it?

DFW reroute to LAX afaict, with absolutely insane ~2TB monthly usage mostly through legit video services. But he hasn't had to reconnect his tunnel yet and reports working service for now.

ihipop commented 1 year ago

I'm not using a HK server but I still have this issue. My server location is: United States, California, Los Angeles.

4oct commented 1 year ago

Endpoint 162.159.193.5:2408 repaired my WG connection.

onlyreportingissues commented 1 year ago

Endpoint 162.159.193.5:2408 repaired my WG connection.

Very nice, works fine with Fedora 37. Only other setting I have changed is the MTU value from 1280 to 1420 (for PPPoE/DSL set it to 1412).

bczhc commented 4 months ago

I got lucky with endpoint [2606:4700:100::a29f:c102]:2408 (from comment1 and comment2).

❯ curl https://cloudflare.com/cdn-cgi/trace                                         00:01:05
fl=465f131
h=cloudflare.com
ip=2a09:bac5:21b1:123c::1d1:83
ts=1710604866.304
visit_scheme=https
uag=curl/8.6.0
colo=SJC
sliver=010-tier1
http=http/2
loc=CN
tls=TLSv1.3
sni=plaintext
warp=on
gateway=off
rbi=off
kex=X25519
...

Also I tried 162.159.193.5:2408, wg will have handshakes and rx data, however there's no internet connection.

❯ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

❯ sudo wg
...
peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
  endpoint: 162.159.193.5:2408
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 second ago
  transfer: 552 B received, 97.27 KiB sent
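The two states bczhc shows above (a handshake that completes but returns almost nothing, versus a working exit with warp=on in the trace) are easy to tell apart from the text of `wg` and `/cdn-cgi/trace`. The following is an added example, not code from wgcf or from anyone in this thread: it parses both outputs and classifies the tunnel as no-handshake (the "0 B received" case from the opening post), handshake-only (bczhc's 162.159.193.5 case), or passing traffic. The sample outputs are constructed in the shape of the ones posted, using the same peer key and endpoints; the byte counts for the working case and the 4 KiB received threshold are assumptions of this example.

```python
import re

# Constructed samples shaped like the `wg` and /cdn-cgi/trace output posted above.
WG_NO_HANDSHAKE = """\
peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
  endpoint: 162.159.192.1:2408
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 3.12 KiB sent
"""
WG_HANDSHAKE_ONLY = """\
peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
  endpoint: 162.159.193.5:2408
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 second ago
  transfer: 552 B received, 97.27 KiB sent
"""
WG_WORKING = """\
peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
  endpoint: [2606:4700:100::a29f:c102]:2408
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 4 seconds ago
  transfer: 12.40 MiB received, 1.05 MiB sent
"""
TRACE_WARP_ON = "fl=465f131\nh=cloudflare.com\ncolo=SJC\nloc=CN\nwarp=on\ngateway=off\n"
TRACE_WARP_OFF = "fl=465f131\nh=cloudflare.com\ncolo=HKG\nloc=VN\nwarp=off\n"

_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}


def to_bytes(amount: str) -> int:
    """'97.27 KiB' -> 99604 (wg prints binary units)."""
    number, unit = amount.split()
    return int(float(number) * _UNITS[unit])


def parse_trace(text: str) -> dict:
    """Parse the key=value lines of /cdn-cgi/trace into a dict."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def parse_wg_peers(text: str) -> list:
    """Parse `wg show` text into one dict per peer (handshake flag, rx/tx bytes)."""
    peers = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("peer:"):
            peers.append({"peer": s.split(":", 1)[1].strip(),
                          "endpoint": None, "handshake": False, "rx": 0, "tx": 0})
        elif not peers:
            continue  # interface header lines before the first peer
        elif s.startswith("endpoint:"):
            peers[-1]["endpoint"] = s.split(":", 1)[1].strip()
        elif s.startswith("latest handshake:"):
            peers[-1]["handshake"] = True  # wg omits this line until a handshake completes
        elif s.startswith("transfer:"):
            m = re.match(r"transfer:\s*(.+?) received,\s*(.+?) sent", s)
            if m:
                peers[-1]["rx"] = to_bytes(m.group(1))
                peers[-1]["tx"] = to_bytes(m.group(2))
    return peers


def classify_tunnel(wg_text: str, rx_floor: int = 4096) -> str:
    """'no-peer', 'no-handshake', 'handshake-only' or 'passing-traffic'.

    rx_floor is an assumed heuristic: a peer that answers handshakes but has
    returned under 4 KiB while we sent far more is not forwarding our traffic.
    """
    peers = parse_wg_peers(wg_text)
    if not peers:
        return "no-peer"
    p = peers[0]
    if not p["handshake"]:
        return "no-handshake"
    if p["rx"] < rx_floor and p["tx"] > p["rx"]:
        return "handshake-only"
    return "passing-traffic"


def diagnose(wg_text: str, trace_text: str) -> dict:
    """Combine both views: tunnel state plus whether the exit really is via Warp."""
    trace = parse_trace(trace_text)
    return {"tunnel": classify_tunnel(wg_text),
            "colo": trace.get("colo"),
            "exit_via_warp": trace.get("warp") == "on"}


if __name__ == "__main__":
    print(diagnose(WG_HANDSHAKE_ONLY, TRACE_WARP_OFF))
    print(diagnose(WG_WORKING, TRACE_WARP_ON))
```

On a live system, pipe `sudo wg show` and `curl https://cloudflare.com/cdn-cgi/trace` into `diagnose`; a handshake-only result with warp=off is the signature this thread keeps describing (the peer answers, the colo does not forward), which is a different problem from a profile that never handshakes at all.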

PeakGymnast commented 4 months ago

I got lucky with endpoint [2606:4700:100::a29f:c102]:2408 (from comment1 and comment2).

❯ curl https://cloudflare.com/cdn-cgi/trace                                         00:01:05
fl=465f131
h=cloudflare.com
ip=2a09:bac5:21b1:123c::1d1:83
ts=1710604866.304
visit_scheme=https
uag=curl/8.6.0
colo=SJC
sliver=010-tier1
http=http/2
loc=CN
tls=TLSv1.3
sni=plaintext
warp=on
gateway=off
rbi=off
kex=X25519
...

Also I tried 162.159.193.5:2408, wg will have handshakes and rx data, however there's no internet connection.

❯ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

❯ sudo wg
...
peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
  endpoint: 162.159.193.5:2408
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 second ago
  transfer: 552 B received, 97.27 KiB sent

For some reason, the Cloudflare warp team has modified the official wireguard protocol, which means you won't be able to connect wireguard to warp as usual. People found a unique value unlike the official wireguard protocol; you can see this link: Xray-examples-reserved id

By this time, I'd like to suggest using Sing-box (a powerful tool) to make the connection, because of its better performance than the official wireguard client.