ViRb3 / wgcf

🚤 Cross-platform, unofficial CLI for Cloudflare Warp
MIT License

Support Teams/Zero Trust #56

Open sitepodmatt opened 3 years ago

sitepodmatt commented 3 years ago

Is there any plans to support Teams? (i.e. Warp for business)

ViRb3 commented 3 years ago

Not in the foreseeable future, but I am happy to take PRs.

C018 commented 3 years ago

I also need this and am willing to provide a Teams account for testing. Using the Registration ID returns 400.

jasmas commented 3 years ago

I could also spend weekend cycles on this

sitepodmatt commented 3 years ago

Cloudflare teams for linux has been released. https://blog.cloudflare.com/announcing-warp-for-linux-and-proxy-mode/

Manouchehri commented 2 years ago

@sitepodmatt It'd still be nice if we could use native WireGuard with Cloudflare for Teams.

sitepodmatt commented 2 years ago

Agreed, but I'm happy that at least now there is official Linux support, which can also run headless.

jasmas commented 2 years ago

@sitepodmatt Only amd64 binaries are published for now.

perillamint commented 2 years ago

Reverse engineered the API using Frida and the Android app. Teams login uses a JWT obtained from .cloudflareaccess.com/warp to fetch a Bearer token.

After that, the flow is the same as the normal one.

The problem is that I am very new to Go, so I need someone's help to implement Teams login.

(Sorry for the bad English, I stayed up the whole night getting mitmproxy and the Frida hook working and my brain is not working properly now.)

perillamint commented 2 years ago

To implement this, I need some help. The Teams API returns a different schema when I supply the Cf-Access-Jwt-Assertion header to /{ApiVersion}/reg, compared to the normal registration process.

@ViRb3 Can you instruct me on how I can support this kind of behaviour using the current test-suite-based API doc generation?

Also, when I try to generate the API using the script, my result completely breaks API compatibility with the current version. How can I fix this? (version info: useoptic/cli 10.3.0, openapi-generator-cli 5.2.1)

AD2011 commented 2 years ago

It would be very helpful if Cloudflare for Teams were supported. In India, Jio is blocking Warp ports, so Warp (even Warp+) does not work. The only way to bypass the Jio block is to use Warp for Teams.

ivanjx commented 2 years ago

@AD2011 Sorry for being a bit out of context, but how does Teams help circumvent ISP blocking in India? As far as I know they are blocking the UDP ports for the WireGuard protocol. Correct me if I am wrong.

AD2011 commented 2 years ago

Yeah, you are correct. According to this post: https://broadbandforum.co/threads/reliance-jio-is-blocking-cloudflare-warp-nextdns.212012/ Jio is blocking the Warp ports 2408, 1701, 500, 4500 for the Warp ingress IP range 162.159.193.0/24. As of now (14-05-2022) the block is no longer in place. This happened just after the govt. asked all VPN providers to log user data for 5 years.

nwpr commented 1 year ago

Can someone provide more details on the current registration flow for zero trust accounts? Dumps/differences to the normal flow would be great.

I guess we'll need an SSO auth flow like the official warp-cli.

karuboniru commented 1 year ago

@nwpr The API endpoint changed to https://api.cloudflareclient.com/v<xxxx>/reg and you have to set Cf-Access-Jwt-Assertion to provide the token from xxx.cloudflareaccess.com/warp. I believe the other parts are exactly the same as ordinary client registration.

nwpr commented 1 year ago

@karuboniru when did you check this? According to the Cloudflare Zero Trust docs, the orchestration API endpoint should be located at zero-trust-client.cloudflareclient.com. This is listed here for firewall configuration.

The endpoint could have changed since you looked into it, or there is some other magic going on here. I've seen both endpoints appear in warp client logs, maybe depending on which type of account is used? Or it's just a fallback if the primary endpoint is not working.

karuboniru commented 1 year ago

According to the Cloudflare Zero Trust docs, the orchestration API endpoint should be located at zero-trust-client.cloudflareclient.com.

Ah, my mistake, I pasted wrong piece of my notes. You are right.

But it seems that api.cloudflareclient.com works for this; I just tested it and registration succeeded.

nwpr commented 1 year ago

I've just dived into the Zero Trust/Access documentation. In theory it should be possible to use cloudflared for acquiring a service token instead of grabbing the JWT from somewhere.

@karuboniru: Could you try the registration again using the cf_access_token header and the token provided by the command cloudflared access token --app=https://xxx.cloudflareaccess.com/warp?

If this works, the implementation may be very easy.

(Doc Reference)

poscat0x04 commented 1 year ago

I did some packet sniffing on an iPad and was able to make a simple PoC (repo here). Currently it can complete the first request, which uses the token you get from https://*.cloudflareaccess.com/warp to get the bearer token among other credentials, but I think more requests are needed to complete the registration because the profile it generates doesn't work. I'll dig deeper into wgcf to figure out how to complete the registration.

nwpr commented 1 year ago

[...], but I think more requests are needed to complete the registration because the profile it generates doesn't work.

Only the single request to /reg is required. After that the public key is registered and the connection should establish. I tested it and it works for me.

poscat0x04 commented 1 year ago

Only the single request to /reg is required.

Huh. Did you try my tool? If not then it might be bugged.

poscat0x04 commented 1 year ago

OK, I figured out why it failed to register. Turns out the "key" field is for public keys, not private keys.
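The Teams registration request as the thread pieces it together (endpoint from karuboniru, Cf-Access-Jwt-Assertion header from perillamint, public key in "key" from the comment above), as an added example that is not code from wgcf or from any commenter. It assumes the "v<xxxx>" path segment (left as a placeholder) and that "key" is the only body field needed; WireGuard keys are X25519, so Go's standard crypto/ecdh is used to derive the public key locally.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"net/http"
)

// Placeholder: the thread only gives the version path segment as "v<xxxx>".
const registrationURL = "https://api.cloudflareclient.com/vPLACEHOLDER/reg"

// WireGuardKeypair returns base64 (private, public) X25519 keys as WireGuard encodes
// them. Empty privB64 generates a fresh key; otherwise the public key is derived from it.
func WireGuardKeypair(privB64 string) (priv, pub string, err error) {
	var k *ecdh.PrivateKey
	if privB64 == "" {
		k, err = ecdh.X25519().GenerateKey(rand.Reader)
	} else if raw, e := base64.StdEncoding.DecodeString(privB64); e != nil {
		err = e
	} else {
		k, err = ecdh.X25519().NewPrivateKey(raw)
	}
	if err != nil {
		return "", "", err
	}
	enc := base64.StdEncoding.EncodeToString
	return enc(k.Bytes()), enc(k.PublicKey().Bytes()), nil
}

// BuildTeamsRegistration builds the /reg request: the Access JWT goes in the
// Cf-Access-Jwt-Assertion header and "key" carries the PUBLIC key only. Other
// body fields the real client may send are not on the page (assumption: omitted).
func BuildTeamsRegistration(privB64, accessJWT string) (*http.Request, error) {
	_, pub, err := WireGuardKeypair(privB64)
	if err != nil {
		return nil, err
	}
	body, _ := json.Marshal(map[string]string{"key": pub})
	req, err := http.NewRequest(http.MethodPost, registrationURL, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Cf-Access-Jwt-Assertion", accessJWT)
	return req, nil
}
```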

norbertjoni commented 1 year ago

I don't know, but I found this; maybe it helps: https://parkercs.tech/cloudflare-for-teams-wireguard-config/

eximius313 commented 1 year ago

I've just dived into the Zero Trust/Access documentation. In theory it should be possible to use cloudflared for acquiring a service token instead of grabbing the JWT from somewhere.

@karuboniru: Could you try the registration again using the cf_access_token header and the token provided by the command cloudflared access token --app=https://xxx.cloudflareaccess.com/warp?

I've tried:

cloudflared access login https://<myaccount>.cloudflareaccess.com/warp

and indeed it shows: [image]

but unfortunately after I click "Approve" it displays:

ERR Could not verify token error="failed to verify token"
failed to verify token

in the console

cpedia commented 10 months ago

I don't know, but I found this; maybe it helps: https://parkercs.tech/cloudflare-for-teams-wireguard-config/

I tried this method, but could not find the Client Private Key in the com.cloudflare.onedotonedotonedotone_preferences.xml file.

MiGoller commented 10 months ago

@cpedia Didn't find the private key either.

milindpatel63 commented 9 months ago

This works... https://github.com/rany2/warp.sh is super simple and needs no fiddling around in any Android app data.

sruehl commented 8 months ago

@milindpatel63 The script is awesome and works perfectly to create a new profile. However, I'm not sure what to do with the wgcf-account.toml. What did you do to get it working?

milindpatel63 commented 8 months ago

@milindpatel63 The script is awesome and works perfectly to create a new profile. However, I'm not sure what to do with the wgcf-account.toml. What did you do to get it working?

No need to use this tool for generating the WireGuard config. https://github.com/rany2/warp.sh will generate one for Cloudflare Teams/Zero Trust.