rany2 / warp.sh

WARP wireguard config generator in POSIX Shell
Boost Software License 1.0
248 stars, 37 forks

Service Token auth #13

Open gunzino opened 3 months ago

gunzino commented 3 months ago

Hello,

Would it be possible to implement Service Token auth for "WARP Connector"? This would allow us to create a true Site-to-Site VPN with pure WireGuard.

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/warp-connector/

rany2 commented 3 months ago

I'll have to research it; I don't know what this is.

MeesJ commented 2 months ago

I attempted using the CF_Authorization cookie obtained by authorizing with a service token at the TEAMNAME.cloudflareaccess.com/warp endpoint. However, it seems the current version of the warp.sh script isn't compliant with this authorization method. The following error is returned:

curl: (22) The requested URL returned error: 500

rany2 commented 2 months ago

I doubt that that cookie is used to obtain a WG config. I'll have a look myself but my assumption is that everything is going to be different in terms of generating the config and it will not be a straightforward modification.

MeesJ commented 2 months ago

> I doubt that that cookie is used to obtain a WG config

Not directly, but the output of that cookie returns a JWT token as usual (https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/).
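Added example, not code from warp.sh or from anyone in this thread: before a CF_Authorization cookie obtained this way is passed on to any later step, a script can pull it out of the saved response headers and decode the JWT payload to check the expiry and audience. The header dump and the JWT below are constructed locally (names like `constructed-aud` are placeholders); the signature is not verified here, which a real integration must do against Cloudflare's published keys.

```shell
#!/bin/sh
# Constructed example: extract CF_Authorization from a curl header dump and
# inspect the JWT payload (exp, aud, iss) before using the token.

# base64url encoder used only to build the constructed sample token.
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# Constructed JWT with a fixed future expiry; the signature segment is a dummy.
make_constructed_jwt() {
    hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
    pay=$(printf '%s' '{"aud":"constructed-aud","exp":1900000000,"iss":"https://TEAMNAME.cloudflareaccess.com"}' | b64url)
    printf '%s.%s.constructedsig' "$hdr" "$pay"
}

# Constructed response headers in the shape `curl -D -` prints (not real output).
make_constructed_headers() {
    printf 'HTTP/2 302\nlocation: /warp\nset-cookie: CF_Authorization=%s; Path=/; Secure; HttpOnly\ncontent-length: 0\n' "$1"
}

# Print the CF_Authorization cookie value found in a header dump.
extract_cf_authorization() {
    printf '%s\n' "$1" | sed -n 's/^[Ss]et-[Cc]ookie: CF_Authorization=\([^;]*\).*/\1/p' | head -n 1
}

# Decode the base64url payload (second dot-separated segment) of a JWT.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in   # restore the padding base64url strips
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Print one top-level string or number claim from a decoded payload.
jwt_claim() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Exit 0 when the exp claim is still in the future, 1 otherwise.
jwt_not_expired() {
    exp=$(jwt_claim "$1" exp)
    [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ]
}

tok=$(make_constructed_jwt)
payload=$(jwt_payload "$(extract_cf_authorization "$(make_constructed_headers "$tok")")")
printf 'aud=%s iss=%s\n' "$(jwt_claim "$payload" aud)" "$(jwt_claim "$payload" iss)"
jwt_not_expired "$payload" && echo "token not expired"
```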

GaryChicago commented 2 months ago

@MeesJ I did get this working (Cloudflare ZT/Teams w/ Service Auth) by pulling information from the cloudflare warp linux client. I can provide feedback here or we can start a group chat if we're interested in getting this working natively in this script.

My UDM Pro Max is natively connected via its wireguard client to cloudflare.


rany2 commented 1 month ago

@GaryChicago Do you know how to MITM it? warp-svc on Linux seems to embed the trusted certificates into the binary itself so it's not trivial to modify it. If you have any tips I'd appreciate it.