Tiernan's Comms Closet

Geek, Programmer, Photographer, network engineer…


How to use Cloudflare Warp with a UDM Pro

If you’re considering using Cloudflare Warp for specific machines on your network, you can easily install the Warp client directly on them. It supports various operating systems, including Windows, Linux, Mac, iOS and Android. However, if you need to use it on devices that can’t run the client, for example NAS devices or smart TVs, this tutorial may be helpful.

First, please note that this is not an officially supported option. Cloudflare might modify their configuration at some point, potentially causing this setup to break. You have been warned.

What do you need:

  • UDM Pro (it can work on any Ubiquiti Unifi gateways, but this is the one I have).
  • Wireguard Configuration File Generator (WGCF). This tool will generate a Wireguard configuration file based on the Cloudflare settings.
  • I’ve created a script that executes the following commands. It worked on my MacBook Pro, and it should also work on Windows or Linux.

First, install WGCF. I installed it by running

brew install wgcf

on my MacBook Pro.

Next, run:

wgcf register

This will register a client on your machine. A wgcf-account.toml file will be left in your running folder. Next, run wgcf again:

wgcf generate

You’ll be left with a wgcf-profile.config file in your running folder. Open this file in a text editor to access the necessary details for your next steps.

Go to your Unifi Network Dashboard, click on “Settings,” and then select “VPN” and “VPN Client.” Click on “Create New” and choose “Wireguard” as the protocol. Then, change the “Setup” to “Manual.”

The configuration file you created earlier should resemble this:

[Interface]
PrivateKey = <PRIVATEKEY>
Address = <IPv4Address>, <IPV6Address>
DNS = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
MTU = 1280
[Peer]
PublicKey = <ServerPublicKey>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <ServerEndpoint>

Paste the contents of PrivateKey into the Private Key field; the Public Key field is then filled in automatically. Next, set your Tunnel IP to the value listed for IPv4Address without the trailing slash and prefix length, and put that prefix length in the Netmask field (mine was a /32). Server Address is the value listed as ServerEndpoint; check the port in that value and enter it as well. The Public Server Key is ServerPublicKey. Finally, add the IPv4 DNS servers from the configuration and click Apply Changes.
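The field mapping above is easy to get wrong by hand (a key with a character dropped, the /32 left on the Tunnel IP, the port forgotten). The script below is an added example, not part of the original post or of wgcf; it parses a profile shaped like the one shown, checks that both keys decode to the 32 bytes a WireGuard key must have, and prints the values in the order the UDM Pro form asks for them. The sample profile is constructed here: the keys are placeholder byte patterns and the addresses come from private and documentation ranges, so nothing in it is a real Cloudflare value.

```python
"""Pull the values the UDM Pro 'Manual' WireGuard client form asks for out of
a wgcf-style profile, and sanity-check the keys before pasting them in.
Added example; wgcf's real output has the same shape but real values."""
import base64
import ipaddress

# Constructed sample profile. Addresses come from private/documentation ranges
# and both keys are placeholder byte patterns, not real WireGuard keys.
SAMPLE_PROFILE = """\
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 172.16.0.2/32, 2001:db8::2/128
DNS = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
MTU = 1280
[Peer]
PublicKey = AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 198.51.100.10:2408
"""


def parse_wg_profile(text):
    """Minimal parser for the INI-like WireGuard profile format.

    Returns {section: {key: value}}. A wgcf profile has one [Interface]
    and one [Peer] section, which is all this handles.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        # split on the first '=' only: base64 keys end with '=' themselves
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def check_key(b64_key, label):
    """A WireGuard key is exactly 32 bytes; anything else was pasted wrong."""
    raw = base64.b64decode(b64_key, validate=True)
    if len(raw) != 32:
        raise ValueError(f"{label} decodes to {len(raw)} bytes, expected 32")
    return b64_key


def udm_form_values(profile_text):
    """Map profile fields onto the UDM Pro form fields named in the post."""
    prof = parse_wg_profile(profile_text)
    iface, peer = prof["Interface"], prof["Peer"]

    v4 = v6 = None
    for addr in (a.strip() for a in iface["Address"].split(",")):
        net = ipaddress.ip_interface(addr)
        if net.version == 4:
            v4 = net
        else:
            v6 = net
    if v4 is None:
        raise ValueError("profile has no IPv4 address for the Tunnel IP field")

    # Endpoint is host:port; rpartition keeps bracketed IPv6 literals intact
    host, _, port = peer["Endpoint"].rpartition(":")
    dns_v4 = [d for d in (x.strip() for x in iface.get("DNS", "").split(","))
              if d and ipaddress.ip_address(d).version == 4]
    allowed = [a.strip() for a in peer.get("AllowedIPs", "").split(",")]

    return {
        "private_key": check_key(iface["PrivateKey"], "PrivateKey"),
        "tunnel_ip": str(v4.ip),               # "Tunnel IP": address without the /prefix
        "netmask": v4.network.prefixlen,       # "Netmask": the number after the slash
        "server_address": host.strip("[]"),    # "Server Address"
        "server_port": int(port),              # "Port"
        "server_public_key": check_key(peer["PublicKey"], "PublicKey"),
        "dns": dns_v4,                         # IPv4 DNS servers for the form
        "tunnel_ipv6": str(v6) if v6 else None,
        # 0.0.0.0/0 means the profile expects to carry everything; on the UDM
        # the Policy-Based Route, not this field, decides what is sent.
        "full_tunnel": "0.0.0.0/0" in allowed,
    }


if __name__ == "__main__":
    for field, value in udm_form_values(SAMPLE_PROFILE).items():
        print(f"{field:>18}: {value}")
```

Run it against your own wgcf-profile file by reading that file into `udm_form_values` instead of the constructed sample. The key-length check is the useful part: the UDM form will accept a truncated key without complaint and the tunnel will simply never connect.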

After a few seconds, the status should change to “Connected”.

Next, you need to configure the Policy-Based Routes. This is located under the routing section, specifically under the heading “Policy-Based Routes.”

Here, you can name the rule and decide whether you want to send all traffic or specific traffic.

For all traffic, you can select a specific device or the entire network. For instance, in this example, all traffic from my Guest network will be routed through Warp:

You can also set it to send traffic to specific destinations:

Fallback allows it to fail back to one of the other connections if the Warp connection fails.

Finally, click Add Entry at the bottom. Now, run some tests on that machine and see the traffic counts increase.

That is it. You can select which devices or networks, or even which destinations, you want to send over Cloudflare. Happy hunting.

Day 59 of #100daysofhomelab – Proxmox Updates, LTT Hacked, New Framework Laptops

Day 59 of #100daysofhomelab and Proxmox released 7.4 of their Virtual Environment. I have not upgraded any of my machines to it just yet, but that’s the plan for the weekend. Other than that, some links:

Day 58 of #100daysofhomelab

Day 58 of #100daysofhomelab and today is mostly a retrospective of what I did over the last few days, with some links thrown in for good measure…

Given I am going to keep GodBoxV3 running Windows Server 2022 for the foreseeable future, I installed Veeam Availability Suite (through their NFR program) and got it to back up my Hyper-V VMs, along with my ESXi VMs, to both local and Backblaze B2 storage. So far, so good.

Also, Ubiquiti released Unifi OS 3.0 for the UDM Pro, which I upgraded this morning. Links for that are below. Some nice bits in here, like:

  • Added Wireguard VPN Server support.
  • Added VPN Client Routing.
  • Added Ad-blocking feature.
  • Added support for OpenVPN tunnel in Traffic Routes.
  • Allow adding multiple VPN Clients.

The 2.5 release of the OS had the VPN Client option, but ALL traffic went over the VPN, whether you wanted it to or not. This release gives you the option to say that traffic from a given host or network, or even traffic to a given IP or range, goes over the VPN link. The Ad Block feature is nice too, but I have not tried it yet (still using PiHole for the moment), and the Wireguard VPN option is going to be VERY handy. More testing coming soon…

Anyway, on to the links.

Day 51 of #100daysofhomelab

Day 51 of #100daysofhomelab and I am planning my move of some of my Docker instances in the house to new machines… GodBoxV3 is currently running Windows Server 2022 with a couple of Hyper-V VMs on it. One runs Docker containers and the other runs UISP from Ubiquiti for managing my EdgeSwitches. I am trying to move these VMs off that machine and do a clean-up, and the plan is either to install Proxmox with TrueNAS as a VM with disks passed directly into it, plus some other VMs, or TrueNAS directly with VMs on there… Suggestions? Anyway, as part of the clean-up, I put my custom WordPress container up on GitHub and it builds new images nightly. The move is going to be fun, so my weekend will be busy… So, other than that, some links.

Day 31 of #100daysofhomelab

Day 31 of #100daysofhomelab and I am going through the config from my CHR to bring over to my RB5009, and, well, I have no idea what I was doing when I built the original config… Now to try and figure out what the config did, since I want to document it here so I know what I was thinking, but also to possibly help someone else… Mind you, at this stage, it won’t be much help… I also need to figure out how to add my Zerotier bridge into the mix.

So, trying to get a high-level overview of how this works, let’s start with this:

  • The cable modem comes in at 1Gb/s down, 50Mb/s up. It hands off at 1Gb Ethernet and plugs into a switch on VLAN 900. Anything on VLAN 900 can get a public IP from that modem (statically assigned; I have 5 usable addresses, the first of which is taken by the modem, which acts as the gateway).
  • FTTH comes in and goes to my small quad 2.5Gb box, which then, using CHR (we call this DUB1-BK01), hands off a /29 to VLAN 905. Again, any devices on VLAN 905 can get a public IP from there, and use BK01 as a gateway.
  • The current CHR (DUB1-BGP01), being a VM, currently has 3 connections: eth1 is connected to VLAN900, eth2 to VLAN905 and eth3 to VLAN901. VLAN901 has a /27 from my /24 block of addresses, and anything on that VLAN can use an IP from that pool with DUB1-BGP01’s IP as its gateway.
  • DUB1-BGP01 does some BGP routing to my upstream servers: lon1, which is based in Vultr London, and fra3, which is based at M&M Networks in Frankfurt, Germany. lon1 has transit from Vultr; fra3 gets transit from M&M Networks but also connects to multiple Internet Exchanges: DE-CIX Frankfurt, DE-CIX Dusseldorf, DE-CIX Hamburg, DE-CIX Munich, KleyReX, LocIX and LocIX Dusseldorf. More details of the network and peers are available on as204994.net.
  • DUB1-BGP01 connects to both lon1 and fra3 over WireGuard connections. All traffic to lon1 is sent over the Cable Modem link. All traffic to fra3 is sent over the FTTH link. Currently, there is no automatic failover if one link dies… This is where (hopefully) Zerotier comes into play.
  • I have a VM running on my i7 2.5Gb box that has connections to both VLAN900 and VLAN905, along with VLAN911. I have a bridge on that box that connects VLAN911 to a Zerotier network which is used only for internal peering. It has a /28 public IP range, and anything on that bridge can use an IP from that network and talk to other machines. Currently that bridge is directly connected to my UDM Pro, which gets a public IP and uses fra3 as a gateway. Sometimes traffic goes out through fra3 but comes back over lon1 (asymmetric routing), but because of the way the network is set up, all traffic can flow without issues.
  • The plan is to use that VLAN along with the 2 WireGuard links and give me 2 connections to lon1 and fra3. In theory, if one connection goes down, the traffic should be able to flow the other way…

So, at least that is the theory… How well this will work is anyone’s guess… But more messing with configs is required.
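The weak spot called out above, and in the Warp tutorial earlier on this page, is knowing when a WireGuard link has actually died so something else can take over. The script below is an added example, not part of the post or of any of the tools it mentions: it parses the tab-separated output of `wg show <interface> dump` (the format is wg(8)’s own) and classifies each peer by the age of its last handshake. The 180-second threshold, the lon1/fra3 labels on the sample peers, the fixed “current time” and the dump text itself are all constructed here; keys and endpoints are placeholders from documentation address ranges.

```python
"""Decide which WireGuard peers are actually alive from `wg show <if> dump`.
Added example: the tab-separated dump format is wg(8)'s own; the peer
labels, the 180 s threshold and the sample data are assumptions made here."""
import time

HANDSHAKE_MAX_AGE = 180  # seconds; a live tunnel rekeys roughly every 2 minutes

# Constructed "current time" so the sample below is deterministic.
NOW = 1_700_000_000

# Constructed `wg show wg0 dump` output. Line 1: private-key public-key
# listen-port fwmark. Peer lines: public-key preshared-key endpoint
# allowed-ips latest-handshake transfer-rx transfer-tx persistent-keepalive.
# Keys and endpoints are placeholders (documentation address ranges).
SAMPLE_DUMP = (
    "<private-key-redacted>\tAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\t51820\toff\n"
    f"lon1-peer-key-placeholder=\t(none)\t203.0.113.10:51820\t10.0.0.1/32\t{NOW - 45}\t123456\t654321\t25\n"
    f"fra3-peer-key-placeholder=\t(none)\t198.51.100.20:51820\t10.0.0.2/32\t{NOW - 900}\t1000\t2000\t25\n"
    "cold-peer-key-placeholder=\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff\n"
)


def parse_wg_dump(text):
    """Return one dict per peer from `wg show <if> dump` output."""
    lines = text.strip().splitlines()
    peers = []
    for line in lines[1:]:  # line 0 describes the local interface, not a peer
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"expected 8 tab-separated fields, got {len(fields)}: {line!r}")
        pub, _psk, endpoint, allowed, handshake, rx, tx, keepalive = fields
        peers.append({
            "public_key": pub,
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": allowed.split(","),
            "latest_handshake": int(handshake),  # unix time; 0 means never
            "rx_bytes": int(rx),
            "tx_bytes": int(tx),
            "keepalive": None if keepalive == "off" else int(keepalive),
        })
    return peers


def peer_state(peer, now, max_age=HANDSHAKE_MAX_AGE):
    """'up' if the last handshake is recent, 'stale' if old, 'never' if none."""
    if peer["latest_handshake"] == 0:
        return "never"
    return "up" if now - peer["latest_handshake"] <= max_age else "stale"


def tunnel_report(dump_text, now=None, max_age=HANDSHAKE_MAX_AGE):
    """Map each peer's endpoint (or public key when it has none) to its state."""
    now = int(time.time()) if now is None else now
    return {(p["endpoint"] or p["public_key"]): peer_state(p, now, max_age)
            for p in parse_wg_dump(dump_text)}


def usable_endpoints(dump_text, now=None, max_age=HANDSHAKE_MAX_AGE):
    """Endpoints a failover script could still route traffic through."""
    return [ep for ep, state in tunnel_report(dump_text, now, max_age).items()
            if state == "up"]


if __name__ == "__main__":
    for endpoint, state in tunnel_report(SAMPLE_DUMP, NOW).items():
        print(f"{endpoint:<28} {state}")
```

A recent handshake only proves the peer answered within the last few minutes, not that the path beyond it (lon1’s or fra3’s transit) is carrying traffic, so in a two-upstream setup like this one a route switch should also depend on a probe sent through each tunnel. Note too that the first line of the real dump contains the interface’s private key, so the output should be treated as a secret and never pasted into a ticket or a chat.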

Day 30 of #100daysofhomelab

Day 30 of #100daysofhomelab and I tried to look into getting my RB5009 set up, and well… it has the wrong power supply! EU, not UK/Ireland… More messing is required! [Update] Found the right supply, but fell asleep watching TV… more messing tomorrow…


Day 28 of #100daysofhomelab

Day 28 of #100daysofhomelab and I got some benchmarks for the WordPress site. First, using ab, going directly to WordPress. It does have W3 Total Cache turned on, using Redis for DB and object cache, etc. 10000 requests, 100 at a time: 682 requests a second and a mean time of 146ms per request. Total bandwidth is around 50Mbit/s.

CPU usage while running this is somewhat pegged around the 100% mark.

Next, we run the same test, but this time directly against Varnish. It is caching the requests and not hitting the Nginx box. We are now at 1899 requests per second (2.7x more) and our mean time is down to 52ms (nearly 3x faster). The bandwidth is now nearly 140Mb/s, again nearly 3x higher.

And CPU usage is a little bit lower too!

So, happy days! Tomorrow I will be working on my RB5009 install, so photos, shouting and more will be uploaded then… but for now, some links.

Day 27 of #100daysofhomelab

Day 27 of #100daysofhomelab and it does look like WordPress is running correctly and quite fast… Yesterday’s messing with configs got Varnish, Memcached and Redis all running, along with upgrading from PHP 8.0 to 8.2. The problem now seems to be related to caching rules… So, some messing with that is required… My RB5009 is now stuck in France and has been there since Friday… It is scheduled for delivery on Wednesday, so that will be a fun day breaking stuff… It’s been on quite the trip. Most of that was in 3 days, but it got stuck in France and hasn’t moved over the weekend… Fingers crossed it arrives on Wednesday!

So, some links… yeah, some are not exactly home lab, but it’s homelab adjacent?

Day 25 of #100daysofhomelab

Day 25 of #100daysofhomelab, and I have not done much in the way of home lab work today, but I have tested the bejesus out of the internet connection! I bought a Backblaze license for my MacBook Pro, which initially has around 2.3Tb to back up. There are my YouTube videos along with code and other bits… It looks like it has uploaded 290 Gb in the last 24 hours…

I also bought an Xbox Series X, and have downloaded a few games to it too… I previously had an Xbox One S with the Games Pass Ultimate, so those games were downloaded. I think it’s downloaded nearly 200 GB in the last few hours! Finally, my mother got home from the hospital yesterday and found a Netflix TV show she wanted to watch and has binge-watched most of it. That seems to be a bit more sedate 20Gb since last night… Overall, the Zerotier-backed connection seems to be working well!

Other than that, I watched the Techno Tim video on MaaS. Looks interesting. And I am also looking into the idea of using Mastodon/Fediverse replies in WordPress… I found this post about doing it on static sites. More digging required, I think, but now I’m off to play Flight Simulator!

Day 22 of #100daysofhomelab

Day 22 of #100daysofhomelab and I have been planning out my network update for when my RB5009 arrives… Not ready to share, yet, but it should be here on the 2nd Feb, so I will have a plan (maybe) by the weekend… Other than that, it’s a link dump for today:

Ok, I kind of got the following diagram, but it only makes sense in my head, and I’m not even sure it makes sense there… I’ll leave this here without further explanation, till maybe the weekend…