A containerized WARP client proxy (ubuntu:22.04 + warp-svc) for using Zero Trust and private networks inside container projects and k8s.
Together with the docker-transparent-proxy project, it implements assigning a public IP address to each container.
Works with the free, WARP+ and Zero Trust networks.
It can run with docker, podman or k8s on Linux.
- `WARP_ORG_ID` - WARP MDM organization ID. (E.g. `paperdragon`)
- `WARP_AUTH_CLIENT_ID` - WARP MDM client ID. (E.g. `[a-z0-9]{32}` with the suffix `.access`)
- `WARP_AUTH_CLIENT_SECRET` - WARP MDM client secret. (E.g. `[a-z0-9]{64}`)
- `WARP_UNIQUE_CLIENT_ID` - WARP MDM unique client ID.
- `WARP_LICENSE` - WARP MDM license key.

- free mode is the default if no ID or LICENSE is set. It registers a new account (free network).
- mdm mode is used automatically when `WARP_ORG_ID`, `WARP_AUTH_CLIENT_ID` and `WARP_AUTH_CLIENT_SECRET` are set (Zero Trust network).
- warp+ mode is used automatically when `WARP_LICENSE` is set (WARP+ network).
For some reasons, it is highly recommended to use mdm mode with `WARP_ORG_ID`, `WARP_AUTH_CLIENT_ID` and `WARP_AUTH_CLIENT_SECRET` set,
and to set a proxy policy in the Cloudflare Zero Trust dashboard, or to use warp+ mode with `WARP_LICENSE` set.
If you need to add another organization in mdm mode, or write more custom settings, you can modify this example file and add a `<dict>` part.
Cloudflare MDM document here. Cloudflare MDM parameters document here.
But in order not to break the entrypoint.sh flow, please do NOT change this part:
```xml
<array>
  <!-- don't modify this part -->
  <dict>
    <key>organization</key>
    <string>ORGANIZATION</string>
    <key>display_name</key>
    <string>ORGANIZATION</string>
    <key>auth_client_id</key>
    <string>AUTH_CLIENT_ID</string>
    <key>auth_client_secret</key>
    <string>AUTH_CLIENT_SECRET</string>
    <key>unique_client_id</key>
    <string>UNIQUE_CLIENT_ID</string>
    <key>onboarding</key>
    <false />
  </dict>
  <!-- add your custom part down here -->
</array>
```

- Go to the Cloudflare Zero Trust dashboard.
- Create your org team using only the characters `[a-zA-Z0-9-]`, and remember your `ORGANIZATION` (set the org name in ./secrets).
- Create a Service Token under `Access -> Service Authentication -> Service Token` and get `AUTH_CLIENT_ID` and `AUTH_CLIENT_SECRET` from the dashboard (set them in ./secrets).
- Go to `Settings -> Warp Client -> Device settings` and add a new policy (e.g. named "mdmPolicy").
- In the policy config page, add a rule with `email is non_identity@[your_org_name].cloudflareaccess.com` in the expression (or filter by device UUID).
- Go down and find `Service mode`, and set it to `Gateway with WARP` mode. Why must Gateway with WARP mode be set in the policy?
- Modify other settings if you want.
- Then save it.
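The mode selection described above and the fixed `<dict>` of the example plist, as an added shell example that is not the project's entrypoint.sh: it picks the mode from the README's environment variables, shape-checks the MDM credentials before they are written into the plist (the patterns are assumptions taken from the README's examples), and renders the `<dict>` with the placeholders substituted.

```shell
#!/bin/sh
# Added example (not the project's entrypoint.sh): choose the registration mode
# from the README's environment variables and render the fixed MDM <dict>.
# Validation patterns are assumptions taken from the README's examples.

# Print "mdm", "warp+" or "free" following the README's precedence:
# all three MDM variables set -> mdm; otherwise WARP_LICENSE set -> warp+; else free.
warp_mode() {
    if [ -n "$WARP_ORG_ID" ] && [ -n "$WARP_AUTH_CLIENT_ID" ] && [ -n "$WARP_AUTH_CLIENT_SECRET" ]; then
        echo mdm
    elif [ -n "$WARP_LICENSE" ]; then
        echo warp+
    else
        echo free
    fi
}

# Shape-check MDM credentials before they go into the plist (nothing is sent
# anywhere and the values are never printed): team name [a-zA-Z0-9-], client ID
# 32 lower-case alphanumerics plus ".access", secret 64 lower-case alphanumerics.
# Return codes 1/2/3 identify the failing field without echoing its value.
validate_mdm() {
    printf '%s\n' "$1" | grep -Eq '^[a-zA-Z0-9-]+$' || return 1
    printf '%s\n' "$2" | grep -Eq '^[a-z0-9]{32}\.access$' || return 2
    printf '%s\n' "$3" | grep -Eq '^[a-z0-9]{64}$' || return 3
}

# Render the README's fixed <dict> with ORGANIZATION, AUTH_CLIENT_ID,
# AUTH_CLIENT_SECRET and UNIQUE_CLIENT_ID substituted. Values are not XML-escaped,
# so call validate_mdm first: the allowed character sets contain no XML markup.
render_mdm_dict() {
    cat <<EOF
<dict>
  <key>organization</key>
  <string>$1</string>
  <key>display_name</key>
  <string>$1</string>
  <key>auth_client_id</key>
  <string>$2</string>
  <key>auth_client_secret</key>
  <string>$3</string>
  <key>unique_client_id</key>
  <string>${4:-}</string>
  <key>onboarding</key>
  <false />
</dict>
EOF
}
```

Run `validate_mdm "$WARP_ORG_ID" "$WARP_AUTH_CLIENT_ID" "$WARP_AUTH_CLIENT_SECRET"` before `render_mdm_dict` with the same arguments; a non-zero return code names the malformed field without leaking it to logs.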
```shell
docker build -t paperdragon/warp-tproxy .
```

Test run with docker on Ubuntu 23.04:

```shell
# Or download from docker hub
# docker pull jockerdragon/warp-tproxy
# check image
root@user-VirtualBox:/home/user# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
jockerdragon/warp-tproxy latest 1cce82cba813 10 hours ago 570MB
# use env just for test, you can set it in ./secrets
export WARP_ORG_ID=paperdragon
export WARP_AUTH_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxx.access
export WARP_AUTH_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# pass the exported values through to the container
docker run -d --name warp \
  -e WARP_ORG_ID="$WARP_ORG_ID" \
  -e WARP_AUTH_CLIENT_ID="$WARP_AUTH_CLIENT_ID" \
  -e WARP_AUTH_CLIENT_SECRET="$WARP_AUTH_CLIENT_SECRET" \
  --cap-add NET_ADMIN \
  -v /dev/net/tun:/dev/net/tun \
  jockerdragon/warp-tproxy
# test in container for warp
docker exec -it warp curl http://cloudflare.com/cdn-cgi/trace
# test out container for gost
curl http://ifconfig.icu
```
And you can see output like this:

```
[+] Starting dbus...
[+] Bypassing warp's TOS...
[+] Starting warp-svc...
```
Add environment variables to the command line:
- `DEBUG` - Set `DEBUG=True` in env to show more detail.
- This project is modified from the Warpod project, which implements a Warp container exposing an HTTP proxy for external container usage.