0

I have an Ubuntu 22 node, and I'm trying new ideas to implement using Cloudflare WARP. Let's say I want to have an OpenVPN server running on the node, while Cloudflare WARP is installed and connected. What I'm trying to do here is to forward all the traffic from the OpenVPN client through the WARP tunnel. At first I tried setting the WARP mode to Proxy mode and setting the system-wide proxy to that local proxy, but it didn't seem to be working. Then, I tried setting it to the WARP mode but having MY public IP address excluded so I can SSH into the server without any problems, and that works just fine. I even tried running an OpenVPN server and I could easily connect to it, but then the traffic wouldn't pass through the WARP tunnel (it would just stop working as soon as I connected my node to WARP).

I wanna know if there's any way to implement this scenario, either with Proxy Mode or Warp Mode.

Thanks in advance.

1 Answer

0

Step 1: Install and Configure Cloudflare WARP

Install Cloudflare WARP:

Follow the official Cloudflare WARP installation guide for Ubuntu:

curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
sudo apt update
sudo apt install cloudflare-warp

Connect to WARP:

Register and connect to WARP:

warp-cli register
warp-cli connect

Exclude Your Public IP for SSH Access:

Exclude your public IP from the WARP tunnel to allow SSH access:

warp-cli add-excluded-route <your-public-ip>

Step 2: Install and Configure OpenVPN

Install OpenVPN:

Install OpenVPN and EasyRSA for certificate management:

sudo apt update
sudo apt install openvpn easy-rsa

Set Up OpenVPN Server:

Follow the official OpenVPN guide to set up the server: OpenVPN Ubuntu Setup.

Configure OpenVPN:

Edit the OpenVPN server configuration file (/etc/openvpn/server.conf) to ensure it routes all client traffic through the VPN:

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"

Step 3: Configure Routing and Firewall Rules

Enable IP Forwarding:

Enable IP forwarding on your Ubuntu server:

sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-ip-forward.conf

Configure NAT for OpenVPN Clients:

Set up NAT (Network Address Translation) to route OpenVPN client traffic through the WARP tunnel:

sudo iptables -t nat -A POSTROUTING -o warp+ -j MASQUERADE

Persist IPTables Rules:

Save the IPTables rules to ensure they persist after a reboot:

sudo apt install iptables-persistent
sudo netfilter-persistent save

Step 4: Test the Setup

Connect to OpenVPN:

Use an OpenVPN client to connect to your server.

Verify Traffic Routing:

Check if the traffic from the OpenVPN client is routed through the WARP tunnel:

curl ifconfig.me

The output should show the IP address associated with the WARP tunnel.

Complete Example

Here’s a summary of the commands and configurations:

Cloudflare WARP Setup

# Install WARP
curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
sudo apt update
sudo apt install cloudflare-warp

Connect to WARP

warp-cli register
warp-cli connect

Exclude your public IP for SSH

warp-cli add-excluded-route <your-public-ip>

OpenVPN Setup

# Install OpenVPN
sudo apt update
sudo apt install openvpn easy-rsa

Configure OpenVPN (edit /etc/openvpn/server.conf)

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"

Routing and Firewall

# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-ip-forward.conf

Configure NAT for OpenVPN clients

sudo iptables -t nat -A POSTROUTING -o warp+ -j MASQUERADE

Persist IPTables rules

sudo apt install iptables-persistent
sudo netfilter-persistent save
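
Added example, not part of the answer above: a POSIX shell check that every MASQUERADE rule's `-o` pattern (such as `warp+` in Step 3) matches an interface that actually exists, since iptables accepts a pattern that matches nothing without complaint. The sample rules and interface names are constructed for illustration; list the real ones on your host with `ip -o link`.

```sh
#!/bin/sh
# Added example: sanity-check NAT rules against the interfaces that exist.

# iptables -o/-i semantics: a trailing "+" is a prefix wildcard; otherwise
# the match is exact and case-sensitive.
iface_matches() {  # $1 = pattern, $2 = interface name
  case $1 in
    *+) case $2 in "${1%+}"*) return 0 ;; esac
        return 1 ;;
    *)  [ "$2" = "$1" ] ;;
  esac
}

# $1 = output of `iptables -t nat -S POSTROUTING`; remaining args = interface
# names. Prints each MASQUERADE -o pattern matching no interface; returns 1 if any.
unmatched_masq_patterns() {
  rules=$1; shift
  bad=0
  while IFS= read -r line; do
    case $line in
      *"! -o "*) continue ;;                 # negated matches are skipped
      *" -o "*"-j MASQUERADE"*) ;;
      *) continue ;;
    esac
    pat=${line#* -o }; pat=${pat%% *}        # word that follows "-o"
    hit=0
    for name in "$@"; do
      if iface_matches "$pat" "$name"; then hit=1; break; fi
    done
    if [ "$hit" -eq 0 ]; then printf '%s\n' "$pat"; bad=1; fi
  done <<EOF
$rules
EOF
  return "$bad"
}

# Constructed sample data; the interface names are assumptions for illustration.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o warp+ -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o tun+ -j MASQUERADE'
SAMPLE_IFACES='lo eth0 tun0 CloudflareWARP'

# Live use: unmatched_masq_patterns "$(sudo iptables -t nat -S POSTROUTING)" $(ls /sys/class/net)
if stale=$(unmatched_masq_patterns "$SAMPLE_RULES" $SAMPLE_IFACES); then
  echo "every MASQUERADE rule matches an interface"
else
  echo "no interface matches: $stale"
fi
```

A rule whose pattern matches no interface never rewrites a packet, so forwarded client traffic leaves with its private source address and replies never come back.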