CloudFlare Warp+ for RT-AC86U (or RT-AX88U)


Aikinai

New Around Here
I just set up my RT-AC86U with Warp+ from CloudFlare and thought I'd share how in case anyone else is interested. This is only for RT-AC86U (and RT-AX88U I assume though haven't tested) since it relies on the experimental WireGuard posted by @Odkrys. Here are the setup instructions:
  1. Sign up for Warp+ on an officially supported device like iOS or Android

  2. Install wgcf
    1. Download the latest release (currently 2.14)
    2. Copy it to your router, rename (to wgcf to match the commands below) and move to a folder in your PATH if you like, and don't forget to make it executable (chmod +x wgcf)
  3. Generate the WireGuard config file with wgcf
    1. Register a new device with
      wgcf register
    2. Update the wgcf config with your existing Warp+ license key (found in the account settings in your signed-in app)
      WGCF_LICENSE_KEY="0123456789abcedf" wgcf update
    3. Generate a WireGuard configuration profile
      wgcf generate
  4. Install WireGuard
    1. Follow the instructions in the first post in [Experimental] WireGuard for RT-AC86U/AX88U
  5. Update the wgcf-generated config to match the format WireGuard is expecting
    (wgcf generates a format meant for wg-quick, but that's not available in this version of WireGuard)
    1. The Warp+ config is now in wgcf-profile.conf, which you should edit according to the instructions in the first post in [Experimental] WireGuard for RT-AC86U/AX88U, but just to reiterate, make sure you comment-out or delete Address (both IPv4 and v6), DNS, and MTU. I also found I had to delete AllowedIPs = ::/0, but maybe that's just because my ISP doesn't support IPv6? Then update /opt/etc/init.d/S50wireguard with the IP and DNS you had to remove from the config. You want client mode.
    2. You can also update the MTU in /opt/etc/wireguard/wg-up to match the one you had to delete from wgcf's config (1280), but I'm not sure if that's required. I did it since I assume that's optimal for Warp+ if it was in the original config.
    3. Copy wgcf-profile.conf to /opt/etc/wireguard/wg0.conf
  6. Start the service
    1. /opt/etc/init.d/S50wireguard start
      There's basically no output, so you just have to hope it works and imagine what might be wrong if it's not working. If you have a problem, disconnect with
      /opt/etc/init.d/S50wireguard stop
  7. Confirm you're connected to Warp+
    1. Check the CloudFlare trace, and if you see warp=plus, you're good! You can either navigate here in a browser or straight from your router with
      curl https://cloudflare.com/cdn-cgi/trace
  8. Enable script to connect automatically
    1. Also mentioned in the first post in [Experimental] WireGuard for RT-AC86U/AX88U, create the nat-start script to connect automatically
Remember you can also set your phone to not connect to Warp when you're on certain Wi-Fi networks, so it's probably best to add your network there so you're not double Warping. I doubt that causes a problem, but it's at least not necessary.

Enjoy!
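The step 5 edit and the step 7 check, done by script instead of by hand. This is an added example, not code from the thread, from wgcf or from the experimental WireGuard package; the profile and trace text inside it are constructed samples with placeholder keys, and the keys it removes (Address, DNS, MTU, AllowedIPs = ::/0) are exactly the ones the post says to take out.

```shell
#!/bin/sh
# Added example (not from the thread or the wgcf/WireGuard projects): take the
# text of wgcf-profile.conf, drop the keys this WireGuard build does not accept
# (Address, DNS, MTU and the IPv6 AllowedIPs), and pull out the values that move
# into S50wireguard (LocalIP, wgdns) and wg-up (MTU). Also parses the trace check.

# Constructed sample of wgcf output; the keys are placeholders, not real ones.
SAMPLE_PROFILE='[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 172.16.0.2/32
Address = fd01:5ca1:ab1e::1/128
DNS = 1.1.1.1
MTU = 1280
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = engage.cloudflareclient.com:2408'

# Constructed trace output in the shape curl https://cloudflare.com/cdn-cgi/trace prints.
SAMPLE_TRACE='h=cloudflare.com
ip=203.0.113.7
warp=plus
gateway=off'

# Print the wg0.conf body: everything except Address, DNS, MTU and AllowedIPs = ::/0.
strip_profile() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(Address|DNS|MTU)[ \t]*=/ { next }
        /^[ \t]*AllowedIPs[ \t]*=[ \t]*::\/0[ \t]*$/ { next }
        { print }'
}

# Value of key $1 (Address, DNS or MTU) in profile text $2. For Address the
# first IPv4 entry is returned, since that is what goes into LocalIP.
profile_value() {
    printf '%s\n' "$2" | awk -F'=' -v key="$1" '
        $1 ~ "^[ \t]*" key "[ \t]*$" {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2)
            if (key == "Address" && $2 ~ /:/) next
            print $2; exit
        }'
}

# The warp= field of a cdn-cgi/trace response (plus, on or off); empty if absent.
warp_field() {
    printf '%s\n' "$1" | awk -F'=' '$1 == "warp" { print $2; exit }'
}

# On the router: strip_profile "$(cat wgcf-profile.conf)" > /opt/etc/wireguard/wg0.conf
```

Run `warp_field "$(curl -s https://cloudflare.com/cdn-cgi/trace)"` from the router after starting the service; anything other than plus means the tunnel is not carrying the router's traffic.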
 

heysoundude

Very Senior Member
I'm not going to try and deny it, but I was a fanboy for this sort of thing not so long ago.
My perspective has changed:
Cloudflare is just as bad as Google/Alphabet and the socials.

Wireguard server on routers that can run it, absolutely...but not a client to an endpoint you don't control.
Make that WireGuard server/router your DNS with unbound... become your own quad1, 8, etc.
 

gspannu

Regular Contributor
Q1) Is there a way to run this without a WARP+ subscription, i.e. with just WARP to begin with?
I want to be able to successfully set it up on my Asus AX88U and if all goes well, I will then subscribe to the Warp+ version.

I am currently running WireGuard as a server on my router (and use this to route all my devices' traffic when I'm mobile), but this means that I also have to figure out how to run WireGuard both as a server and as a client on the router.
Q2) Any help there also would be much appreciated.
 

gspannu

Regular Contributor
Also... just to check....

1) The wgcf is only used to register a device and generate the necessary configs. The wgcf command is not actually used for establishing the tunnel or anything else. Correct?

2) The actual tunnel is being made by the WireGuard binaries (Experimental WireGuard for RT-AC86U/AX88U) and it uses the edited /opt/etc/wireguard/wg0.conf for the new settings. Correct?

3) I understand that by item 5.3 above (highlighted) you mean: copy the contents of wgcf-profile.conf to /opt/etc/wireguard/wg0.conf

4) Can I delete the wgcf-profile.conf or is this used by the WireGuard binaries?

5) Would you mind posting your 3 files (with all sensitive information masked)
- /opt/etc/wireguard/wg0.conf
- /opt/etc/init.d/S50wireguard
- wgcf-profile.conf
so that I can use these as a reference point.

Thank you in advance.
 

heysoundude

Very Senior Member
You realize that WARP is just tunnelling you to a DNS server that's more than likely mining your data, right?

maybe you can explain better why you want your router tunnelling to CloudFlare first. Your AX88 is quite a machine and it can probably do what you're proposing with relative ease; I'm not entirely sure it's necessary, and I'm not sure you're absolutely clear on why you want to do what you propose.

I get the WireGuard server tunnel for clients away from your network; I also get you'd rather your ISP didn't see what your lookups are: You can set up DNS over TLS to Cloudflare on your router (Merlin firmware - not sure about factory) - much easier than a full WireGuard client tunnel to a service you pay for and have to trust to not breach your privacy.

Better (from a privacy and security aspect) would be running unbound on the router (in addition to the WG server), so that your router is your network's (and remote devices') own DNS resolver, with cache-miss queries going to Authoritative servers (the same ones that CloudFlare gets its info from, BTW). These Auth servers are even starting to implement DoT too, and IPSec and DNSSEC work very well (and I want to say especially on an IPv6 connection, with each device's IP address (with the v6 privacy settings correctly applied by you) in the galactically IMMENSE v6 address space, where it would be like trying to find a particular grain of sand in the metaphorical Saharan sand storm of the internet - easier than a WG client tunnel to a service you seem to trust), but again, you need to clarify your use case and threat model to find a "best fit" solution for you.

OK, so maybe that's a run-on...paragraph. (sorry)
Hopefully I make some sense and/or give you some things to consider. It's better (in my opinion) to make yourself harder to find than to try and shield yourself from prying eyes...but if you can shield yourself WHILE being harder to find, you've quite probably hit on the ultimate solution.

OpSec and InfoSec (privacy and security) are tough things to get right (and not break - I've tried to do both and probably failed). Make sure you're using the right methods correctly. (this isn't even getting anywhere near firewalling your network - you DO run one of those, yes?) Then there's browser/Search engine choice, and video chat and messaging apps to discuss, not to mention unimpeachable chain of custody for every device in your family/organization...
 

Aikinai

New Around Here
Sorry for the very late response! Just noticed this.
Hope my answers can still be helpful!

Q1) Is there a way to run this without a WARP+ subscription, i.e. with just WARP to begin with.
I'm not sure; I already had Warp+ so I haven't tried without it. You could maybe try signing up and then just ask for a refund if it doesn't work. Or just pay for the one month and cancel. You pay through the App Store, so I think it might be possible to ask Apple for a refund. I have seen a lot of connectivity issues, even on the native app, so there's certainly margin for a refund to be justified.

1) The wgcf is only used to register a device and generate the necessary configs. The wgcf command is not actually used for establishing the tunnel or anything else. Correct?
Yes, it's only for generating configs and it's not involved in everyday operation of the tunnel.

2) The actual tunnel is being made by the WireGuard binaries (Experimental WireGuard for RT-AC86U/AX88U) and it uses the edited /opt/etc/wireguard/wg0.conf for the new settings. Correct ?
Yes, exactly.

3) I understand that by item 5.3 above (highlighted); you mean - Copy the contents of wgcf-profile.conf to /opt/etc/wireguard/wg0.conf
Yes, you can either copy the contents, overwriting everything in the original wg0.conf, or you can copy and overwrite the file itself (i.e. cp wgcf-profile.conf /opt/etc/wireguard/wg0.conf).

4) Can I delete the wgcf-profile.conf or is this used by the WireGuard binaries?
It's not needed anymore and can be deleted. Once you've copied the config into place, wgcf has done its job and you could delete its entire directory if you want.

5) Would you mind posting your 3 files (with all sensitive information masked)
- /opt/etc/wireguard/wg0.conf
- /opt/etc/init.d/S50wireguard
- wgcf-profile.conf
so that I can use these as a reference point.
Sure, I've copied all three with some data (probably more than necessary, but just to be safe without researching) redacted. Attachments don't seem to be working for me, so here they are in spoiler tags:

[Interface]
PrivateKey = [[REDACTED]]
[Peer]
PublicKey = [[REDACTED]]
AllowedIPs = 0.0.0.0/0
Endpoint = engage.cloudflareclient.com:2408
PersistentKeepalive = 25

#!/bin/sh

PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Mode=client   # server or client

# server
export Subnet=   # e.g. 10.50.50.1/24
export wgport=

# client
export LocalIP=[[REDACTED]]   # the IPv4 Address removed from wgcf-profile.conf
Route=default                 # default or policy
export wgdns=1.1.1.1          # the DNS removed from wgcf-profile.conf
export Nipset=wgvpn

# POSIX sh: use a single "=" for string comparison inside [ ].
case $1 in
start)
    logger "Starting WireGuard service."
    if [ "$Mode" = "server" ] ; then
        /opt/etc/wireguard/wg-server
    elif [ "$Mode" = "client" ] && [ "$Route" != "policy" ] ; then
        /opt/etc/wireguard/wg-up
    else
        /opt/etc/wireguard/wg-policy
    fi
    ;;
stop)
    logger "Stopping WireGuard service."
    /opt/etc/wireguard/wg-down
    ;;
restart)
    logger "Restarting WireGuard service."
    /opt/etc/wireguard/wg-down
    sleep 2
    if [ "$Mode" = "server" ] ; then
        /opt/etc/wireguard/wg-server
    elif [ "$Mode" = "client" ] && [ "$Route" != "policy" ] ; then
        /opt/etc/wireguard/wg-up
    else
        /opt/etc/wireguard/wg-policy
    fi
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    ;;
esac

[Interface]
PrivateKey = [[REDACTED]]
Address = [[REDACTED]]
Address = [[REDACTED]]
DNS = 1.1.1.1
MTU = 1280
[Peer]
PublicKey = [[REDACTED]]
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = engage.cloudflareclient.com:2408
 
