This guide outlines the process of installing and configuring the Cloudflare WARP client on Ubuntu 22.04. The steps are largely similar for Debian 12, with minor differences for CentOS and Red Hat Enterprise Linux.
Key Steps and Issues Covered:#
1. Downloading the Client#
- Search for “download client WARP for Linux.”
- Crucially, select the business/enterprise documentation, NOT the consumer documentation.
2. Terminal Commands for Installation#
The entire installation process is performed via the command line.
Install
curl(if not already present):sudo apt install curlThis package is necessary for downloading the repository key.
Download the repository key and add the repository: (Specific commands will be provided in the Cloudflare documentation. Example placeholders below for illustration)
curl -fsSL [https://pkg.cloudflareclient.com/pubkey.gpg](https://pkg.cloudflareclient.com/pubkey.gpg) | sudo gpg --dearmor -o /usr/share/keyrings/cloudflare-warp.gpg echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp.gpg] [https://pkg.cloudflareclient.com/](https://pkg.cloudflareclient.com/) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-warp.list > /dev/nullUpdate package lists:
sudo apt updateInstall the Cloudflare WARP client:
sudo apt install cloudflare-warp
3. Manual Device Enrollment#
As of June 23, 2023, automatic certificate deployment does not function, necessitating manual steps.
Enroll your team:
warp-cli teams enroll [your-team-name](The speaker used “sky-flash” as their team name.)
Handle browser authentication issues:
- The browser window launched by the
warp-cli teams enrollcommand typically fails to authenticate. - Copy the URL from the failed browser attempt and paste it into a working browser to authenticate.
- After successful authentication (using email and a 2FA code), the browser will again attempt to open the client, which will also fail.
- The browser window launched by the
Retrieve and use the authentication token:
- View the page source of the failed browser redirection page.
- Copy a specific token from the HTML tag. This token typically starts from “com.cloudflare.op” and extends to the end of the token, excluding the final double quote.
- Run the enrollment command with the copied token:
warp-cli teams enroll --token <copied-token>
4. SSL Certificate Installation#
Attempting to access a protected application (e.g., pgadmin.skyflash.co) will initially result in an SSL certificate error. The required certificate (managed-warp.pem) is on the machine but needs to be correctly placed and configured.
Navigate to the certificate directory:
cd /usr/local/share/ca-certificatesRename the certificate file:
sudo mv managed-warp.pem managed-warp.crtCopy the certificate to the system-wide certificate store:
sudo cp managed-warp.crt /usr/share/ca-certificates/Reconfigure CA certificates:
sudo dpkg-reconfigure ca-certificatesDuring this process, select
managed-warp.crtto trust the certificate.
5. Firefox Configuration#
Even after system-wide certificate installation, Firefox requires manual configuration due to its independent certificate store.
- Open Firefox settings: Go to
Preferences>Privacy & Security>Certificates>View Certificates. - Import the certificate:
- Under the “Authorities” tab, the Cloudflare certificate will not be present.
- Click “Import.”
- Navigate to
/usr/share/ca-certificates. - Select
managed-warp.crt. - Choose to trust it to “identify websites.”
6. Verification#
After successfully connecting the WARP client, the protected application should now be accessible. The speaker noted that Chrome’s behavior with these certificates was not tested during this demonstration.