A containerized WARP client with a gost proxy (ubuntu:22.04 + warp-svc + gost), for using Zero Trust and private networks inside container projects and Kubernetes.

Works with the free, WARP+ and Zero Trust networks.

warp-svc is started in proxy mode only, listening on 41080 inside the container (rootless: no iptables, no systemctl, no NetworkManager, no dbus service).

gost opens socks5:1080, http:1081 and https:1082 and forward-chains all of them to warp-svc at 41080.

It runs with docker, podman or Kubernetes on Linux.

Use PROXY_AUTH to set authentication on the local proxies if needed.
Environment variables:

- WARP_ORG_ID - WARP MDM organization ID. (E.g. deepwn)
- WARP_AUTH_CLIENT_ID - WARP MDM client ID. (E.g. [a-z0-9]{32} with the suffix .access)
- WARP_AUTH_CLIENT_SECRET - WARP MDM client secret. (E.g. [a-z0-9]{64})
- WARP_UNIQUE_CLIENT_ID - WARP MDM unique client ID.
- WARP_LICENSE - WARP MDM license key.
- WARP_LISTEN_PORT - warp-svc listen port. (default: 41080)
- WARP_LISTEN_ADDR - warp-svc listen address. (not supported by the service yet; hardcoded to localhost)
- SOCK_PORT - local socks5 listen port. (default: 1080)
- HTTP_PORT - local http listen port. (default: 1081)
- HTTPS_PORT - local https listen port. (default: 1082)
- PROXY_AUTH - local proxy's authentication. (default: none; E.g. user:password)
Modes:

- free mode is the default when no ID or LICENSE is set; it registers a new account (free network).
- mdm mode is used automatically when WARP_ORG_ID, WARP_AUTH_CLIENT_ID and WARP_AUTH_CLIENT_SECRET are set (Zero Trust network).
- warp+ mode is used automatically when WARP_LICENSE is set (warp+ network).

For a number of reasons it is highly recommended to use mdm mode with WARP_ORG_ID, WARP_AUTH_CLIENT_ID and WARP_AUTH_CLIENT_SECRET set, and to set a proxy policy in the Cloudflare Zero Trust dashboard; or use warp+ mode with WARP_LICENSE set.
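As an added example (not part of warpod's own entrypoint.sh), the following shell functions show the two pieces of logic the sections above describe: picking the mode from the environment variables with the documented precedence (mdm, then warp+, then free), and rendering a gost configuration in which the socks5/http/https listeners all chain to warp-svc's local SOCKS5 port, with PROXY_AUTH applied to every listener. The YAML layout assumes gost v3's schema (services with handler/listener, chains with hops and nodes); the function and variable names are my own.

```shell
#!/usr/bin/env sh
# Added example, not the warpod project's code. Assumes gost v3 YAML schema.

# Mode precedence as documented: MDM credentials win, then a WARP+ license,
# otherwise a free account is registered.
warp_mode() {
  if [ -n "${WARP_ORG_ID:-}" ] && [ -n "${WARP_AUTH_CLIENT_ID:-}" ] \
     && [ -n "${WARP_AUTH_CLIENT_SECRET:-}" ]; then
    echo mdm
  elif [ -n "${WARP_LICENSE:-}" ]; then
    echo warp+
  else
    echo free
  fi
}

# Emit one gost service entry. Args: name, handler type, listener type, port.
# An https proxy in gost v3 is the http handler on a tls listener (assumed).
# PROXY_AUTH (user:password) adds authentication to the handler; the value
# is assumed not to contain double quotes.
gost_service() {
  local name="$1" handler="$2" listener="$3" port="$4"
  printf '  - name: %s\n    addr: ":%s"\n    handler:\n      type: %s\n      chain: warp\n' \
    "$name" "$port" "$handler"
  if [ -n "${PROXY_AUTH:-}" ]; then
    printf '      auth:\n        username: "%s"\n        password: "%s"\n' \
      "${PROXY_AUTH%%:*}" "${PROXY_AUTH#*:}"
  fi
  printf '    listener:\n      type: %s\n' "$listener"
}

# Render the whole gost config to stdout using the documented defaults:
# socks5:1080, http:1081, https:1082, all chained to warp-svc at 41080.
gost_config() {
  local warp_port="${WARP_LISTEN_PORT:-41080}"
  echo "services:"
  gost_service socks5 socks5 tcp "${SOCK_PORT:-1080}"
  gost_service http   http   tcp "${HTTP_PORT:-1081}"
  gost_service https  http   tls "${HTTPS_PORT:-1082}"
  cat <<EOF
chains:
  - name: warp
    hops:
      - name: warp-hop
        nodes:
          - name: warp-svc
            addr: "127.0.0.1:${warp_port}"
            connector:
              type: socks5
            dialer:
              type: tcp
EOF
}

# Usage: `sh this.sh mode` prints the selected mode, `sh this.sh render`
# prints the gost config (e.g. redirect it to gost.yaml).
case "${1:-}" in
  mode)   warp_mode ;;
  render) gost_config ;;
esac
```

Because the chain is attached to each listener's handler, a client that talks to gost on 1080/1081/1082 never reaches the host's network directly: every connection is handed to warp-svc at 127.0.0.1:41080, which is what keeps the container's egress inside the Zero Trust policy.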
If you need to add another organization in mdm mode, or to write more custom settings, you can modify this example file by adding a <dict> part (see the Cloudflare MDM deployment document and the Cloudflare MDM parameters document). But so as not to break the entrypoint.sh flow, please do NOT change this part:
```xml
<array>
  <!-- don't modify this part -->
  <dict>
    <key>organization</key>
    <string>ORGANIZATION</string>
    <key>display_name</key>
    <string>ORGANIZATION</string>
    <key>auth_client_id</key>
    <string>AUTH_CLIENT_ID</string>
    <key>auth_client_secret</key>
    <string>AUTH_CLIENT_SECRET</string>
    <key>unique_client_id</key>
    <string>UNIQUE_CLIENT_ID</string>
    <key>onboarding</key>
    <false />
  </dict>
  <!-- add your custom part down here -->
</array>
```

Zero Trust dashboard setup:

- Go to the Cloudflare Zero Trust dashboard.
- Create your org team with a name in the character range [a-zA-Z0-9-], and remember your ORGANIZATION (set the org name in ./secrets).
- Create a service token under Access -> Service Authentication -> Service Token and get AUTH_CLIENT_ID and AUTH_CLIENT_SECRET from the dashboard (set them in ./secrets).
- Go to Settings -> Warp Client -> Device settings and add a new policy (E.g. named "mdmPolicy").
- In the policy config page, add a rule with the expression email is non_identity@[your_org_name].cloudflareaccess.com (or filter by device uuid).
- Go down to Service mode and set proxy mode with port 41080. Proxy mode must be set in the policy because the MDM parameters do not accept the Proxy-only service mode; it has to be configured in Zero Trust.
- Modify other settings if you want.
- Then save it.
Run `docker pull ghcr.io/deepwn/warpod:latest`, then follow the environment variables above to run it.

For testing, set WARP_ORG_ID, WARP_AUTH_CLIENT_ID and WARP_AUTH_CLIENT_SECRET in your environment and pass them through to the container (the `warpod` network must exist, e.g. via `docker network create warpod`):

```shell
docker run -d --name warpod --hostname warpod --network warpod \
  -e WARP_ORG_ID="$WARP_ORG_ID" \
  -e WARP_AUTH_CLIENT_ID="$WARP_AUTH_CLIENT_ID" \
  -e WARP_AUTH_CLIENT_SECRET="$WARP_AUTH_CLIENT_SECRET" \
  -p 1080-1082:1080-1082 \
  ghcr.io/deepwn/warpod:latest
```

But you'd better use `docker secret create` to set them in production.
Script: autorun.sh requires the curl, wget and jq commands, and a container runtime (docker or podman).

To fully auto-build the image with docker or podman, just run:

```shell
./autorun.sh -q   # quiet mode, only build the image
```

Or you can download gost.tar.gz from another source first; but be careful to choose the linux_amd64 build, matching the Dockerfile's ubuntu:22.04 base image.

Use -h to see more help, and -r to run the container after the build.
```
./autorun.sh -h
Usage: ./autorun.sh [options]
Options:
  -h, --help      Print this help message
  -c, --command   Set container runtime command (default: auto select from docker or podman)
  -t, --tag       Set image tag for warp image (default: warpod:latest)
  -g, --gost      Download gost binary from specified url (default: from github)
  -r, --run       Run warpod container after build. it will force renew network and container (default: false)
  -q, --quiet     Quiet mode (only build image, no input required, and force skip -r option)
Additional:
  (If need run after build. you can add more options)
  -n, --hostname  Set hostname and container name (it will register to Zero Trust's Device ID)
  -p, --ports     Set ports expose (e.g.: -p 1080-1082:1080-1082, to expose to host server)
  -e, --envs      Set ENV for container (e.g.: -e WARP_LISTEN_PORT=41080 SOME_ENV=VALUE ...)
Example (run after build):
  ./autorun.sh -t beta-1 -c podman -r -n warpod-beta -p 2080-2082:1080-1082 -e WARP_LISTEN_PORT=21080 --secret WARP_LICENSE=LICENSE
```
Test run with podman on Rocky Linux 8.9:

```shell
# build a test image
./autorun.sh -q >/dev/null 2>&1
# Or download from ghcr.io
# podman pull ghcr.io/deepwn/warpod:latest

# check image
podman image ls
REPOSITORY        TAG     IMAGE ID      CREATED       SIZE
localhost/warpod  latest  91f2fb3774ab  1 second ago  642 MB

# use env just for test; you can set it in ./secrets
export WARP_ORG_ID=deepwn
export WARP_AUTH_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxx.access
export WARP_AUTH_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# pass the exported values through to the container
podman run -d --name warpod --hostname warpod --network warpod \
  -e WARP_ORG_ID="$WARP_ORG_ID" \
  -e WARP_AUTH_CLIENT_ID="$WARP_AUTH_CLIENT_ID" \
  -e WARP_AUTH_CLIENT_SECRET="$WARP_AUTH_CLIENT_SECRET" \
  -p 1080-1082:1080-1082 \
  warpod:latest

# test inside the container for warp
podman exec -it warpod curl -x socks5://127.0.0.1:41080 http://cloudflare.com/cdn-cgi/trace
# test outside the container for gost
curl -x socks5://127.0.0.1:1080 http://ip-api.com/json
```
And you can see output like this:

```
[+] Starting dbus...
[+] Bypassing warp's TOS...
[+] Starting warp-svc...
[+] Registering mdm save to: /var/lib/cloudflare-warp/mdm.xml
[+] you should set policy from Zero Trust dashboard.
    documents: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/
[!] Careful: New service modes such as Proxy only are not supported as a value and must be configured in Zero Trust.
    (https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/#service_mode)
[+] Set warp mode to proxy ... Success
[+] Set proxy listen to 41080 ... Success
[+] Turn ON warp ... Success
[+] Waiting for warp to connect...
[+] warp connected!
gost config generated: /var/lib/cloudflare-warp/gost.yaml
[+] All services started!
---
warp-svc config: /var/lib/cloudflare-warp/conf.json
gost config: /var/lib/cloudflare-warp/gost.yaml
---
[+] warp status: Status update: Connected
[+] You can check it with warp local proxy in container:
    Or use gost proxy at 1080, 1081, 1082 with auth if set
    E.g.:
    curl -x socks5://127.0.0.1:41080 https://cloudflare.com/cdn-cgi/trace (inside container)
    curl -x http://<auth:pass>@<container_ip>:<gost_port> https://ip-api.com/json (outside container)
```
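The curl checks above only prove that the proxy answers; they do not by themselves prove that the request left through WARP rather than straight out of the host. As an added example (not part of the warpod project), the functions below parse the key=value body that https://cloudflare.com/cdn-cgi/trace returns and treat the run as healthy only when its warp= field reports on (free or Zero Trust account) or plus (WARP+); warp=off means the proxy reached Cloudflare directly, which is exactly the failure a Zero Trust deployment must catch. The function names and the sample bodies are mine; the sample bodies are constructed, not captured from a real run.

```shell
#!/usr/bin/env sh
# Added example, not the warpod project's code.

# $1 = trace body. Prints the warp mode and returns 0 when traffic went
# through WARP (warp=on or warp=plus); returns 1 for warp=off and 2 when
# the body has no warp= field at all (proxy down, wrong port, HTML error page).
trace_warp_ok() {
  warp=$(printf '%s\n' "$1" | sed -n 's/^warp=//p' | head -n 1)
  case "$warp" in
    on|plus) echo "$warp"; return 0 ;;
    off)     echo "warp=off: the proxy reached Cloudflare directly" >&2; return 1 ;;
    *)       echo "no warp= field in trace output (is the proxy up?)" >&2; return 2 ;;
  esac
}

# $1 = proxy URL as curl expects it, e.g. socks5://127.0.0.1:1080 or
# http://user:password@127.0.0.1:1081 when PROXY_AUTH is set.
# Returns 3 when the proxy cannot be reached at all.
check_proxy() {
  body=$(curl -sS --max-time 10 -x "$1" https://cloudflare.com/cdn-cgi/trace) || return 3
  trace_warp_ok "$body"
}

# Constructed sample bodies for offline use (field names follow the trace
# endpoint's format; the values are made up).
SAMPLE_ON='fl=12f34
h=cloudflare.com
ip=203.0.113.7
ts=1700000000.000
visit_scheme=https
warp=on
gateway=on'

SAMPLE_OFF='h=cloudflare.com
ip=198.51.100.2
warp=off'

# Usage against a running container, e.g. as a liveness/readiness check:
#   check_proxy socks5://127.0.0.1:1080 && echo "egress via WARP"
case "${1:-}" in
  socks5://*|http://*|https://*) check_proxy "$1" ;;
esac
```

Distinguishing return codes 1, 2 and 3 matters operationally: 3 and 2 are availability problems (restart the container), whereas 1 means the proxy is up but the Zero Trust policy is not applied, which should page someone rather than be retried.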
Tip

You can use `ADD sources.list /etc/apt/sources.list` in the Dockerfile if you need an apt source mirror, e.g. one under *.edu.cn.

You can also download another version of gost.tar.gz yourself and put it in the same directory as the Dockerfile.

Finally, you can modify entrypoint.sh to add more gost listen ports or arguments, for example a local DNS server or a local network proxy.