How To Use Cloudflare’s Warp+ VPN On Ubuntu Linux

Garikai Dzoma Avatar

I have a confession to make, I haven’t booted into Windows for over a year now. There is another confession I have to make: that is not at all unusual for me. For the past ten or so years, I have used Ubuntu Linux as my primary operating system.

These days I don’t even dual boot any more thanks to the cloud-the entire drive is a Btrfs. Everything I need either runs directly on Ubuntu or requires a bit of magic to have it working. Fortunately, I love doing magic. The latest trick I had to perform was finding a way to make Cloudflare Warp+ VPN to work on Ubuntu.

Cloudflare almighty

Cloudflare is one of those companies that everyone uses but few know about. Unlike Google that is always in everyone’s face, Cloudflare is more of a shadow entity, hiding behind the clouds and churning away to make sure everything works smoothly. At least that’s how it was until they launched their Warp and Warp+ services last year.

If you must know, Cloudflare is an infrastructure company that has traditionally provided Web Application Firewall services, CDN services (i.e. they make websites faster), DDoS protection and free SSL certificates among a host of other enterprise services that are loved by a lot of businesses. They are so popular to the extent that almost every internet access provider including, Liquid Telecoms which provides most of Zimbabwe’s internet, has direct peering with them.

The company recently leveraged this to create two customer tailored products called:

  • Warp – an encrypted public DNS service that uses easy to remember IP addresses:
    • 1.1.1.1 (fun fact, this IP address was not routed in Zimbabwe)
    • 1.0.0.1
    • 2606:4700:4700::1111
    • 2606:4700:4700::1001
    • The service also comes with apps that makes it easy to change DNS server addresses on Android, Windows and MacOS
  • Warp+ VPN-a bona fide VPN that comes with low-latency and 10GB of free VPN data

NB Warp+ VPN is not like DroidVPN which supposedly provides you with free internet. This service only works when you have actual data/connectivity on your device.

Why Warp+ VPN is awesome?

Remember the fact that almost every service provider has a fat pipe that connects directly into Cloudflare? Well, it’s not just that, in addition, Cloudflare has got multiple data centres across the world and over 16 in Africa. No one even comes close to this. They make use of Anycast technology to give very low latency.

So when you connect to Warp+ you are connected to the closest server resulting in very low latency. No other VPN service provider I know, including Nord, Express VPN and others comes even close to matching their figures. If that’s not enough to convince you here is what will: because a lot of sites use Cloudflare, most of your connections will probably be to another node in the same data centre!

Then there is the fact that the service comes with free IPV6 support. Although ZOL supports IPV6, other providers don’t. TelOne, Econet, NetOne and Telecel shamelessly implement CGNAT in this day and age! Worse they don’t even look like they are in a hurry to change that either. If you are a nerd like me, you probably hate double-NAT.

NB: VPN technically double or tripple NAT will still be happening even after you connect through VPN but your apps won’t mind.

So how can you do it on Ubuntu?

Using Warp+ VPN on Android, MacOS and Windows is easy. There are apps for that with the Windows app being in beta. Cloudflare has promised Linux apps but as always it seems like Linux is not a priority. We don’t mind this at all, in Linux there is almost always a way to do something.

Sadly the internet is replete with useless guides on how to use Warp+ on Linux based operating systems. Here we will share a working guide. We will assume you have a computer running Ubuntu 20.04 LTS.

  • First of all, install Wireguard (this is an awesome piece of VPN tech but that’s a story for another day). Open a terminal and run these commands.
    • sudo apt update
    • sudo apt install wireguard
    • Test to see if wireguard is installed properly by running wg-quick
  • Go to this repository on Github and familiarise yourself with the utility we are going to use called wgcf that is Wireguard Cloudflare
  • Go to the repository’s precompiled releases page https://github.com/ViRb3/wgcf/releases
  • Choose a binary that matches your system. For most people that is probably going to be the Linux amd64 binary but if you use an Arm processor download the Arm version
  • I will assume you have downloaded the Linux AMD64 binary which is currently wgcf_2.1.4_linux_amd64
  • Open the terminal and go to the downloads folder:
    • cd ~/Downloads
  • Make a new directory:
    • mkdir cloudflare
  • Move the binary into the cloudflare folder and make it executable
    • mv wgcf_2.1.4_linux_amd64 ./cloudflare/wgcf
    • cd ./cloudflare
    • chmod +x wgcf
  • Create a Warp+ account:
    • ./wgcf register
    • Press enter to accept Cloudflare’s Terms and conditions. Make sure to familiarise yourself with these.
  • Now generate a wireguard configuration file
    • ./wgcf generate
  • When all this is done you should have two newly created files in this folder. The one we need for the next step is called wgcf-profile.conf
  • Copy that file into the wireguard configuration folder:
    • sudo cp wgcf-profile.conf /etc/wireguard/

That completes the configuration part of this tutorial. Now to test and make sure your connection is working. Open a browser and check your IP. Note it down. If you are using Telecel, Econet, NetOne and TelOne you can also test by trying to visit https://ipv6.google.com. At this stage, the connection should fail.

Now go back to the terminal and bring up the connection:

  • sudo wg-quick up wgcf-profile you should see a series of commands executing in your terminal with the last one being probably [#] iptables-restore -n. You should now be connected via VPN. Those without IPV6 should now have it and checking your IP in your browser should show something different. Visiting https://ipv6.google.com should show you the Google Search page.

NB Sadly while IPV6 works, Cloudflare doesn’t give you a real routable address which is a shame. ZOL gives you an entire /64 block to play around with.

To disconnect from VPN open the terminal and run sudo wg-quick down wgcf-profile. That’s it.

5 comments

What’s your take?

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  1. Keith

    Shamelessly implemented CGNAT…

    To be fair – CGNAT is the Only realistic way to work around IPv4 Exhaustion. Referring to it as a shameful act – without taking into account the bigger picture – of the world running out of V4 addresssed

    1. Garikai Dzoma

      It has been decades since qot.IPV6 and most operators are leaving it a little like Brexit. Most simply it off.

      1. Keith

        Even with V6 addressing, large portions of the internet run on V4 Only. One of the most critical services – email, is even further lagging behind.

        V6 is the solution, but there’s no way to drop & chop to V6-Only. CG-NAT, for many providers is the only way they can continue to provide service to their customers.

        And to be fair, CG-NAT when done properly works pretty damn well. Your main issues are with consoles – PS4/XBOX, however there are workarounds to make these work better in CG-NAT environments.

        Considering majority of customers generally maintain less than 100 active tcp/udp sessions at any one point, the allocation of a unique public IPv4 address per customer – is kind of wasteful 🙂

  2. Mr.Gk

    I got this error
    sudo: wg-quick: command not found

    1. Mr.Gk

      I forgot to install wireguard lol.

2023 © Techzim All rights reserved. Hosted By Cloud Unboxed