Install Cloudflare WARP on any Linux Distro, Thanks to Distrobox!

Currently, Cloudflare WARP can be installed on Ubuntu, Debian, RHEL, and CentOS. See? Not many Linux distros are supported.

Cloudflare WARP is a very popular free VPN. It’s fast because it runs on Cloudflare’s global network over a WireGuard connection, and there’s no limit on bandwidth usage. But it can’t spoof your location, and it will not work very well with torrenting, since it doesn’t support port forwarding.

However, we can set up WARP in a container, a Distrobox container to be specific, then proxy the host’s connections to the container through a SOCKS5 port. This method benefits unsupported systems like Arch or openSUSE, for example. Immutable OSes like Fedora Silverblue and openSUSE MicroOS can also enjoy a WARP connection easily.

Without further ado, let’s see how to set this up. 👉️

1. Install Distrobox

Distrobox is a container manager designed to integrate tightly with the host. Compared to Docker and Podman, it’s a lot easier to use, as most things are set up OOTB. Nevertheless, it still uses Docker or Podman behind the scenes.

To install Distrobox on openSUSE Tumbleweed, for example:

sudo zypper install distrobox

On a very old point-release distro, current Ubuntu LTS for example, you might want to install the latest version of Distrobox using Homebrew: brew install distrobox.

On Tumbleweed, this will pull in Docker automatically.

However, I prefer Podman, so I install Podman with sudo zypper install podman, then in ~/.config/distrobox/distrobox.conf, I tell Distrobox to use Podman instead:

container_manager="podman"

2. Create a Distrobox Container

First, we need to decide which OS image we’ll use for a container. See a list of supported containers here. I recommend the latest version of the official Ubuntu image from Docker Hub. So, I create a container with:

distrobox create -i docker.io/library/ubuntu:latest -n cfw-dbx -H ~/distrobox/cfw-dbx --unshare-netns --additional-packages "systemd libpam-systemd" -I --additional-flags "-p 127.0.0.1:1080:1080"

distrobox create is used to create a Distrobox container. See all options of this command here.

-i is used to specify the image we want to use for the container.

-n is used to specify the container name. In this case, I use cfw-dbx.

-H is used to separate the container’s $HOME from the host’s (I don’t want the container’s config files, which could be temporary, to get mixed up with my system configs). In this case, I specify my host’s ~/distrobox/cfw-dbx to be my container’s $HOME. All the container’s configs will be in this folder.

--unshare-netns is used to give the container its own network namespace, separate from the host’s. So, the container’s network configuration won’t conflict with the host’s.

--additional-packages "systemd libpam-systemd" is used to add the packages required for systemd services in the container.

-I is used to tell Distrobox to create an init container. Basically, this allows the container to have its own systemd services separated from the host, which is required by the WARP client.

--additional-flags "-p 127.0.0.1:1080:1080" is used to add Docker/Podman flags that are not available in Distrobox. In this case, it’s necessary to map the proxy’s SOCKS5 port (1080) on the host to the same port inside the container (we will configure WARP’s proxy to use this port later). The 127.0.0.1 prefix publishes the port on the host’s loopback interface only, so other machines on the network can’t reach the proxy.

After the creation process, enter the container by:

distrobox enter cfw-dbx

You can simply exit from the container by… using exit command inside the container 😂 However, the container will still be running in the background. To stop the container: distrobox stop <container name>.

3. Install Cloudflare WARP client in the Container

You can refer to the official WARP client installation instruction here.

To complete the instruction without any issue, we need to install these packages:

sudo apt install curl lsb-release

4. Enable WARP Service

First, we need to enable the WARP service. Otherwise, we won’t be able to use warp-cli to make any connection at all:

sudo systemctl enable --now warp-svc.service

5. Register the Client

warp-cli registration new

6. Turn On Malware Filtering (optional)

This is completely optional, but it’s good to know that WARP uses 1.1.1.1 as its DNS resolver by default. What I always use is 1.1.1.2, which is the same as 1.1.1.1 plus a malware filter at the DNS level. So, why not? 😎

warp-cli dns families malware

7. Enable Proxy Mode and Config Proxy Port

Since we want to reroute all the host’s internet connections to this container’s WARP tunnel, we need to enable proxy mode and configure the proxy port (SOCKS5 – port 1080).

warp-cli mode proxy
warp-cli proxy port 1080

8. Connect to WARP

warp-cli connect

After that, we’re free to leave the container. It’s a one-time setup. We don’t have to enter this container ever again. Exit the container by running the exit command.

exit

9. Reroute Our Host’s Connection

Find your host’s proxy settings. For example, in GNOME, change your proxy to manual mode, then put in localhost IP (127.0.0.1) and SOCKS5 port (1080) as shown in the screenshots below:

10. Verify WARP Connection

According to this Cloudflare blog post, we can check WARP connection using their trace URL (in our case, from the host’s terminal):

curl https://www.cloudflare.com/cdn-cgi/trace/ | grep warp

If you’ve set up WARP successfully, this should return:

warp=on

You can check on dnscheck.tools that your current IP and DNS resolvers have now changed to Cloudflare’s.
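
A stricter version of this check, added here as an example (it is not part of the original post): it confirms that port 1080 is published on loopback only, then requests the trace URL explicitly through the SOCKS5 proxy. The function names, the sample inputs and the --live switch are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.
# Assumes the port (1080) and bind address (127.0.0.1) used in this guide.

# Constructed sample inputs (not captured from a real system).
SAMPLE_TRACE='ip=203.0.113.7
warp=on
gateway=off'
SAMPLE_SS_OK='LISTEN 0 4096 127.0.0.1:1080 0.0.0.0:*'
SAMPLE_SS_EXPOSED='LISTEN 0 4096 0.0.0.0:1080 0.0.0.0:*'

# Print the value of the warp= key from cdn-cgi/trace text on stdin.
warp_status() {
  awk -F= '$1 == "warp" { print $2; found = 1 }
           END { if (!found) print "unknown" }'
}

# Read `ss -Hltn` output on stdin; succeed only if PORT has a listener
# and every listener on it is bound to a loopback address.
loopback_only() {
  awk -v port="$1" '
    { n = split($4, a, ":"); p = a[n]
      addr = substr($4, 1, length($4) - length(p) - 1) }
    p == port { seen = 1
                if (addr != "127.0.0.1" && addr != "[::1]") bad = 1 }
    END { exit (seen && !bad) ? 0 : 1 }'
}

# Live check, run on the host: listener scope first, then the tunnel itself.
check_warp_proxy() {
  local trace
  ss -Hltn | loopback_only 1080 ||
    { echo "port 1080 is missing or not loopback-only" >&2; return 1; }
  trace=$(curl -fsS --max-time 10 --socks5-hostname 127.0.0.1:1080 \
            https://www.cloudflare.com/cdn-cgi/trace/) ||
    { echo "no reply through the proxy" >&2; return 2; }
  [ "$(printf '%s\n' "$trace" | warp_status)" = "on" ] ||
    { echo "proxy answers but warp is not on" >&2; return 3; }
  echo "warp=on via 127.0.0.1:1080"
}

# Only touch the network when asked to: ./check-warp.sh --live
if [ "${1:-}" = "--live" ]; then check_warp_proxy; fi
```

Passing the proxy to curl explicitly means the result does not depend on whether the terminal inherited the desktop’s proxy settings.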

11. Automatically Connect to WARP on System Startup + Kill Switch

Normally, you can connect to WARP in the container just by entering the container, since we have already enabled the WARP service inside it. And to disconnect from WARP, we can either stop the container or turn off the host’s proxy.

However, if we want to connect to WARP automatically on boot (in fact, after we log in to our user account), it’s just as easy. All we need to do is start the container on boot using a systemd user service.

Here’s the content of a user service file:

[Unit]
Description=Start cfw-dbx container for Cloudflare WARP connection.

[Service]
Type=oneshot
ExecStart=-bash -c "distrobox enter cfw-dbx"
ExecStop=-bash -c "distrobox stop cfw-dbx"
Restart=on-failure
RestartSec=1s
RemainAfterExit=yes

[Install]
WantedBy=default.target

Please change the container name to match your own container. Mine is cfw-dbx.
I wrap the commands in a bash shell, so they can be executed without issues.
I use Restart=on-failure so that I don’t have to pinpoint which services, sockets, etc. must be up before the distrobox enter command can run. The command will simply keep executing until it succeeds. Since this is a user service, it runs when the user logs in to their account. Therefore, it’s not tied to the system’s boot order. Note that I use RestartSec=1s to keep my own service file from spamming restarts. 😂

RemainAfterExit=yes is necessary, since the container needs to keep running for the connection to continue working.
The [Install] section is also necessary. Otherwise, we won’t be able to enable the service.

Save this service file as <container-name>.service (to avoid confusion). For example, in my case, it’s cfw-dbx.service. Then, put the file in ~/.config/systemd/user.

Reload the user service with:

systemctl --user daemon-reload

Enable the service with:

systemctl --user enable cfw-dbx.service

Now, our WARP connection will automatically start on boot, along with the container.

And the kill switch part… If you don’t turn off the system proxy, you can’t connect to the internet at all without the container running 😮 In other words, you can flip-flop between the WARP connection and your normal internet connection using the proxy switch.

Alternatives

Why do I recommend you all to set this up instead of all other alternatives out there?

Well, this method uses the official Ubuntu image as the base for our container. It also uses the official WARP client from Cloudflare. So, you are not compromising your system security by running random images or scripts.

So, I won’t recommend the alternatives.

I hope this helps. If you like this article, please let me know in the comment section below. If you don’t, feel free to tell me why. Thanks for reading, bye 💨

Cover Photo by Pawel Czerwinski on Unsplash
