At home, I have multiple IoT networks for devices like Google Homes, smart plugs, etc. that I (1) want to be isolated from everything else and (2) don't want to have my public IP address. For years now I've had a custom Linux box running PIA, and while I still use it for other devices, I wanted to try something new with lower latency and higher bandwidth.
Cloudflare has a product called WARP for phones and tablets that routes internet and DNS traffic through their massive network to increase privacy and security while browsing. After some research, I found out that it is available for Linux as well. It ended up not taking much time at all to set up a DHCP server and iptables rules to route traffic through CloudflareWARP on Linux.
Since Cloudflare has a great guide here, I'm not going to go into too much detail about how to install it, but basically you add their repo, install it through apt, and with a couple of commands you're ready to go.
A few notes about my install of WARP. I ran:
warp-cli set-families-mode off
warp-cli enable-always-on
and that seems to work 100% of the time so far, which is great.
Now that CloudflareWARP is installed, I decided to configure Netplan. The config I ended up with is below. If you decide to copy this config, make sure to change the interface names and MAC addresses to the correct ones that match your NICs. In my case, enp1s0 was the “WAN” interface. Interfaces enp7s0 and enp8s0 are the “LAN” interfaces. Technically the macaddress tag is optional, but I added it to ensure that my Netplan config still works after reboots and Ubuntu updates, since interface names can change.
An important part of this config is that you specify the network for each “LAN” interface in CIDR notation; it will be needed later when we configure isc-dhcp-server. Note: you can find the interface names and MAC addresses of your interfaces by running ip a
# /etc/netplan/00-installer-config.yaml
# This is the network config written by 'subiquity'
network:
  ethernets:
    enp1s0:
      dhcp4: true
      match:
        macaddress: 52:54:00:00:7c:25
    enp7s0:
      dhcp4: false
      addresses: [10.51.111.1/24]
      match:
        macaddress: 52:54:00:7b:19:98
      optional: true
    enp8s0:
      dhcp4: false
      addresses: [10.51.101.1/24]
      match:
        macaddress: 52:54:00:77:c4:08
      optional: true
  version: 2
Before configuring any routing, I configured the DHCP server. To do this, run sudo apt install isc-dhcp-server.
Once it's installed, there are two config files you need to modify. The first, /etc/default/isc-dhcp-server, tells the DHCP server which interfaces to listen on. The second, /etc/dhcp/dhcpd.conf, is the configuration of the DHCP server itself.
In the isc-dhcp-server file, find the line that says INTERFACESv4="" and add your interface names inside the quotes. My config looks like this: INTERFACESv4="enp7s0 enp8s0". Note: don't add commas between the interfaces.
I'd recommend deleting the old dhcpd.conf (or moving it) before setting up the new one, as the result will be easier to read. You can do this by running sudo mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.backup and then sudo nano /etc/dhcp/dhcpd.conf to set up the new one.
Once you open the new configuration file, you can paste the following in and modify it to fit your needs.
# Set the search domain and DNS servers given out by the DHCP server.
option domain-name "cf.local";
option domain-name-servers 1.1.1.1, 1.0.0.1;
# Other DHCP settings
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;
# Network 1 config
subnet 10.51.111.0 netmask 255.255.255.0 {
  range 10.51.111.10 10.51.111.230;
  option routers 10.51.111.1;
}
# Network 2 config
subnet 10.51.101.0 netmask 255.255.255.0 {
  range 10.51.101.10 10.51.101.230;
  option routers 10.51.101.1;
}
To configure this file, it's best to read the commented sections before each part of the config. Note: for the DHCP server to work, you'll need to use the same network settings as in the Netplan file. The lease range within the network doesn't matter, but the subnet and netmask do. For the “option routers” part, specify the IP address you gave the interface in the Netplan file.
Here are a few helpful commands to debug isc-dhcp-server. If you're having issues, it's best to look up its documentation. Also, make sure you run the restart command after setting up the configuration files. You might also have to reboot your Linux computer.
View the status of the DHCP server: sudo systemctl status isc-dhcp-server
Restart the DHCP server: sudo systemctl restart isc-dhcp-server
Now that CloudflareWARP is installed and isc-dhcp-server is configured, we can proceed to the routing script.
In my home directory, I ran mkdir cloudflare-warp && cd cloudflare-warp and then nano route.sh to create the script that configures the routing tables. Note: don't run this script until you finish this “Setting up the routing” part of the guide. Here are the contents of my route.sh file:
/usr/sbin/iptables --table nat --append POSTROUTING --out-interface CloudflareWARP -j MASQUERADE
/usr/sbin/iptables --append FORWARD --in-interface enp7s0 -j ACCEPT
/usr/sbin/iptables --append FORWARD --in-interface enp8s0 -j ACCEPT
Note: change the interfaces (enp7s0 and enp8s0) in lines 2-3 to match yours. You also do not need line 3 if you are only creating one network.
After saving route.sh, run sudo chmod +x route.sh to make the script executable by root (for when we configure Crontab to run it on boot).
Now that you're done setting up route.sh, you can enable IPv4 forwarding. Run sudo nano /etc/sysctl.conf and uncomment the line that enables IPv4 forwarding (net.ipv4.ip_forward=1). After saving that, run sudo sysctl -p to apply it.
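The three-line script above forwards anything arriving on the IoT interfaces no matter where it is headed, so nothing in that ruleset stops the kernel from forwarding IoT traffic out enp1s0 if the CloudflareWARP tunnel is down, or from one IoT network into the other. The following hardened variant of route.sh is an added example, not the post's own script: it sets the FORWARD policy to DROP, only lets IoT traffic out through CloudflareWARP, admits return traffic by connection state, and logs attempts to leave via the WAN interface. Interface names are the ones used in this guide; the DRY_RUN switch and the apply argument are assumptions of this example.

```shell
#!/bin/bash
# Hardened route.sh (added example, not the original post's script). Compared
# with the three-line version above: FORWARD policy is DROP, so IoT traffic that
# cannot leave via the WARP tunnel is dropped rather than forwarded out the WAN
# interface; IoT interfaces may only forward towards CloudflareWARP, so the two
# IoT networks cannot reach each other or the WAN-side LAN; return traffic is
# admitted by conntrack state. Meant to run once at boot, as the guide's crontab
# entry does (rerunning appends duplicate rules). Interface names follow the guide.
set -eu

WAN_IF="enp1s0"            # upstream interface; IoT traffic must never exit here
WARP_IF="CloudflareWARP"   # tunnel interface created by warp-cli
IOT_IFS="enp7s0 enp8s0"    # isolated LAN interfaces served by isc-dhcp-server
IPT="${IPT:-/usr/sbin/iptables}"

# run: execute the command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# apply_rules: install the complete ruleset.
apply_rules() {
    run "$IPT" -P FORWARD DROP
    # NAT only what actually leaves through the WARP tunnel.
    run "$IPT" -t nat -A POSTROUTING -o "$WARP_IF" -j MASQUERADE
    # Replies to connections the IoT devices opened themselves.
    run "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for iot in $IOT_IFS; do
        # IoT -> WARP only; anything else falls through to the DROP policy.
        run "$IPT" -A FORWARD -i "$iot" -o "$WARP_IF" -j ACCEPT
        # Log (rate-limited) attempts to exit via the WAN, e.g. while the tunnel is down.
        run "$IPT" -A FORWARD -i "$iot" -o "$WAN_IF" -m limit --limit 6/min \
            -j LOG --log-prefix "iot-leak-blocked: "
    done
}

# Without an argument the script only prints the commands; `sudo bash route.sh apply` installs them.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    DRY_RUN=1 apply_rules
fi
```

With this version the crontab entry needs the apply argument, i.e. bash /home/beamnetworks/cloudflare-warp/route.sh apply; blocked exits show up in the kernel log with the iot-leak-blocked: prefix.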
Once everything else is done, you can set up Crontab to configure your CloudflareWARP routing automatically on boot. Run sudo crontab -e to get started. (If it's your first time running Crontab and it asks which text editor to use, I'd recommend nano.) My Crontab entry is shown below. Basically it says that at reboot (or boot), it will sleep (wait) 2 seconds and then run the route.sh script. To find the directory your script is in, go to your cloudflare-warp folder and run pwd. That will show you the path; add route.sh to the end of it when you put it in Crontab.
# crontab -e
@reboot sleep 2s && bash /home/beamnetworks/cloudflare-warp/route.sh
To test all this, I'd recommend rebooting your Linux computer by running sudo reboot. That way Crontab has a chance to run and set up your routes, and CloudflareWARP has a chance to start on boot as well.
It's pretty simple to get this set up, and for me at least it's working great: I'm getting over 150 Mbps through CloudflareWARP in this setup, which is great for my IoT networks.