Serious Discussion Cloudflare Gateway Free Plan

I wonder if it's safe to use the "+" email trick for Zero Trust WARP, i.e., the same email and the + trick for separate profiles for devices.
 
I'm actually trying to find a way to block the WARP app for users of my router's Guest Wi-Fi. Basically, want to block it for everyone but me. But it seems to be simply impossible with any DNS providers to block WARP, at least impossible to block the phone's 1.1.1.1 app.
Zero Trust permanently whitelists some Cloudflare WARP domains by default which cannot be blocked. So, blocking it via ZeroTrust is out of the question. But even with other DNS providers I cannot freaking block WARP. Even if I block all the IPs required by WARP in my router's firewall, it still finds a way to connect 😡
My ISP's router is basic, which doesn't allow much. I have YogaDNS and WARP installed. I used YogaDNS with a Cloudflare "Location" and blocked the following domains for that location in Cloudflare. The internet didn't work when I connected to Gateway with DoH, and Gateway with WARP failed to connect.

cloudflareclient.com
pkg.cloudflareclient.com
warp.cloudflare.com
 
My ISP's router is basic, which doesn't allow much. I have YogaDNS and WARP installed. I used YogaDNS with a Cloudflare "Location" and blocked the following domains for that location in Cloudflare. The internet didn't work when I connected to Gateway with DoH, and Gateway with WARP failed to connect.

cloudflareclient.com
pkg.cloudflareclient.com
warp.cloudflare.com
Blocking ZeroTrust is simple. Only blocking cloudflareclient.com at DNS level is enough, I think. But the default WARP without any account or Zero Trust doesn't get blocked no matter what I have tried so far. Even when I blocked UDP port 443 which is used by the MASQUE protocol, the Android 1.1.1.1 app successfully connects and even shows that it's using MASQUE. But if I don't connect to WARP, no sites can use QUIC. They fall back to using HTTP/2. So it means, my firewall rule is working as intended but somehow the WARP app can tunnel the traffic in some alternative way.
 
Oh btw, I have made some non-critical updates to the update_gateway script.
The section of the code where Hagezi filters URLs and configuration resides has been moved near the start of the code and the empty list deleting logic has been improved. Previously, a list that has been emptied after patching would not delete sometimes.
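An added example, not the thread's update_gateway script: the patch-or-delete planning step the post describes, where a list that the new filter set would empty is deleted instead of being patched down to zero items. The Cloudflare Gateway list semantics used here (per-list append/remove patches, whole-list deletion, a per-list item cap) and the list ids and domains are assumptions and constructed sample data.

```python
from dataclasses import dataclass, field

LIST_CAPACITY = 1000  # assumed per-list item cap used for chunking


@dataclass
class GatewayList:
    list_id: str   # constructed id, not a real Cloudflare list id
    items: set


@dataclass
class Plan:
    patch: dict = field(default_factory=dict)   # list_id -> {"append": [...], "remove": [...]}
    delete: list = field(default_factory=list)  # lists the patch would leave empty
    create: list = field(default_factory=list)  # chunks of domains that need new lists


def plan_update(existing, desired, capacity=LIST_CAPACITY):
    """Work out how to move the current lists to the freshly built filter set."""
    wanted = set(desired)
    # Domains already held by some list are never appended a second time.
    held = set().union(*(gl.items for gl in existing))
    unplaced = wanted - held
    plan = Plan()
    for gl in existing:
        keep = gl.items & wanted
        remove = sorted(gl.items - wanted)
        # Top existing lists up with new domains before creating extra ones.
        room = capacity - len(keep)
        append = sorted(unplaced)[:max(room, 0)]
        unplaced -= set(append)
        if len(keep) + len(append) == 0:
            # A patch that removes every item leaves an empty list behind;
            # delete the list outright so it cannot linger.
            plan.delete.append(gl.list_id)
        elif append or remove:
            plan.patch[gl.list_id] = {"append": append, "remove": remove}
    rest = sorted(unplaced)
    plan.create = [rest[i:i + capacity] for i in range(0, len(rest), capacity)]
    return plan


if __name__ == "__main__":
    # Constructed sample: two lists, a new set that drops two domains and adds two.
    current = [
        GatewayList("list-a", {"ads.example", "track.example", "old.example"}),
        GatewayList("list-b", {"gone.example"}),
    ]
    fresh = ["ads.example", "track.example", "new1.example", "new2.example"]
    print(plan_update(current, fresh, capacity=4))  # list-b ends up in delete
```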
 
Redirection, in the sense... AdGuard's feature redirects the DoH traffic to the selected DNS within the app, which means the selected DNS resolves the traffic.

Yes.
In my settings (NextDNS in web browser + Gateway with WARP) Zero Trust does not log domains of websites from the web browser.
AdGuard application does this.
 
Of course, WARP can be configured not to redirect traffic to Cloudflare. Instead of using "Gateway with WARP" one can use "Gateway with DOH". However, in both cases, the web browser's DNS settings can bypass Zero Trust. In the second case, the user's IP is not hidden.

 
Oh btw, I have made some non-critical updates to the update_gateway script.
The section of the code where Hagezi filters URLs and configuration resides has been moved near the start of the code and the empty list deleting logic has been improved. Previously, a list that has been emptied after patching would not delete sometimes.
Can I just update update_gateway.py or do I need to delete already created lists as well?
 
Can I just update update_gateway.yml or do I need to delete already created lists as well?
Just update. Deleting lists is not required.
Filtering on domain name containing country codes does work, but geo location filtering (resolved IP country code) does not seem to work in the free plan.
Anyone else tried it?
It worked when I tested. But I think I saw you using both the source country and resolved country IP Geolocation selectors. If you did, then don't use the source country IP. Source is your location, so it is not what you're looking to block. Only use the resolved IP country geolocation selector in your policy.
 
Just update. Deleting lists is not required.

It worked when I tested. But I think I saw you using both the source country and resolved country IP Geolocation selectors. If you did, then don't use the source country IP. Source is your location, so it is not what you're looking to block. Only use the resolved IP country geolocation selector in your policy.
It was an OR relation you saw previously, but after reading the documentation I changed it to resolved and did not work either (for me).
 
It was an OR relation you saw previously, but after reading the documentation I changed it to resolved and did not work either (for me).
In the query log, it should show short country code beside the resolved IP. If it matches the country you're blocking, then it should've been blocked 🤔. However, not all sites resolve by the country of their origin due to the use of CDNs and other factors. So it's not going to be very reliable anyway. The IP address of MalwareTips forum itself is a good example of that.
 
I wonder if it's safe to use the "+" email trick for Zero Trust WARP, i.e., the same email and the + trick for separate profiles for devices.
I tried, and the "+" trick didn't work; I didn't receive the code.

Blocking ZeroTrust is simple. Only blocking cloudflareclient.com at DNS level is enough, I think. But the default WARP without any account or Zero Trust doesn't get blocked no matter what I have tried so far.
The mentioned domains blocked the WARP client irrespective of the business or consumer version. Are you talking about the WARP client for Android? I haven't tested it on Android.

However, in both cases, the web browser's DNS settings can bypass Zero Trust.
I was talking about this, as I also use Cloudflare Gateway for parental control.

Can I just update update_gateway.yml or do I need to delete already created lists as well?
You need to update the "update_gateway.py" script, or are you referencing @SeriousHoax's script in your YAML file?
 
I tried, and the "+" trick didn't work; I didn't receive the code.


The mentioned domains blocked the WARP client irrespective of the business or consumer version. Are you talking about the WARP client for Android? I haven't tested it on Android.


I was talking about this, as I also use Cloudflare Gateway for parental control.


You need to update the "update_gateway.py" script, or are you referencing @SeriousHoax's script in your YAML file?
I asked about the script but mistakenly added the .yml extension. Sorry for the confusion. 😄

Updated. Script still works perfectly.
 
The mentioned domains blocked the WARP client irrespective of the business or consumer version. Are you talking about the WARP client for Android? I haven't tested it on Android.
1.1.1.1 Android client. The one anyone can download and immediately start using. I haven't found a way to block that. On Android there is also a separate WARP app exclusively for Zero Trust. That one is blocked easily via DNS. But everyone uses the vanilla 1.1.1.1 app, which is harder to block.
I asked about the script but mistakenly added the .yml extension. Sorry for the confusion. 😄

Updated. Script still works perfectly.
I even created a JavaScript version (Node.js) of the Python script a few days ago. Currently I'm running it in a private repo for testing. It's the same script but written in JS to be run with Node.js. The time it takes for the actual update process is exactly the same as the Python version. I mean the time you see for "Run update script" in your GitHub Action. But the Python script depends on two extra Python libraries which are required to increase the speed of the script (the async patching process). For Node.js, async is a built-in feature, so it doesn't need any extra libraries. So, the equivalent of "Cache pip packages" and "Install dependencies" is not required for it. On average this version sometimes saves between 3-6 seconds of GitHub Action time. So, nothing extraordinary.
Python: [screenshot of the GitHub Action run time]

JavaScript: [screenshot of the GitHub Action run time]
 
1.1.1.1 Android client. The one anyone can download and immediately start using. I haven't found a way to block that. On Android there is also a separate WARP app exclusively for Zero Trust. That one is blocked easily via DNS. But everyone uses the vanilla 1.1.1.1 app, which is harder to block.
Dunno what my work's IT does, but WARP and Zero Trust WARP+ refuse to connect; DoH works normally, though, blocked websites are still inaccessible. I believe they use some kind of DPI.

If I use WireGuard, turn off Wi-Fi, connect and then turn Wi-Fi on again, it works for some time, but sooner or later the handshake fails and I'm stuck without internet for a few minutes. After 10 minutes of repeated tries, the handshake completes successfully and then internet access works again, but it will again stop working after some time.
 
1.1.1.1 Android client. The one anyone can download and immediately start using. I haven't found a way to block that. On Android there is also a separate WARP app exclusively for Zero Trust. That one is blocked easily via DNS. But everyone uses the vanilla 1.1.1.1 app, which is harder to block.
Cloudflare has a unified WARP app now; I couldn't find the consumer version on the Google Play Store. You get the consumer version on installation and the business version on logging into your Cloudflare account. Try DeepSeek or Gemini; they may be helpful in solving the problem.

I even created a javascript version (node.js) of the python script a few days ago. Currently I'm running it in a private repo for testing.
Would you upload it to your personal branch?

Dunno what my work's IT does, but WARP and Zero Trust WARP+ refuse to connect; DoH works normally, though, blocked websites are still inaccessible. I believe they use some kind of DPI.
Maybe create a test profile and look into the "Local Domain Fallback" and "Split Tunnels" options.
 
By the way, I noticed that blocking Google DNS affects YouTube videos; I got "This video is not available/restricted" for many videos. I have a policy for YouTube restricted mode, but I confirmed the policy was not the cause of the issue. YouTube shows this video is not available, retries it a few times, and the video plays. You can see the URL in the address bar; at the end of the URL, index=(number here), the number changes a few times. Unblocking Google DNS solved the issue.
 
In the query log, it should show short country code beside the resolved IP. If it matches the country you're blocking, then it should've been blocked 🤔. However, not all sites resolve by the country of their origin due to the use of CDNs and other factors. So it's not going to be very reliable anyway. The IP address of MalwareTips forum itself is a good example of that.
Thanks for the reply, I asked AI and this is (I think) the explanation:



I simplified my firewall rules :-) (filter out = no block page)

 
Dunno what my work's IT does, but WARP and Zero Trust WARP+ refuse to connect; DoH works normally, though, blocked websites are still inaccessible. I believe they use some kind of DPI.

If I use WireGuard, turn off Wi-Fi, connect and then turn Wi-Fi on again, it works for some time, but sooner or later the handshake fails and I'm stuck without internet for a few minutes. After 10 minutes of repeated tries, the handshake completes successfully and then internet access works again, but it will again stop working after some time.
If they are using DPI then anything is possible, I assume. In my case, I think there is no easy way for us to know what method Cloudflare is using. I think I saw that they provide IP ranges for all their services. But blocking them would block any site using Cloudflare, so that's not plausible for me. Anyway, no problem.
Cloudflare has a unified WARP app now; I couldn't find the consumer version on the Google Play Store. You get the consumer version on installation and the business version on logging into your Cloudflare account. Try DeepSeek or Gemini; they may be helpful in solving the problem.
Not unified. If I tap on "Login with Zero Trust" in the 1.1.1.1 app, it takes me to the Play Store to install their app named "Cloudflare One". This app is needed to use Zero Trust.
By the way, I noticed that blocking Google DNS affects YouTube videos; I got "This video is not available/restricted" for many videos. I have a policy for YouTube restricted mode, but I confirmed the policy was not the cause of the issue. YouTube shows this video is not available, retries it a few times, and the video plays. You can see the URL in the address bar; at the end of the URL, index=(number here), the number changes a few times. Unblocking Google DNS solved the issue.
Not happening for me. dns.google as well as their DNS IPs 8.8.8.8 and 8.8.4.4 are blocked for me, but I have not seen any issue myself and no one in my family has complained either. I don't like YouTube's restricted mode because if it's enabled then my father cannot even watch the news on YouTube. So I don't use it.
Thanks for the reply, I asked AI and this is (I think) the explanation:


I simplified my firewall rules :-) (filter out = no block page)

AI's info is inaccurate because country-based blocking works for me. I tested just now by blocking China and Russia and couldn't visit any of these sites.
 
Not unified. If I tap on "Login with Zero Trust" in the 1.1.1.1 app, it takes me to the Play Store to install their app named "Cloudflare One". This app is needed to use Zero Trust.
The Play Store on Android phones displays only the "Cloudflare One Agent" app here. When you install this app, its interface is orange, indicating the consumer version. It changes to blue, representing the business version, when you log in using your "Team" name and the code you received.

Not happening for me. dns.google as well as their DNS IPs 8.8.8.8 and 8.8.4.4 are blocked for me, but I have not seen any issue myself and no one in my family has complained either.
I don't know, but I tested multiple times, and the only solution that worked was unblocking Google DNS. I used the "Application" category to block Google DNS.
 