support Teams

Dockerfile

@@ -2,10 +2,12 @@ FROM ubuntu:22.04
 
 ARG GOST_VERSION
 
+COPY entrypoint.sh /entrypoint.sh
+
 # install dependencies
 RUN apt-get update && \
     apt-get upgrade -y && \
-    apt-get install -y curl gnupg lsb-release && \
+    apt-get install -y curl gnupg lsb-release sudo && \
     curl https://pkg.cloudflareclient.com/pubkey.gpg | gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg && \
     echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/cloudflare-client.list && \
     apt-get update && \
@@ -15,13 +17,16 @@ RUN apt-get update && \
     curl -LO https://github.com/ginuerzh/gost/releases/download/v${GOST_VERSION}/gost-linux-amd64-${GOST_VERSION}.gz && \
     gunzip gost-linux-amd64-${GOST_VERSION}.gz && \
     mv gost-linux-amd64-${GOST_VERSION} /usr/bin/gost && \
-    chmod +x /usr/bin/gost
+    chmod +x /usr/bin/gost && \
+    chmod +x /entrypoint.sh && \
+    useradd -m -s /bin/bash warp && \
+    echo "warp ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/warp
 
-# Accept Cloudflare WARP TOS
-RUN mkdir -p /root/.local/share/warp && \
-    echo -n 'yes' > /root/.local/share/warp/accepted-tos.txt
+USER warp
 
-COPY entrypoint.sh /entrypoint.sh
+# Accept Cloudflare WARP TOS
+RUN mkdir -p /home/warp/.local/share/warp && \
+    echo -n 'yes' > /home/warp/.local/share/warp/accepted-tos.txt
 
 ENV GOST_ARGS="-L :1080"
 ENV WARP_SLEEP=2

README.md

@@ -68,6 +68,23 @@ HEALTHCHECK --interval=15s --timeout=5s --start-period=30s --retries=3 \
 
 If you don't want the container to restart automatically, you can remove `restart: always` from the `docker-compose.yml`. You can also modify the parameters of the health check through the `docker-compose.yml`.
 
+### Use with Cloudflare Zero Trust
+
+If you want to use the WARP client with Cloudflare Zero Trust, just start the container without specifying license key, use `docker exec -it warp bash` to get into the container and follow these steps:
+
+1. `warp-cli registration delete` to delete current registration
+2. `warp-cli teams-enroll <your-team-name>` to enroll the device
+3. Open the link in the output in a browser and follow the instructions to complete the registration
+4. On the success page, right-click and select **View Page Source**.
+5. Find the HTML metadata tag that contains the token. For example, `<meta http-equiv="refresh" content"=0;url=com.cloudflare.warp://acmecorp.cloudflareaccess.com/auth?token=yeooilknmasdlfnlnsadfojDSFJndf_kjnasdf..." />`
+6. Copy the URL field: `com.cloudflare.warp://<your-team-name>.cloudflareaccess.com/auth?token=<your-token>`
+7. In the terminal, run the following command using the URL obtained in the previous step: `warp-cli teams-enroll-token com.cloudflare.warp://<your-team-name>.cloudflareaccess.com/auth?token=<your-token>`. If you get an API error, then the token has expired. Generate a new one by refreshing the web page and quickly grab the new token from the page source.
+8. `warp-cli connect` to reconnect using new registration.
+9. Wait untill `warp-cli status` shows `Connected`.
+10. Try `curl --socks5-hostname 127.0.0.1:1080 https://cloudflare.com/cdn-cgi/trace` to verify the connection.
+
+This is only needed for the first time. After the device is enrolled, the registration information will be stored in the `./data` directory, if you don't delete them, the container will automatically use the registration information to connect to the WARP service after restart or recreate.
+
 ### Use other versions
 
 The tag of docker image is in the format of `{WARP_VERSION}-{GOST_VERSION}`, for example, `2023.10.120-2.11.5` means that the WARP client version is `2023.10.120` and the GOST version is `2.11.5`. If you want to use other versions, you can specify the tag in the `docker-compose.yml`.

entrypoint.sh

@@ -4,19 +4,19 @@
 set -e
 
 # create a tun device
-mkdir -p /dev/net
-mknod /dev/net/tun c 10 200
-chmod 600 /dev/net/tun
+sudo mkdir -p /dev/net
+sudo mknod /dev/net/tun c 10 200
+sudo chmod 600 /dev/net/tun
 
 # start dbus
-mkdir -p /run/dbus
+sudo mkdir -p /run/dbus
 if [ -f /run/dbus/pid ]; then
-  rm /run/dbus/pid
+  sudo rm /run/dbus/pid
 fi
-dbus-daemon --config-file=/usr/share/dbus-1/system.conf
+sudo dbus-daemon --config-file=/usr/share/dbus-1/system.conf
 
 # start the daemon
-warp-svc &
+sudo warp-svc &
 
 # sleep to wait for the daemon to start, default 2 seconds
 sleep "$WARP_SLEEP"