Fun(?) with IP ranges

So, I had this interesting idea with Cloudflare WARP+ with Zero Trust… I usually use WARP to secure my Internet when I’m off my trusted networks, but sometimes I also want to use WARP to connect to internal resources.

In general, WARP's split tunnel configuration works in one of two modes, Exclude and Include; the names describe what they do pretty well.

In Exclude mode, WARP routes everything through the tunnel except the ranges on the list; the default list is the set of IP ranges that are not routed over the public Internet, such as the RFC 1918 private ranges, the 169.254.0.0/16 link-local range and the like. In Include mode, WARP routes only the ranges on the list through the tunnel, and the default include list is basically just those same non-Internet ranges. All simple and clear.

But wait! I want both worlds.

At first, I experimented with using Exclude mode and then punching holes in the pre-defined list, but this made for a very long and unwieldy exclude list, because I generally use about 20 to 25 private networks in total.

Then I had an idea. What if I use Include mode and just add the whole Internet as include entries? Not as in 0.0.0.0/0, but the actual Internet around the non-Internet ranges? Then, whenever I need a specific private network routed over WARP, I just add it to the list as well.

Ummm… dude, you okay?

At first, doing this may seem a bit of a daunting task, but it turned out simpler than I thought. I simply made a little text file, added all the entries from the default Exclude mode list to it and marked each one with a couple of asterisks at the start.

Next, I fired up my favourite CIDR calculator, worked out which blocks fill the gaps between the marked entries, and added those without the marker. The result was about a third as long as the default Exclude mode list would have been after punching all those holes in it.
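The gap-filling step is mechanical, so rather than redo it by hand every time Cloudflare changes its defaults, it can be scripted. The following is an added example written for this post (not the post's own tooling and not anything from Cloudflare) that carves the excluded ranges out of 0.0.0.0/0 with the standard library's ipaddress module and emits the strict inverse. It treats 0.0.0.0/8 as an extra hole so the output starts at 1.0.0.0 like the table further down, and it also emits the blocks for 224.0.1.0 through 224.255.255.255, which are useless for routing but make the partition exact. It flags hand-typed CIDRs whose host bits are set (1.0.0.0/5, for instance, actually denotes 0.0.0.0/5), and it renders the result both in the table format used below and as a JSON array. The JSON entry shape ({"address", "description"}) is an assumption about what the Zero Trust split tunnel API accepts and should be checked against Cloudflare's current API documentation before use.

```python
"""Invert a WARP Exclude-mode split tunnel list into an Include-mode list.

Standard library only. Edit DEFAULT_EXCLUDE when Cloudflare changes its
defaults and re-run; every output block is a canonical CIDR (no host bits
set) and the output blocks plus the holes cover IPv4 space exactly once.
"""
import ipaddress
import json
from typing import Iterable, List, Optional

IPv4Net = ipaddress.IPv4Network

# IPv4 entries of Cloudflare's default Exclude-mode list as the post lists
# them (18 October 2023). Verify against the Zero Trust dashboard before use.
DEFAULT_EXCLUDE = [
    "10.0.0.0/8",      # RFC 1918
    "100.64.0.0/10",   # RFC 6598 carrier-grade NAT
    "169.254.0.0/16",  # RFC 3927 link-local
    "172.16.0.0/12",   # RFC 1918
    "192.168.0.0/16",  # RFC 1918
    "224.0.0.0/24",    # multicast, local network control block
    "240.0.0.0/4",     # reserved, includes 255.255.255.255 broadcast
]

# The post's table starts at 1.0.0.0, i.e. it also leaves out 0.0.0.0/8
# ("this network"). Treating it as an extra hole reproduces that choice.
EXTRA_HOLES = ["0.0.0.0/8"]


def check_cidr(cidr: str) -> Optional[str]:
    """Warn when a CIDR string has host bits set: such an entry does not
    denote the range it appears to (1.0.0.0/5 is really 0.0.0.0/5)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.with_prefixlen != cidr:
        return f"{cidr} has host bits set; it actually denotes {net}"
    return None


def invert(holes: Iterable[str], universe: str = "0.0.0.0/0") -> List[IPv4Net]:
    """Return the minimal list of CIDR blocks covering `universe` minus `holes`."""
    remaining = [ipaddress.ip_network(universe)]
    for cidr in holes:
        hole = ipaddress.ip_network(cidr)  # strict: rejects host bits set
        nxt = []
        for net in remaining:
            if not net.overlaps(hole):
                nxt.append(net)                         # untouched by this hole
            elif hole.subnet_of(net):
                nxt.extend(net.address_exclude(hole))   # carve the hole out
            # else: net lies entirely inside the hole and is dropped
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def covers(nets: Iterable[IPv4Net], addr: str) -> bool:
    """True if `addr` falls inside any block of `nets`."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def is_exact_partition(nets: List[IPv4Net], holes: Iterable[str]) -> bool:
    """Sanity check for a disjoint hole list: no block overlaps another block
    or any hole, and blocks plus holes account for every IPv4 address."""
    hole_nets = [ipaddress.ip_network(h) for h in holes]
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            return False
        if any(a.overlaps(h) for h in hole_nets):
            return False
    total = sum(n.num_addresses for n in nets) + sum(h.num_addresses for h in hole_nets)
    return total == 2 ** 32


def as_rows(nets: Iterable[IPv4Net]) -> List[str]:
    """Render 'CIDR - last address' lines in the post's table format."""
    return [f"{n.with_prefixlen} - {n.broadcast_address}" for n in nets]


def as_api_entries(nets: Iterable[IPv4Net]) -> str:
    """JSON array of {"address", "description"} objects. Assumption: this is
    the entry shape the Zero Trust device policy split tunnel include
    endpoint accepts; confirm against the current Cloudflare API docs."""
    return json.dumps(
        [{"address": n.with_prefixlen, "description": "Internet (inverted exclude)"} for n in nets],
        indent=2,
    )


if __name__ == "__main__":
    # Two hand-calculated entries that look right but have host bits set.
    for bad in ("1.0.0.0/5", "101.0.0.0/6"):
        print(check_cidr(bad))
    holes = DEFAULT_EXCLUDE + EXTRA_HOLES
    include = invert(holes)
    assert is_exact_partition(include, holes)
    print("\n".join(as_rows(include)))
    print(f"{len(include)} include entries; 10.1.2.3 tunnelled: {covers(include, '10.1.2.3')}")
```

Run it with the default lists and the output is 68 blocks; paste `as_rows` output into a text file, or feed `as_api_entries` output to whatever you use to push the Include list, and add your own private networks afterwards. Re-running the strict `check_cidr` pass over anything typed by hand is the cheapest way to catch a /5 that should have been a /8.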

Just so you, my dear reader, don't have to go through this process too, here's the default (as at 18 October 2023) Cloudflare WARP Exclude mode list inverted into an Include mode list. The entries marked with asterisks are the original Exclude mode entries and must not be entered as include entries; they are only there to show where the gaps are. Three of them (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) are where your own private networks go, as narrower entries inside those blocks; the others are special-purpose ranges and should generally be left alone.

CIDR - Range end
1.0.0.0/8 - 1.255.255.255
2.0.0.0/7 - 3.255.255.255
4.0.0.0/6 - 7.255.255.255
8.0.0.0/7 - 9.255.255.255
*** 10.0.0.0/8 - 10.255.255.255 (RFC1918 private network)
11.0.0.0/8 - 11.255.255.255
12.0.0.0/6 - 15.255.255.255
16.0.0.0/4 - 31.255.255.255
32.0.0.0/3 - 63.255.255.255
64.0.0.0/3 - 95.255.255.255
96.0.0.0/6 - 99.255.255.255
100.0.0.0/10 - 100.63.255.255
*** 100.64.0.0/10 - 100.127.255.255 (RFC6598 carrier-grade NAT)
100.128.0.0/9 - 100.255.255.255
101.0.0.0/8 - 101.255.255.255
102.0.0.0/7 - 103.255.255.255
104.0.0.0/5 - 111.255.255.255
112.0.0.0/4 - 127.255.255.255
128.0.0.0/3 - 159.255.255.255
160.0.0.0/5 - 167.255.255.255
168.0.0.0/8 - 168.255.255.255
169.0.0.0/9 - 169.127.255.255
169.128.0.0/10 - 169.191.255.255
169.192.0.0/11 - 169.223.255.255
169.224.0.0/12 - 169.239.255.255
169.240.0.0/13 - 169.247.255.255
169.248.0.0/14 - 169.251.255.255
169.252.0.0/15 - 169.253.255.255
*** 169.254.0.0/16 - 169.254.255.255 (RFC3927 link-local, self-assigned when DHCP fails)
169.255.0.0/16 - 169.255.255.255
170.0.0.0/7 - 171.255.255.255
172.0.0.0/12 - 172.15.255.255
*** 172.16.0.0/12 - 172.31.255.255 (RFC1918 private network)
172.32.0.0/11 - 172.63.255.255
172.64.0.0/10 - 172.127.255.255
172.128.0.0/9 - 172.255.255.255
173.0.0.0/8 - 173.255.255.255
174.0.0.0/7 - 175.255.255.255
176.0.0.0/4 - 191.255.255.255
192.0.0.0/9 - 192.127.255.255
192.128.0.0/11 - 192.159.255.255
192.160.0.0/13 - 192.167.255.255
*** 192.168.0.0/16 - 192.168.255.255 (RFC1918 private network)
192.169.0.0/16 - 192.169.255.255
192.170.0.0/15 - 192.171.255.255
192.172.0.0/14 - 192.175.255.255
192.176.0.0/12 - 192.191.255.255
192.192.0.0/10 - 192.255.255.255
193.0.0.0/8 - 193.255.255.255
194.0.0.0/7 - 195.255.255.255
196.0.0.0/6 - 199.255.255.255
200.0.0.0/5 - 207.255.255.255
208.0.0.0/4 - 223.255.255.255
*** 224.0.0.0/24 - 224.0.0.255 (IP multicast, local network control block)
225.0.0.0/8 - 225.255.255.255
226.0.0.0/7 - 227.255.255.255
228.0.0.0/6 - 231.255.255.255
232.0.0.0/5 - 239.255.255.255
*** 240.0.0.0/4 - 255.255.255.255 (reserved for future use, includes the 255.255.255.255 broadcast address)

I found it interesting that the default Cloudflare exclude list doesn't contain all of the reserved IPv4 space. 0.0.0.0/8, the 127.0.0.0/8 loopback block and the RFC 5737 test networks (192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are all absent, so in the inverted list they end up "included". In practice nothing is lost: loopback traffic never leaves the host, and the test networks are not announced on the Internet. The table above also has one gap of its own: it skips 224.0.1.0 through 224.255.255.255, the rest of the 224/8 multicast block after the excluded /24. Multicast isn't carried by WARP either, so this doesn't matter in practice, but a strict inverse would need sixteen more entries there (224.0.1.0/24, 224.0.2.0/23 and so on up to 224.128.0.0/9).

Now I just have to type all that into the Include list of the split tunnel configuration, add entries for my private networks, and I'm good to go. Two things are worth checking afterwards. First, an entry with host bits set (say 1.0.0.0/5, where the /5 actually begins at 0.0.0.0) silently means a different, larger block than it looks like, so every CIDR should be checked before it goes in. Second, in Include mode anything that is not on the list leaves through the local interface, so test from one enrolled device that a public address is tunnelled and a private network you have not yet added is not.

