|
| 1 | +--- |
| 2 | +reviewed: 2025-09-26 |
| 3 | +category: 🔐 Zero Trust |
| 4 | +difficulty: Beginner |
| 5 | +pcx_content_type: tutorial |
| 6 | +title: Deploy WARP on headless Linux machines |
| 7 | +--- |
| 8 | + |
| 9 | +import { Render, GlossaryTooltip } from "~/components"; |
| 10 | + |
| 11 | +This tutorial explains how to deploy the Cloudflare WARP client on Linux devices using a service token and an installation script. This deployment workflow is designed for headless servers which do not have access to a browser for identity provider logins. Because users are not required to log in to an identity provider, identity-based policies and logging will not be available on these devices. |
| 12 | + |
| 13 | +## Prerequisites |
| 14 | + |
| 15 | +- [Cloudflare Zero Trust account](/cloudflare-one/setup/#create-a-zero-trust-organization) |
| 16 | + |
| 17 | +## 1. Create a service token |
| 18 | + |
| 19 | +A service token consists of a Client ID and a Client Secret. We will be using a service token to enroll the WARP client in your Zero Trust organization. |
| 20 | + |
| 21 | +To create a new service token: |
| 22 | + |
| 23 | +<Render file="access/create-service-token" product="cloudflare-one" /> |
| 24 | + |
| 25 | +## 2. Configure device enrollment permissions |
| 26 | + |
| 27 | +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**. |
| 28 | +2. In **Device enrollment permissions**, select **Manage**. |
| 29 | +3. In the **Policies** tab, select **Create new policy**. A new tab will open with the policy creation page. |
| 30 | +4. For **Action**, select _Service Auth_. |
| 31 | +5. For the **Selector** field, you have two options: you can either allow all service tokens (`Any Access Service Token`) or specific service tokens (`Service Token`). In this example, we will choose the token created earlier: |
| 32 | + |
| 33 | + | Rule Action | Rule type | Selector | Value | |
| 34 | + | --------- | ---------| ------ | -- | |
| 35 | + | Service Auth | Include | Service Token | `<TOKEN-NAME>` | |
| 36 | +6. Save the policy. |
| 37 | +7. Go back to **Device enrollment permissions** and add the newly created policy. |
| 38 | +8. Select **Save**. |
| 39 | + |
| 40 | +## 3. Create an installation script |
| 41 | + |
| 42 | +You can use a shell script to automate WARP installation and registration. The following example shows how to deploy WARP on Ubuntu 24.04. |
| 43 | + |
| 44 | +1. In a terminal, create a new `.sh` file using a text editor. For example: |
| 45 | + ```sh |
| 46 | + vim install_warp.sh |
| 47 | + ``` |
| 48 | +2. Press `i` to enter insert mode and add the following lines: |
| 49 | + |
| 50 | + ```bash |
| 51 | + #!/bin/bash |
| 52 | + set -e |
| 53 | + |
| 54 | + function warp() { |
| 55 | + curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg |
| 56 | + echo "deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list |
| 57 | + sudo apt-get update --assume-yes |
| 58 | + sudo apt-get install --assume-yes cloudflare-warp |
| 59 | + } |
| 60 | + |
| 61 | + function mdm() { |
| 62 | + sudo touch /var/lib/cloudflare-warp/mdm.xml |
| 63 | + cat > /var/lib/cloudflare-warp/mdm.xml << "EOF" |
| 64 | + <dict> |
| 65 | + <key>auth_client_id</key> |
| 66 | + <string>88bf3b6d86161464f6509f7219099e57.access</string> |
| 67 | + <key>auth_client_secret</key> |
| 68 | + <string>bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5</string> |
| 69 | + <key>auto_connect</key> |
| 70 | + <integer>1</integer> |
| 71 | + <key>onboarding</key> |
| 72 | + <false/> |
| 73 | + <key>organization</key> |
| 74 | + <string>your-team-name</string> |
| 75 | + <key>service_mode</key> |
| 76 | + <string>warp</string> |
| 77 | + </dict> |
| 78 | + EOF |
| 79 | + } |
| 80 | +
|
| 81 | + #main program |
| 82 | + warp |
| 83 | + mdm |
| 84 | + ``` |
| 85 | +
|
| 86 | +3. If you are using Debian or RHEL / CentOS, modify the `warp()` function so that it installs the correct [WARP package](https://pkg.cloudflareclient.com/) for your OS. |
| 87 | +
|
| 88 | +4. Modify the values in the `mdm()` function: |
| 89 | + 1. For `auth_client_id` and `auth_client_secret`, replace the string values with the Client ID and Client Secret of your [service token](/cloudflare-one/tutorials/warp-on-headless-linux/#1-create-a-service-token). |
| 90 | + 2. For `organization`, replace `your-team-name` with your Zero Trust <GlossaryTooltip term="team name">team name</GlossaryTooltip>. |
| 91 | + 3. (Optional) Add or modify other [WARP deployment parameters](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/) according to your preferences. |
| 92 | +
|
| 93 | +5. Press `esc`, then type `:x` and press `Enter` to save and exit. |
| 94 | +
|
| 95 | +## 4. Install WARP |
| 96 | +
|
| 97 | +1. Make the script executable: |
| 98 | +
|
| 99 | + ```sh |
| 100 | + chmod +x install_warp.sh |
| 101 | + ``` |
| 102 | +
|
| 103 | +2. Run the script: |
| 104 | + ```sh |
| 105 | + sudo ./install_warp.sh |
| 106 | + ``` |
| 107 | +
|
| 108 | +The script will install WARP and apply the configuration parameters stored in `/var/lib/cloudflare-warp/mdm.xml`. Assuming [`auto_connect`](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/#auto_connect) is configured, WARP will automatically connect to your Zero Trust organization. The device will appear in [Zero Trust](https://one.dash.cloudflare.com) under **My Team** > **Devices**. |
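Review bot: In `mdm()`, `sudo touch /var/lib/cloudflare-warp/mdm.xml` creates the file that holds `auth_client_secret` with the default umask, and nothing afterwards restricts its mode, so on a typical system the service token secret ends up readable by every local user. Suggest creating it with `sudo install -m 600 /dev/null /var/lib/cloudflare-warp/mdm.xml`, or adding a `chmod 600` after the heredoc, assuming the WARP daemon reads the file as root. The same function fills `auth_client_id` and `auth_client_secret` with realistic-looking hex values; placeholders in the style of the `<TOKEN-NAME>` used in step 2 would keep readers from deploying the sample values, and if those strings came from a real token it should be rotated. Minor: the `cat > /var/lib/cloudflare-warp/mdm.xml` redirect is not run under `sudo`, so the script only works as written because step 4 invokes it with `sudo ./install_warp.sh`; either drop the inner `sudo` calls or write the file with `sudo tee`.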