Setup with ZeroTrust

[open5443]

Thank you for this great project, its very exciting to have MASQUE tunnel available on OpenWRT!

Not sure exactly where to write this, but maybe others also want to run/test usque with ZeroTrust instead of regular Warp. This is how i made it work:

1. setup warp-cli with your ZeroTrust account on a linux machine. After you can successfully connect, continue.

2. sudo cat /var/lib/cloudflare-warp/reg.json
   [registration_id], [api_token] and [secret_key] is what we need.

3. [secret_key] needs to be converted into a different format:

4. echo "[secret_key]" | base64 -d > pkcs8.key

5. openssl pkcs8 -inform DER -in pkcs8.key -out ec_private_key.pem -nocrypt

6. openssl ec -in ec_private_key.pem -outform DER -out ec_private_key.der

7. base64 ec_private_key.der
   This will output [secret_key_new] which we will need in a moment.

8. create a new config.json if not already present:
   usque register

9. edit config.json like this:
   {
   "private_key": "[secret_key_new]",
   "endpoint_v4": "162.159.197.1",
   "endpoint_pub_key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIaU7MToJm9NKp8YfGxR6r+/h4mcG\n7SxI8tsW8OR1A5tv/zCzVbCRRh2t87/kxnP6lAy0lkr7qYwu+ox+k3dr6w==\n-----END PUBLIC KEY-----\n",
   "id": "[registration_id]",
   "access_token": "[api_token]",
   "ipv4": "172.16.0.2",
   "ipv6": "..."
   }

10. now you have a config.json that will work with your ZeroTrust account. Start usque with this config file in the mode you prefer and add -s zt-masque.cloudflareclient.com at the end, for example:
    usque -c .usque/config.json nativetun -s zt-masque.cloudflareclient.com

11. Verify usque with ZeroTrust is properly working:
    curl --interface tun0 https://cloudflare.com/cdn-cgi/trace
    should show
    warp=plus

Hope that helps.

[tredntredn]

Hello! Is your instruction 100% correct? I have no luck with it... Even AI can't help to convert secret key from reg.json to correct size key. I got only very short key and different errors. So for now I can't enroll Team with Usque...

[open5443]

I just tested it again, works as described. I ran the key conversion on Debian 11, if that makes a difference. Openssl version is 1.1.1w (11 Sep 2023).

BTW, just updating the id- and access_token-parameter in config.json and leaving everything else unchanged, and running usque enroll as described in the readme didn't work, as it always gave the error Failed to enroll key: failed to update: 401 Unauthorized (API errors: Not authorized).

[tredntredn]

Hello again. Secret key from reg.json has length only 44, the secret key from target config.json for usque is 164.
Even if I reproduce all steps you advise I got very short key and usque shows me an error.
And yes if I enroll config.json without changing secret key I also got error.
So as for me now it's very unclear procedure of enroll key of Team to existing usque config.

[open5443]

Hi, let's do an example from an actual [secret_key] from /var/lib/cloudflare-warp/reg.json with outputs in between to verify the intermediate results:

1. echo "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgP+iYuHHXoJzo0oG2cpDpo7FEInyYB0ufe+cSybHXMlGhRANCAAR8OcTZMCB8hBAfSnQ8ul6ixXnvTKD7tCPoRCPW7qfjZ4XCO+qwbSZl70wkqxdwXtp/o0/StTn1xa7dDZ6LjT0A" | base64 -d > pkcs8.key
2. openssl pkcs8 -inform DER -in pkcs8.key -out ec_private_key.pem -nocrypt
3. cat ec_private_key.pem

-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgP+iYuHHXoJzo0oG2
cpDpo7FEInyYB0ufe+cSybHXMlGhRANCAAR8OcTZMCB8hBAfSnQ8ul6ixXnvTKD7
tCPoRCPW7qfjZ4XCO+qwbSZl70wkqxdwXtp/o0/StTn1xa7dDZ6LjT0A
-----END PRIVATE KEY-----

4. openssl ec -in ec_private_key.pem -outform DER -out ec_private_key.der
5. hexdump ec_private_key.der

0000000 7730 0102 0401 3f20 98e8 71b8 a0d7 e89c
0000010 81d2 72b6 e990 b1a3 2244 987c 4b07 7b9f
0000020 12e7 b1c9 32d7 a051 060a 2a08 4886 3dce
0000030 0103 a107 0344 0042 7c04 c439 30d9 7c20
0000040 1084 4a1f 3c74 5eba c5a2 ef79 a04c b4fb
0000050 e823 2344 eed6 e3a7 8567 3bc2 b0ea 266d
0000060 ef65 244c 17ab 5e70 7fda 4fa3 b5d2 f539
0000070 aec5 0ddd 8b9e 3d8d 0000               
0000079

7. base64 ec_private_key.der
MHcCAQEEID/omLhx16Cc6NKBtnKQ6aOxRCJ8mAdLn3vnEsmx1zJRoAoGCCqGSM49AwEHoUQDQgAE fDnE2TAgfIQQH0p0PLpeosV570yg+7Qj6EQj1u6n42eFwjvqsG0mZe9MJKsXcF7af6NP0rU59cWu 3Q2ei409AA==

This last key is the one that corresponds to [secret_key_new] from the first post and has to be the new private_key value in the config.json file for usque.

Hope that helps.

[tredntredn]

Thank you for detailed explanation! Now I see the difference: my secret key is....smth different:

Don't know why but it's so strange. Will find different way than...

[tredntredn]

Hello
Finally I did it! The performance is the same so for now I prefer to use Plus account instead of Team.

[Diniboy1123]

Hey there,

Thanks for the great tutorial! I’ll investigate the issue with the documented method—it was working fine for me a few weeks ago, so if something has changed, a fix would be appropriate. Since this isn’t a direct bug or issue, I’m moving the conversation to the Discussions tab for further follow-up.