[ZT] New captive portal detection behavior #18926

Merged (2 commits), Jan 6, 2025
Expand Up @@ -25,27 +25,13 @@ To allow users to connect through a captive portal, administrators can configure

If WARP cannot establish a connection to Cloudflare, it will:

1. Temporarily open the [system firewall](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#ip-traffic) so that the device can send traffic outside of the WARP tunnel. The firewall only allows the following traffic:
1. Start the captive portal timer.

- HTTP/HTTPS on TCP ports `80`, `443`, `8080`, and `8443`
- DNS on UDP port `53`
2. Send a series of requests to the [Cloudflare captive portal URLs](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#captive-portal) and other OS and browser-specific captive portal URLs. These requests are sent outside of the WARP tunnel.

2. Send a series of requests to the [captive portal test URLs](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#captive-portal). If the HTTPS request is intercepted, WARP assumes the network is behind a captive portal.
3. If a request is intercepted, WARP assumes the network is behind a captive portal and fully opens the [system firewall](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#ip-traffic). While the firewall is open, all device traffic will bypass WARP.

3. Open a browser window with the captive portal login screen if the captive portal sends a redirect HTTP response code (`302`, `303`, `307`, or `308`).

4. Automatically re-enable the firewall after the configured timeout period.

```mermaid
flowchart TB
accTitle: Captive portal detection


A[Send DNS request] -- Succeed --> B[Send HTTPS request]-- Fail --> C[Send HTTP request] -- Succeed --> D[Captive portal detected]-- Receive HTTP redirect -->I[Redirect to captive portal login]
A -- Fail --> F(CF_NO_NETWORK error)
C -- Fail --> F
B -- Succeed --> G[No captive portal]--> H[Retry connection to Cloudflare]
```
4. Re-enable the firewall after the user successfully connects to the portal or after the timeout period expires.

## Limitations

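Review bot: the rewritten step 2 says the probe requests "are sent outside of the WARP tunnel", but in the new sequence nothing opens the firewall before step 3; the removed step 1 was what let those probes out (TCP `80`, `443`, `8080`, `8443` and UDP `53` only), so step 1 or 2 should state what allows the probe traffic to leave the device, or say explicitly that the probes are exempt from the tunnel. Step 3 now has WARP "fully open" the system firewall so that "all device traffic will bypass WARP", which is a wider exposure than the old port-restricted opening; the text should say how long that window can last (the configured timeout the section refers to) and how WARP determines that the user "successfully connects to the portal" in step 4, since that is what closes the window early. The removed sentence about opening a browser window on a `302`, `303`, `307`, or `308` redirect and the mermaid diagram with the `CF_NO_NETWORK` path have no replacement; if that behavior still exists, keep one sentence for it, and if it was dropped, note that under Limitations.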