Cloudflare Docs
Learning Paths
Cloudflare Docs
Replace your VPN (Learning Path)
GitHub icon
Edit this page on GitHub
Set theme to dark (⇧+D)
  1. Learning Paths
  2. Replace your VPN
  3. Configure the device agent
  4. Define Split Tunnel settings

Define Split Tunnel settings

  4 min read

Split tunnel settings determine which traffic WARP does and does not proxy.

WARP offers two different split tunnel modes:

  • If you intend to send all internal and external destination traffic through Cloudflare’s global network, opt for Exclude IPs and domains mode. This mode will proxy everything through the WARP tunnel with the exception of IPs and hosts defined explicitly within the Split Tunnel list.
  • If you intend to only use WARP to proxy private destination traffic, you can operate in Include IPs and domains mode, in which you explicitly define which IP ranges and domains should be included in the WARP routing table.

​​ Update Split Tunnels mode

To change your Split Tunnels mode:

  1. In Zero Trust, go to Settings > WARP Client.

  2. Under Device settings, locate the device profile you would like to modify and select Configure.

  3. Scroll down to Split Tunnels.

  4. (Optional) To view your existing Split Tunnel configuration, select Manage. You will see a list of the IPs and domains Cloudflare Zero Trust excludes or includes, depending on the mode you have selected. We recommend making a copy of your Split Tunnel entries, as they will revert to the default upon switching modes.

  5. Under Split Tunnels, choose a mode:

    • Exclude IPs and domains — (Default) All traffic will be sent to Cloudflare Gateway except for the IPs and domains you specify.
    • Include IPs and Domains — Only traffic destined to the IPs or domains you specify will be sent to Cloudflare Gateway. All other traffic will bypass Gateway and will no longer be filtered by your network or HTTP policies. In order to use certain features, you will need to manually add Zero Trust domains.

All clients with this device profile will now switch to the new mode and its default route configuration. Next, add or remove routes from your Split Tunnel configuration.

​​ Add a route

  1. In Zero Trust, go to Settings > WARP Client.

  2. Under Device settings, locate the device profile you would like to modify and select Configure.

  3. Under Split Tunnels, check whether your Split Tunnels mode is set to Exclude or Include.

  4. Select Manage.

  5. You can exclude or include routes based on either their IP address or domain. When possible we recommend adding an IP address instead of a domain. To learn about the consequences of adding a domain, refer to Domain-based Split Tunnels.

To add an IP address to Split Tunnels:

  1. Select IP Address.
  2. Enter the IP address or CIDR you want to exclude or include.
  3. Select Save destination.

Traffic to this IP address is now excluded or included from the WARP tunnel.

To add a domain to Split Tunnels:

  1. Select Domain.
  2. Enter a valid domain to exclude or include.
  3. Select Save destination.
  4. (Optional) If your domain does not have a public DNS record, create a Local Domain Fallback entry to allow a private DNS server to handle domain resolution.

When a user goes to the domain, the domain gets resolved according to your Local Domain Fallback configuration (either by Gateway or by your private DNS server). WARP Split Tunnels will then dynamically include or exclude the IP address returned in the DNS lookup.

You can add up to 1000 combined Split Tunnel and Local Domain Fallback entries to a given device profile.

We recommend keeping the Split Tunnels list short, as each entry takes time for the client to parse. In particular, domains are slower to action than IP addresses because they require on-the-fly IP lookups and routing table / local firewall changes. A shorter list will also make it easier to understand and debug your configuration.

​​ Configure Split Tunnels for private network access

By default, WARP excludes traffic bound for RFC 1918 space, which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your private network, you must configure Split Tunnels so that the IP/CIDR of your private network routes through WARP.

  1. First, check whether your Split Tunnels mode is set to Exclude or Include mode.

  2. If you are using Include mode, add your network’s IP/CIDR range to the list. Your list should also include the domains necessary for Cloudflare Zero Trust functionality.

  3. If you are using Exclude mode:

    1. Delete your network’s IP/CIDR range from the list. For example, if your network uses the default AWS range of 172.31.0.0/16, delete 172.16.0.0/12.
    2. Re-add IP/CDIR ranges that are not explicitly used by your private network. For the AWS example above, you would add new entries for 172.16.0.0/13, 172.24.0.0/14, 172.28.0.0/15, and 172.30.0.0/16. This ensures that only traffic to 172.31.0.0/16 routes through WARP.

By tightening the private IP range included in WARP, you reduce the risk of breaking a user’s access to local resources.




Previous Next