Cloudflare Docs
Learning Paths
Cloudflare Docs
Replace your VPN (Learning Path)
GitHub icon
Edit this page on GitHub
Set theme to dark (⇧+D)
  1. Learning Paths
  2. Replace your VPN
  3. Connect your private network
  4. Manage overlapping IPs

Manage overlapping IPs

  2 min read

Virtual networks allow you to connect private networks that have overlapping IP ranges without creating conflicts for users or services. For example, an organization may want to expose two distinct virtual private cloud (VPC) networks which they consider to be “production” and “staging”. However, if the two private networks happened to receive the same RFC 1918 IP assignment, there may be two different resources with the same IP address. By creating two separate virtual networks, you can deterministically route traffic to duplicative private addresses like 10.128.0.1/32 staging and 10.128.0.1/32 production. These virtual networks will appear as user-selectable options within the WARP client GUI.

​​ Example

This example illustrates best practices for managing overlapping subnets. For this example, assume that you are connecting two different private networks: a production VPC that uses the 10.0.0.0/8 space holistically and a staging VPC that uses the 10.0.1.0/24 space. These networks are served by Tunnel-A and Tunnel-B respectively.

The following table shows the default configuration without a virtual network assigned:

Routes in Tunnel-AVirtual network
10.0.0.0/8default
Routes in Tunnel-BVirtual network
10.0.1.0/24default

In the above configuration, all user traffic to 10.0.1.0/24 takes the most specific path and routes to the staging VPC (Tunnel-B). All other 10.0.0.0/8 traffic routes to the production VPC (Tunnel-A). Users would not be able to reach the 10.0.1.0/24 subnet for the network served by Tunnel-A.

To solve this problem, add a 10.0.1.0/24 route to Tunnel-A and assign it the production virtual network. Next, assign the staging virtual network to 10.0.1.0/24 in Tunnel-B.

Routes in Tunnel-AVirtual network
10.0.0.0/8default
10.0.1.0/24production
Routes in Tunnel-BVirtual network
10.0.1.0/24staging

The user can now toggle between the two virtual networks in their WARP client, similar to the concept of switching VPN profiles in a VPN client. When a user selects production, they can connect to the entire 10.0.0.0/8 range served by Tunnel-A. When they select staging, they can connect to all of 10.0.0.0/8 in Tunnel-A except for 10.0.1.0/24, which will be served by Tunnel-B.

​​ Set up virtual networks

For setup instructions, refer to Create a virtual network.




Previous Next module