WARP with legacy VPN
We understand that you may be required to run a legacy third-party VPN alongside the Cloudflare WARP client. Because the WARP client and third-party VPN both enforce firewall, routing, and DNS rules on your local device, the two products will compete with each other for control over network traffic.
For the most stable and consistent connection, we recommend using Cloudflare Tunnel to connect your private network to our global edge network. However, until you can migrate, the following guidelines will help get your Zero Trust deployment up and running.
The Cloudflare WARP client is compatible with most third-party VPN configurations assuming the following requirements are met:
WARP must be responsible for resolving all DNS traffic on your device. The WARP client captures all DNS traffic and sends it to Gateway for policy enforcement. For WARP to function, DNS configuration settings must be disabled on your VPN. You can use WARP features to route DNS requests to a server behind your third-party VPN or firewall, but the WARP client must still proxy that traffic.
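One way to check this requirement on an endpoint is to audit the configured resolvers and flag any that the VPN has pushed. This is an added example, not Cloudflare's own code. It assumes the host lists its resolvers in resolv.conf format and that the WARP local DNS proxy listens on 127.0.2.2 and 127.0.2.3. The sample inputs are constructed.

```python
import ipaddress

# Assumption: addresses of the WARP local DNS proxy. Confirm them for your
# client version, and extend the set if it also installs IPv6 addresses.
WARP_DNS_PROXY = frozenset(
    ipaddress.ip_address(a) for a in ("127.0.2.2", "127.0.2.3")
)


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses in resolv.conf-style text, in order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        # Drop '#' and ';' comments, then split the directive from its value.
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            addr = fields[1].split("%", 1)[0]  # strip any IPv6 zone id
            try:
                servers.append(ipaddress.ip_address(addr))
            except ValueError:
                continue  # malformed entry: the system resolver ignores it too
    return servers


def audit_dns(resolv_conf_text, warp_proxy=WARP_DNS_PROXY):
    """Report whether every configured resolver is the WARP DNS proxy."""
    servers = parse_nameservers(resolv_conf_text)
    foreign = [str(s) for s in servers if s not in warp_proxy]
    return {
        "servers": [str(s) for s in servers],
        "foreign": foreign,  # resolvers that bypass WARP and Gateway policy
        "warp_only": bool(servers) and not foreign,
    }


# Constructed samples: WARP in control, then a VPN that pushed its own resolver.
WARP_ONLY = "# constructed sample\nnameserver 127.0.2.2\nnameserver 127.0.2.3\n"
VPN_PUSHED = (
    "nameserver 10.8.0.1   # constructed: resolver pushed by the VPN\n"
    "nameserver 127.0.2.2\n"
    "search corp.example\n"
)

if __name__ == "__main__":
    for name, text in (("warp_only", WARP_ONLY), ("vpn_pushed", VPN_PUSHED)):
        print(name, audit_dns(text))
```

A non-empty `foreign` list means DNS configuration is still enabled on the VPN, so those queries are not reaching Gateway.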
Configuring for compatibility
We recommend the following workflow when configuring WARP alongside a third-party VPN service.
Disable DNS configuration in your third-party VPN.
- The IP address of the server your third-party VPN connects to.
- The private IP address space your third-party VPN exposes.