Exclude network traffic from WARP
When the WARP Client is deployed, all DNS requests and/or network traffic on the device are processed by Cloudflare Gateway by default. However, under certain circumstances, you may need to exclude DNS requests and/or network traffic from being processed by Gateway.
To do that, there are two settings you can use depending on your needs:
- Use Local Domain Fallback to instruct the WARP Client to ignore DNS requests to a given list of domains. These DNS requests will be passed back to other DNS servers configured on existing network interfaces on the device.
This is useful when you have defined private hostnames that wouldn’t otherwise resolve on the public internet.
- Use the Split Tunnel mode to instruct the WARP client to ignore traffic to a specified set of IP addresses. Any traffic that is destined to an IP address defined in the split tunnel configuration will be ignored by the WARP client and handled by the local machine.
This is useful when you want to run another VPN alongside WARP or when you need traffic to flow over the open Internet.
Use WARP alongside a VPN
You may still be required to run WARP alongside a legacy VPN product, and we're working to make this experience as seamless as possible. When running in this configuration, there are two important considerations with your deployment:
- Start WARP first. WARP and your legacy VPN are both trying to route traffic and DNS requests over their respective networks. Some legacy VPN clients must be the last client to touch a network configuration or they will fail.
- Turn on Split Tunnel and DNS Fallback in your legacy VPN configuration. Your legacy VPN may try to route all network traffic and DNS requests through its own network by default. For Gateway to function properly, the legacy VPN configuration needs to be set up to handle only the network traffic for the line-of-business (LOB) applications that still require the legacy VPN. All other traffic should fall back to the local machine, so it can be picked up by WARP and protected by Gateway.
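
The following is an added example, not Cloudflare's code or the WARP client's implementation. It models the two exclusion settings described above and checks whether a legacy VPN's routes are fully covered by a Split Tunnel exclude list. All addresses, domains and function names are constructed, and matching fallback domains on label boundaries is an assumption of this model.

```python
import ipaddress

# Constructed sample configuration (documentation/private ranges, not real values).
SPLIT_TUNNEL_EXCLUDE = ["10.0.0.0/8", "192.168.0.0/16", "203.0.113.10/32"]
LOCAL_DOMAIN_FALLBACK = ["corp.example", "intranet.example"]


def handled_by(dest_ip, excludes=SPLIT_TUNNEL_EXCLUDE):
    """Return 'local' if dest_ip falls in an excluded range, else 'warp'."""
    ip = ipaddress.ip_address(dest_ip)
    nets = [ipaddress.ip_network(c) for c in excludes]
    hit = any(ip.version == n.version and ip in n for n in nets)
    return "local" if hit else "warp"


def resolver_for(hostname, suffixes=LOCAL_DOMAIN_FALLBACK):
    """Return 'local-dns' if hostname is a listed domain or a subdomain of one.

    Assumption of this model: a suffix matches only on a label boundary,
    so 'notcorp.example' does not match 'corp.example'.
    """
    name = hostname.rstrip(".").lower()
    for suffix in suffixes:
        suffix = suffix.strip(".").lower()
        if name == suffix or name.endswith("." + suffix):
            return "local-dns"
    return "gateway"


def uncovered_vpn_routes(vpn_routes, excludes=SPLIT_TUNNEL_EXCLUDE):
    """List VPN routes that are not fully inside any excluded range.

    WARP would still try to handle part of each returned route, so it
    would compete with the legacy VPN for that traffic.
    """
    nets = [ipaddress.ip_network(c) for c in excludes]
    missing = []
    for route_cidr in vpn_routes:
        route = ipaddress.ip_network(route_cidr)
        covered = any(route.version == n.version and route.subnet_of(n) for n in nets)
        if not covered:
            missing.append(route_cidr)
    return missing


if __name__ == "__main__":
    for ip in ("10.1.2.3", "8.8.8.8"):
        print(ip, "->", handled_by(ip))
    for host in ("wiki.corp.example", "notcorp.example"):
        print(host, "->", resolver_for(host))
    print("uncovered:", uncovered_vpn_routes(["10.20.0.0/16", "172.16.0.0/12"]))
```
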