Connect client devices
Client devices — laptops, phones, and desktops — join your Mesh network by installing the Cloudflare One Client and enrolling. Each device receives a Mesh IP and can immediately communicate with every other enrolled device and Mesh node.
- Device enrollment permissions are configured for your account. The Mesh setup wizard handles this automatically.
Connect a laptop or phone to your Mesh network:
To enroll your device using the client GUI:
- Download and install the Cloudflare One Client.
- Launch the Cloudflare One Client.
- On the What would you like to use the Cloudflare One Client for? screen, select Zero Trust security.
- Enter your team name.
- Complete the authentication steps required by your organization.
  Once authenticated, you will see a Success page and a dialog prompting you to open the Cloudflare One Client.
- Select Open the Cloudflare One Client to complete the registration.

- Download and install the Cloudflare One Client.
- Launch the Cloudflare One Client.
- Select the Cloudflare logo in the menu bar.
- Select the gear icon.
- Go to Preferences > Account.
- Select Login with Cloudflare Zero Trust.
- Enter your team name.
- Complete the authentication steps required by your organization.
  Once authenticated, you will see a Success page and a dialog prompting you to open the Cloudflare One Client.
- Select Open Cloudflare WARP.app to complete the registration.
- Download and install the Cloudflare One Agent app.
- Launch the Cloudflare One Agent app.
- Select Next.
- Review the privacy policy and select Accept.
- Enter your team name.
- Complete the authentication steps required by your organization.
- After authenticating, select Install VPN Profile.
- In the Connection request popup window, select OK.
- If you did not enable auto-connect, manually turn on the switch to Connected.
After enrollment, the device receives a Mesh IP and connects to your Mesh network.
Test that the device can reach a Mesh node or another client device:
ping <MESH-IP>
Replace <MESH-IP> with the Mesh IP of a node (visible on the Mesh overview page) or another enrolled device. Any TCP, UDP, or ICMP traffic works — you can SSH, connect to databases, call APIs, or run any protocol over Mesh IPs.
Once connected, a client device can reach:
- Other client devices — Reach any enrolled device by its Mesh IP. No Mesh nodes involved.
- Mesh nodes — Reach any online node by its Mesh IP. SSH, database connections, API calls all work.
- Subnets behind nodes — Access hosts on private networks that a node advertises via CIDR routes (for example, printers, databases, or servers that cannot run the client).
All traffic is subject to your Gateway network policies, so you can control which users and devices can reach specific resources.
For client devices to reach Mesh IPs, the Mesh IP range must route through Cloudflare. How you configure this depends on your Split Tunnel mode.
In Exclude mode, the CGNAT range (100.64.0.0/10) is excluded from Cloudflare by default. Remove the CGNAT range from your exclude list so that Mesh IP traffic routes through Cloudflare.
If you used the Mesh setup wizard, the wizard creates a device profile in Include mode for Mesh nodes. However, your client devices may still use the default profile with Exclude mode. Verify that 100.96.0.0/12 (or your custom device IP range) is not in the exclude list.
Depending on your Cloudflare networking configuration, you may need to remove additional IPs from your exclude list. For a list of IPs to check, refer to Reserved IP addresses.
In Include mode, add the following to your include list:
- 100.96.0.0/12 — Mesh IPs (device IPs)
- 100.80.0.0/16 and 2606:4700:0cf1:4000::/64 — Hostname routing (if used)
- Any CIDR routes you have configured for your Mesh nodes
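Searching an exclude list for the literal string 100.96.0.0/12 misses the default 100.64.0.0/10 entry that contains it, so the check has to be done by CIDR overlap. The following added example (not Cloudflare's code) audits a Split Tunnel list against the ranges named above; the function name `check_split_tunnel` and the sample lists are assumptions, and entries are assumed to be IP/CIDR strings (domain entries are out of scope).

```python
import ipaddress

# Ranges named on this page. Extend with a custom device IP range or node CIDR routes.
MESH_DEVICE_RANGE = "100.96.0.0/12"
HOSTNAME_ROUTING = ["100.80.0.0/16", "2606:4700:0cf1:4000::/64"]

def check_split_tunnel(mode, entries, required=(MESH_DEVICE_RANGE,)):
    """Return {required_range: [reasons]} for every required range that would
    not fully route through Cloudflare. An empty dict means no gaps."""
    if mode not in ("exclude", "include"):
        raise ValueError("mode must be 'exclude' or 'include'")
    # strict=False tolerates entries written with host bits set (e.g. 100.96.0.1/12).
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    gaps = {}
    for rng in required:
        need = ipaddress.ip_network(rng)
        same_family = [n for n in nets if n.version == need.version]
        if mode == "exclude":
            # A supernet, subnet, or exact match all pull Mesh traffic out of the tunnel.
            hits = [str(n) for n in same_family if n.overlaps(need)]
            if hits:
                gaps[rng] = ["excluded by " + h for h in hits]
        else:
            # Merge adjacent/overlapping entries, then require one merged block to
            # contain the whole range (two /13s can add up to the /12).
            merged = ipaddress.collapse_addresses(same_family)
            if not any(need.subnet_of(m) for m in merged):
                gaps[rng] = ["not fully covered by the include list"]
    return gaps

if __name__ == "__main__":
    # Constructed sample lists, not exported from a real account.
    default_exclude = ["10.0.0.0/8", "100.64.0.0/10", "192.168.0.0/16", "fe80::/10"]
    print(check_split_tunnel("exclude", default_exclude))
    include = ["100.96.0.0/13", "100.104.0.0/13"]
    print(check_split_tunnel("include", include, [MESH_DEVICE_RANGE] + HOSTNAME_ROUTING))
```

Run it against each device profile's list separately, since client devices and Mesh nodes may use different profiles and modes.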
Some operating systems block inbound traffic from the Mesh IP range by default:
- Windows — Windows Firewall blocks inbound traffic from 100.96.0.0/12. Add a firewall rule that allows incoming requests from 100.96.0.0/12 for your desired protocols and ports.
- macOS / Linux — Most configurations allow this traffic by default. If you have custom firewall rules, ensure 100.96.0.0/12 is permitted.