Tips and best practices
Operational guidance for managing Cloudflare Mesh deployments — updating the client, configuring cloud providers, running alongside Cloudflare Tunnel, and common troubleshooting.
Updating a Mesh node means updating the cloudflare-warp package on the Linux host. The node briefly disconnects during the update, which interrupts traffic routed through it. If you have high availability enabled, traffic fails over to a standby replica automatically.
On hosts that use apt:
- Check the current version: warp-cli --version
- Update the package: sudo apt-get update && sudo apt-get install --only-upgrade cloudflare-warp

On hosts that use yum:
- Check the current version: warp-cli --version
- Update the package: sudo yum update cloudflare-warp

Then, on either host type:
- Verify the node has reconnected: warp-cli status
You should see Status update: Connected in the output.
When deploying Mesh nodes in a cloud VPC, you may need to configure additional provider settings so the node can forward traffic for other devices on the subnet.
- Enable IP forwarding on the VM instance where you installed the Mesh node.
- Disable source/destination checking on the EC2 instance.
- In your subnet route table, add a route for Mesh traffic (for example, 100.96.0.0/12) pointing to the EC2 instance.
- Enable IP forwarding on the network interface of the VM.
- Add a user-defined route for Mesh traffic pointing to the VM's private IP.
A Mesh node (warp-cli) and Cloudflare Tunnel (cloudflared) can run on the same Linux host. This is useful when you want to use the Mesh node as a gateway for your private network while also using Cloudflare Tunnel to publish specific applications.
The Mesh node captures outbound traffic and routes it through Cloudflare, which can prevent cloudflared from making its required outbound connections. To resolve this, use Split Tunnels to exclude the hostnames and IPs listed in the Tunnel with firewall documentation.
To route traffic between Cloudflare Mesh and Cloudflare WAN (for example, reaching a Mesh node from a WAN-connected site or vice versa), your account must be on Unified Routing mode (beta). Unified Routing uses a single routing fabric for all connection types (Cloudflare One Client, Cloudflare Tunnel, IPsec, GRE, CNI). Without it, Mesh and WAN connections cannot exchange traffic.
Cloudflare Workers can connect to your Mesh network using VPC Network bindings. Bind to cf1:network to reach any Mesh node, client device, or subnet route in your account — without specifying a particular tunnel UUID.
For setup instructions and examples, refer to Connect Workers to Cloudflare Mesh.
When Cloudflare services (such as Load Balancing health checks or Workers) send traffic to your private network through a Mesh node, the traffic originates from the Cloudflare source IP range (default 100.64.0.0/12). You may need to configure Cloudflare source IPs to avoid IP conflicts.
Mesh nodes use encapsulation to route traffic, which adds overhead to each packet. This is especially relevant for traffic between two Mesh participants, where the packet may be encapsulated twice (once by the sending node, and again by Cloudflare before delivery to the receiving side).
If source devices send packets near the maximum size (1,460 bytes or more), the double encapsulation can push packets over 1,500 bytes, causing them to be dropped.
- Set the MTU on source devices (servers, cameras, IoT devices) to 1,280 bytes to ensure packets fit after encapsulation.
- For TCP-only traffic, apply MSS clamping on your router with a value of 1,240 bytes (1,280 MTU - 20 byte IP header - 20 byte TCP header).
- Modern applications using Path MTU Discovery (PMTUD) typically handle this automatically.
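The two mitigations above (a 1,280-byte MTU on source devices, a 1,240-byte MSS clamp on the router) as a small POSIX shell helper. This is an added example, not a script from the Cloudflare documentation; it assumes a Linux host with iproute2 and iptables, and the interface name and the mangle/FORWARD placement of the clamp are assumptions for a typical Linux router.

```shell
#!/bin/sh
# Added example (not Cloudflare's code): apply the MTU / MSS-clamping guidance
# for hosts behind a Mesh node. Assumes iproute2 (ip) and iptables are installed.
set -eu

MESH_MTU=1280   # MTU recommended for source devices so packets survive double encapsulation
IP_HDR=20       # IPv4 header without options
TCP_HDR=20      # TCP header without options
RISK_SIZE=1460  # packets of this size or larger may exceed 1,500 bytes after encapsulation

# MSS that fits inside a given MTU: MTU - IP header - TCP header (1280 -> 1240).
mss_for_mtu() {
    echo $(( $1 - IP_HDR - TCP_HDR ))
}

# Exit status 0 if a packet of the given size is at risk of being dropped.
at_risk() {
    [ "$1" -ge "$RISK_SIZE" ]
}

# Set the interface MTU on a source device (server, camera, IoT host).
set_device_mtu() {
    ip link set dev "$1" mtu "$MESH_MTU"
}

# Idempotently clamp TCP MSS on a Linux router forwarding traffic towards the node:
# -C checks whether the rule already exists, -A appends it only if it does not.
clamp_mss() {
    mss=$(mss_for_mtu "$MESH_MTU")
    rule="FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
    # shellcheck disable=SC2086  # word-splitting of $rule is intended
    iptables -t mangle -C $rule 2>/dev/null || iptables -t mangle -A $rule
}

# Command dispatch only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    case "$1" in
        device) set_device_mtu "${2:?interface name required, e.g. eth0}" ;;
        router) clamp_mss ;;
        *) echo "usage: $0 device <iface> | router" >&2; exit 2 ;;
    esac
fi
```

Run `sh mesh-mtu.sh device eth0` on a source device and `sh mesh-mtu.sh router` on the forwarding router; both require root.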