Date: 2026-02-16

Cloudflare WAN (formerly Magic WAN) can work together with Cloudflare Tunnel to provide easy access between your networks and applications.

By default, Cloudflare Gateway proxies and filters TCP, UDP, and ICMP traffic routed through Cloudflare WAN tunnels and destined to routes behind Cloudflare Tunnel.

Route evaluation and precedence

Cloudflare evaluates private network routes together across the Cloudflare Tunnel and Cloudflare Virtual Network routing tables. If traffic matches either a Cloudflare Tunnel route (in any virtual network) or a Cloudflare Virtual Network route, the matched route determines the next hop.

When a destination IP matches both a Cloudflare Tunnel private network route and a Cloudflare Virtual Network route, Cloudflare Tunnel takes precedence. This applies whenever a packet matches a cloudflared tunnel Classless Inter-Domain Routing (CIDR) prefix, regardless of prefix length, so a more specific prefix on the other side does not win. For example, a cloudflared tunnel with prefix 10.1.2.0/24 takes precedence over a static route configured to 10.1.2.4/32, and Cloudflare sends packets over the tunnel instead of a GRE tunnel.
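The precedence rule above can silently divert traffic you expected to follow a more specific static route. The following sketch is an added example, not Cloudflare code: it models the rule and lists static routes that a tunnel route shadows. The route tables, next-hop names, and function names are constructed, and longest-prefix selection within a single table is an assumption.

```python
import ipaddress

# Constructed sample tables; CIDRs beyond the page's example and all names are hypothetical.
TUNNEL_ROUTES = {"10.1.2.0/24": "cloudflared-tunnel-a"}
STATIC_ROUTES = {
    "10.1.2.4/32": "gre-tunnel-1",
    "10.1.0.0/16": "gre-tunnel-1",
    "192.168.50.0/24": "ipsec-tunnel-2",
}

def _parse(table):
    return [(ipaddress.ip_network(cidr), hop) for cidr, hop in table.items()]

def next_hop(dst, tunnel_routes, static_routes):
    """Return (route_type, cidr, next_hop) for dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    # Tunnel routes are checked first: any match wins, whatever its prefix length.
    for kind, table in (("tunnel", tunnel_routes), ("static", static_routes)):
        matches = [(net, hop) for net, hop in _parse(table) if addr in net]
        if matches:
            # Assumption: inside one table the most specific prefix is used.
            net, hop = max(matches, key=lambda m: m[0].prefixlen)
            return kind, str(net), hop
    return None

def shadowed_static_routes(tunnel_routes, static_routes):
    """List static routes whose address space a tunnel route captures."""
    findings = []
    for s_net, s_hop in _parse(static_routes):
        for t_net, t_hop in _parse(tunnel_routes):
            if s_net.overlaps(t_net):
                # "fully": the static route never carries traffic.
                # "partly": only the overlapping addresses are diverted.
                scope = "fully" if s_net.subnet_of(t_net) else "partly"
                findings.append((str(s_net), s_hop, str(t_net), t_hop, scope))
    return findings

if __name__ == "__main__":
    print(next_hop("10.1.2.4", TUNNEL_ROUTES, STATIC_ROUTES))
    for finding in shadowed_static_routes(TUNNEL_ROUTES, STATIC_ROUTES):
        print("shadowed:", finding)
```

Running an audit like this against exported route lists before adding a tunnel prefix shows which static routes would stop receiving traffic.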

For complex deployments where you need overlapping routes in both Cloudflare Tunnel and Cloudflare Virtual Network, consult your Solutions Engineering team for guidance.

For more information about private network routes with cloudflared, refer to Connect with cloudflared.

Test cloudflared tunnel integration

To verify that a cloudflared tunnel works correctly with your Cloudflare WAN connection:

1. From a host behind your customer premises equipment, open a browser.
2. Browse to an IP address or hostname that is reachable through a Cloudflare Tunnel private network route, such as the example destination 10.1.2.3.
3. Confirm that the application loads as expected.

If it does, Cloudflare Tunnel is handling the traffic as configured.