Device to device

Create a secure connection between two devices so they can communicate directly through Cloudflare's network, without needing to be on the same physical network. This is useful when you need to remotely access a specific device, for example connecting to a home computer from a laptop at a coffee shop.

To explore other connection scenarios, refer to Replace your VPN.

This guide follows the same steps as the Get Started onboarding wizard in the Cloudflare One dashboard ↗.

How it works

The WARP client is an app that you install on each device you want to connect. When you sign in to your Cloudflare account through WARP (called "enrolling"), each device is assigned a virtual IP address.

Devices use these virtual IPs to communicate with each other through Cloudflare's network. This works for most common types of network traffic, including web requests, remote desktop, file sharing, and ping.

Only devices signed in to your Cloudflare account can reach these addresses, so they are not accessible to anyone outside your organization. No tunnel infrastructure or network configuration is required, and the connection does not disrupt existing traffic on your network.

Prerequisites

• A Cloudflare account with a Zero Trust organization. If you have not set this up, refer to Get started.
• Two Linux, Windows, macOS, Android, or iOS devices you want to connect together.

Step 1: Enroll your first device

Enrollment permissions control which users can connect devices to your account. In this step, you set an enrollment email and download the WARP client. The email you provide becomes the first allowed login for your organization, and anyone with that email address can enroll a device.

1. In Cloudflare One ↗, select the Get Started tab.
2. For Replace my client-based or site-to-site VPN, select Get started.
3. For Device to device, select Continue.
4. On the Create a device mesh on Cloudflare's network screen, select Continue.
5. Enter the email you want to use to enroll your first device.
6. Select your device's operating system.
7. Select Download to continue to download the WARP client, or copy the download link to send to a different device.
8. Select Continue.

Note

You can manage device enrollment permissions later in Team & Resources > Devices.

Step 2: Complete WARP setup

On your first device, complete the WARP installation wizard. Then connect WARP to your Zero Trust organization. For comprehensive OS-specific instructions, refer to Manual deployment.

1. Open the WARP client. On macOS, select the Cloudflare icon in your status bar. On Windows, select the Cloudflare icon in your system tray.

2. Go to Preferences > Account > Login to Cloudflare Zero Trust.

3. Enter your team name when prompted. Your team name is the unique identifier for your Zero Trust organization and was set when the organization was created. The dashboard displays your team name on this screen for easy reference.

   Note

   To find or change your team name, go to Settings > Team name and select Edit.

4. Complete the authentication steps.

5. The WARP client should show as Connected.

6. Select Continue in the dashboard.

Step 3: Enroll and set up your second device

Both devices must be enrolled in your Cloudflare account for the connection to work.

1. Select the operating system of your second device.
2. Copy the download link and send it to your second device (for example, by email or messaging app), or select Download to continue if you are on that device.
3. On the second device, follow the same WARP installation and login steps from Step 2.
4. The WARP client should show as Connected on the second device.
5. Select Continue in the dashboard.

Step 4: Verify your connection

The dashboard confirms that your devices can securely communicate. Both devices are now connected through Cloudflare's network using their assigned virtual IPs.

To view your device's assigned virtual IP:

1. In Cloudflare One ↗, go to Team & Resources > Devices.
2. Select a device.
3. Select View details.

Recommended next steps

After verifying your connection, consider securing your connected devices with policies and access controls:

• Set up Gateway policies: By default, all enrolled devices can reach each other over the virtual IP space. Gateway policies let you scan, filter, and log traffic between your devices. For more information, refer to DNS policies, Network policies, and HTTP policies.
• Create an Access application: Restrict access to specific destinations on enrolled devices with identity-based rules. For more information, refer to Secure a private IP or hostname.
• Explore more with Zero Trust: Review your policies and connected devices in the Cloudflare One dashboard ↗.

For in-depth guidance on policy design and device posture checks, refer to the Replace your VPN learning path.

Troubleshoot

If you have issues connecting, try these steps:

• Windows users: Windows Firewall blocks device-to-device traffic by default. You may need to add a firewall rule that allows incoming traffic from 100.96.0.0/12. For details, refer to Peer-to-peer connectivity.
• Troubleshoot WARP: resolve WARP client connection and enrollment issues.
• Peer-to-peer connectivity: review WARP-to-WARP setup details and firewall requirements.