Connect a remote device to a private network so your users can securely access internal applications and services from anywhere, without the security risks and performance bottlenecks of a traditional VPN.

To explore other connection scenarios, refer to Replace your VPN.

This guide follows the same steps as the Get Started onboarding wizard in the Cloudflare One dashboard.

How it works

Cloudflare Tunnel is a network connector that creates an outbound-only connection between your private network and Cloudflare. No open inbound ports or firewall changes are required.

The WARP client is an app that you install on each user's device. It routes traffic through Cloudflare and into the tunnel, so users can reach internal resources from anywhere.

Prerequisites

A Cloudflare account with a Zero Trust organization. If you have not set this up, refer to Get started.

A Linux, Windows, or macOS device on your private network to run the tunnel.

A Linux, Windows, or macOS device to install the WARP client on.

Step 1: Assign a Tunnel

Cloudflare Tunnel establishes an outbound connection between your resources and Cloudflare. This is how new devices can reach your private network. You can install Tunnel on any Windows, Mac, or Linux device currently in your private network.

1. In Cloudflare One, select the Get Started tab.
2. For Replace my client-based or site-to-site VPN, select Get started.
3. For Device to network, select Continue.
4. On the Connect a remote device to a private network screen, select Continue.
5. On the Assign a Tunnel screen, use the dropdown to choose an existing tunnel or create a new one.
6. Select Continue.

Step 2: Set your Tunnel's IP range

Add the IP range of your private network to the tunnel. This defines which internal resources your remote users can reach. Your tunnel accepts traffic to this range from devices enrolled in your Zero Trust organization.

1. Enter your IP range (for example, 10.0.1.0/24).
2. Select Continue.

Note: If you are not sure of your IP range, check your router or network settings. Common private network ranges include 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
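Because the range entered here decides what every enrolled device can reach, it is worth reviewing before you submit it. The following is an added example, not part of Cloudflare's documentation or tooling: the function name `review_tunnel_range` and the `max_hosts` threshold are assumptions chosen for illustration, and the private ranges are the three listed in the note above.

```python
import ipaddress

# The common private ranges named in the note above (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def review_tunnel_range(cidr, max_hosts=4096):
    """Return (normalized_cidr, findings) for a candidate tunnel IP range.

    max_hosts is an assumed review threshold, not a Cloudflare limit.
    Raises ValueError if cidr is not an IP network at all.
    """
    findings = []
    text = cidr.strip()
    try:
        net = ipaddress.ip_network(text, strict=True)
    except ValueError:
        # Input such as 10.0.1.5/24 has host bits set: normalize and report it.
        net = ipaddress.ip_network(text, strict=False)
        findings.append(f"host bits set; did you mean {net}?")
    # Check the version first: subnet_of() raises TypeError across IP versions.
    if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
        findings.append("not inside an RFC 1918 private range")
    if net.num_addresses > max_hosts:
        findings.append(
            f"broad route: {net.num_addresses} addresses reachable "
            "by every enrolled device")
    return str(net), findings


if __name__ == "__main__":
    # Constructed sample inputs; 10.0.1.0/24 is the page's own example.
    for candidate in ("10.0.1.0/24", "10.0.1.5/24", "10.0.0.0/8", "8.8.8.0/24"):
        print(candidate, "->", review_tunnel_range(candidate))
```

An empty findings list means the range is well-formed, private, and no larger than the chosen threshold.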

Step 3: Deploy your Tunnel

Install the cloudflared connector on a device in your private network and run the tunnel. This service creates the secure connection between your network and Cloudflare.

1. Select your device's operating system and architecture.
2. Copy the install command and run it on your device. For Windows, open Command Prompt as an administrator. For all other operating systems, use a terminal window.

   For macOS, the command looks similar to:

       brew install cloudflared && sudo cloudflared service install <YOUR_TUNNEL_TOKEN>

   For Windows and Linux, the dashboard provides a download link and install command for your selected architecture. For more download options, refer to Downloads.
3. After cloudflared connects, the dashboard confirms the tunnel is active. Select Continue.

Step 4: Enroll your devices

Device enrollment controls which users can connect their devices to your private network through Cloudflare. In this step, you register your first device by providing an email address and installing the WARP client.

1. Enter the email you want to use to enroll your first device.
2. Select your device's operating system.
3. Select Download to continue to download the WARP client, or copy the download link to send to a different device.
4. Select Continue.

Note: You can manage device enrollment permissions later in Team & Resources > Devices.

Step 5: Complete WARP setup

On your device, complete the WARP installation wizard. Then connect WARP to your Zero Trust organization. For comprehensive OS-specific instructions, refer to Manual deployment.

1. Open the WARP client. On macOS, select the Cloudflare icon in your status bar. On Windows, select the Cloudflare icon in your system tray.
2. Go to Preferences > Account > Login to Cloudflare Zero Trust.
3. Enter your team name when prompted. Your team name is the unique identifier for your Zero Trust organization and was set when the organization was created. The dashboard displays your team name on this screen for easy reference.

   Note: To find or change your team name, go to Settings > Team name and select Edit.
4. Complete the authentication steps. The WARP client should show as Connected.
5. Select Continue in the dashboard.

Step 6: Verify your connection

The dashboard confirms that you are securely connected. You now have remote access between your device and your private network resources.

To verify connectivity, try reaching a resource on your private network (for example, http://10.0.1.100 or ssh 10.0.1.50).
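The check above can be scripted so that each result says what the enrolled device actually observed. This is an added example, not part of Cloudflare's documentation or tooling: the function name `probe` and its status strings are assumptions, and the addresses are the page's sample values. Run it once with WARP connected and once disconnected to confirm that access depends on the client.

```python
import ipaddress
import socket


def probe(host, port, tunnel_cidr, send=b"", timeout=3.0):
    """Return (status, first_line) for one TCP check of a private resource.

    status: outside-range, answered, connected, refused, timeout, unreachable.
    """
    if ipaddress.ip_address(host) not in ipaddress.ip_network(tunnel_cidr):
        return "outside-range", ""      # not covered by the range from Step 2
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", ""            # a reset came back; nothing is listening
    except socket.timeout:
        return "timeout", ""            # no reply to the connection attempt
    except OSError:
        return "unreachable", ""        # for example, no route to host
    with sock:
        try:
            if send:
                sock.sendall(send)
            data = sock.recv(256)       # SSH servers speak first; HTTP replies to a request
        except OSError:
            data = b""                  # handshake completed, but no bytes arrived
    first_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    # "answered" proves the service itself replied, not only that a handshake completed.
    return ("answered" if data else "connected"), first_line


if __name__ == "__main__":
    CIDR = "10.0.1.0/24"                # the page's example range from Step 2
    print(probe("10.0.1.100", 80, CIDR, send=b"HEAD / HTTP/1.0\r\n\r\n"))
    print(probe("10.0.1.50", 22, CIDR))
```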

Recommended next steps

After verifying your connection, consider securing your private network with policies and access controls:

Set up Gateway policies: By default, all enrolled devices can reach your entire private network. Gateway policies let you inspect traffic and control access based on user identity and network attributes. For more information, refer to DNS policies and Network policies.

Create an Access application: Restrict access to specific applications or hostnames on your private network with identity-based rules. For more information, refer to Secure a private IP or hostname.

Explore more with Zero Trust: Review your tunnel, policies, and connected devices in the Cloudflare One dashboard.

For in-depth guidance on policy design and device posture checks, refer to the Replace your VPN learning path.

Troubleshoot

If you have issues connecting, refer to these resources: