Network to network
Connect two separate private networks so devices on each network can send and receive traffic in both directions through Cloudflare. This is useful when you need to link office locations, data centers, or cloud environments. For example, employees in one office could access a file server, printer, or internal application in another office.
To explore other connection scenarios, refer to Replace your VPN.
Cloudflare Mesh (formerly WARP Connector) lets you deploy mesh nodes — lightweight network connectors that you install on a single Linux device in each network. That device handles traffic for the entire network: it sends outbound traffic to Cloudflare and receives inbound traffic back, then passes it to the right device on the network. Because of this, other devices on the network do not need to install any software.
- A Cloudflare account ↗.
- A Linux device or virtual machine on your first private network. This is where you install your first mesh node.
- A second Linux device or virtual machine on a separate private network. This is where you install your second mesh node.
-
In the Cloudflare dashboard, go to Networking > Mesh.
Go to Mesh -
Select Add a node.
-
Enter a name for the node (for example,
office-a). -
Follow the wizard to configure enrollment and device profile settings.
-
Copy the install commands from the wizard and run them on your Linux device.
-
After the node connects, the dashboard confirms it is online.
- Go to the node detail page for your first node.
- Select the Routes tab.
- Select Add a route.
- Enter the IP range of your first network (for example,
10.0.0.0/24). - Select Create.
Repeat Step 1 on a Linux device in your second network. Give it a distinct name (for example, office-b).
Repeat Step 2 for your second node, entering the IP range of your second network (for example, 192.168.1.0/24). The IP range must not overlap with your first network.
If the mesh node is installed on your network's router (the device that serves as the default gateway), other devices on the network automatically send traffic through it. No additional configuration is needed, and you can skip this step.
If the mesh node is installed on a different device, other devices on the network need a static route so they know to send cross-network traffic to the mesh node. Without this route, devices do not know where to send traffic destined for the other network.
For details on routing options, refer to Routes.
Devices on both networks can now communicate through Cloudflare. To verify connectivity, try reaching a device on the opposite network (for example, ping 192.168.1.100 from a device on your first network).
After verifying your connection, consider securing your connected networks with policies and access controls:
- Set up Gateway policies: By default, all traffic between your network segments flows through Cloudflare without restriction. Gateway policies let you scan, filter, and log traffic between your networks. For more information, refer to DNS policies, Network policies, and HTTP policies.
- Create an Access application: Restrict access to specific services or hosts on your connected networks with identity-based rules. For more information, refer to Secure a private IP or hostname.
- Enable high availability: Deploy multiple replicas of each mesh node for automatic failover. For more information, refer to High availability.
For in-depth guidance on policy design and device posture checks, refer to the Replace your VPN learning path.
If you have issues connecting, refer to these resources:
- Tips and best practices: review common Cloudflare Mesh configuration tips and troubleshooting strategies.
- Troubleshoot tunnels: diagnose tunnel connectivity and routing problems.