Cloudflare One Client
The Cloudflare One Client (formerly WARP) securely and privately sends traffic from your devices to Cloudflare's global network, where Cloudflare Gateway can apply advanced web filtering. The Cloudflare One Client also enables you to use posture checks in Access and Gateway policies so that you can check a device's health before it connects to corporate applications.
The Cloudflare One Client is a device client that builds proxy tunnels using either WireGuard or MASQUE, and builds a DNS proxy using DNS-over-HTTPS. The Cloudflare One Client supports all major operating systems, all common forms of endpoint management tooling, and has a robust series of management parameters and profiles to accurately scope the needs of a diverse user base.
The Cloudflare One Client consists of:
- Graphical User Interface (GUI): Control panel that allows end users to view the client's status and perform actions such as connecting or disconnecting.
- WARP daemon (or service): Core background component responsible for establishing secure tunnels (using WireGuard or MASQUE) and handling all client functionality on your device.
For more information on how the Cloudflare One Client routes traffic, refer to the client architecture page.
The GUI and daemon (or service) have different names and are stored in the following locations:
Windows
| Windows | |
|---|---|
| Service / Daemon | C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe |
| GUI application | C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe |
| Logs Location | Daemon: C:\ProgramData\Cloudflare\ <br> GUI Logs: C:\Users\<USER>.WARP\AppData\Local or %LOCALAPPDATA%\Cloudflare |
macOS
| macOS | |
|---|---|
| Service / Daemon | /Applications/Cloudflare WARP.app/Contents/Resources/CloudflareWARP |
| GUI application | /Applications/Cloudflare WARP.app/Contents/MacOS/Cloudflare WARP |
| Logs Location | Daemon: /Library/Application Support/Cloudflare/ <br> GUI Logs: ~/Library/Logs/Cloudflare/ |
Linux
| Linux | |
|---|---|
| Service / Daemon | /bin/warp-svc |
| GUI application | /bin/warp-taskbar |
| Logs Location | /var/log/cloudflare-warp/ <br> /var/lib/cloudflare-warp |
Along with the Cloudflare One Client GUI and daemon, warp-cli and warp-diag are also installed on the machine and added to the system path for use from any terminal session.
warp-diag is a command-line diagnostics tool that collects logs, configuration details, and connectivity data from the Cloudflare One Client to help troubleshoot issues.
warp-cli is the command-line interface (CLI) for managing and configuring the Cloudflare One Client, allowing users to connect, disconnect, and adjust settings programmatically.
Deploying the Cloudflare One Client significantly enhances your organization's security and visibility within Cloudflare Zero Trust:
- Unified security policies everywhere: With the Cloudflare One Client deployed in the Traffic and DNS mode, Gateway policies are not location-dependent — they can be enforced anywhere.
- Advanced web filtering and threat protection: Activate Gateway features for your device traffic, including:
- Application and device-specific insights: With the Cloudflare One Client installed on your corporate devices, you can view detailed application and user-level activity on the Zero Trust Shadow IT Discovery page, while also monitoring device and network performance with Digital Experience Monitoring (DEX) to proactively detect and resolve issues.
- Device posture checks: The Cloudflare One Client provides advanced Zero Trust protection by making it possible to check for device posture. By setting up device posture checks, you can build Access or Gateway policies that check for a device's location, disk encryption status, OS version, and more.
- Secure private and infrastructure access: The Cloudflare One Client lets devices connect to private networks over Cloudflare Tunnel and is required for Access for Infrastructure, enabling secure SSH with short-lived certificates and detailed logging.
The Cloudflare One Client offers flexible operating modes to suit your specific needs. The client can control device traffic as a full proxy, manage only DNS traffic as a DNS proxy, or both. The Cloudflare One Client is the most common method for sending user device traffic through Cloudflare Gateway for filtering and decryption.
- Review the first-time setup guide to install and deploy the Cloudflare One Client on your corporate devices.
- Review possible client modes and settings to best suit your organization's needs.
- Explore Cloudflare Gateway to enforce advanced DNS, network, HTTP, and egress policies with the Cloudflare One Client.