Device client settings

Device client settings (formerly WARP) allow you to customize the Cloudflare One Client modes and permissions available to end users.

• Global device client settings are configurations which apply to all devices enrolled in your Zero Trust organization.
• Global disconnection settings allow administrators to force-disconnect all Cloudflare One Clients during an incident or outage.
• Device profile settings can vary across devices depending on which device profile is applied.

Note

It may take up to 10 minutes for newly updated settings to propagate to devices.

Global device client settings

Allow admin override codes

Feature availability

Operating Systems	Client modes	Zero Trust plans ↗
All systems	Any mode	All plans

Note

To use Allow admin override codes, you must first have enabled Lock WARP switch.

When Lock WARP switch is enabled, users cannot toggle the Cloudflare One Client on and off on their device. Enabling Allow admin override codes gives users the ability to temporarily connect or disconnect the Cloudflare One Client using an override code provided by an admin. Allow admin override codes is only needed in a configuration where Lock WARP switch is enabled.

Example use cases for Allow admin override codes include:

• Allowing users to momentarily disconnect the Cloudflare One Client to work around a temporary network issue such as an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection.
• Allowing test users to connect the Cloudflare One Client while a global disconnect is in effect.

As admin, you can set a Timeout to define how long a user can toggle the client's connection toggle on or off after entering the override code. Cloudflare generates a new override code every hour that an admin can send to end users. The override code's validity adheres to fixed-hour time blocks and aims to be generous to the end user.

Troubleshooting

To learn more about override code timeouts and how Cloudflare calculates an override code's valid duration, refer to Troubleshooting.

If Auto connect is enabled, the Cloudflare One Client will automatically reconnect, according to the value set for the auto connect timeout, even when using Allow admin override codes. Refer to Troubleshooting for more information.

Retrieve the override code

To retrieve the one-time code for a user:

1. Enable Allow admin override codes.
2. Go to Team & Resources > Devices.
3. Select View details for a connected device.
4. Scroll down to User details and select the user's name.
5. Copy the 7-digit Override code shown in the side panel.
6. Share this code with the user for them to enter on their device.

The user will have an unlimited amount of time to activate their code.

Enter the override code

To activate the override code on a user device:

Version 2026.2+

1. Open the Cloudflare One client and go to Settings.
2. In Temporarily disconnect Cloudflare One Client, select Enter admin code.
3. Enter the override code and select Disconnect.

Version 2026.1 and earlier

1. In the Cloudflare One Client, go to Settings > Preferences > Advanced.
2. Select Enter code.
3. Enter the override code.

The user can now toggle the client's connection toggle or use the warp-cli connect command. The client will automatically reconnect after the Auto connect period, but the user can continue to connect or disconnect the Cloudflare One Client until the override expires.

Install CA to system certificate store

Feature availability

Client modes	Zero Trust plans ↗
Traffic and DNS mode, Local proxy mode	All plans

System	Availability	Minimum client version
Windows	✅	2024.12.554.0
macOS	✅	2024.12.554.0
Linux	✅	2024.12.554.0
iOS	❌
Android	❌
ChromeOS	❌

When Enabled, the Cloudflare One Client will automatically install your organization's root certificate on the device.

Assign a unique IP address to each device

Feature availability

Operating Systems	Client modes	Zero Trust plans ↗
Windows, macOS, Linux	Traffic and DNS mode, Traffic only mode	All plans

Overrides the default IP address of the Cloudflare One Client's virtual network interface such that each device has its own unique local interface IP.

This setting is primarily used as a prerequisite for WARP Connector and MASQUE. You can also use it when the default IP conflicts with other local services on your network.

Value:

• Disabled: (default) Sets the local interface IP to 172.16.0.2 on all devices. This configuration is only respected by devices using WireGuard and does not affect devices using MASQUE.

• Enabled: Sets the local interface IP on each device to its CGNAT IP or to a custom device IP.

The IP assigned to a device is permanent until the device unregisters from your Zero Trust organization or switches to a different registration. Disconnects and reconnects do not change the IP address assignment.

Allow all Cloudflare One traffic to reach enrolled devices

Feature availability

Operating Systems	Client modes	Zero Trust plans ↗
All systems	Traffic and DNS mode	All plans

Allows traffic on-ramped using WARP-to-WARP, WARP Connector, or Cloudflare WAN to route to devices enrolled in your Zero Trust organization.

Each device is assigned a virtual IP address in the CGNAT IP space (100.96.0.0/12) or a custom device IP range. With this setting Enabled, users on your private network will be able to connect to these device IPs and access TCP, UDP, and/or ICMP-based services on your devices. You can create Gateway network policies to control which users and devices can access the device IPs.

Note

Ensure that traffic destined to your device IPs routes from your private network to Cloudflare Gateway. For example, if you are making a WARP-to-WARP connection, you must configure your Split Tunnel settings so that traffic to your device IPs routes through the WARP tunnel.

Global disconnection settings

Disconnect WARP on all devices

Feature availability

Client modes	Zero Trust plans ↗
All modes	All plans

System	Availability	Minimum client version
Windows	✅	2025.2.600.0
macOS	✅	2025.2.600.0
Linux	✅	2025.2.600.0
iOS	❌
Android	❌
ChromeOS	❌

Note

Requires the Super Administrator role.

Disconnect WARP on all devices allows administrators to fail open the Cloudflare One Client in case of an incident occurring in your environment, independent from incidents or outages affecting Cloudflare's services. When you turn on Disconnect WARP on all devices, Cloudflare will disconnect all Windows, macOS, and Linux Cloudflare One Clients that are connected to your Zero Trust organization. This includes end user devices, WARP Connector hosts, and WARP-to-WARP devices. End users will receive a notification on their device and the Cloudflare One Client will display Admin directed disconnect.

To resume normal operations, turn off Disconnect WARP on all devices. The Cloudflare One Client will automatically reconnect.

For more information on how Disconnect WARP on all devices works with other device client settings, refer to Device client settings precedence.

Manage device connection using an external signal

Feature availability

Client modes	Zero Trust plans ↗
All modes	All plans

System	Availability	Minimum client version
Windows	✅	2025.10.186.0
macOS	✅	2025.10.186.0
Linux	✅	2025.10.186.0
iOS	❌
Android	❌
ChromeOS	❌

Allows administrators to disconnect and reconnect the Cloudflare One Client independently from any Cloudflare infrastructure. When Enabled, Cloudflare One Clients will periodically poll the configured HTTPS endpoint and disconnect when they receive a valid disconnect signal.

To set up the external HTTPS endpoint, refer to External emergency disconnect.

Device profile settings

Captive portal detection

Feature availability

Operating Systems	Client modes	Zero Trust plans ↗
All systems	Any mode	All plans

When Enabled, the Cloudflare One Client will automatically disconnect when it detects a captive portal, and it will automatically reconnect after the Timeout duration.

Since captive portal implementations vary, the Cloudflare One Client may not detect all captive portals. For more information, refer to Captive portal detection.

Mode switch

Feature availability

Operating Systems	Client modes	Zero Trust plans ↗
All systems	Any mode	All plans

When Enabled, users have the option to switch between Traffic and DNS mode and DNS only mode. This feature does not support switching between any other modes.

Device tunnel protocol

Feature availability

Client modes	Zero Trust plans ↗
Traffic and DNS mode Traffic only mode	All plans

System	Availability	Minimum client version
Windows	✅	2024.11.309.0
macOS	✅	2024.11.309.0
Linux	✅	2024.11.309.0
iOS	✅	1.7
Android	✅	2.0
ChromeOS	✅	2.0

Configures the protocol used to route IP traffic from the device to Cloudflare Gateway. To check the active protocol on a device, open a terminal and run warp-cli settings | grep protocol.

Value:

• WireGuard: Establishes a WireGuard ↗ connection to Cloudflare. The Cloudflare One Client will encrypt traffic using a non-FIPs compliant cipher suite, TLS_CHACHA20_POLY1305_SHA256. When switching from MASQUE to WireGuard, users may lose Internet connectivity if their Wi-Fi network blocks the ports and IPs required for WireGuard to function.
• MASQUE: (default) Establishes an HTTP/3 connection to Cloudflare. The Cloudflare One Client will encrypt traffic using TLS 1.3 and a FIPS 140-2 ↗ compliant cipher suite, TLS_AES_256_GCM_SHA384. Assign a unique IP address to each device is enabled by default for devices with MASQUE enabled.

For more details on WireGuard versus MASQUE, refer to our blog post ↗.

Lock WARP switch

Feature availability

Operating Systems	Client modes	Zero Trust plans ↗
All systems	Any mode	All plans

Allows the user to disconnect the Cloudflare One Client.

Value:

• Disabled: (default) The user is able to connect or disconnect the Cloudflare One Client at their discretion. When the client is disconnected, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.
• Enabled: The user is prevented from disconnecting the Cloudflare One Client. The client will always start in the connected state.

On MDM deployments, you must also include the auto_connect parameter with at least a value of 0. This will prevent clients from being deployed in the off state without a way for users to manually enable them.

Allow device to leave organization

Feature availability

Operating Systems	Client modes	Zero Trust plans ↗
All systems	Any mode	All plans

When Enabled, users can log out from your Zero Trust organization by selecting Logout from Zero Trust in the Cloudflare One Client UI. The Logout from Zero Trust button is only available for devices that were enrolled manually. Devices that enrolled using an MDM file are always prevented from leaving your Zero Trust organization.

Allow updates

Feature availability

Operating Systems	Client modes	Zero Trust plans ↗
macOS, Windows, Linux	Any mode	All plans

When Enabled, users will receive update notifications when a new version of the client is available. Only turn this on if your users are local administrators with the ability to add or remove software from their device.

Auto connect

Feature availability

Operating Systems	Client modes	Zero Trust plans ↗
All systems	Any mode	All plans

When Enabled, the client will automatically reconnect if it has been disabled for the specified Timeout value. This setting is best used in conjunction with Lock WARP Switch above.

We recommend keeping this set to a very low value — usually just enough time for a user to log in to hotel or airport Wi-Fi. If any value is specified, the client defaults to the Connected state (for example, after a reboot or the initial install).

Value:

• 0: Allow the switch to stay in the off position indefinitely until the user turns it back on.
• 1 to 1440: Turn switch back on automatically after the specified number of minutes.

Support URL

Feature availability

Operating Systems	Client modes	Zero Trust plans ↗
All systems	Any mode	All plans

When Enabled, the Send Feedback button in the Cloudflare One Client appears and will launch the URL specified. Example Support URL values are:

• https://support.example.com: Use an https:// link to open your companies internal help site.
• mailto:yoursupport@example.com: Use a mailto: link to open your default mail client.

Service mode

Feature availability

Operating Systems	Client modes	Zero Trust plans ↗
All systems	Any mode	All plans

Allows you to choose the operational mode of the client. Refer to Client modes for a detailed description of each mode.

Local Domain Fallback

Feature availability

Operating Systems	Client modes	Zero Trust plans ↗
All systems	Traffic and DNS mode, DNS only mode	All plans

Configures the Cloudflare One Client to redirect DNS requests to a private DNS resolver. For more information, refer to our Local Domain Fallback documentation.

Split Tunnels

Feature availability

Operating Systems	Client modes	Zero Trust plans ↗
All systems	Any mode	All plans

Configures the Cloudflare One Client to exclude or include traffic to specific IP addresses or domains. For more information, refer to our Split Tunnel documentation.

Directly route Microsoft 365 traffic

Feature availability

Operating Systems	Client modes	Zero Trust plans ↗
All systems	Any mode	All plans

Creates Split Tunnel Exclude entries for all Microsoft 365 IP addresses specified by Microsoft ↗. To use this setting, Split Tunnels must be set to Exclude IPs and domains. Once enabled, all Microsoft 365 network traffic will bypass the Cloudflare One Client and Gateway.

Note

Microsoft has recently made changes to the IPs used by their applications (such as Microsoft Teams). Until Microsoft updates their IP address and URL web service ↗, you will need to manually add the following IPs to your Split Tunnels Exclude list:

• 24.24.24.24/32
• 52.120.0.0/14

Allow users to enable local network exclusion

Feature availability

Client modes	Zero Trust plans ↗
Traffic and DNS mode Traffic only mode	All plans

System	Availability	Minimum client version
Windows	✅	2024.1.159.0
macOS	✅	2024.1.160.0
Linux	✅	2024.2.62.0
iOS	❌	N/A1
Android	✅	1.4
ChromeOS	✅	1.4

This setting is intended as a workaround for users whose home network uses the same set of IP addresses as your corporate private network. To use this setting, Split Tunnels must be set to Exclude IPs and domains.

When Enabled, users have the option to access local network resources (such as printers and storage devices) while connected to the Cloudflare One Client. When the user turns on Access Local Network, the Cloudflare One Client will detect the local IP range advertised by the user's home network (for example, 10.0.0.0/24) and temporarily exclude this range from the WARP tunnel. The user will need to re-request access after the Timeout expires. Setting Timeout to 0 minutes will allow LAN access until the next client reconnection, such as a reboot or a laptop waking from sleep.

Warning

Enabling this setting comes with two major consequences:

• Device is exposed to security threats. The user may be unaware that traffic to what used to be their company's private network is now actually being routed to their local network. This leaves the device vulnerable to on-path attackers ↗ and other security vulnerabilities. For example, imagine that a user's typical workflow involves logging into a remote desktop on the corporate network at 10.0.0.30. A bad actor could set up a fake server on the local network at 10.0.0.30. If the user goes to 10.0.0.30 while Access local network is enabled, the attacker can now steal their credentials.
• User loses access to corporate resources. — While accessing their local network, the user will be unable to connect to corporate resources that fall within the same IP/CIDR range.

Access local network as a user

To turn on local network access in the Cloudflare One Client:

Windows and macOS

1. Open the Cloudflare One client and go to Settings.
2. In Temporarily access local network resources, select Access resources.

Version 2026.1 and earlier

1. Open the Cloudflare One Client.
2. Select the gear icon.
3. Select Access Local Network.

Linux

1. Open a terminal window.
2. Run warp-cli override local-network start.

Android and ChromeOS

1. Open the Cloudflare One Agent app.
2. Go to Settings > Advanced > Connection Options.
3. Select Access Local Network.

Limitations

• The Cloudflare One Client will only exclude local networks in the RFC 1918 ↗ address space. Other IP addresses such as CGNAT are not supported.
• The maximum excluded subnet size is /24.
• If a device has multiple network interfaces with distinct local IP ranges, the Cloudflare One Client will only exclude one of those networks. To access a specific local network, disable the other interfaces and disconnect/reconnect the Cloudflare One Client.

Client interface IP DNS registration

Feature availability

Client modes	Zero Trust plans ↗
Traffic and DNS mode Traffic only mode	All plans

System	Availability	Minimum client version
Windows	✅	2025.2.600.0
macOS	❌
Linux	❌
iOS	❌
Android	❌
ChromeOS	❌

When Enabled, the operating system will register the Cloudflare One Client's local interface IP (CGNAT IP or 172.16.0.2) with your on-premise DNS server when the DNS server is reachable.

If you use on-premise DNS infrastructure (such as Active Directory), we recommend turning this setting on for remote device profiles and turning it off for managed network device profiles. In this configuration, remote devices will register their client interface IP, while on-premise devices will only register their local DHCP address. This allows the on-premise DNS server to resolve device hostnames no matter where the device is located.

SCCM VPN boundary support

Feature availability

Client modes	Zero Trust plans ↗
Traffic and DNS mode Traffic only mode	All plans

System	Availability	Minimum client version
Windows	✅	2025.5.735.1
macOS	❌
Linux	❌
iOS	❌
Android	❌
ChromeOS	❌

Microsoft's System Center Configuration Manager ↗ (SCCM) is used to manage software on Windows devices based on the boundary group ↗, or network location, to which they belong. You can assign Cloudflare One Clients to a SCCM boundary group based on their managed network and other device profile attributes. When SCCM VPN Boundary Support is turned on, the Cloudflare One Client will modify the description field on its virtual network interface. This allows you to define a VPN boundary group that matches on the network interface description.

Value:

• Disabled: (default) The client network interface description is Cloudflare WARP Interface Tunnel.

• Enabled: The client network interface description is (SCCM) Cloudflare WARP Interface Tunnel for devices which have the SCCM client ↗ installed. Devices without the SCCM client will still use the default Cloudflare WARP Interface Tunnel description. The Cloudflare One Client checks if the SCCM client is installed by looking for the SMS Agent Host (ccmexec.exe) Windows service.

Example SCCM configuration

Assume you want to push software updates from a cloud based distribution point ↗ if the device is remote, but use on-prem servers if the device is on the office network. To set up these boundary groups:

1. In Zero Trust:

   a. Turn on SCCM VPN Boundary Support for remote device profiles.

   b. Turn off SCCM VPN Boundary Support for on-prem device profiles.

   c. (Optional) Verify device settings:

   Verify SCCM VPN Boundary Support

   To check if SCCM VPN Boundary Support is active on a device, run the following command:

   warp-cli settings | findstr "SCCM VPN Boundary"

   (network policy) SCCM VPN Boundary Support: true

   You can also verify network interface details for the CloudflareWARP adapter:

   ipconfig /all

   Windows IP Configuration
   
   ...
   
   Unknown adapter CloudflareWARP:
   
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : (SCCM) Cloudflare WARP Interface Tunnel
     Physical Address. . . . . . . . . :
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv6 Address. . . . . . . . . . . : 2001:db8:110:8f79:145:f180:fc4:8106(Preferred)
     Link-local IPv6 Address . . . . . : fe80::83b:d647:4bed:d388%49(Preferred)
     IPv4 Address. . . . . . . . . . . : 172.16.0.2(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.255
     Default Gateway . . . . . . . . . :
     DNS Servers . . . . . . . . . . . : 127.0.2.2
                                         127.0.2.3
     NetBIOS over Tcpip. . . . . . . . : Disabled

2. In Microsoft SCCM:

   a. Create a boundary ↗ with the following settings:

   • Description: Remote Cloudflare One Clients
   • Type: VPN
   • Connection description: (SCCM) Cloudflare WARP Interface Tunnel

   b. Assign this boundary to one or more boundary groups.

When the device is remote, the client interface description changes to (SCCM) Cloudflare WARP Interface Tunnel and the SCCM server will determine that the device belongs to the VPN boundary group. The device can now download updates from the distribution point assigned to this boundary group. When a network change occurs and the Cloudflare One Client detects a managed network, it will revert the interface description to Cloudflare WARP Interface Tunnel and the boundary condition will no longer be satisfied. The device will match your local IP range and be considered as on-prem.

NetBIOS over TCPIP

Feature availability

Client modes	Zero Trust plans ↗
Traffic and DNS mode Traffic only mode	All plans

System	Availability	Minimum client version
Windows	✅	2026.1.89.1
macOS	❌
Linux	❌
iOS	❌
Android	❌
ChromeOS	❌

NetBIOS over TCP/IP (NetBT) is a legacy protocol used for name resolution and other features on Windows. NetBT has been deprecated for years, but Windows has not removed it. The Cloudflare One Client disables NetBT on the tunnel interface by default for security reasons and to align with modern best practices. This setting allows you to override the default behavior and enable NetBT over the WARP tunnel.

When to enable NetBT

You should turn on NetBIOS over TCPIP only if devices need to access internal resources over NetBT. Example scenarios include:

• Legacy name resolution: You rely on NetBIOS to resolve single-label names (such as \\SERVER01), instead of modern alternatives like mDNS for single-label names or standard DNS for Fully Qualified Domain Names (such as \\server01.corp.internal).
• SMBv1: You are accessing very old file shares or printers that do not support modern SMB (v2/v3) and require NetBT for discovery.
• Legacy applications: You use specialized internal software that hard-codes NetBIOS for node-to-node communication.

Otherwise, the recommendation is to always disable NetBIOS over TCPIP. You can choose a different setting for remote devices versus on-prem devices.

Verify NetBT settings

To check if NetBIOS over TCPIP is enabled on the client tunnel interface, run the following command:

warp-cli settings | findstr "NetBT"

(network policy) NetBT: true

You can also verify network interface details for the CloudflareWARP adapter:

ipconfig /all

Windows IP Configuration
...
Unknown adapter CloudflareWARP:
    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : Cloudflare WARP Interface Tunnel
    Physical Address. . . . . . . . . :
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv6 Address. . . . . . . . . . . : 2001:db8:110:8f79:145:f180:fc4:8106(Preferred)
    Link-local IPv6 Address . . . . . : fe80::83b:d647:4bed:d388%49(Preferred)
    IPv4 Address. . . . . . . . . . . : 172.16.0.2(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 127.0.2.2
                                        127.0.2.3
    NetBIOS over Tcpip. . . . . . . . : Enabled

Footnotes

1. Current versions of iOS do not allow LAN traffic to route through the WARP tunnel. Therefore, this feature is not needed on iOS. ↩