--- title: Device client settings description: Reference information for Device client settings in Zero Trust. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Wireguard ](https://developers.cloudflare.com/search/?tags=Wireguard)[ MASQUE ](https://developers.cloudflare.com/search/?tags=MASQUE) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Device client settings Device client settings (formerly WARP) allow you to customize the Cloudflare One Client modes and permissions available to end users. * [Global device client settings](#global-device-client-settings) are configurations which apply to all devices enrolled in your Zero Trust organization. * [Global disconnection settings](#global-disconnection-settings) allow administrators to force-disconnect all Cloudflare One Clients during an incident or outage. * [Device profile settings](#device-profile-settings) can vary across devices depending on which [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) is applied. Note It may take up to 10 minutes for newly updated settings to propagate to devices. ## Global device client settings ### Allow admin override codes Feature availability | Operating Systems | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | All systems | Any mode | All plans | Note To use **Allow admin override codes**, you must first have enabled [**Lock device client switch**](#lock-device-client-switch). When [**Lock device client switch**](#lock-device-client-switch) is enabled, users cannot toggle the Cloudflare One Client on and off on their device. Enabling **Allow admin override codes** gives users the ability to temporarily connect or disconnect the Cloudflare One Client using an override code provided by an admin. **Allow admin override codes** is only needed in a configuration where **Lock device client switch** is enabled. Example use cases for **Allow admin override codes** include: * Allowing users to momentarily disconnect the Cloudflare One Client to work around a temporary network issue such as an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection. * Allowing test users to connect the Cloudflare One Client while a global disconnect is in effect. As admin, you can set a **Timeout** to define how long a user can toggle the client's connection toggle on or off after entering the override code. Cloudflare generates a new override code every hour that an admin can send to end users. The override code's validity adheres to fixed-hour time blocks and aims to be generous to the end user. Troubleshooting To learn more about override code timeouts and how Cloudflare calculates an override code's valid duration, refer to [Troubleshooting](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/common-issues/#admin-override-codes-expired). If [Auto connect](#auto-connect) is enabled, the Cloudflare One Client will automatically reconnect, according to the value set for the auto connect timeout, even when using **Allow admin override codes**. Refer to [Troubleshooting](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/common-issues/#admin-override-codes-expired) for more information. #### Retrieve the override code To retrieve the one-time code for a user: 1. Enable **Allow admin override codes**. 2. Go to **Team & Resources** \> **Devices**. 3. Select **View details** for a connected device. 4. Scroll down to **User details** and select the user's name. 5. Copy the 7-digit **Override code** shown in the side panel. 6. Share this code with the user for them to enter on their device. The user will have an unlimited amount of time to activate their code. #### Enter the override code To activate the override code on a user device: * [ Version 2026.2+ ](#tab-panel-5841) * [ Version 2026.1 and earlier ](#tab-panel-5842) 1. Open the Cloudflare One Client and go to **Settings**. 2. In **Temporarily disconnect Cloudflare One Client**, select **Enter admin code**. 3. Enter the override code and select **Disconnect**. 1. In the Cloudflare One Client, go to **Settings** \> **Preferences** \> **Advanced**. 2. Select **Enter code**. 3. Enter the override code. The user can now toggle the client's connection toggle or use the `warp-cli connect` command. The client will automatically reconnect after the [Auto connect period](#auto-connect), but the user can continue to connect or disconnect the Cloudflare One Client until the override expires. ### Install CA to system certificate store Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | Traffic and DNS mode, Local proxy mode | All plans | | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2024.12.554.0 | | macOS | ✅ | 2024.12.554.0 | | Linux | ✅ | 2024.12.554.0 | | iOS | ❌ | | | Android | ❌ | | | ChromeOS | ❌ | | When `Enabled`, the Cloudflare One Client will [automatically install](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment/) your organization's root certificate on the device. ### Assign a unique IP address to each device Feature availability | Operating Systems | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | --------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | Windows, macOS, Linux | Traffic and DNS mode, Traffic only mode | All plans | Overrides the default IP address of the Cloudflare One Client's [virtual network interface](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/#ip-traffic) such that each device has its own unique local interface IP. This setting is primarily used as a prerequisite for [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) and [MASQUE](#device-tunnel-protocol). You can also use it when the default IP conflicts with other local services on your network. **Value:** * `Disabled`: (default) Sets the local interface IP to `172.16.0.2` on all devices. This configuration is only respected by devices using [WireGuard](#device-tunnel-protocol) and does not affect devices using [MASQUE](#device-tunnel-protocol). * `Enabled`: Sets the local interface IP on each device to its CGNAT IP or to a [custom device IP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-ips/). The IP assigned to a device is permanent until the device unregisters from your Zero Trust organization or switches to a different registration. Disconnects and reconnects do not change the IP address assignment. ### Allow all Cloudflare One traffic to reach enrolled devices Feature availability | Operating Systems | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | All systems | Traffic and DNS mode | All plans | Allows traffic on-ramped using [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) or [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/) to route to devices enrolled in your Zero Trust organization. Each device is assigned a virtual IP address in the CGNAT IP space (`100.96.0.0/12`) or a [custom device IP range](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-ips/). With this setting `Enabled`, users on your private network will be able to connect to these device IPs and access [TCP, UDP, and/or ICMP-based services](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/) on your devices. You can create [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) to control which users and devices can access the device IPs. Note Ensure that traffic destined to your device IPs routes from your private network to Cloudflare Gateway. For example, if you are using [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) connectivity, you must configure your [Split Tunnel settings](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) so that traffic to your Mesh IPs routes through the tunnel. ## Global disconnection settings ### Disconnect the Cloudflare One Client on all devices Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | All modes | All plans | | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2025.2.600.0 | | macOS | ✅ | 2025.2.600.0 | | Linux | ✅ | 2025.2.600.0 | | iOS | ❌ | | | Android | ❌ | | | ChromeOS | ❌ | | Note Requires the [Super Administrator](https://developers.cloudflare.com/cloudflare-one/roles-permissions/) role. **Disconnect the Cloudflare One Client on all devices** allows administrators to fail open the Cloudflare One Client in case of an incident occurring in your environment, independent from incidents or outages affecting Cloudflare's services. When you turn on **Disconnect the Cloudflare One Client on all devices**, Cloudflare will disconnect all Windows, macOS, and Linux Cloudflare One Clients that are connected to your Zero Trust organization. This includes end user devices and [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) nodes. End users will receive a notification on their device and the Cloudflare One Client will display [Admin directed disconnect](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/client-errors/#admin-directed-disconnect). To resume normal operations, turn off **Disconnect the Cloudflare One Client on all devices**. The Cloudflare One Client will automatically reconnect. For more information on how **Disconnect the Cloudflare One Client on all devices** works with other device client settings, refer to [Device client settings precedence](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/#warp-settings-precedence). ### Manage device connection using an external signal Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | All modes | All plans | | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2025.10.186.0 | | macOS | ✅ | 2025.10.186.0 | | Linux | ✅ | 2025.10.186.0 | | iOS | ❌ | | | Android | ❌ | | | ChromeOS | ❌ | | Allows administrators to disconnect and reconnect the Cloudflare One Client independently from any Cloudflare infrastructure. When `Enabled`, Cloudflare One Clients will periodically poll the configured HTTPS endpoint and disconnect when they receive a valid disconnect signal. To set up the external HTTPS endpoint, refer to [External emergency disconnect](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/). ## Device profile settings ### Captive portal detection Feature availability | Operating Systems | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | All systems | Any mode | All plans | When `Enabled`, the Cloudflare One Client will automatically disconnect when it detects a captive portal, and it will automatically reconnect after the **Timeout** duration. Since captive portal implementations vary, the Cloudflare One Client may not detect all captive portals. For more information, refer to [Captive portal detection](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/captive-portals/). ### Mode switch Feature availability | Operating Systems | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | All systems | Any mode | All plans | When `Enabled`, users have the option to switch between [Traffic and DNS mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-and-dns-mode-default) and [DNS only mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode). This feature does not support switching between any other modes. ### Device tunnel protocol Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | Traffic and DNS mode Traffic only mode | All plans | | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2024.11.309.0 | | macOS | ✅ | 2024.11.309.0 | | Linux | ✅ | 2024.11.309.0 | | iOS | ✅ | 1.7 | | Android | ✅ | 2.0 | | ChromeOS | ✅ | 2.0 | Configures the protocol used to route IP traffic from the device to Cloudflare Gateway. To check the active protocol on a device, open a terminal and run `warp-cli settings | grep protocol`. **Value**: * **WireGuard**: Establishes a [WireGuard ↗](https://www.wireguard.com/) connection to Cloudflare. The Cloudflare One Client will encrypt traffic using a non-FIPs compliant cipher suite, `TLS_CHACHA20_POLY1305_SHA256`. When switching from MASQUE to WireGuard, users may lose Internet connectivity if their Wi-Fi network blocks the [ports and IPs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#warp-ingress-ip) required for WireGuard to function. * **MASQUE**: (default) Establishes an HTTP/3 connection to Cloudflare. The Cloudflare One Client will encrypt traffic using TLS 1.3 and a [FIPS 140-2 ↗](https://csrc.nist.gov/pubs/fips/140-2/upd2/final) compliant cipher suite, `TLS_AES_256_GCM_SHA384`. [Assign a unique IP address to each device](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#assign-a-unique-ip-address-to-each-device) is enabled by default for devices with MASQUE enabled. For more details on WireGuard versus MASQUE, refer to our [blog post ↗](https://blog.cloudflare.com/zero-trust-warp-with-a-masque). ### Lock device client switch Feature availability | Operating Systems | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | All systems | Any mode | All plans | Allows the user to disconnect the Cloudflare One Client. **Value:** * `Disabled`: (default) The user is able to connect or disconnect the Cloudflare One Client at their discretion. When the client is disconnected, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks. * `Enabled`: The user is prevented from disconnecting the Cloudflare One Client. The client will always start in the connected state. On MDM deployments, you must also include the `auto_connect` parameter with at least a value of `0`. This will prevent clients from being deployed in the off state without a way for users to manually enable them. ### Allow device to leave organization Feature availability | Operating Systems | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | All systems | Any mode | All plans | When `Enabled`, users can log out from your Zero Trust organization by selecting **Logout from Zero Trust** in the Cloudflare One Client UI. The **Logout from Zero Trust** button is only available for devices that were [enrolled manually](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/). Devices that enrolled using an MDM file are always prevented from leaving your Zero Trust organization. ### Allow updates Feature availability | Operating Systems | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | --------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | macOS, Windows, Linux | Any mode | All plans | When `Enabled`, users will receive update notifications when a new version of the client is available. Only turn this on if your users are local administrators with the ability to add or remove software from their device. ### Auto connect Feature availability | Operating Systems | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | All systems | Any mode | All plans | When `Enabled`, the client will automatically reconnect if it has been disabled for the specified **Timeout** value. This setting is best used in conjunction with [Lock device client switch](#lock-device-client-switch) above. We recommend keeping this set to a very low value — usually just enough time for a user to log in to hotel or airport Wi-Fi. If any value is specified, the client defaults to the Connected state (for example, after a reboot or the initial install). **Value:** * `0`: Allow the switch to stay in the off position indefinitely until the user turns it back on. * `1` to `1440`: Turn switch back on automatically after the specified number of minutes. ### Support URL Feature availability | Operating Systems | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | All systems | Any mode | All plans | When `Enabled`, the **Send Feedback** button in the Cloudflare One Client appears and will launch the URL specified. Example **Support URL** values are: * `https://support.example.com`: Use an https:// link to open your companies internal help site. * `mailto:yoursupport@example.com`: Use a `mailto:` link to open your default mail client. ### Service mode Feature availability | Operating Systems | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | All systems | Any mode | All plans | Allows you to choose the operational mode of the client. Refer to [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes) for a detailed description of each mode. ### Local Domain Fallback Feature availability | Operating Systems | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | All systems | Traffic and DNS mode, DNS only mode | All plans | Configures the Cloudflare One Client to redirect DNS requests to a private DNS resolver. For more information, refer to our [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) documentation. ### Split Tunnels Feature availability | Operating Systems | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | All systems | Any mode | All plans | Configures the Cloudflare One Client to exclude or include traffic to specific IP addresses or domains. For more information, refer to our [Split Tunnel](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) documentation. ### Directly route Microsoft 365 traffic Feature availability | Operating Systems | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | All systems | Any mode | All plans | Creates [Split Tunnel](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) Exclude entries for all [Microsoft 365 IP addresses specified by Microsoft ↗](https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-ip-web-service). To use this setting, **Split Tunnels** must be set to **Exclude IPs and domains**. Once enabled, all Microsoft 365 network traffic will bypass the Cloudflare One Client and Gateway. Note Microsoft has recently made changes to the IPs used by their applications (such as Microsoft Teams). Until Microsoft updates their [IP address and URL web service ↗](https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-ip-web-service?view=o365-worldwide), you will need to manually add the following IPs to your [Split Tunnels Exclude list](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#add-a-route): * `24.24.24.24/32` * `52.120.0.0/14` ### Allow users to enable local network exclusion Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | Traffic and DNS mode Traffic only mode | All plans | | System | Availability | Minimum client version | | -------- | ------------ | -------------------------- | | Windows | ✅ | 2024.1.159.0 | | macOS | ✅ | 2024.1.160.0 | | Linux | ✅ | 2024.2.62.0 | | iOS | ❌ | N/A[1](#user-content-fn-1) | | Android | ✅ | 1.4 | | ChromeOS | ✅ | 1.4 | This setting is intended as a workaround for users whose home network uses the same set of IP addresses as your corporate private network. To use this setting, **Split Tunnels** must be set to **Exclude IPs and domains**. When `Enabled`, users have the option to access local network resources (such as printers and storage devices) while connected to the Cloudflare One Client. When the user turns on [**Access Local Network**](#access-local-network-as-a-user), the Cloudflare One Client will detect the local IP range advertised by the user's home network (for example, `10.0.0.0/24`) and temporarily exclude this range from the WARP tunnel. The user will need to re-request access after the **Timeout** expires. Setting **Timeout** to `0 minutes` will allow LAN access until the next client reconnection, such as a reboot or a laptop waking from sleep. Warning Enabling this setting comes with two major consequences: * **Device is exposed to security threats.** The user may be unaware that traffic to what used to be their company's private network is now actually being routed to their local network. This leaves the device vulnerable to [on-path attackers ↗](https://www.cloudflare.com/learning/security/threats/on-path-attack/) and other security vulnerabilities. For example, imagine that a user's typical workflow involves logging into a remote desktop on the corporate network at `10.0.0.30`. A bad actor could set up a fake server on the local network at `10.0.0.30`. If the user goes to `10.0.0.30` while **Access local network** is enabled, the attacker can now steal their credentials. * **User loses access to corporate resources.** — While accessing their local network, the user will be unable to connect to corporate resources that fall within the same IP/CIDR range. #### Access local network as a user To turn on local network access in the Cloudflare One Client: * [ Windows and macOS ](#tab-panel-5843) * [ Linux ](#tab-panel-5844) * [ Android and ChromeOS ](#tab-panel-5845) 1. Open the Cloudflare One Client and go to **Settings**. 2. In **Temporarily access local network resources**, select **Access resources**. Version 2026.1 and earlier 1. Open the Cloudflare One Client. 2. Select the gear icon. 3. Select **Access Local Network**. 1. Open a terminal window. 2. Run `warp-cli override local-network start`. 1. Open the Cloudflare One Agent app. 2. Go to **Settings** \> **Advanced** \> **Connection Options**. 3. Select **Access Local Network**. #### Limitations * The Cloudflare One Client will only exclude local networks in the [RFC 1918 ↗](https://datatracker.ietf.org/doc/html/rfc1918) address space. Other IP addresses such as CGNAT are not supported. * The maximum excluded subnet size is `/24`. * If a device has multiple network interfaces with distinct local IP ranges, the Cloudflare One Client will only exclude one of those networks. To access a specific local network, disable the other interfaces and disconnect/reconnect the Cloudflare One Client. ### Client interface IP DNS registration Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | Traffic and DNS mode Traffic only mode | All plans | | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2025.2.600.0 | | macOS | ❌ | | | Linux | ❌ | | | iOS | ❌ | | | Android | ❌ | | | ChromeOS | ❌ | | When `Enabled`, the operating system will register the Cloudflare One Client's [local interface IP](#assign-a-unique-ip-address-to-each-device) (CGNAT IP or `172.16.0.2`) with your on-premise DNS server when the DNS server is reachable. If you use on-premise DNS infrastructure (such as Active Directory), we recommend turning this setting on for remote [device profiles](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) and turning it off for [managed network](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) device profiles. In this configuration, remote devices will register their client interface IP, while on-premise devices will only register their local DHCP address. This allows the on-premise DNS server to resolve device hostnames no matter where the device is located. ### SCCM VPN boundary support Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | Traffic and DNS mode Traffic only mode | All plans | | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2025.5.735.1 | | macOS | ❌ | | | Linux | ❌ | | | iOS | ❌ | | | Android | ❌ | | | ChromeOS | ❌ | | Microsoft's [System Center Configuration Manager ↗](https://learn.microsoft.com/en-us/intune/configmgr/) (SCCM) is used to manage software on Windows devices based on the [boundary group ↗](https://learn.microsoft.com/en-us/intune/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups), or network location, to which they belong. You can assign Cloudflare One Clients to a SCCM boundary group based on their [managed network](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) and other device profile attributes. When **SCCM VPN Boundary Support** is turned on, the Cloudflare One Client will modify the description field on its [virtual network interface](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/#ip-traffic). This allows you to define a VPN boundary group that matches on the network interface description. **Value:** * `Disabled`: (default) The client network interface description is `Cloudflare WARP Interface Tunnel`. * `Enabled`: The client network interface description is `(SCCM) Cloudflare WARP Interface Tunnel` for devices which have the [SCCM client ↗](https://learn.microsoft.com/en-us/intune/configmgr/core/clients/deploy/deploy-clients-to-windows-computers) installed. Devices without the SCCM client will still use the default `Cloudflare WARP Interface Tunnel` description. The Cloudflare One Client checks if the SCCM client is installed by looking for the SMS Agent Host (`ccmexec.exe`) Windows service. #### Example SCCM configuration Assume you want to push software updates from a cloud based [distribution point ↗](https://learn.microsoft.com/en-us/intune/configmgr/core/servers/deploy/configure/boundary-groups-distribution-points) if the device is remote, but use on-prem servers if the device is on the office network. To set up these boundary groups: 1. In Zero Trust: a. Turn on **SCCM VPN Boundary Support** for remote [device profiles](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/). b. Turn off **SCCM VPN Boundary Support** for [on-prem device profiles](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/#4-configure-device-profile). c. (Optional) Verify device settings: Verify SCCM VPN Boundary Support To check if **SCCM VPN Boundary Support** is active on a device, run the following command: Terminal window ``` warp-cli settings | findstr "SCCM VPN Boundary" ``` ``` (network policy) SCCM VPN Boundary Support: true ``` You can also verify network interface details for the `CloudflareWARP` adapter: Terminal window ``` ipconfig /all ``` ``` Windows IP Configuration ... Unknown adapter CloudflareWARP: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : (SCCM) Cloudflare WARP Interface Tunnel Physical Address. . . . . . . . . : DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes IPv6 Address. . . . . . . . . . . : 2001:db8:110:8f79:145:f180:fc4:8106(Preferred) Link-local IPv6 Address . . . . . : fe80::83b:d647:4bed:d388%49(Preferred) IPv4 Address. . . . . . . . . . . : 172.16.0.2(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.255 Default Gateway . . . . . . . . . : DNS Servers . . . . . . . . . . . : 127.0.2.2 127.0.2.3 NetBIOS over Tcpip. . . . . . . . : Disabled ``` Explain Code 2. In Microsoft SCCM: a. [Create a boundary ↗](https://learn.microsoft.com/en-us/intune/configmgr/core/servers/deploy/configure/boundaries#create-a-boundary) with the following settings: * **Description**: `Remote Cloudflare One Clients` * **Type**: _VPN_ * **Connection description**: `(SCCM) Cloudflare WARP Interface Tunnel` b. Assign this boundary to one or more boundary groups. When the device is remote, the client interface description changes to `(SCCM) Cloudflare WARP Interface Tunnel` and the SCCM server will determine that the device belongs to the VPN boundary group. The device can now download updates from the distribution point assigned to this boundary group. When a network change occurs and the Cloudflare One Client detects a managed network, it will revert the interface description to `Cloudflare WARP Interface Tunnel` and the boundary condition will no longer be satisfied. The device will match your local IP range and be considered as on-prem. ### NetBIOS over TCPIP Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | Traffic and DNS mode Traffic only mode | All plans | | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2026.1.89.1 | | macOS | ❌ | | | Linux | ❌ | | | iOS | ❌ | | | Android | ❌ | | | ChromeOS | ❌ | | NetBIOS over TCP/IP (NetBT) is a legacy protocol used for name resolution and other features on Windows. NetBT has been deprecated for years, but Windows has not removed it. The Cloudflare One Client disables NetBT on the tunnel interface by default for security reasons and to align with modern best practices. This setting allows you to override the default behavior and enable NetBT over the WARP tunnel. #### When to enable NetBT You should turn on **NetBIOS over TCPIP** only if devices need to access internal resources over NetBT. Example scenarios include: * **Legacy name resolution**: You rely on NetBIOS to resolve single-label names (such as `\\SERVER01`), instead of modern alternatives like mDNS for single-label names or standard DNS for Fully Qualified Domain Names (such as `\\server01.corp.internal`). * **SMBv1**: You are accessing very old file shares or printers that do not support modern SMB (v2/v3) and require NetBT for discovery. * **Legacy applications**: You use specialized internal software that hard-codes NetBIOS for node-to-node communication. Otherwise, the recommendation is to always disable **NetBIOS over TCPIP**. You can choose a different setting for [remote devices](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) versus [on-prem devices](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/#4-configure-device-profile). #### Verify NetBT settings To check if **NetBIOS over TCPIP** is enabled on the client tunnel interface, run the following command: ``` warp-cli settings | findstr "NetBT" ``` ``` (network policy) NetBT: true ``` You can also verify network interface details for the `CloudflareWARP` adapter: ``` ipconfig /all ``` ``` Windows IP Configuration ... Unknown adapter CloudflareWARP: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Cloudflare WARP Interface Tunnel Physical Address. . . . . . . . . : DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes IPv6 Address. . . . . . . . . . . : 2001:db8:110:8f79:145:f180:fc4:8106(Preferred) Link-local IPv6 Address . . . . . : fe80::83b:d647:4bed:d388%49(Preferred) IPv4 Address. . . . . . . . . . . : 172.16.0.2(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.255 Default Gateway . . . . . . . . . : DNS Servers . . . . . . . . . . . : 127.0.2.2 127.0.2.3 NetBIOS over Tcpip. . . . . . . . : Enabled ``` Explain Code ## Footnotes 1. Current versions of iOS do not allow LAN traffic to route through the WARP tunnel. Therefore, this feature is not needed on iOS. [↩](#user-content-fnref-1) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/team-and-resources/","name":"Team and resources"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/team-and-resources/devices/","name":"Devices"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/","name":"Cloudflare One Client"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/","name":"Configure the Cloudflare One Client"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/","name":"Device client settings"}}]} ```