Device IPs

Feature availability

WARP modes	Zero Trust plans ↗
Gateway with WARP Secure Web Gateway without DNS filtering	All plans

System	Availability	Minimum WARP version
Windows	✅	2025.10.186.0
macOS	✅	2025.10.186.0
Linux	✅	2025.10.186.0
iOS	❌
Android	❌
ChromeOS	❌

A device IP identifies and routes traffic to a specific WARP device in your Zero Trust organization. When a user registers the WARP client, Cloudflare assigns a virtual IPv4 and IPv6 address to the device registration. The WARP client uses these IP addresses to create a virtual network interface on the device, which allows your private network to reach the device via WARP-to-WARP, WARP Connector, or Magic WAN on-ramps.

You can verify device IPs and, if needed, reconfigure address pools to avoid overlapping IPs with existing internal resources.

Default device IPs

By default, Cloudflare assigns device IPs from the following address space:

• Default IPv4: 100.96.0.0/12
• Default IPv6: 2606:4700:0cf1:1000::/64

If your organization already uses the default IPv4 range for internal networking, or if you require more granular IP assignments for firewall policy management, you can configure custom WARP IPv4 subnets. You can assign different IPv4 subnets to devices based on the user's identity.

The default IPv6 range is owned by Cloudflare and therefore should not conflict with services on your private network. The WARP IPv6 range is not configurable.

Create an IP subnet

Create a custom IP subnet when the default IPv4 range conflicts with services on your private network.

To define a custom IPv4 subnet for device IPs:

1. In Cloudflare One ↗, go to Team & Resources > Devices > Device profiles.

2. Under WARP IP subnets, select Add new IP subnet.

3. Enter any name for the subnet.

4. In CIDR, enter a valid IPv4 CIDR block from the supported private ranges:

   • 10.0.0.0/8
   • 172.16.0.0/12
   • 192.168.0.0/16
   • 100.64.0.0/10

   The configured CIDR block must be at least size /24.

   Avoid IP conflicts

   Ensure that the chosen CIDR block does not overlap with existing internal routes, such as local office subnets or virtual private clouds (VPCs) in AWS or GCP.

5. Select Add subnet to save.

Next, assign this subnet to a group of devices.

Assign device IPs

Assign custom IP subnets to ensure devices are provisioned within a predictable address space based on specific user identity criteria.

Prerequisites

• Assign a unique IP address to each device is enabled in your device profiles.

Create an IP assignment

To assign IP subnets to your devices:

1. In Cloudflare One ↗, go to Team & Resources > Devices > Device profiles.
2. Under Device IP assignment, select Add new IP assignment.
3. Enter a name for this group of devices (for example, IT department).
4. Create rules to define the users or devices that will receive these IPs. Learn more about the available Selectors, Operators, and Values.
5. Choose an existing IPv4 subnet from the dropdown menu, or create a new subnet.
6. Select Assign IP address.
7. (Optional) In the Device IP assignment table, change the order of precedence of IP assignments.

Devices that match your rules are assigned a random IP from this address space upon registration. Only newly registered devices will receive a new IP; existing devices will not see any impact to connectivity. To assign a new IP to an existing device, you must delete its registration and then re-enroll the device in your Zero Trust organization.

Organizations are currently limited to 30 custom device IP assignments per account.

Selectors

You can configure IP assignments to match against the following selectors or criteria. Identity-based selectors are only available if the user enrolled the device by logging in to an identity provider (IdP).

User email

Apply a device profile based on the user's email.

UI name	API example value
User email	identity.email == "user-name@company.com"

User group emails

Apply a device profile based on an IdP group email address of which the user is configured as a member in the IdP.

UI name	API example
User group emails	identity.groups.email == "contractors@company.com"

User group IDs

Apply a device profile based on an IdP group ID of which the user is configured as a member in the IdP.

UI name	API example
User group IDs	identity.groups.id == "12jf495bhjd7893ml09o"

User group names

Apply a device profile based on an IdP group name of which the user is configured as a member in the IdP.

UI name	API example
User group names	identity.groups.name == "\"finance\""

User name

UI name	API example
User Name	identity.name == "user-name"

SAML attributes

Apply a device profile based on an attribute name and value from a SAML IdP.

UI name	API example
SAML Attributes	identity.saml_attributes == "\"group=finance\""

Comparison operators

Comparison operators determine how device profiles match a selector.

Operator	Meaning
in	matches at least one of the defined values
not in	does not match any of the defined values
is	equals the defined value
matches	regular expression (regex) evaluates to true

Value

In the Value field, you can input a single value when using an equality comparison operator (such as is) or multiple values when using a containment comparison operator (such as in). Additionally, you can use regular expressions (or regex) to specify a range of values for supported selectors.

Regular expressions

Regular expressions are evaluated using Rust. The Rust implementation is slightly different than regex libraries used elsewhere. For more information, refer to our guide for Wildcards. To evaluate if your regex matches, you can use Rustexp ↗.

If you want to match multiple values, you can use the pipe symbol (|) as an OR operator. You do not need to use an escape character (\) before the pipe symbol. For example, the following expression evaluates to true when the user's email domain matches either @acme.com or @widgets.com:

Selector	Operator	Value
User email	matches	@acme.com|@widgets.com

In addition to regular expressions, you can use logical operators to match multiple values.

Logical operators

To evaluate multiple conditions in an expression, select a logical operator:

Operator	Meaning
And	match all of the conditions in the expression
Or	match any of the conditions in the expression

Order of precedence

WARP checks the IP assignments from top to bottom as they appear in the Cloudflare One dashboard (lowest precedence number is checked first). WARP follows the first match principle — once a device matches an IP assignment, WARP stops evaluating and no subsequent IP assignments can override the decision. You can rearrange the IP assignments in the Cloudflare One dashboard according to your desired order of precedence.

Verify device IPs

Via the dashboard

To check the virtual IP addresses assigned to a specific device registration:

1. In Cloudflare One ↗, go to Team & Resources > Devices.
2. Select your device > View details.

   Device filters

   The Cloudflare One dashboard defaults to showing devices that were last seen within the past year. You can select Show filters to change the date range or filter by the last active user.

3. Scroll down to Users. You will see the registrations associated with this device along with their assigned IPv4 and IPv6 addresses.

Via the CLI

To check the device IP used by WARP's virtual network interface:

Windows

On Windows, run ipconfig. When WARP is turned on, you will see an adapter called CloudflareWARP with your WARP device IP.

PowerShell

ipconfig

Windows IP Configuration

Unknown adapter CloudflareWARP:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Cloudflare WARP Interface Tunnel
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2606:4700:110:8f79:145:f180:fc4:8106(Preferred)
   Link-local IPv6 Address . . . . . : fe80::83b:d647:4bed:d388%49(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.16.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 127.0.2.2
                                       127.0.2.3
   NetBIOS over Tcpip. . . . . . . . : Enabled

macOS

On macOS, run ifconfig. When WARP is turned on, you will see a utun interface with your WARP device IP.

ifconfig

<redacted>
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
  inet 172.16.0.2 --> 172.16.0.2 netmask 0xffffffff
  inet6 fe80::f6d4:88ff:fe82:6d9e%utun3 prefixlen 64 scopeid 0x17
  inet6 2606:4700:110:8c7d:7369:7526:a59b:5636 prefixlen 128
  nd6 options=201<PERFORMNUD,DAD>

Linux

On Linux, run ifconfig or ip addr. When WARP is turned on, you will see a utun interface with your WARP device IP.

ip addr

<redacted>
3: CloudflareWARP: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc mq state UNKNOWN group default qlen 500
    link/none
    inet 172.16.0.2/32 scope global CloudflareWARP
       valid_lft forever preferred_lft forever
    inet6 2606:4700:110:8a2e:a5f7:a8de:a1f9:919/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::117e:276b:8a79:c498/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

In the example above, the device IPv4 address is 172.16.0.2.

View subnet usage

Monitor the consumption of your IPv4 subnets to ensure you have enough addresses for new device registrations. Devices will be unable to register if they match a subnet with no available IPs.

Use the Cloudflare One dashboard to view a high-level overview of assigned and available IPs:

1. In Cloudflare One ↗, go to Team & Resources > Devices > Device profiles.
2. Locate the WARP IP subnets table.
3. The IPs assigned column displays the total number of IPs currently assigned to active device registrations versus the total capacity of the CIDR block.

If your subnet is approaching capacity, you can expand your subnet to increase the number of available IPs. Alternatively, you can free up IPs by deleting existing device registrations, particularly revoked registrations that may be consuming IP space despite the device no longer being in use.

Delete device registrations instead of revoking

Revoking a device registration does not release the virtual IPs that are assigned to the registration. Because virtual IPs are a finite resource, Cloudflare strongly advises deleting a registration rather than revoking it.

To get a list of all device registrations in a subnet (including revoked registrations), use the Cloudflare API. For example, the following script fetches all device registrations and their device IPs, and outputs all registrations within the specified CIDR block.

Example script to filter registrations by IP

1. Create a new file called filter-device-ips.py that contains the following code:

   Python

   import requests
   import ipaddress
   import json
   
   # --- Configuration ---
   AUTH_EMAIL = "<CLOUDFLARE_ACCOUNT_EMAIL>"
   AUTH_KEY = "<CLOUDFLARE_API_KEY>"  # Refer to https://developers.cloudflare.com/fundamentals/api/get-started/keys/. API token authentication is not currently supported for fetching device IPs.
   ACCOUNT_ID = "<CLOUDLFARE_ACCOUNT_ID"  # Refer to https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/.
   TARGET_CIDR = "100.64.0.0/10"
   
   # --- API request headers ---
   headers = {
       "X-Auth-Email": AUTH_EMAIL,
       "X-Auth-Key": AUTH_KEY,
       "Content-Type": "application/json"
   }
   
   def get_all_registrations():
       """Fetches all device registrations including revoked registrations. """
       devices = {}
       url = f"https://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/devices/registrations"
       params = {"per_page": 50, "status": "all"}
   
       while True:
           response = requests.get(url, headers=headers, params=params).json()
           if not response.get('success'):
               print(f"Error fetching registrations: {response.get('errors')}")
               break
   
           for d in response.get('result', []):
               # We use the ID as the key to link with IP data later
               devices[d['id']] = d
   
           cursor = response.get('result_info', {}).get('cursor')
           if not cursor:
               break
           params['cursor'] = cursor
   
       return devices
   
   def filter_by_cidr(device_map, network):
       """Fetch device IPs and return devices that fall within the target CIDR block."""
       matches = []
       device_ids = list(device_map.keys())
   
       # API limits IP correlation to batches of 20
       for i in range(0, len(device_ids), 20):
           batch = device_ids[i:i+20]
           # Construct parameters for the IP endpoint
           params = {f"device_ids[{idx}]": d_id for idx, d_id in enumerate(batch)}
           url = f"https://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/teamnet/devices/ips"
   
           res = requests.get(url, headers=headers, params=params).json()
   
           if not res.get('success'):
               print(f"Error fetching IPs: {res.get('errors')}")
               continue
   
           for item in res.get('result', []):
               d_id = item.get('device_id')
               ip_data = item.get('device_ips', {})
               ipv4_str = ip_data.get('ipv4')
   
               if ipv4_str:
                   try:
                       if ipaddress.IPv4Address(ipv4_str) in network:
                           if d_id in device_map:
                               full_data = device_map[d_id]
                               full_data['device_ips'] = ip_data
                               matches.append(full_data)
                   except ValueError:
                       continue
   
       return matches
   
   if __name__ == "__main__":
       try:
           net = ipaddress.IPv4Network(TARGET_CIDR, strict=False)
   
           print(f"[*] Fetching registrations (status=all)...")
           all_devices = get_all_registrations()
           print(f"[*] Found {len(all_devices)} total registrations.")
   
           print(f"[*] Checking IP ranges for match...")
           filtered_list = filter_by_cidr(all_devices, net)
   
           if filtered_list:
               print(f"\n--- Found {len(filtered_list)} Device(s) in {TARGET_CIDR} ---\n")
               for dev in filtered_list:
                   print(json.dumps(dev, indent=2))
                   print("-" * 50)
           else:
               print(f"\nNo devices found within the {TARGET_CIDR} range.")
   
       except Exception as e:
           print(f"Script Error: {e}")

2. In the script configuration section, input your Cloudflare API credentials and your IP subnet range.

3. Open a terminal and navigate to the script directory. To run the script, type:

   python3 filter-device-ips.py

Edit an IP subnet

Cloudflare does not support editing an existing IPv4 subnet definition. To assign a different IPv4 subnet to your devices:

1. In Cloudflare One ↗, go to Team & Resources > Devices > Device profiles.
2. Under Device IP assignment, find the device group associated with the old subnet and select Edit.
3. Select Create new IP subnet range to define a new subnet.
4. Select Save.

The new subnet will appear in the WARP IP subnets table. You can now delete the old subnet. Devices will only get an IP from the new subnet when they re-register; existing registrations will retain their current IP.