Date: 2026-02-16

Cloudflare WAN (formerly Magic WAN) allows you to achieve any-to-any connectivity across branch and retail sites and data centers, with the Cloudflare connectivity cloud.

Before you begin

Cloudflare WAN is an Enterprise-only product. Contact Cloudflare to acquire Cloudflare WAN. If you plan on using Cloudflare One Appliance to automatically onboard your locations to Cloudflare, you will need to purchase Cloudflare WAN first.

Set up method

Cloudflare WAN supports an automatic setup and a manual setup. The automatic setup through Cloudflare One Appliance is the preferred method.

Automatic setup

Setting up Cloudflare WAN automatically is done through Cloudflare One Appliance, and is the preferred method. You can choose between the hardware version and the virtual version of Cloudflare One Appliance. The virtual version can be installed on your own machines.

If you plan on using Cloudflare One Appliance, you can skip the prerequisites below, and refer to Configure with Cloudflare One Appliance for more information on how to continue.

Manual setup

Setting up Cloudflare WAN manually is done through a combination of third-party devices in your premises and the Cloudflare dashboard. To be successful, you need to:

Read the Prerequisites below.

Follow the steps in Manual configuration.

Prerequisites

Note: The list of prerequisites below is only for customers planning to connect manually to Cloudflare with a third-party device. If you plan on using Cloudflare One Appliance, skip this section and refer to Configure with Cloudflare One Appliance.

Use compatible tunnel endpoint routers

Cloudflare WAN relies on GRE and IPsec tunnels to transmit packets from Cloudflare's global network to your origin network. To ensure compatibility with Cloudflare WAN, the routers at your tunnel endpoints must:

Allow configuration of at least one tunnel per Internet service provider (ISP).

Support maximum segment size (MSS) clamping.

Support the configuration parameters for IPsec mentioned in IPsec tunnels.

Set maximum segment size

Before enabling Cloudflare WAN, you must make sure that you set up the maximum segment size on your network. Cloudflare WAN uses tunnels to deliver packets from our global network to your data centers. Cloudflare encapsulates these packets, adding new headers. You must account for the space consumed by these headers when configuring the maximum transmission unit (MTU) and maximum segment size (MSS) values for your network.

MSS clamping recommendations

GRE tunnels as off-ramp

The MSS value depends on how your network is set up.

On your edge router: Apply the clamp to the GRE tunnel internal interface (meaning where the egress traffic will traverse). Set the MSS clamp to 1,436 bytes. Your devices may do this automatically once the tunnel is configured, but it depends on your devices.

IPsec tunnels

For IPsec tunnels, the value you need to specify depends on how your network is set up. The MSS clamping value is lower than for GRE tunnels because the physical interface sees IPsec-encrypted packets, not TCP packets, and MSS clamping does not apply to those.

On your edge router: Apply this on your IPsec tunnel internal interface (meaning where the egress traffic will traverse). Your devices may do this automatically once the tunnel is configured, but it depends on your devices. Set the TCP MSS clamp to 1,360 bytes maximum.

Important: Refer to your device documentation to check if it sets IPsec MSS clamping automatically. If that is not the case and you are using IPsec inside GRE, you have to set the MSS clamp manually.

Refer to Maximum transmission unit and maximum segment size for more details.
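
The following Python sketch is an added example, not part of Cloudflare's documentation: it parses the TCP options of an IPv4 SYN captured after your edge router has applied the clamp and checks the advertised MSS against the values above (1,436 bytes for GRE, 1,360 bytes for IPsec). The function names and the sample packets produced by `build_syn` are constructed for illustration.

```python
import struct

# Clamp values stated on this page, in bytes.
MSS_LIMIT = {"gre": 1436, "ipsec": 1360}

def syn_mss(ip_packet: bytes):
    """Return the MSS advertised in an IPv4 TCP SYN, or None if absent/unparseable."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != 6:
        return None  # not IPv4 carrying TCP
    tcp = ip_packet[(ip_packet[0] & 0x0F) * 4:]
    if len(tcp) < 20 or not tcp[13] & 0x02:
        return None  # truncated, or SYN flag not set
    opts = tcp[20:(tcp[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP padding, one byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None  # malformed option length
        if kind == 2 and opts[i + 1] == 4:  # MSS option
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return None

def clamp_ok(ip_packet: bytes, tunnel: str) -> bool:
    """True only when an MSS option is present and within the page's limit."""
    mss = syn_mss(ip_packet)
    return mss is not None and mss <= MSS_LIMIT[tunnel]

def build_syn(mss: int) -> bytes:
    """Constructed sample: minimal IPv4 + TCP SYN with one MSS option (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + tcp

if __name__ == "__main__":
    for tunnel, mss in [("gre", 1436), ("gre", 1460), ("ipsec", 1360), ("ipsec", 1436)]:
        verdict = "ok" if clamp_ok(build_syn(mss), tunnel) else "exceeds clamp"
        print(f"{tunnel}: SYN advertises MSS {mss}: {verdict}")
```

A SYN that carries no MSS option is reported as not confirmed rather than as passing, since the clamp cannot be verified from it.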

Follow router vendor guidelines

Instructions to adjust MSS by applying MSS clamps vary depending on the vendor of your router.

The following table lists several commonly used router vendors with links to MSS clamping instructions: