Choose a connection method
There are multiple ways to onramp traffic from your private networks to Cloudflare. This page covers the two software-based methods commonly used for VPN replacement: Cloudflare Mesh and Cloudflare Tunnel. Both involve installing lightweight software on a host machine in your network to create a secure connection to Cloudflare's global network.
Cloudflare Mesh (formerly WARP Connector) runs the Cloudflare One Client (warp-cli) in headless mode on a Linux server. It operates as a Layer 3 proxy, supports bidirectional traffic (TCP, UDP, ICMP), and assigns a private Mesh IP to every participant. Use Mesh when you need:
- User-to-network access (replacing a VPN)
- Network-to-network / site-to-site connectivity
- Server-initiated connections (VoIP, SIP, AD updates, SCCM, DevOps)
- Client-to-client connectivity between enrolled devices
Cloudflare Tunnel runs the cloudflared daemon on a host machine. It creates an outbound-only connection and proxies traffic from Cloudflare to your internal applications or network. Use Tunnel when you need:
- Publishing specific applications by hostname
- Outbound-only connectivity (no inbound ports opened)
- Proxying HTTP/S, TCP, or SSH traffic to specific services
- Running on non-Linux platforms (macOS, Windows)
| Cloudflare Mesh | Cloudflare Tunnel | |
|---|---|---|
| Bidirectional traffic | ✅ | ❌ |
| High availability | ✅ (active-passive) | ✅ (active-active replicas) |
| Source IP of request | Virtual IP of requesting device | cloudflared host machine |
| Host machine | Linux (amd64, arm64) | Linux, macOS, Windows |
| IPv4 | ✅ | ✅ |
| IPv6 | ❌ | ✅ |
| OSI layer | L3 | L4 |
| Protocol | MASQUE | QUIC or HTTP/2 |
| Protocols proxied | TCP, UDP, ICMP | HTTP/S, TCP, SSH, RDP, SMB |
For most VPN replacement scenarios, Cloudflare Tunnel is the easiest way to get started. It runs on all platforms (Linux, macOS, Windows, containers, Raspberry Pi), does not require return route configuration (traffic is source-NATed to the cloudflared host), and does not interfere with existing VPN software on the same machine.
Use Cloudflare Mesh when you need bidirectional connectivity with server-initiated traffic (VoIP, SIP, AD updates, SCCM), site-to-site networking between multiple locations, or deployments where preserving the original source IP is important.
Both methods can be used together. For example, use Tunnel for straightforward user-to-application access and add Mesh nodes where you need bidirectional or site-to-site connectivity.