If you have a Magic WAN client connected through GRE, IPsec, CNI or WARP and want to perform a traceroute to an endpoint behind a Cloudflare Tunnel, the following settings must be applied for the command to return useful information.
Inherited TTL value
On the machine where the traceroute client is executed, make sure the tunnel device does not inherit the TTL value of the inner packet. This is the default behavior on Linux and can result in unhelpful traceroute results:
Setting the TTL explicitly returns much better results:
WARP client
Some Linux distributions default to a very strict setting for reverse path filtering ↗. This strict setting attempts to drop fake traffic as a security measure. Performing a traceroute with this setting on can unintentionally drop traceroute packets. If you use WARP on Linux, set a less strict policy before attempting to perform a traceroute:
Was this helpful?
What did you like?
What went wrong?
Thank you for helping improve Cloudflare's documentation!