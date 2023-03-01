Configure tunnel endpoints

Cloudflare recommends two tunnels for each ISP and network location router combination, one per Cloudflare endpoint. Cloudflare will assign two Cloudflare endpoint addresses shortly after your onboarding kickoff call that you can use as the tunnel destinations on your network location’s routers/endpoints.

To configure the tunnels between Cloudflare and your locations, you must provide the following data for each tunnel:

Customer edge IP address — A public Internet routable IP address that is outside of the prefixes Cloudflare will advertise on your behalf. These are generally IP addresses provided by your ISP. If you intend to use a physical or virtual connection (Cloudflare Network Interconnect), you do not need to provide edge addresses. Cloudflare will provide them.

Interface address — A 31-bit subnet (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space:

    10.0.0.0 – 10.255.255.255
    172.16.0.0 – 172.31.255.255
    192.168.0.0 – 192.168.255.255
    169.254.244.0/20

Private IP addresses — The private IP address assigned to the Cloudflare and customer sides of the tunnel.

Edge routing configuration example

Tunnel     Customer edge IP  Private subnet   Customer private IP  Cloudflare private IP
TNL_1_IAD  104.18.112.75     10.10.10.100/31  10.10.10.100         10.10.10.101
TNL_2_IAD  104.18.112.75     10.10.10.102/31  10.10.10.102         10.10.10.103
TNL_3_ATL  104.40.112.125    10.10.10.104/31  10.10.10.104         10.10.10.105
TNL_4_ATL  104.40.112.125    10.10.10.106/31  10.10.10.106         10.10.10.107
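A pre-submission check for the tunnel data described above, as an added example that is not Cloudflare's code: it verifies the edge IP, /31, private-space and host-pair rules against the rows of the example table. The names check_tunnels, ALLOWED, PAGE_TABLE and ADVERTISED are hypothetical, and the advertised prefix is a constructed placeholder.

```python
import ipaddress

# Private space the page lists for interface addresses. The page writes the last
# range as 169.254.244.0/20, which has host bits set; strict=False maps it to
# its enclosing /20 (an assumption of this example).
ALLOWED = [ipaddress.ip_network(n, strict=False) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.244.0/20")]

# Rows from the page's example table:
# (tunnel, customer edge IP, private subnet, customer private IP, Cloudflare private IP)
PAGE_TABLE = [
    ("TNL_1_IAD", "104.18.112.75", "10.10.10.100/31", "10.10.10.100", "10.10.10.101"),
    ("TNL_2_IAD", "104.18.112.75", "10.10.10.102/31", "10.10.10.102", "10.10.10.103"),
    ("TNL_3_ATL", "104.40.112.125", "10.10.10.104/31", "10.10.10.104", "10.10.10.105"),
    ("TNL_4_ATL", "104.40.112.125", "10.10.10.106/31", "10.10.10.106", "10.10.10.107"),
]
# Constructed placeholder for the prefixes Cloudflare advertises on your behalf.
ADVERTISED = ["198.51.100.0/24"]

def check_tunnels(tunnels, advertised):
    """Return a list of problems in a tunnel plan; an empty list means it passes."""
    adv = [ipaddress.ip_network(p) for p in advertised]
    problems, seen = [], {}
    for name, edge, subnet, cust, cf in tunnels:
        edge_ip = ipaddress.ip_address(edge)
        if not edge_ip.is_global:
            problems.append(f"{name}: edge IP {edge} is not publicly routable")
        if any(edge_ip in p for p in adv):
            problems.append(f"{name}: edge IP {edge} is inside an advertised prefix")
        try:
            net = ipaddress.ip_network(subnet)  # strict parsing rejects a misaligned /31
        except ValueError:
            problems.append(f"{name}: {subnet} is not an aligned subnet")
            continue
        if net.prefixlen != 31:
            problems.append(f"{name}: {subnet} is not a /31")
            continue
        if not any(net.subnet_of(a) for a in ALLOWED):
            problems.append(f"{name}: {subnet} is outside the allowed private space")
        if {ipaddress.ip_address(cust), ipaddress.ip_address(cf)} != set(net):
            problems.append(f"{name}: private IPs are not the two hosts of {subnet}")
        for other, other_net in seen.items():
            if net.overlaps(other_net):  # each tunnel needs its own /31
                problems.append(f"{name}: {subnet} overlaps {other}")
        seen[name] = net
    return problems

if __name__ == "__main__":
    print(check_tunnels(PAGE_TABLE, ADVERTISED) or "tunnel plan OK")
```

The overlap check goes beyond what the page states explicitly; it reflects that each tunnel in the example table uses its own /31.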

Add tunnels

1. Log in to your Cloudflare dashboard, and select your account.
2. Select Magic WAN > Manage Magic WAN configuration > Configure.
3. From the Tunnels tab, select Create.
4. On the Add tunnels page, choose either a GRE tunnel or IPsec tunnel.

GRE tunnel

1. On the Add GRE tunnels page, fill out the information for your GRE tunnel.
2. (Optional) We recommend you test your tunnel before officially adding it. To test the tunnel, select Test tunnels.
3. To add multiple tunnels, select Add GRE tunnel for each new tunnel.
4. After adding your tunnel information, select Add tunnels to save your changes.

IPsec tunnel

1. On the Add IPsec tunnels page, fill out the information for your IPsec tunnel.
2. (Optional) We recommend you test your tunnel before officially adding it. To test the tunnel, select Test tunnels.

   Note: Tunnels are only functional when a PSK is added. If you choose to have Cloudflare generate a PSK for you, all existing sessions will be terminated until the key is generated.

3. To add multiple tunnels, select Add IPsec tunnel for each new tunnel.
4. After adding your tunnel information, select Add tunnels to save your changes.

Edit tunnels

1. From Tunnels, locate the tunnel you want to modify and select Edit. To edit multiple tunnels, select the checkboxes for each tunnel and then select Edit selected tunnels.
2. On the Edit tunnels page, fill out the fields you want to modify.
3. (Optional) We recommend you test your tunnel before officially adding it. To test the tunnel, select Test tunnels.
4. After adding your information, select Edit tunnels to save your changes.

Note that you cannot edit the Cloudflare endpoint associated with your tunnel.

Delete tunnels