Cloudflare Docs
Magic WAN
Visit Magic WAN on GitHub
Set theme to dark (⇧+D)


Before you can begin using Magic WAN, verify that you meet Cloudflare’s onboarding requirements.

​​ Use compatible tunnel endpoint routers

Magic WAN relies on GRE and IPsec tunnels to transmit packets from Cloudflare’s global network to your origin network. To ensure compatibility with Magic WAN, the routers at your tunnel endpoints must:

  • Allow configuration of at least one tunnel per Internet service provider (ISP).
  • Support maximum segment size (MSS) clamping.
  • Support the configuration parameters for IPsec mentioned in IPsec tunnels.

​​ Set maximum segment size

The SYN-ACK packet sent to the client during TCP handshake encodes the value for maximum segment size (MSS). Egress packets are routed via your ISP interface, and each packet must comply with the standard Internet routable maximum transmission unit (MTU), which is 1500 bytes.

Cloudflare Magic WAN uses tunnels to deliver packets from our global network to your data centers. Cloudflare encapsulates these packets adding new headers.

To accommodate the additional header data, you must set the MSS value to 1436 bytes at your tunnel interfaces (not the physical interfaces).

Standard Internet Routable MTU1500 bytes
-     Original IP header20 bytes
-     Original protocol header (TCP)20 bytes
-     New IP header20 bytes
-     New protocol header (GRE)4 bytes
=     Maximum segment size (MSS)1436 bytes

Unless you apply these MSS settings at the origin, client machines do not know that they must use an MSS of 1436 bytes when sending packets to your origin.

​​ Follow router vendor guidelines

Instructions to adjust MSS by applying MSS clamps vary depending on the vendor of your router.

The following table lists several commonly used router vendors with links to MSS clamping instructions:

Router deviceURL
CiscoTCP IP Adjust MSS
JuniperTCP MSS – Edit System