Tunnels & encapsulation
Magic WAN uses Generic Routing Encapsulation (GRE) and IPsec tunnels to transmit packets from Cloudflare’s global network to your origin network. Cloudflare sets up tunnel endpoints on global network servers inside your network namespace, and you set up tunnel endpoints on routers at your network location.
Magic WAN encapsulates IP packets destined for your network and transmits them across the tunnels to your tunnel endpoint router, which decapsulates the packets and sends them to your internal network.
Magic WAN uses Anycast IP addresses for Cloudflare’s tunnel endpoints, meaning that any server in any network location is capable of encapsulating and decapsulating packets for the same tunnel.
This works because the Anycast protocol is stateless — each packet is processed independently and does not require any negotiation or coordination between tunnel endpoints. Tunnel endpoints are technically bound to IP addresses but do not need to be bound to specific devices. Any device that can strip off the outer headers and then route the inner packet can handle any packet sent over the tunnel.
Cloudflare’s Anycast architecture provides a conduit to your Anycast tunnel for every server in every network location on Cloudflare’s global network.