WARP on-ramp to Magic WAN
Use WARP as an on-ramp to Magic WAN and route traffic from user devices with WARP installed to any network connected with Cloudflare Tunnel or Magic IP-layer tunnels (Anycast , , or ). Take advantage of the integration between Magic WAN and and enforce policies at Cloudflare’s global network.
Depending on your use case, you will see the following IP addresses when connecting a WARP device to Magic WAN:
- 100.96.0.0/12: When connecting a WARP device to an origin behind a GRE or IPsec tunnel.
- : When you are connecting a WARP device, and using Zero Trust policies - for example, you have Gateway set up.
1. Route packets back to WARP devices
Route packets back to WARP devices from services behind an Anycast GRE or other type of tunnel. You need to do this before installing WARP. Otherwise, your infrastructure will not route packets correctly to the Cloudflare global network and connectivity will fail.
All packets with a destination IP in the VIP space need to be routed back through the tunnel. For example, with a single GRE tunnel named gre1, in Linux, the following command adds a route that sends such packets through the tunnel:
$ ip route add 100.96.0.0/12 dev gre1
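An added example, not part of the Cloudflare documentation: this Python check reads `ip route show` output and confirms that the whole 100.96.0.0/12 range leaves through the tunnel device, and lists any more-specific route inside that range that would send return traffic elsewhere. The function names and the three sample routing tables are constructed for illustration; route metrics are ignored.

```python
import ipaddress

WARP_VIP = ipaddress.ip_network("100.96.0.0/12")  # range given on this page

def parse_routes(text):
    """Turn `ip route show` output into (IPv4 network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields[:-1]:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types such as "unreachable" or "blackhole"
        if net.version == 4:
            routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def check_return_path(text, tunnel_dev):
    """Return (covered, leaks) for the WARP VIP range.

    covered: the longest-prefix route containing the whole range uses tunnel_dev.
    leaks:   more-specific routes inside the range that use another device.
    """
    routes = parse_routes(text)
    covering = [r for r in routes if WARP_VIP.subnet_of(r[0])]
    best = max(covering, key=lambda r: r[0].prefixlen, default=None)
    covered = best is not None and best[1] == tunnel_dev
    leaks = [(str(n), d) for n, d in routes
             if n != WARP_VIP and n.subnet_of(WARP_VIP) and d != tunnel_dev]
    return covered, leaks

# Constructed sample routing tables (not captured from a real host).
GOOD = """default via 192.0.2.1 dev eth0
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.5
100.96.0.0/12 dev gre1 scope link"""
MISSING = """default via 192.0.2.1 dev eth0
100.64.0.0/10 dev eth0"""
SHADOWED = """default via 192.0.2.1 dev eth0
100.96.0.0/12 dev gre1 scope link
100.100.0.0/16 via 10.0.0.1 dev eth1"""

if __name__ == "__main__":
    for name, table in (("good", GOOD), ("missing", MISSING), ("shadowed", SHADOWED)):
        print(name, check_return_path(table, "gre1"))
```

On a live host, pass the output of `ip route show` and the name of your tunnel interface instead of the sample tables.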
2. Configure Split Tunnels
Optionally, you can configure Split Tunnels to include IP ranges or domains you want to use for connecting to public IP addresses.
3. Install the WARP client on your device
You should be able to access Private IP addresses specified in the Split Tunnel configuration.
You must log out and log back in with at least one WARP device to ensure the configuration updates on your device.
Test WARP integration
Before testing, be sure to for the server or service in WARP settings. This is needed because, by default, Cloudflare Zero Trust excludes common top-level domains used for local resolution from being sent to Gateway for processing.
If WARP integration has been enabled for the account within the last day, log off and on again in the WARP client before testing.
$ nslookup <SERVER_BEHIND_MAGIC_WAN>
This DNS lookup should return a valid IP address associated with the server or service you are testing for.
Next, use a browser to confirm that you can connect to a service on the WAN by opening a webpage that is only accessible on the WAN. The server can be the same server used in the DNS lookup or another server in the WAN. Connecting using an IP address instead of a domain name should work.