Cloudflare One Client
The Cloudflare One Client (formerly WARP) securely and privately sends traffic from your devices to Cloudflare's global network, where Cloudflare Gateway can apply advanced web filtering. The client also reports device health information — such as OS version, disk encryption status, and the presence of specific applications — so that you can enforce device posture checks in your Access and Gateway policies.
The Cloudflare One Client creates encrypted connections between your device and Cloudflare's network. It does this in two ways:
- Proxy tunnel — Encrypts and routes your device's internet and private network traffic through Cloudflare, using the WireGuard ↗ or MASQUE ↗ protocol.
- DNS proxy — Sends your device's DNS queries to Cloudflare over an encrypted channel (DNS-over-HTTPS ↗), where Gateway DNS policies can filter them.
The client runs on all major operating systems and can be deployed through common endpoint management tools (such as Intune, JAMF, or JumpCloud).
The Cloudflare One Client consists of:
- Graphical User Interface (GUI): A control panel that allows end users to view the client's status and perform actions such as connecting or disconnecting.
- WARP daemon (or service): The core background process responsible for establishing the encrypted connections described above and handling all client functionality on your device.
For more information on how the Cloudflare One Client routes traffic, refer to the client architecture page and watch the video below.
Chapters
The GUI and daemon (or service) have different names and are stored in the following locations:
Windows
| Windows | |
|---|---|
| Service / Daemon | C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe |
| GUI application | C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe |
| Logs Location | DaemonC:\ProgramData\Cloudflare\GUI LogsC:\Users\<USER>.WARP\AppData\Localor %LOCALAPPDATA%\Cloudflare |
macOS
| macOS | |
|---|---|
| Service / Daemon | /Applications/Cloudflare WARP.app/Contents/Resources/CloudflareWARP |
| GUI application | /Applications/Cloudflare WARP.app/Contents/MacOS/Cloudflare WARP |
| Logs Location | Daemon/Library/Application Support/Cloudflare/GUI Logs~/Library/Logs/Cloudflare/ |
Linux
| Linux | |
|---|---|
| Service / Daemon | /bin/warp-svc |
| GUI application | /bin/warp-taskbar |
| Logs Location | /var/log/cloudflare-warp//var/lib/cloudflare-warp |
Along with the Cloudflare One Client GUI and daemon, warp-cli and warp-diag are also installed on the machine and added to the system path for use from any terminal session.
warp-diag is a command-line diagnostics tool that collects logs, configuration details, and connectivity data from the Cloudflare One Client to help troubleshoot issues.
warp-cli is the command-line interface (CLI) for managing and configuring the Cloudflare One Client, allowing users to connect, disconnect, and adjust settings programmatically.
Deploying the Cloudflare One Client significantly enhances your organization's security and visibility within Cloudflare Zero Trust:
-
Unified security policies everywhere: With the Cloudflare One Client deployed in the Traffic and DNS mode, Gateway policies are not location-dependent — they can be enforced anywhere.
-
Advanced web filtering and threat protection: Activate Gateway features for your device traffic, including:
-
Application and device-specific insights: View which SaaS applications your users are accessing and review their approval status on the Shadow IT Discovery page. Monitor device and network performance with Digital Experience Monitoring (DEX) to detect connectivity or performance issues before users report them.
-
Device posture checks: The Cloudflare One Client provides advanced Zero Trust protection by making it possible to check for device posture. By setting up device posture checks, you can build Access or Gateway policies that check for a device's location, disk encryption status, OS version, and more.
-
Secure private and infrastructure access: Connect devices to internal networks and applications through Cloudflare Tunnel without exposing them to the public internet. The client is also required for Access for Infrastructure, which provides SSH access using short-lived certificates and detailed audit logging.
The Cloudflare One Client offers flexible operating modes to suit your specific needs:
- Traffic and DNS mode (default) — Routes device traffic (by default, all ports and protocols) and DNS queries through Cloudflare for filtering, inspection, and policy enforcement. Traffic exclusions can be configured with Split Tunnels.
- DNS-only mode — Routes only DNS queries through Cloudflare. Use this mode if you only need DNS-level filtering without inspecting web or application traffic.
Other modes (Traffic only, Local proxy, Posture only) are also available. For details, refer to the operating modes page.
- Review the first-time setup guide to install and deploy the Cloudflare One Client on your corporate devices.
- Review possible client modes and settings to best suit your organization's needs.
- Explore Cloudflare Gateway to enforce advanced DNS, network, HTTP, and egress policies with the Cloudflare One Client.