WARP settings
WARP settings define the WARP client modes and permissions available to end users.
- Global settings apply to all devices enrolled in your Zero Trust organization.
- Device settings may vary across devices depending on which device profile is applied.
Global settings
Admin override
Feature availability
Operating Systems | WARP mode required | Zero Trust plans ↗ |
---|---|---|
All systems | Any mode | All plans |
When Enabled, end users can turn off the WARP client using an override code provided by an admin. This feature allows users to work around a temporary network issue (for example, an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection).
You can set a Timeout to define how long a user can toggle on or off the WARP switch. The timer starts when the user first enters their code into the WARP client. The code remains valid and can be reused anytime during this time period. For example, if Timeout is 24 hours, the user can re-enter the code at 23:59:00 and continue to turn off WARP until 47:59:00 (up to 48 hours total).
Retrieve the override code
To retrieve the one-time code for a user:
- Enable Admin override.
- Go to My Team > Devices.
- Select View for a connected device.
- Scroll down to User details and copy the 7-digit Override code.
- Share this code with the end user for them to enter on their device.
The user will have an unlimited amount of time to activate their code.
Enter the override code
To turn off the WARP client on a user device:
- In the WARP client, go to Settings > Preferences > Advanced.
- Select Enter code.
- Enter the override code. The WARP client will display a pop-up window showing when the override expires.
- Turn off the WARP switch.
The client will automatically reconnect after the Auto connect period, but the user can continue to turn off WARP until the override expires.
Install CA to system certificate store
Feature availability
Operating Systems | WARP mode required | Zero Trust plans ↗ |
---|---|---|
Windows, macOS, Linux | Gateway with WARP, Proxy mode | All plans |
When Enabled, the WARP client will automatically install your organization’s root certificate on the device.
Override local interface IP Beta
Feature availability
Operating Systems | WARP mode required | Zero Trust plans ↗ |
---|---|---|
Windows, macOS, Linux | Gateway with WARP, Secure Web Gateway without DNS Filtering | All plans |
Overrides the default IP address of WARP’s virtual network interface such that each device has its own unique local interface IP.
This setting is primarily used in conjunction with the WARP Connector and for MASQUE. You can also use it when the default IP conflicts with other local services on your network.
Value:
- Disabled: (default) Sets the local interface IP to 172.16.0.2 on all devices.
- Enabled: Sets the local interface IP on each device to its CGNAT IP. The change takes effect within 24 hours.
The CGNAT IP assigned to a WARP device is permanent until the device unregisters from your Zero Trust organization. Disconnects and reconnects do not change the IP address assignment.
Device settings
Captive portal detection
Feature availability
Operating Systems | WARP mode required | Zero Trust plans ↗ |
---|---|---|
All systems | Any mode | All plans |
When Enabled, the WARP client will automatically turn off when it detects a captive portal, and it will automatically turn back on after the Timeout duration.
Since captive portal implementations vary, WARP may not detect all captive portals. For more information, refer to Captive portal detection.
Mode switch
Feature availability
Operating Systems | WARP mode required | Zero Trust plans ↗ |
---|---|---|
All systems | Any mode | All plans |
When Enabled, users have the option to switch between Gateway with WARP mode and Gateway with DoH mode. This feature does not support switching between any other modes.
Device tunnel protocol
Feature availability
WARP modes | Zero Trust plans ↗ |
---|---|
| All plans |
System | Availability | Minimum WARP version |
---|---|---|
Windows | ✅ | 2024.6.415.0 |
macOS | ✅ | 2024.6.416.0 |
Linux | ✅ | 2024.6.497.0 |
iOS | Coming soon | |
Android | Coming soon | |
ChromeOS | Coming soon | |
Configures the protocol used to route IP traffic from the device to Cloudflare Gateway. It may take up to 24 hours for all devices to switch to the new protocol. To check the active protocol on a device, open a terminal and run warp-cli settings | grep protocol.
Value:
- WireGuard: (default) Establishes a WireGuard ↗ connection to Cloudflare. The WARP client will encrypt traffic using a non-FIPS compliant cipher suite, TLS_CHACHA20_POLY1305_SHA256. When switching from MASQUE to WireGuard, users may lose Internet connectivity if their Wi-Fi network blocks the ports and IPs required for WireGuard to function.
- MASQUE (Beta): Establishes an HTTP/3 connection to Cloudflare. To use MASQUE, Override local interface IP must be Enabled. The WARP client will encrypt traffic using TLS 1.3 and a FIPS 140-2 ↗ compliant cipher suite, TLS_AES_256_GCM_SHA384.
For more details on WireGuard versus MASQUE, refer to our blog post ↗.
Lock WARP switch
Feature availability
Operating Systems | WARP mode required | Zero Trust plans ↗ |
---|---|---|
All systems | Any mode | All plans |
Controls whether the user can turn off the WARP switch and disconnect the client.
Value:
- Disabled: (default) The user is able to turn the switch on or off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.
- Enabled: The user is prevented from turning off the switch. The WARP client will always start in the connected state.
On MDM deployments, you must also include the auto_connect parameter with at least a value of 0. This will prevent clients from being deployed in the off state without a way for users to manually enable them.
Allow device to leave organization
Feature availability
Operating Systems | WARP mode required | Zero Trust plans ↗ |
---|---|---|
All systems | Any mode | All plans |
When Enabled, users can log out from your Zero Trust organization by selecting Logout from Zero Trust in the WARP client UI. The Logout from Zero Trust button is only available for devices that were enrolled manually. Devices that enrolled using an MDM file are always prevented from leaving your Zero Trust organization.
Allow updates
Feature availability
Operating Systems | WARP mode required | Zero Trust plans ↗ |
---|---|---|
macOS, Windows, Linux | Any mode | All plans |
When Enabled, users will receive update notifications when a new version of the client is available. Only turn this on if your users are local administrators with the ability to add or remove software from their device.
Auto connect
Feature availability
Operating Systems | WARP mode required | Zero Trust plans ↗ |
---|---|---|
All systems | Any mode | All plans |
When Enabled, the client will automatically reconnect if it has been disabled for the specified Timeout value. This setting is best used in conjunction with Lock WARP Switch above.
We recommend keeping this set to a very low value — usually just enough time for a user to log in to hotel or airport Wi-Fi. If any value is specified, the client defaults to the Connected state (for example, after a reboot or the initial install).
Value:
- 0: Allow the switch to stay in the off position indefinitely until the user turns it back on.
- 1 to 1440: Turn switch back on automatically after the specified number of minutes.
Support URL
Feature availability
Operating Systems | WARP mode required | Zero Trust plans ↗ |
---|---|---|
All systems | Any mode | All plans |
When Enabled, the Send Feedback button in the WARP client appears and will launch the URL specified. Example Support URL values are:
- https://support.example.com: Use an https:// link to open your company's internal help site.
- mailto:yoursupport@example.com: Use a mailto: link to open your default mail client.
Service mode
Feature availability
Operating Systems | WARP mode required | Zero Trust plans ↗ |
---|---|---|
All systems | Any mode | All plans |
Allows you to choose the operational mode of the client. Refer to WARP Modes for a detailed description of each mode.
Local Domain Fallback
Feature availability
Operating Systems | WARP mode required | Zero Trust plans ↗ |
---|---|---|
All systems | Gateway with WARP, Gateway with DoH | All plans |
Configures the WARP client to redirect DNS requests to a private DNS resolver. For more information, refer to our Local Domain Fallback documentation.
Split Tunnels
Feature availability
Operating Systems | WARP mode required | Zero Trust plans ↗ |
---|---|---|
All systems | Any mode | All plans |
Configures the WARP client to exclude or include traffic to specific IP addresses or domains. For more information, refer to our Split Tunnel documentation.
Directly route Microsoft 365 traffic
Feature availability
Operating Systems | WARP mode required | Zero Trust plans ↗ |
---|---|---|
All systems | Any mode | All plans |
Creates Split Tunnel Exclude entries for all Microsoft 365 IP addresses specified by Microsoft ↗. To use this setting, Split Tunnels must be set to Exclude IPs and domains. Once enabled, all Microsoft 365 network traffic will bypass WARP and Gateway.
Allow users to enable local network exclusion
Feature availability
WARP modes | Zero Trust plans ↗ |
---|---|
| All plans |
System | Availability | Minimum WARP version |
---|---|---|
Windows | ✅ | 2024.1.159.0 |
macOS | ✅ | 2024.1.160.0 |
Linux | ✅ | 2024.2.62.0 |
iOS | ❌ | N/A [1] |
Android | ✅ | 1.4 |
ChromeOS | ✅ | 1.4 |
This setting is intended as a workaround for users whose home network uses the same set of IP addresses as your corporate private network. To use this setting, Split Tunnels must be set to Exclude IPs and domains.
When Enabled, users have the option to access local network resources (such as printers and storage devices) while connected to WARP. When the user turns on Access Local Network, WARP will detect the local IP range advertised by the user’s home network (for example, 10.0.0.0/24) and temporarily exclude this range from the WARP tunnel. The user will need to re-request access after the Timeout expires. Setting Timeout to 0 minutes will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep.
Access local network as a user
To turn on local network access in the WARP client, follow the steps that match your client.

From the client menu:
- Select the Cloudflare logo in the menu bar.
- Select the gear icon.
- Select Access Local Network.

From a terminal:
- Open a terminal window.
- Run warp-cli override local-network start.

From the Cloudflare One Agent app:
- Open the Cloudflare One Agent app.
- Go to Settings > Advanced > Connection Options.
- Select Access Local Network.
Limitations
- WARP will only exclude local networks in the RFC 1918 ↗ address space. Other IP addresses such as CGNAT are not supported.
- The maximum excluded subnet size is /24.
- If a Windows device has multiple network interfaces with distinct local IP ranges, WARP will only exclude one of those networks. To access a specific local network, disable the other interfaces and disconnect/reconnect WARP.
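The limitations above can be applied to a LAN range reported by a user before troubleshooting further. The following is an added example, not Cloudflare's code: it checks a range against the RFC 1918, CGNAT and /24 rules and also flags overlap with corporate private routes, since traffic to an excluded range leaves the WARP tunnel. The function name, finding labels and sample ranges are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges: the only address space the page says WARP will exclude.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# CGNAT shared address space (RFC 6598); listed on the page as not supported.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
MAX_PREFIX = 24  # "The maximum excluded subnet size is /24."


def check_local_network(cidr, corporate_routes=()):
    """Return findings for one advertised LAN range (empty list = no issue found).

    corporate_routes is a hypothetical list of private CIDRs your organization
    routes through WARP; overlap means those addresses are reached on the LAN,
    not through the tunnel, while the exclusion is active.
    """
    net = ipaddress.ip_network(cidr, strict=False)  # accept host/prefix input
    if net.version != 4:
        return ["not-rfc1918"]  # RFC 1918 defines IPv4 ranges only
    findings = []
    if net.subnet_of(CGNAT):
        findings.append("cgnat-not-supported")
    elif not any(net.subnet_of(r) for r in RFC1918):
        findings.append("not-rfc1918")
    if net.prefixlen < MAX_PREFIX:
        findings.append("larger-than-/24")
    for route in corporate_routes:
        corp = ipaddress.ip_network(route)
        if corp.version == 4 and net.overlaps(corp):
            findings.append(f"shadows-corporate-route:{corp}")
    return findings


if __name__ == "__main__":
    # Constructed sample input: ranges a help desk might be given by users.
    corp = ["10.0.0.0/16"]  # hypothetical corporate private route
    for lan in ("10.0.0.0/24", "192.168.0.0/16", "100.64.1.0/24", "172.16.5.7/24"):
        print(lan, check_local_network(lan, corp) or "ok")
```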
[1] Current versions of iOS do not allow LAN traffic to route through the WARP tunnel. Therefore, this feature is not needed on iOS.