Connect two or more private networks
This guide covers how to connect two independent subnets with WARP Connector. Each subnet must run its own WARP Connector on a Linux host. Installing on your router is the simplest setup, but if you do not have access to the router, you may choose any other machine on the subnet.
flowchart LR
  subgraph subnet1[Subnet 10.0.0.0/24]
    router1["WARP Connector #1 10.0.0.1"]
  end
  subgraph subnet2[Subnet 192.168.1.0/24]
    router2["WARP Connector #2 192.168.1.97"]
  end
  router1<-->C((Cloudflare))<-->router2
In this example, we will create a WARP Connector for subnet 10.0.0.0/24 and install it on 10.0.0.1. We will then create a second WARP Connector for subnet 192.168.1.0/24 and install it on 192.168.1.97.
Prerequisites
- A Linux host [1] on each subnet.
- Verify that your firewall allows inbound/outbound traffic over the WARP IP addresses, ports, and domains.
1. Install a WARP Connector
To install WARP Connector on a host machine:
- In Zero Trust, go to Networks > Tunnels.
- Select Create a tunnel.
- For the tunnel type, select WARP Connector.
- You will be prompted to turn on Warp to Warp and Override local interface IP if they are currently turned off. These settings allow Cloudflare to assign a unique CGNAT IP to each WARP device and route traffic between them.
- Give the tunnel any name (for example, Subnet-10.0.0.0/24) and select Create tunnel.
- Select the operating system of your host machine.
- On your host machine, open a terminal window and run the commands shown in the Zero Trust dashboard. Those commands will install the WARP Connector, enable IP forwarding on the host, and connect WARP Connector to your Zero Trust organization.
- (Optional) Configure IP forwarding:
  Enable IP forwarding to persist after reboot
  Configure IP forwarding with iptables
  If you are setting up WARP Connector on a host with iptables enabled, make sure that your iptables FORWARD chain includes rules to accept the desired traffic. For testing and troubleshooting purposes, you can set the default policy for the WARP interface to ACCEPT:
- To verify that the WARP Connector is connected to Cloudflare:
  Troubleshoot connection
  If WARP is disconnected, try the following troubleshooting strategies:
  - Run warp-cli connect.
  - If your private network uses a firewall to restrict Internet traffic, ensure that it allows the WARP ports and IPs.
  - Review your WARP daemon logs for information about why the connection is failing.
WARP Connector software is now installed but not yet routing traffic.
2. (Recommended) Create a device profile
A dedicated device profile allows you to manage the WARP Connector host machine separately from WARP client user devices. WARP Connector hosts are registered to your Zero Trust organization with the email address warp_connector@<your-team-name>.cloudflareaccess.com. To set up a device profile for WARP Connector:
- Create a new profile that matches on the following expression:
  Selector   | Operator | Value
  User email | is       | warp_connector@<your-team-name>.cloudflareaccess.com
- In the profile settings, ensure that Service mode is set to Gateway with WARP.
3. Route traffic from WARP Connector to subnet
- In Zero Trust, go to Networks > Routes.
- Select Create route.
- In CIDR, enter the private IPv4 address range that you wish to route through this WARP Connector (for example, 10.0.0.0/24). WARP Connector does not currently support IPv6 routes.
- For Tunnel, select the name of your WARP Connector (Subnet-10.0.0.0/24).
- Select Create.
- In your WARP Connector device profile, configure Split Tunnels so that traffic to your private network CIDR (10.0.0.0/24) routes through the WARP tunnel. For example, if you are using Exclude mode, delete 10.0.0.0/8 from Split Tunnels and re-add the following IPs: 10.0.1.0/24, 10.0.2.0/23, 10.0.4.0/22, 10.0.8.0/21, 10.0.16.0/20, 10.0.32.0/19, 10.0.64.0/18, 10.0.128.0/17, 10.1.0.0/16, 10.2.0.0/15, 10.4.0.0/14, 10.8.0.0/13, 10.16.0.0/12, 10.32.0.0/11, 10.64.0.0/10, 10.128.0.0/9
The WARP Connector will now forward inbound requests to devices on the subnet.
flowchart LR
  subgraph subnet1[Subnet 10.0.0.0/24]
    router1["WARP Connector #1 10.0.0.1"]
    device["Device 10.0.0.2"]
  end
  C((Cloudflare))--Requests to 10.0.0.2--> router1 --> device
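The Split Tunnels step in this section lists the 16 ranges to re-add by hand. The sketch below is an added example, not part of Cloudflare's documentation: it computes that list and generalizes it to several Exclude-mode entries and several routed subnets. The function names and the two-entry input list are constructed for illustration.

```python
import ipaddress

def carve_out(exclude_list, routed_cidrs):
    """Return a new Exclude-mode list that no longer covers any routed CIDR."""
    entries = [ipaddress.ip_network(e) for e in exclude_list]
    for cidr in routed_cidrs:
        routed = ipaddress.ip_network(cidr)  # rejects CIDRs with host bits set
        if routed.version != 4:
            raise ValueError(f"{cidr}: WARP Connector routes are IPv4 only")
        kept = []
        for entry in entries:
            if entry.version != 4 or not entry.overlaps(routed):
                kept.append(entry)                          # unrelated entry
            elif routed.subnet_of(entry):
                kept.extend(entry.address_exclude(routed))  # split around it
            # else: the entry sits inside the routed CIDR, so drop it
        entries = kept
    return [str(n) for n in sorted(entries, key=lambda n: (n.version, n))]


def still_excluded(exclude_list, routed_cidrs):
    """List routed CIDRs that an Exclude-mode list would keep out of the tunnel."""
    nets = [ipaddress.ip_network(e) for e in exclude_list]
    return [c for c in routed_cidrs
            if any(n.overlaps(ipaddress.ip_network(c)) for n in nets)]


if __name__ == "__main__":
    # Constructed input: two private-range exclude entries and this guide's subnets.
    before = ["10.0.0.0/8", "192.168.0.0/16"]
    routed = ["10.0.0.0/24", "192.168.1.0/24"]
    after = carve_out(before, routed)
    print("blocked before:", still_excluded(before, routed))
    print("blocked after: ", still_excluded(after, routed))
    print("\n".join(after))
```

An empty result from still_excluded means every routed subnet will enter the WARP tunnel; any CIDR it returns is still being sent around the tunnel by the profile.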
4. Route traffic from subnet to WARP Connector
Depending on where you installed the WARP Connector, you may need to configure other devices on the subnet to route outbound requests through WARP Connector.
flowchart LR
  subgraph subnet1[Subnet 10.0.0.0/24]
    router1["WARP Connector #1 10.0.0.1"]
    device["Device 10.0.0.2"]
  end
  device --Requests to 192.168.1.0/24 --> router1 --> C((Cloudflare))
Option 1: Default gateway
If you installed WARP Connector on your router, no additional configuration is necessary. All traffic will use the router as the default gateway.
Option 2: Alternate gateway
If you have access to the router but installed WARP Connector on another machine, you can configure the router to forward traffic to the WARP Connector. This typically involves adding a static route for the destination IPs that you want to connect to through Cloudflare. Refer to your router documentation for specific instructions on how to add an IP route.
Add route to router
For example, for devices on subnet 10.0.0.0/24 to reach applications behind subnet 192.168.1.0/24, add a rule on the router that routes 192.168.1.0/24 to the WARP Connector host machine (10.0.0.100).
When a device on the subnet sends a request, the router will first redirect the traffic to the WARP Connector host. WARP Connector encrypts the traffic, changes its destination IP to the WARP ingress IP, and sends it back to the router. The router will now forward this encrypted traffic to Cloudflare.
Option 3: Intermediate gateway
If you do not have access to the router, you will need to configure each device on the subnet to egress through the WARP Connector machine instead of the default gateway.
Add route to devices
You can configure all traffic on a device to egress through WARP Connector with its local source IP. All traffic will be filtered by your Gateway network policies.
Ensure that the metric value is lower than other default gateways.
Alternatively, you can configure only certain routes to egress through WARP Connector. For example, you may only want to filter traffic destined to internal applications and devices, but allow public Internet traffic to bypass Cloudflare.
Verify routes
To validate subnet routing, check your routing table and ensure that traffic is routing through the CloudflareWARP virtual interface.
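How the metric and specific-route advice in Option 3 plays out on a device, as an added example that is not part of Cloudflare's documentation: it parses a constructed Linux routing table and applies longest-prefix, then lowest-metric selection. The interface name eth0 and the metrics are assumptions, 10.0.0.100 is the WARP Connector host from the Option 2 example, and policy routing rules are not modelled.

```python
import ipaddress

# Constructed `ip route show` output for device 10.0.0.2: the router is
# 10.0.0.1 and the WARP Connector host is 10.0.0.100 (eth0 is an assumed name).
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev eth0 proto dhcp metric 100
default via 10.0.0.100 dev eth0 metric 50
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.2 metric 100
192.168.1.0/24 via 10.0.0.100 dev eth0 metric 50
"""

def _field(tok, name):
    """Return the token following `name`, or None if it is absent."""
    i = tok.index(name) if name in tok else -1
    return tok[i + 1] if 0 <= i < len(tok) - 1 else None

def parse_routes(text):
    """Parse unicast lines of `ip route show` into dicts."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0])
        except ValueError:
            continue  # skip route types such as "unreachable" or "blackhole"
        routes.append({"net": net, "via": _field(tok, "via"),
                       "dev": _field(tok, "dev"),
                       "metric": int(_field(tok, "metric") or 0)})
    return routes

def select_route(routes, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if r["net"].version == addr.version and addr in r["net"]]
    return min(hits, key=lambda r: (-r["net"].prefixlen, r["metric"])) if hits else None

def egresses_via(routes, dst, connector_ip):
    """True if traffic to dst is handed to the WARP Connector host."""
    best = select_route(routes, dst)
    return best is not None and best["via"] == connector_ip

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for dst in ("192.168.1.100", "203.0.113.10", "10.0.0.7"):
        print(dst, "-> WARP Connector:", egresses_via(table, dst, "10.0.0.100"))
```

If the WARP Connector default route carried a higher metric than the router's, only the explicit 192.168.1.0/24 route would still reach the connector, and other traffic would bypass your Gateway network policies.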
5. Install another WARP Connector
Repeat steps 1, 3, and 4 above to install an additional WARP Connector on subnet 192.168.1.0/24. The device profile created in Step 2 will apply to all WARP Connectors.
flowchart LR
  subgraph subnet1[Subnet 10.0.0.0/24]
    router1["WARP Connector #1 10.0.0.1"]
  end
  subgraph subnet2[Subnet 192.168.1.0/24]
    router2["WARP Connector #2 192.168.1.97"]
  end
  router1<-->C((Cloudflare))<-->router2
6. Test the WARP Connector
You can now test the connection between the two subnets. For example, on the 10.0.0.2 device run ping 192.168.1.100.
flowchart LR
  subgraph subnet1[Subnet 10.0.0.0/24]
    device1["Device 10.0.0.2"]--"ping 192.168.1.100"-->router1["WARP Connector #1 10.0.0.1"]
  end
  subgraph subnet2[Subnet 192.168.1.0/24]
    router2["WARP Connector #2 192.168.1.97"]-->device2["Device 192.168.1.100"]
  end
  router1-->C((Cloudflare))-->router2
[1] Check the system requirements. Package dependencies are the following: curl, gpg, iptables, iptables-persistent, lsb-core, and sudo.