WARP on-ramp to Magic WAN
Use WARP as an on-ramp to Magic WAN and route traffic from user devices with WARP installed to any network connected with Cloudflare Tunnel or Magic IP-layer tunnels (Anycast GRE, IPsec, or CNI).
Prerequisites
Before you can begin using WARP as an on-ramp to Magic WAN, you must:
- Set up your Zero Trust account.
- Contact your account team to enable the integration between WARP and Magic WAN.
1. Route packets back to WARP devices
Route packets back to WARP devices from services behind an Anycast GRE tunnel or another type of tunnel.
Cloudflare will assign IP addresses from the WARP virtual IP (VIP) space to your WARP devices. To view your virtual IP address, open the Cloudflare Zero Trust dashboard and select My Team > Devices.
All packets with a destination IP in the VIP space need to be routed back through the tunnel. For example, with a single GRE tunnel named gre1, in Linux, the following command would add a routing rule that would route such packets:
$ ip route add 100.96.0.0/12 dev gre1
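The following added example, which is not part of the original page, audits `ip route show` output for the route above. It confirms that 100.96.0.0/12 points at the tunnel interface and flags any more-specific route inside that range on another device, because Linux prefers the longest matching prefix and would send those replies outside the tunnel. The function names and the sample table are constructed for illustration.

```shell
# Added example: audit `ip route show` output (stdin) for the WARP return route.

# in_vip PREFIX: succeed if PREFIX lies inside 100.96.0.0/12 (100.96.0.0-100.111.255.255).
in_vip() {
  addr=${1%/*}
  len=32                                   # a bare address is a /32 host route
  case $1 in */*) len=${1#*/} ;; esac
  o1=${addr%%.*}
  rem=${addr#*.}
  o2=${rem%%.*}
  [ "$len" -ge 12 ] && [ "$o1" -eq 100 ] && [ "$o2" -ge 96 ] && [ "$o2" -le 111 ]
}

# audit_routes DEV: return 0 only if 100.96.0.0/12 is routed to DEV and no
# more-specific route inside the VIP space points at a different device.
audit_routes() {
  want=$1 have=no status=0
  while read -r dst line; do
    case $dst in [0-9]*.*) ;; *) continue ;; esac   # skip default, IPv6, typed routes
    in_vip "$dst" || continue
    dev=
    set -- $line                           # walk the tokens to find "dev NAME"
    while [ $# -gt 1 ]; do
      case $1 in dev) dev=$2 ;; esac
      shift
    done
    if [ "$dev" != "$want" ]; then
      echo "DIVERTED: $dst leaves via ${dev:-?}, not $want"
      status=1
    elif [ "$dst" = "100.96.0.0/12" ]; then
      have=yes
    fi
  done
  if [ "$have" = no ]; then
    echo "MISSING: no 100.96.0.0/12 route on $want"
    status=1
  fi
  return $status
}

# Constructed sample: the /16 on eth0 outranks the /12 on gre1 for 100.100.x.x devices.
sample_table() {
  printf '%s\n' 'default via 192.0.2.1 dev eth0' \
    '10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.5' \
    '100.96.0.0/12 dev gre1 scope link' \
    '100.100.0.0/16 via 192.0.2.1 dev eth0'
}

sample_table | audit_routes gre1 || true   # on a host: ip route show | audit_routes gre1
```

Routes that begin with a type keyword (for example `blackhole`) are skipped by this check and need a separate look.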
2. Configure Split Tunnels
Configure Split Tunnels from your Zero Trust account to only include traffic from the private IP addresses you want to access.
Optionally, you can configure Split Tunnels to include IP ranges or domains you want to use for connecting to public IP addresses.
3. Install the WARP client on your device
Refer to Deploy WARP to your organization for more information on whether to choose a manual or managed deployment.
You should be able to access private IP addresses specified in the Split Tunnel configuration.
Run traceroute
Magic WAN clients connecting through GRE, IPsec, CNI or WARP that want to perform a traceroute to an endpoint behind a Cloudflare Tunnel will need to change some settings to make the command useful. Refer to Run traceroute for more information.