Cloudflare Docs
Magic WAN
Visit Magic WAN on GitHub
Set theme to dark (⇧+D)

WARP on-ramp to Magic WAN

Use WARP as an on-ramp to Magic WAN and route traffic from user devices with WARP installed to any network connected with Cloudflare Tunnel or Magic IP-layer tunnels (Anycast GRE, IPsec, or CNI).

​​ Prerequisites

Before you can begin using WARP as an on-ramp to Magic WAN, you must:

  • Set up your Zero Trust account.
  • Contact your account team to enable the integration between WARP and Magic WAN.

​​ 1. Route packets back to WARP devices

Route packets back to WARP devices from services behind an Anycast GRE or other type tunnel.

Cloudflare will assign IP addresses from the WARP virtual IP (VIP) space to your WARP devices. To view your virtual IP address, open the Cloudflare Zero Trust dashboard and select My Team > Devices.

All packets with a destination IP in the VIP space need to be routed back through the tunnel. For example, with a single GRE tunnel named gre1, in Linux, the following command would add a routing rule that would route such packets:

$ ip route add 100.96.0.0/12 dev gre1

​​ 2. Configure Split Tunnels

Configure Split Tunnels from your Zero Trust account to only include traffic from the private IP addresses you want to access.

Optionally, you can configure Split Tunnels to include IP ranges or domains you want to use for connecting to public IP addresses.

​​ 3. Install the WARP client on your device

Refer to Deploy WARP to your organization for more information on whether to choose a manual or managed deployment.

You should be able to access Private IP addresses specified in the Split Tunnel configuration.

​​ Run traceroute

Magic WAN clients connecting through GRE, IPsec, CNI or WARP that want to perform a traceroute to an endpoint behind a Cloudflare Tunnel will need to change some settings to make the command useful. Refer to Run traceroute for more information.