Connect private networks
You can connect private networks and the services running in those networks to Cloudflare using Cloudflare Tunnel. End users can then connect to those resources using the WARP client. When users connect to an IP made available through Cloudflare Tunnel, WARP sends their connection through Cloudflare’s network to the corresponding tunnel.
Cloudflare Tunnel relies on a piece of software, cloudflared, to create those connections. Administrators define the IPs available in that environment and associate them with the tunnel. Users in your organization can then reach the service by enrolling into your organization’s Cloudflare Zero Trust account and using the WARP client.
To connect a private network to Cloudflare’s edge, follow the guide below. You can also check out our tutorial.
Before you start
- Install cloudflared.
- Enable HTTP filtering by turning on the Proxy switch under Settings > Network > L7 Firewall.
- Create device enrollment rules to determine which devices can enroll to your Zero Trust organization.
- Install the WARP client on the devices you want to allow into your network.
- (optional) Integrate your preferred identity provider with Cloudflare Zero Trust.
Create a tunnel to connect your network
Authenticate cloudflared with the command below. The command will launch a browser window where you will be prompted to log in with your Cloudflare account and pick any zone you have added to Cloudflare.
$ cloudflared login
Create a tunnel with a user-friendly name to identify your network or environment.
$ cloudflared tunnel create acme-network
Finally, configure your tunnel with the IP/CIDR range of your private network. By doing this, you are creating a private network and making the WARP client aware that any requests to this IP range need to be routed to your new tunnel.
$ cloudflared tunnel route ip add 10.0.0.0/8 acme-network
Confirm the routes enrolled with the following command:
$ cloudflared tunnel route ip show
Next, create a configuration file for the tunnel. The configuration file will be structured as follows:
tunnel: <Tunnel-UUID>
credentials-file: /root/.cloudflared/credentials-file.json
warp-routing:
  enabled: true
Run the tunnel. Traffic inside of your organization coming from enrolled WARP clients will be sent to this instance when the destination is your private IP range.
$ cloudflared tunnel run acme-network
(optional) Ensure that traffic can reach your network
By default, Cloudflare Zero Trust excludes traffic to a specific set of destinations from WARP encryption. If you have not changed your default Split Tunnel settings, you can skip this step. If you have altered this configuration, for example by adding or removing entries to the Exclude list or by setting Split Tunnels mode to Include, make sure that traffic to the IP/CIDR you are associating with your private network is set to be encrypted by WARP.
To check that, navigate to Settings > Network > Split Tunnels on the Zero Trust Dashboard, and click Manage.
- If you are using the feature in Exclude mode, the IP ranges you see listed are those that Cloudflare excludes from WARP encryption by default. If your network’s IP/CIDR range is listed on this page, delete it.
- If you are using the feature in Include mode, the IP ranges you see listed are the only ones Cloudflare is encrypting through WARP. Add your network’s IP/CIDR range to the list.
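The check described in the two cases above can be scripted before you roll out a route. The following is an added example, not part of the original guide or of any Cloudflare tooling: the function name warp_coverage and the sample lists are assumptions made for illustration, and it only handles IP/CIDR entries. It goes slightly beyond the text by also reporting partial overlaps, where only some addresses in the routed range would go through WARP.

```python
import ipaddress


def warp_coverage(mode, entries, tunnel_cidr):
    """Return 'full', 'partial' or 'none': how much of tunnel_cidr WARP carries.

    mode        -- 'exclude' or 'include' (the Split Tunnels mode in use)
    entries     -- IP/CIDR strings copied from the Split Tunnels list
    tunnel_cidr -- the range given to `cloudflared tunnel route ip add`
    """
    target = ipaddress.ip_network(tunnel_cidr, strict=True)
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    # Only entries of the same IP version can affect the routed range.
    nets = [n for n in nets if n.version == target.version]
    # Merge nested and adjacent entries so that a range covered by several
    # smaller entries is still recognised as covered.
    merged = list(ipaddress.collapse_addresses(nets))
    covered = any(target.subnet_of(n) for n in merged)
    touched = any(target.overlaps(n) for n in merged)
    if mode == "exclude":
        # Listed ranges bypass WARP, so any overlap loses traffic.
        return "none" if covered else "partial" if touched else "full"
    if mode == "include":
        # Only listed ranges are sent through WARP.
        return "full" if covered else "partial" if touched else "none"
    raise ValueError(f"unknown Split Tunnels mode: {mode!r}")


if __name__ == "__main__":
    # Constructed sample lists, not an export from a real account.
    route = "10.0.0.0/8"
    samples = [
        ("exclude", ["10.0.0.0/8", "192.168.0.0/16", "fd00::/8"]),
        ("exclude", ["10.20.0.0/16"]),
        ("include", ["10.0.0.0/9", "10.128.0.0/9"]),
        ("include", ["172.16.0.0/12"]),
    ]
    for mode, entries in samples:
        print(f"{mode:8} {entries}: {warp_coverage(mode, entries, route)}")
```

Any result other than full means the Split Tunnels list still needs the change described above before users can reach the whole range through the tunnel.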
Configure devices to connect to your network
On the devices you want to connect to your network, install the Cloudflare root certificate. This step is optional if TLS decryption under Settings > Network > Firewall is disabled for this device. You can find the certificate under Settings > Devices > Certificates and follow these instructions.
Next, log in to the WARP client with Cloudflare for Teams on each of the devices you want to connect.
Users will now be able to reach any HTTP or TCP-based service on your network by navigating to any IP address in the range you have specified. Users can also visit https://help.teams.cloudflare.com/ to ensure that:
- The page returns Your network is fully protected.
- Both WARP and Gateway Proxy are enabled in the HTTP filtering section.
- The team name matches the expected organization. This team name must belong to the same Cloudflare account from which the tunnel is running.