add split tunnel route

ranbel · ranbel · commit 1dfbc5d50738 · 2025-05-07T16:11:22.000-04:00
diff --git a/src/content/partials/cloudflare-one/warp/add-split-tunnels-route.mdx b/src/content/partials/cloudflare-one/warp/add-split-tunnels-route.mdx
@@ -4,6 +4,8 @@
 
 import { GlossaryTooltip, TabItem, Tabs, Render } from "~/components";
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**.
 2. Under **Device settings**, locate the [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) you would like to modify and select **Configure**.
 3. Under **Split Tunnels**, check whether your [Split Tunnels mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include**.
@@ -33,6 +35,107 @@ import { GlossaryTooltip, TabItem, Tabs, Render } from "~/components";
 
 		</TabItem> </Tabs>
 
+</TabItem> <TabItem label="Terraform (v5)">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+	- `Zero Trust Write`
+
+2. Choose a [`cloudflare_zero_trust_device_default_profile`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_default_profile) or [`cloudflare_zero_trust_device_custom_profile`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_custom_profile) resource to modify, or [create a new device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/#create-a-new-profile).
+
+3. (Optional) Create a list of split tunnel routes that you can reuse across multiple device profiles. For example, you can declare a local value in the same module as your device profiles:
+
+	```tf title="split-tunnels.local.tf"
+	locals {
+		global_exclude_list = [
+			# Default Split Tunnel entries recommended by Cloudflare
+			{
+				address     = "ff05::/16"
+			},
+			{
+				address     = "ff04::/16"
+			},
+			{
+				address     = "ff03::/16"
+			},
+			{
+				address     = "ff02::/16"
+			},
+			{
+				address     = "ff01::/16"
+			},
+			{
+				address     = "fe80::/10"
+				description = "IPv6 Link Local"
+			},
+			{
+				address     = "fd00::/8"
+			},
+			{
+				address     = "255.255.255.255/32"
+				description = "DHCP Broadcast"
+			},
+			{
+				address     = "240.0.0.0/4"
+			},
+			{
+				address     = "224.0.0.0/24"
+			},
+			{
+				address     = "192.168.0.0/16"
+			},
+			{
+				address     = "192.0.0.0/24"
+			},
+			{
+				address     = "172.16.0.0/12"
+			},
+			{
+				address     = "169.254.0.0/16"
+				description = "DHCP Unspecified"
+			},
+			{
+				address     = "100.64.0.0/10"
+			},
+			{
+				address     = "10.0.0.0/8"
+			}
+		]
+	}
+	```
+4. In the device profile, exclude or include routes based on either their IP address or domain:
+
+	```tf title="device-profiles.tf"
+	resource "cloudflare_zero_trust_device_custom_profile" "example" {
+		account_id            = var.cloudflare_account_id
+		name                  = "Example custom profile with split tunnels"
+		enabled               = true
+		precedence            = 101
+		service_mode_v2       = {mode = "warp"}
+		match                 =  "identity.email == \"test@cloudflare.com\""
+
+		exclude = concat(
+			# Global entries
+			local.global_exclude_list,
+
+			# Profile-specific entries
+			[
+				{
+					address = "192.0.2.0/24"
+					description = "Example IP to exclude from WARP"
+				},
+				{
+					host = "example.com"
+					description = "Example domain to exclude from WARP"
+				}
+			]
+		)
+	}
+	```
+	 When possible we recommend adding an IP address instead of a domain. To learn about the consequences of adding a domain, refer to [Domain-based Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#domain-based-split-tunnels).
+
+</TabItem>
+</Tabs>
+
 <Render file="warp/client-notification-lag" product="cloudflare-one" />
 
 We recommend keeping the Split Tunnels list short, as each entry takes time for the client to parse. In particular, domains are slower to action than IP addresses because they require on-the-fly IP lookups and routing table / local firewall changes. A shorter list will also make it easier to understand and debug your configuration. For information on device profile limits, refer to [Account limits](/cloudflare-one/account-limits/#warp).
diff --git a/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx b/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx
@@ -28,7 +28,7 @@ import { Tabs, TabItem } from '~/components';
 		```tf
 		resource "cloudflare_zero_trust_device_custom_profile" "exclude_example" {
 			account_id            = var.cloudflare_account_id
-			name                  = "Device profile in Split Tunnels Exclude mode"
+			name                  = "Custom profile in Split Tunnels Exclude mode"
 			enabled               = true
 			precedence            = 101
 			service_mode_v2       = {mode = "warp"}
@@ -48,7 +48,7 @@ import { Tabs, TabItem } from '~/components';
 		```tf
 		resource "cloudflare_zero_trust_device_custom_profile" "include_example" {
 			account_id            = var.cloudflare_account_id
-			name                  = "Device profile in Split Tunnels Include mode"
+			name                  = "Custom profile in Split Tunnels Include mode"
 			enabled               = true
 			precedence            = 101
 			service_mode_v2       = {mode = "warp"}
