user to site

Author: ranbel

src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet.mdx

@@ -38,6 +38,8 @@ To connect a private network using `cloudflared`, refer to [Connect private netw
 
 ## 3. Route traffic from subnet to WARP Connector
 
+Depending on where you installed the WARP Connector, you may need to configure other devices on the subnet to route outbound requests through WARP Connector.
+
 ### Option 1: Default gateway
 
 <Render file="tunnel/warp-connector-default-gateway" />
@@ -48,12 +50,10 @@ To connect a private network using `cloudflared`, refer to [Connect private netw
 
 #### Route from subnet to Internet
 
-For example, for all traffic from laptop `10.0.0.2` to egress through WARP Connector, add a rule on the router that routes `0.0.0.0` to the WARP Connector host machine (`10.0.0.100`). When the laptop sends a request, the router will first redirect the traffic to the WARP Connector host. WARP Connector encrypts the traffic, changes its destination IP to the [WARP ingress IP](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip), and sends it back to the router. The router will now forward this encrypted traffic to Cloudflare.
+For example, for all traffic from the subnet to egress through WARP Connector, add a rule on the router that routes `0.0.0.0` to the WARP Connector host machine (`10.0.0.100`).
 
-:::note
+<Render file="tunnel/warp-connector-alternate-gateway-flow" />
 
-Ensure that your routing rules do not forward the [WARP ingress IP](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip) back to the WARP Connector.
-:::
 ### Option 3: Intermediate gateway
 
 <Render file="tunnel/warp-connector-intermediate-gateway" />
@@ -68,7 +68,7 @@ Ensure that your routing rules do not forward the [WARP ingress IP](/cloudflare-
 
 ## 4. Test the WARP Connector
 
-You can now test if traffic from your subnet routes through Cloudflare.
+You can now test if traffic from your subnet routes through Cloudflare. For example,
 
 1. On the `10.0.0.2` device, run `curl --ipv4 www.google.com`.
 2. Check your [Gateway DNS logs](/cloudflare-one/insights/logs/gateway-logs/) for queries from `warp_connector@<your-team-name>.cloudflareaccess.com`. Logs may take a few minutes to populate.
@@ -77,10 +77,10 @@ You can now test if traffic from your subnet routes through Cloudflare.
     flowchart LR
       subgraph subnet1[Subnet 10.0.0.0/24]
         device1["Device
-        10.0.0.2"]-->router1["WARP Connector
+        10.0.0.2"]--Request-->router1["WARP Connector
         10.0.0.1"]
       end
       router1-->C((Cloudflare))-->I{Internet}
 ```
 
-[^1]: Check the [system requirements](/cloudflare-one/connections/connect-devices/warp/download-warp/#linux). Package dependencies are the following: `curl`, `gpg`, `iptables`, `iptables-persistent`, `lsb-core`, and `sudo`.
+[^1]: <Render file="tunnel/warp-connector-linux-packages" />

src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site.mdx

@@ -93,12 +93,9 @@ Depending on where you installed the WARP Connector, you may need to configure o
 
 #### Route from subnet to subnet
 
-For example, for laptop `10.0.0.2` to reach applications behind subnet `192.168.1.0/24`, add a rule on the router that routes `192.168.1.0/24` to the WARP Connector host machine (`10.0.0.100`). When a device sends a request to `192.168.1.0/24`, the router will first redirect the traffic to the WARP Connector host. WARP Connector encrypts the traffic, changes its destination IP to the [WARP ingress IP](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip), and sends it back to the router. The router will now forward this encrypted traffic to Cloudflare.
+For example, for devices on subnet `10.0.0.0/24` to reach applications behind subnet `192.168.1.0/24`, add a rule on the router that routes `192.168.1.0/24` to the WARP Connector host machine (`10.0.0.100`).
 
-:::note
-
-Ensure that your routing rules do not forward the [WARP ingress IP](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip) back to the WARP Connector.
-:::
+<Render file="tunnel/warp-connector-alternate-gateway-flow" />
 
 ### Option 3: Intermediate gateway
 
@@ -181,4 +178,4 @@ You can now test the connection between the two subnets. For example, on the `10
 If you are testing with curl using private hostnames, add the `--ipv4` flag to your curl commands.
 :::
 
-[^1]: Check the [system requirements](/cloudflare-one/connections/connect-devices/warp/download-warp/#linux). Package dependencies are the following: `curl`, `gpg`, `iptables`, `iptables-persistent`, `lsb-core`, and `sudo`.
+[^1]: <Render file="tunnel/warp-connector-linux-packages" />

src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/user-to-site.mdx

@@ -1,24 +1,116 @@
 ---
 pcx_content_type: how-to
-title: Connect WARP clients to private network
+title: Connect private network to WARP clients
 sidebar:
   label: User-to-site
   order: 3
 ---
 
 import { Render, Details, GlossaryTooltip, TabItem, Tabs } from "~/components";
 
+This guide covers how to connect WARP client user devices to a private network behind WARP Connector. In this example, we will create a WARP Connector for subnet `10.0.0.0/24` and install it on `10.0.0.1`.
+
 ```mermaid
     flowchart LR
       subgraph subnet1[Subnet 10.0.0.0/24]
       router1["WARP Connector
         10.0.0.1"]
       end
-      router1<-->C((Cloudflare))<-->W[WARP client]
+      W[WARP clients]-->C((Cloudflare))-->router1
 ```
 
+:::note
+To connect a private network using `cloudflared`, refer to [Connect private networks](/cloudflare-one/connections/connect-networks/private-net/cloudflared/).
+:::
+
+## Prerequisites
+
+- A Linux host [^1] on the subnet
+- Verify that your firewall allows inbound/outbound traffic over the [WARP IP addresses, ports, and domains](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/).
+
+## 1. Install a WARP Connector
+
+<Render file="tunnel/warp-connector-install" />
+
+## 2. (Recommended) Create a device profile
+
+<Render file="tunnel/warp-connector-device-profile" />
+
+## 3. Route CGNAT IPs through Cloudflare
+
+WARP clients and WARP Connectors are accessed using their  <GlossaryTooltip term="CGNAT IP">CGNAT IP</GlossaryTooltip>. Therefore, CGNAT IP traffic must route through Cloudflare on both the WARP Connector host and WARP client devices.
+
+1. In your WARP Connector device profile, delete `100.96.0.0/12` from the [Split Tunnel Exclude list](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) (or add it to the Split Tunnel Include list).
+2. Repeat the previous step for all WARP client device profiles.
+
+## 4. Route traffic from subnet to WARP Connector
+
+Depending on where you installed the WARP Connector, you may need to configure other devices on the subnet to route requests through WARP Connector.
+
+### Option 1: Default gateway
+
+<Render file="tunnel/warp-connector-default-gateway" />
+
+### Option 2: Alternate gateway
+
+<Render file="tunnel/warp-connector-alternate-gateway" />
+
 #### Route from subnet to WARP clients
 
-`100.96.0.0/12` is the default CIDR for all user devices running the [WARP client](/cloudflare-one/connections/connect-devices/warp/). To connect from the subnet to user devices:
-- On your router, add a rule that routes the destination IP `100.96.0.0/12` to the WARP Connector host machine (`10.0.0.100` in the diagram above).
-- Ensure that CGNAT IP traffic routes through WARP on both the WARP Connector host and WARP client devices. In other words, delete `100.96.0.0/12` from the [Split Tunnel Exclude list](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) in both device profiles.
+`100.96.0.0/12` is the default CIDR for all user devices running the [WARP client](/cloudflare-one/connections/connect-devices/warp/). On your router, add a rule that routes the destination IP `100.96.0.0/12` to the WARP Connector host machine (`10.0.0.100`).
+
+<Render file="tunnel/warp-connector-alternate-gateway-flow" />
+
+### Option 3: Intermediate gateway
+
+<Render file="tunnel/warp-connector-intermediate-gateway" />
+
+#### Route CGNAT IPs
+
+To route all <GlossaryTooltip term="CGNAT IP">CGNAT IP</GlossaryTooltip> traffic through WARP Connector:
+
+<Tabs> <TabItem label="Linux">
+
+```sh
+sudo ip route add 100.96.0.0/12 via <WARP-CONNECTOR-IP> dev eth0
+```
+
+</TabItem> <TabItem label="macOS">
+
+```sh
+sudo route -n add -net 100.96.0.0/12 <WARP-CONNECTOR-IP>
+```
+
+</TabItem>
+
+<TabItem label="Windows">
+
+```bash
+route /p add 100.96.0.0/12 mask 255.255.255.255 <WARP-CONNECTOR-IP>
+```
+
+</TabItem> </Tabs>
+
+#### Verify routes
+
+<Render file="tunnel/warp-connector-verify-routes" />
+
+## 4. Test the WARP Connector
+
+You can now send a request from a device behind WARP Connector to a WARP client user device.
+
+1. From **My Team** > **Devices**, determine the **Virtual IPv4** address of the WARP client device.
+2. From a device on the private network, run `ping <WARP-VIRTUAL-IPV4>`.
+
+```mermaid
+    flowchart LR
+      subgraph subnet1[Subnet 10.0.0.0/24]
+        device1["Device
+        10.0.0.2"]--ping 100.96.0.21-->router1["WARP Connector
+        10.0.0.1"]
+      end
+      router1-->C((Cloudflare))-->W["WARP client
+				100.96.0.21"]
+```
+
+[^1]: <Render file="tunnel/warp-connector-linux-packages" />

src/content/partials/cloudflare-one/tunnel/warp-connector-alternate-gateway-flow.mdx

@@ -0,0 +1,10 @@
+---
+{}
+---
+
+When a device on the subnet sends a request, the router will first redirect the traffic to the WARP Connector host. WARP Connector encrypts the traffic, changes its destination IP to the [WARP ingress IP](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip), and sends it back to the router. The router will now forward this encrypted traffic to Cloudflare.
+
+:::note
+
+Ensure that your routing rules do not forward the [WARP ingress IP](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip) back to the WARP Connector.
+:::

src/content/partials/cloudflare-one/tunnel/warp-connector-linux-packages.mdx

@@ -0,0 +1,5 @@
+---
+{}
+---
+
+Check the [system requirements](/cloudflare-one/connections/connect-devices/warp/download-warp/#linux). Package dependencies are the following: `curl`, `gpg`, `iptables`, `iptables-persistent`, `lsb-core`, and `sudo`.

src/content/partials/cloudflare-one/tunnel/warp-connector-route-all-traffic.mdx

@@ -12,7 +12,7 @@ You can configure all traffic on a device to egress through WARP Connector with
 sudo ip route add default via <WARP-CONNECTOR-IP> dev eth0 metric 101
 ```
 
-Ensure that the `metric` value is lower than other default gateways. To verify that WARP Connector is now the preferred default gateway, run `ip route get <DESTINATION-IP>`.
+Ensure that the `metric` value is lower than other default gateways.
 
 </TabItem> <TabItem label="macOS">
 
@@ -28,4 +28,6 @@ sudo route -n change default <WARP-CONNECTOR-IP> -interface en0
 route /p add 0.0.0.0 mask 0.0.0.0 <WARP-CONNECTOR-IP> metric 101
 ```
 
+Ensure that the `metric` value is lower than other default gateways.
+
 </TabItem> </Tabs>