You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Cloudflare WARP allows you to selectively apply WARP client settings if the device is connected to a secure network location such as an office.
11
11
12
+
On this page, you will learn how to create a TLS endpoint on your trusted network and configure it in Zero Trust to set up a managed network. After the TLS endpoint and managed network are configured, the WARP client on a device will detect when the device is on your managed network and apply the appropriate device profile.
13
+
14
+
## Requirements
15
+
16
+
- The WARP client scans all managed networks every time it detects a network change event from the operating system. To minimize performance impact, reuse the same TLS endpoint across multiple locations unless you require distinct settings profiles for each location.
17
+
- Ensure that the device can only reach one managed network at any given time. If multiple managed networks are configured and reachable, there is no way to determine which settings profile the device will receive.
18
+
19
+
:::note
20
+
21
+
Starting with WARP version `2025.4.929`, the WARP client may take up to 40 seconds to apply the correct device profile after connecting to a managed network. During this period, the WARP client may display a Connected status, but users might not have access to certain resources until the appropriate device profile is fully applied.
22
+
23
+
:::
24
+
12
25
## 1. Choose a TLS endpoint
13
26
14
-
A TLS endpoint is a host on your network that serves a TLS certificate. The TLS endpoint acts like a network location beacon — when a device connects to a network, WARP detects the TLS endpoint and validates its certificate against an uploaded SHA-256 fingerprint.
27
+
A TLS endpoint is a host on your network that serves a TLS certificate. The TLS endpoint acts like a network location beacon — when a device connects to a network, the WARP client on the device detects the TLS endpoint and validates the TLS certificate against an uploaded SHA-256 fingerprint (for self-signed certificates) or against the local certificate store to check that it is signed by a public certificate authority.
15
28
16
29
The TLS certificate can be hosted by any device on your network. However, the endpoint must be inaccessible to users outside of the network location. WARP will automatically exclude the managed network endpoint from all device profiles to ensure that users cannot connect to this endpoint over Cloudflare Tunnel. We recommend choosing a host that is physically in the office which remote users do not need to access, such as a printer.
4. In **Host and Port**, enter the private IP address and port number of your [TLS endpoint](#create-a-new-tls-endpoint) (for example, `192.168.185.198:3333`).
175
188
176
-
:::note
177
-
We recommend using the private IP of your managed network endpoint and not a hostname to prevent issues related to DNS lookups resolving the incorrect IP.
178
-
:::
189
+
:::note
190
+
We recommend using the private IP of your managed network endpoint and not a hostname to prevent issues related to DNS lookups resolving the incorrect IP.
191
+
:::
192
+
179
193
5. (Optional) In **TLS Cert SHA-256**, enter the [SHA-256 fingerprint](#2-extract-the-sha-256-fingerprint) of the TLS certificate. This field is only needed for self-signed certificates. If a TLS fingerprint is not supplied, WARP validates the certificate against the local certificate store and checks that it is signed by a public certificate authority.
180
194
181
195
</TabItem>
182
196
<TabItem label="Terraform (v5)">
183
197
184
-
1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
185
-
- `Zero Trust Write`
186
-
187
-
2. Add a managed network using the [`cloudflare_zero_trust_device_managed_network`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_managed_network) resource:
1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
199
+
200
+
- `Zero Trust Write`
201
+
202
+
2. Add a managed network using the [`cloudflare_zero_trust_device_managed_network`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_managed_network) resource:
WARP will automatically exclude the TLS endpoint from all device profiles. This prevents remote users from accessing the endpoint through the WARP tunnel on any port. If a device profile uses [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) in **Include** mode, make sure that the Split Tunnel entries do not contain the TLS endpoint IP address; otherwise, the entire IP range will be excluded from the WARP tunnel.
204
221
@@ -250,8 +267,3 @@ To check if the WARP client detects the network location:
250
267
1. Turn on WARP.
251
268
2. Disconnect and reconnect to the network.
252
269
3. Open a terminal and run `warp-cli debug alternate-network`.
253
-
254
-
## Best practices
255
-
256
-
- The WARP client scans all managed networks every time it detects a network change event from the operating system. To minimize performance impact, we recommend reusing the same TLS endpoint across multiple locations unless you require distinct settings profiles for each location.
257
-
- Ensure that the device can only reach one managed network at any given time. If multiple managed networks are configured and reachable, there is no way to determine which settings profile the device will receive.
0 commit comments