diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector.mdx
deleted file mode 100644
index d35efa48171386d..000000000000000
--- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector.mdx
+++ /dev/null
@@ -1,423 +0,0 @@
----
-pcx_content_type: how-to
-title: Site-to-site connectivity
-sidebar:
- order: 5
- badge:
- text: Beta
-head:
- - tag: title
- content: Set up WARP Connector
----
-
-import { Details, GlossaryTooltip, TabItem, Tabs } from "~/components";
-
-
-
-| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) |
-| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
-| Gateway with WARP | All plans |
-
-| System | Availability |
-| -------- | ------------ |
-| Windows | ❌ |
-| macOS | ❌ |
-| Linux | ✅ |
-| iOS | ❌ |
-| Android | ❌ |
-| ChromeOS | ❌ |
-
-
-
-Cloudflare WARP Connector is a piece of software [^1] that enables site-to-site, bidirectional, and mesh networking connectivity without requiring changes to underlying network routing infrastructure. WARP Connector establishes a secure Layer 3 connection between a private network and Cloudflare, allowing you to:
-
-- Connect two or more private networks to each other.
-- Connect IoT devices that cannot run external software, such as printers and IP phones.
-- Filter and log server-initiated traffic, such as VoIP and SIP traffic.
-- Apply Zero Trust security policies based on the source IP of the request.
-
-
-
-As shown in the diagram, WARP Connector acts as a router for a subnet within the private network to on-ramp and off-ramp traffic through Cloudflare. All devices on the subnet can access any services connected to Cloudflare, and all devices connected to Cloudflare can access any services on the subnet. Each subnet runs a WARP Connector on a designated Linux machine (typically the default gateway router), but other devices on the network do not need to install software.
-
-This guide will cover how to connect two independent subnets, for example `10.0.0.0/24` and `192.168.1.0/24`.
-
-## Prerequisites
-
-- A Linux host [^2] on each subnet
-- Verify that your firewall allows inbound/outbound traffic over the [WARP IP addresses, ports, and domains](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/).
-
-## 1. Create a service token
-
-[Create a new service token](/cloudflare-one/identity/service-tokens/#create-a-service-token) and copy its **Client ID** and **Client Secret**. WARP Connector will use this service token to authenticate with your Zero Trust organization.
-
-## 2. Add a device enrollment rule
-
-Next, create a device enrollment rule that allows the WARP Connector to authenticate:
-
-1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
-
-2. In the **Device enrollment** card, select **Manage**.
-
-3. Select **Add a rule**.
-
-4. Name the rule.
-
-5. For **Rule action**, select _Service Auth_.
-
-6. Configure the following fields:
-
- | Selector | Value |
- | ------------- | ---------------------- |
- | Service Token | `` |
-
-7. Select **Save**.
-
-## 3. Enable CGNAT routing
-
-All WARP Connector and WARP client devices in your Zero Trust organization have the same local IP address by default. To route traffic between various WARP devices, you must allow Cloudflare to assign a unique CGNAT IP to each device.
-
-1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**.
-2. Enable **Proxy**.
-3. Enable **Warp to Warp**. This allows Cloudflare to route traffic to the CGNAT IP space.
-4. Next, go to **Settings** > **WARP Client**.
-5. Enable [**Override local interface IP**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip-).
-6. [Check your Split Tunnel configuration](/cloudflare-one/connections/connect-networks/private-net/cloudflared/#3-route-private-network-ips-through-warp) and ensure that the CGNAT IP space (`100.96.0.0/12`) routes through WARP.
-
- For example, if you are using **Exclude** mode, delete `100.64.0.0/10` from the list and re-add `100.64.0.0/11` and `100.112.0.0/12`.
-
-## 4. Install a WARP Connector
-
-Each subnet must run its own WARP Connector on a Linux host. Installing on your router is the simplest setup, but if you do not have access to the router, you may choose any other machine on the subnet.
-
-In this example, we will create a WARP Connector for subnet `10.0.0.0/24` and install it on `10.0.0.1`. We will then create a second WARP Connector for subnet `192.168.1.0/24` and install it on `192.168.1.97`.
-
-1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Network** > **Tunnels**.
-2. Select **Create a tunnel**.
-3. For the connector type, select **WARP**. Select **Next**.
-4. A window will appear with a list of prerequisites. Select **Confirm** to continue.
-5. Give the tunnel any name (for example, `Subnet-10.0.0.0/24`) and select **Save tunnel**.
-6. Select the operating system of your host machine.
-7. Copy-paste the command into a terminal window and run the command. WARP Connector software is now installed, but not yet connected to Cloudflare.
-8. To authenticate the WARP Connector to your Zero Trust organization:
-
- 1. Create an `mdm.xml` file in `/var/lib/cloudflare-warp` using any text editor:
-
- ```sh
- cd /var/lib/cloudflare-warp
- sudo vim mdm.xml
- ```
-
- 2. Add the following text to the file. Make sure to fill in your team name, the Client ID and Client Secret of your [service token](#1-create-a-service-token), and the WARP Connector token value (shown in the dashboard). As soon as you save this file, WARP will automatically register with the provided credentials.
-
- ```txt
-
- organization
- myteam
- auth_client_id
- b33d5a65a6e801cd875scefff5908457f29.access
- auth_client_secret
- cdb5fa2721018c39cfaf8ec7fca9b5f62860ff5c584a89121241c6d0c83878124591cce23
- warp_connector_token
- fVTLilTWgMiF3TMxTIMM3nMU2NsixOYTTDHW1IamOMyORL0Y0jUcMWAoZDZhVhLVdn2pTDhy0VFRWZdE22rQCFNN6jQUoOx0eIV0ehcj5RyTZl5PYRwU25wMMi0kDGUS2XZn5W0eJS3mZXS9DkUTJatMNiMZDtNb1TmtmMptENJ20WY0NmdYmIBLoVhtToFichIjtiMnTZIMMOYOGZmpATzzEm2MjhnC6tWMHwNwFGhoIN==
-
- ```
-
- 3. Verify the registration:
-
- ```sh
- warp-cli registration show
- ```
-
- ```sh output
- Account type: Team
- Device ID: f174e90a-fafe-4643-bbbc-4a0ed4fc8415
- Public key: 4w5uugfh0q03nrmcn95ltfzeghfzuhl75o7pruyd0h7z9ar9x6doxwq50aszar5kd
- Account ID: 699d98642c564d2e855e9661899b7252
- Organization: myteam
- ```
-
-
- If the registration did not go through, try the following troubleshooting strategies:
-
- - Ensure that `mdm.xml` is formatted correctly and stored in `/var/lib/cloudflare-warp`.
- - Ensure that you have a [device enrollment rule](/cloudflare-one/connections/connect-networks/private-net/warp-connector/#2-add-a-device-enrollment-rule) with the _Service Auth_ action (not _Allow_).
- - Restart the WARP systemd service:
- ```sh
- sudo systemctl restart warp-svc.service
- ```
- - Clear an old registration and trigger WARP to re-register:
- ```sh
- sudo warp-cli registration delete
- ```
- - Review your [WARP daemon logs](/cloudflare-one/connections/connect-devices/warp/troubleshooting/warp-logs/) for information about why the registration is failing.
-
-
-
- 4. Verify that WARP is connected to Cloudflare:
-
- ```sh
- warp-cli status
- ```
-
- ```sh output
- Status update: Connected
- ```
-
-
-
-
- If WARP is disconnected, try the following troubleshooting strategies:
-
- * Run `warp-cli connect`.
-
- * If your private network uses a firewall to restrict Internet traffic, ensure that it allows the [WARP ports and IPs](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/).
-
- * Review your [WARP daemon logs](/cloudflare-one/connections/connect-devices/warp/troubleshooting/warp-logs/) for information about why the connection is failing.
-
-
-
-:::caution[Warning]
-
-If you are managing the deployment remotely over SSH, your connection may drop when you register the WARP Connector. Because the connector immediately starts forwarding traffic to Cloudflare, the remote SSH server's traffic will be routed to Cloudflare instead of via the server's public IP and will timeout your existing connection. You can work around this issue by temporarily adding the public IP of your local machine to your [Split Tunnel Exclude list](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/).
-:::
-
-9. Select **Next**.
-10. In **CIDR**, enter the private IPv4 address range that you wish to route through this WARP Connector (for example, `10.0.0.0/24`). WARP Connector does not currently support IPv6 routes.
-
-:::note
-
-If you do not already have a private network range, you can choose a subnet from one of these [pre-defined CIDRs](https://datatracker.ietf.org/doc/html/rfc1918#section-3).
-:::
-
-11. Select **Save Tunnel**.
-
-12. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/), ensure that your CIDR is routing through the WARP tunnel. For instructions on how to do this, refer to [Route private network IPs through WARP](/cloudflare-one/connections/connect-networks/private-net/cloudflared/#3-route-private-network-ips-through-warp).
-
- The `10.0.0.0/24` WARP Connector is now connected to Cloudflare.
-
- ```mermaid
- flowchart LR
- subgraph subnet1[Subnet 10.0.0.0/24]
- router1["Device running
- WARP Connector
- 10.0.0.1"]
- end
- router1<-->C((Cloudflare))
- ```
-
-13. Repeat these steps to install an additional WARP Connector on subnet `192.168.1.0/24`. You can reuse the service token, but you will need to create a new tunnel and MDM file.
-
- ```mermaid
- flowchart LR
- subgraph subnet1[Subnet 10.0.0.0/24]
- router1["Device running
- WARP Connector #1
- 10.0.0.1"]
- end
- subgraph subnet2[Subnet 192.168.1.0/24]
- router2["Device running
- WARP Connector #2
- 192.168.1.97"]
- end
- router1<-->C((Cloudflare))<-->router2
- ```
-
-## 5. Configure the host
-
-Run the following commands on the machine where you installed WARP Connector. You will need to configure the host machine on each subnet.
-
-1. Enable IP forwarding:
-
- ```sh
- sudo sysctl -w net.ipv4.ip_forward=1
- ```
-
-
-
- ```sh
- echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-warp-svc.conf
- sudo sysctl -p /etc/sysctl.d/99-warp-svc.conf
- ```
-
-
-:::note[IP forwarding on VPC]
-
-If you are setting up WARP Connector on a [virtual private cloud (VPC)](https://www.cloudflare.com/learning/cloud/what-is-a-virtual-private-cloud/), you may need to enable IP forwarding on the VM instance.
-:::
-
-2. WARP's [virtual interface](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#virtual-interface) has a [maximum transmission unit (MTU)](https://www.cloudflare.com/learning/network-layer/what-is-mtu/) of 1280 bytes, whereas the standard Ethernet MTU is 1500 bytes. To avoid dropping packets that exceed 1280 bytes, clamp the [maximum segment size (MSS)](https://www.cloudflare.com/learning/network-layer/what-is-mss/) of the host machine so that incoming payloads are less than the MTU of WARP:
-
- ```sh
- sudo iptables -t mangle -A FORWARD -i CloudflareWARP -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
- sudo iptables -t mangle -A FORWARD -o CloudflareWARP -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
- ```
-
-
-
- 1. Create a bash script that writes the `iptable` rules to a file:
-
- ```bash
- echo '#!/bin/bash
- # Define your rules
- RULES=(
- "-A FORWARD -i CloudflareWARP -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
- "-A FORWARD -o CloudflareWARP -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
- )
-
- # Apply the rules
- for rule in "${RULES[@]}"; do
- iptables -t mangle $rule
- done
-
- # Save the rules
- iptables-save > /etc/iptables/rules.v4
- ' | sudo tee /usr/local/bin/apply_iptables_rules.sh
- ```
-
- 2. Run the script:
-
- ```sh
- sudo chmod +x /usr/local/bin/apply_iptables_rules.sh
- sudo /usr/local/bin/apply_iptables_rules.sh
- ```
-
- 3. Create a systemd service to restore the rules at startup:
-
- ```bash
- echo '[Unit]
- Description=Load iptables rules at startup
-
- [Service]
- Type=oneshot
- ExecStart=/sbin/iptables-restore < /etc/iptables/rules.v4
-
- [Install]
- WantedBy=multi-user.target
- ' | sudo tee /etc/systemd/system/iptables-persistent.service
- ```
-
-
-
-## 6. Route traffic through WARP Connector
-
-Depending on where you installed the WARP Connector, you may need to configure other devices on the subnet to route traffic through WARP Connector.
-
-### Option 1: Default gateway
-
-If you installed WARP Connector on your router, no additional configuration is necessary. All traffic will use the router as the default gateway.
-
-
-
-### Option 2: Alternate gateway
-
-If you have access to the router but installed WARP Connector on another machine, you can configure the router to forward traffic to the WARP Connector. This typically involves adding a static route for the destination IPs that you want to connect to through Cloudflare. Refer to your router's documentation for specific instructions on how to add an IP route.
-
-For example, if you are on subnet `10.0.0.0/24` and want to reach applications behind subnet `192.168.1.0/24`, add a rule that routes `192.168.1.0/24` to the WARP Connector IP (`10.0.0.100` in the diagram below). When a device sends a request to `192.168.1.0/24`, the router will first redirect the traffic to the WARP Connector machine. WARP Connector encrypts the traffic, changes its destination IP to the [WARP ingress IP](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip), and sends it back to the router. The router will now forward this encrypted traffic to Cloudflare.
-
-
-
-:::note
-
-Ensure that your routing rules do not forward the [WARP ingress IP](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip) back to the WARP Connector.
-:::
-
-### Option 3: Intermediate gateway
-
-If you do not have access to the router, you will need to configure each device on the subnet to egress through the WARP Connector machine instead of the default gateway.
-
-
-
-#### Route all traffic
-
-You can configure all traffic on a device to egress through WARP Connector with its local source IP. All traffic will be filtered by your Gateway network policies.
-
-
-
-```sh
-sudo ip route add default via dev eth0 metric 101
-```
-
-Ensure that the `metric` value is lower than other default gateways. To verify that WARP Connector is now the preferred default gateway, run `ip route get `.
-
-
-
-```sh
-sudo route -n change default -interface en0
-```
-
-
-
-
-
-```bash
-route /p add 0.0.0.0 mask 0.0.0.0 metric 101
-```
-
-
-
-#### Route specific IPs
-
-You can configure only certain routes to egress through WARP Connector. For example, you may only want to filter traffic destined to internal applications and devices, but allow public Internet traffic to bypass Cloudflare.
-
-
-
-```sh
-sudo ip route add via dev eth0
-```
-
-
-
-```sh
-sudo route -n add -net
-```
-
-
-
-
-
-```bash
-route /p add mask 255.255.255.255
-```
-
-
-
-:::note[WARP device IPs]
-
-`100.96.0.0/12` is the default CIDR for all user devices running [Cloudflare WARP](/cloudflare-one/connections/connect-devices/warp/). Setting `` to `100.96.0.0/12` configures the local machine to connect to user devices through Cloudflare.
-:::
-
-#### Verify routes
-
-To validate subnet routing, [check your routing table](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#routing-table) and ensure that traffic is routing through the `CloudflareWARP` [virtual interface](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#virtual-interface).
-
-## 7. Test the WARP Connector
-
-You can now test the connection between the two subnets. For example, on the `10.0.0.2` device run `ping 192.168.1.100`.
-
-```mermaid
- flowchart LR
- subgraph subnet1[Subnet 10.0.0.0/24]
- device1["Device
- 10.0.0.2"]--"ping
- 192.168.1.100"-->router1["Device running
- WARP Connector
- 10.0.0.1"]
- end
- subgraph subnet2[Subnet 192.168.1.0/24]
- router2["Device running
- WARP Connector
- 192.168.1.97"]-->device2["Device
- 192.168.1.100"]
- end
- router1-->C((Cloudflare))-->router2
-```
-
-:::note
-
-If you are testing with curl using private hostnames, make sure to add the `--ipv4` flag to your curl commands.
-:::
-
-[^1]: WARP Connector is an extension of the [WARP client](/cloudflare-one/connections/connect-devices/warp/).
-
-[^2]: Check the [system requirements](/cloudflare-one/connections/connect-devices/warp/download-warp/#linux). Package dependencies are the following: `curl`, `gpg`, `iptables`, `iptables-persistent`, `lsb-core`, and `sudo`.
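Review bot: Removed sections 1 to 3 (service token, the _Service Auth_ enrollment rule, and enabling Proxy, Warp to Warp and Override local interface IP) and the SSH caution in section 4 have no visible counterpart in the files this change adds, where the "Install a WARP Connector" and "Create a device profile" headings are empty in the diff. If these steps now live in shared partials, include or reference those partials in this PR so it can be confirmed that nothing was lost, in particular the warning that registering over SSH drops the session and the steps that persist `net.ipv4.ip_forward` and the MSS clamp across reboots. The removed page also linked to its own anchor `#2-add-a-device-enrollment-rule`; the new overview at the same path has no such heading, so links to the old numbered anchors need a redirect or an update.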
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx
new file mode 100644
index 000000000000000..424d1780a40c33c
--- /dev/null
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx
@@ -0,0 +1,49 @@
+---
+pcx_content_type: concept
+title: WARP Connector
+sidebar:
+ label: Overview
+ order: 5
+ badge:
+ text: Beta
+tableOfContents: false
+---
+
+import { Render, Details} from "~/components";
+
+
+
+| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) |
+| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| Gateway with WARP | All plans |
+
+| System | Availability |
+| -------- | ------------ |
+| Windows | ❌ |
+| macOS | ❌ |
+| Linux | ✅ |
+| iOS | ❌ |
+| Android | ❌ |
+| ChromeOS | ❌ |
+
+
+
+Cloudflare WARP Connector is a piece of software [^1] that enables site-to-site, bidirectional, and mesh networking connectivity without requiring changes to underlying network routing infrastructure. WARP Connector establishes a secure Layer 3 connection between a private network and Cloudflare, allowing you to:
+
+- Connect two or more private networks to each other.
+- Connect IoT devices that cannot run external software, such as printers and IP phones.
+- Filter and log server-initiated traffic, such as VoIP and SIP traffic.
+- Apply Zero Trust security policies based on the source IP of the request.
+
+
+
+As shown in the diagram, WARP Connector acts as a router for a subnet within the private network to on-ramp and off-ramp traffic through Cloudflare. All devices on the subnet can access any services connected to Cloudflare, and all devices connected to Cloudflare can access any services on the subnet. Each subnet runs a WARP Connector on a designated Linux machine (typically the default gateway router), but other devices on the network do not need to install software.
+
+To set up WARP Connector, refer to the guide for your use case:
+
+- **[Site-to-Internet](/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet/)**: Send requests from your private network to the Internet.
+- **[Site-to-site](/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site/)**: Send requests between two or more private networks.
+- **[User-to-site](/cloudflare-one/connections/connect-networks/private-net/warp-connector/user-to-site/)**: Allow WARP client devices to send requests to your private network.
+- **Internet-to-site**: Not supported by WARP Connector. To provide clientless access to applications on your private network, set up a [Cloudflare Tunnel with `cloudflared`](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) and configure a [public hostname route](/cloudflare-one/connections/connect-networks/routing-to-tunnel/).
+
+[^1]: WARP Connector is an extension of the [WARP client](/cloudflare-one/connections/connect-devices/warp/).
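Review bot: The overview paragraph beginning "As shown in the diagram" states that all devices on the subnet and all devices connected to Cloudflare can reach each other's services, with nothing on the page saying this reachability is subject to policy. The removed how-to noted that traffic "will be filtered by your Gateway network policies"; suggest adding a sentence or link to that effect here, since this is now the landing page for all three use cases. Minor style point: `import { Render, Details} from "~/components";` is missing the space before the closing brace that the other new files use, and neither component is referenced in the visible body.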
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet.mdx
new file mode 100644
index 000000000000000..0f00eb2485c9eb4
--- /dev/null
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet.mdx
@@ -0,0 +1,83 @@
+---
+pcx_content_type: how-to
+title: Connect private network to Internet
+sidebar:
+ label: Site-to-Internet
+ order: 3
+---
+
+import { Render, Details, GlossaryTooltip, TabItem, Tabs } from "~/components";
+
+This guide covers how to connect a private network to the Internet using WARP Connector. In this example, we will create a WARP Connector for subnet `10.0.0.0/24` and install it on `10.0.0.1`.
+
+```mermaid
+ flowchart LR
+ subgraph subnet1[Subnet 10.0.0.0/24]
+ device1["Device
+ 10.0.0.2"]-->router1["WARP Connector
+ 10.0.0.1"]
+ end
+ router1-->C((Cloudflare))-->I{Internet}
+```
+
+## Prerequisites
+
+- A Linux host [^1] on the subnet
+- Verify that your firewall allows inbound/outbound traffic over the [WARP IP addresses, ports, and domains](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/).
+
+## 1. Install a WARP Connector
+
+
+
+## 2. (Recommended) Create a device profile
+
+
+
+## 3. Route traffic from subnet to WARP Connector
+
+Depending on where you installed the WARP Connector, you may need to configure other devices on the subnet to route outbound requests through WARP Connector.
+
+### Option 1: Default gateway
+
+
+
+### Option 2: Alternate gateway
+
+
+
+#### Add route to router
+
+For example, for all traffic from the subnet to egress through WARP Connector, add a rule on the router that routes `0.0.0.0` to the WARP Connector host machine (`10.0.0.100`).
+
+
+
+### Option 3: Intermediate gateway
+
+
+
+#### Add route to devices
+
+
+
+#### Verify routes
+
+
+
+## 4. Test the WARP Connector
+
+You can now test if traffic from your subnet routes through Cloudflare. For example,
+
+1. On the `10.0.0.2` device, run `curl --ipv4 www.google.com`.
+2. Check your [Gateway DNS logs](/cloudflare-one/insights/logs/gateway-logs/) for queries from `warp_connector@.cloudflareaccess.com`. Logs may take a few minutes to populate.
+
+```mermaid
+ flowchart LR
+ subgraph subnet1[Subnet 10.0.0.0/24]
+ device1["Device
+ 10.0.0.2"]--Request-->router1["WARP Connector
+ 10.0.0.1"]
+ end
+ router1-->C((Cloudflare))-->I{Internet}
+```
+
+[^1]:
\ No newline at end of file
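Review bot: Under "Add route to router", the destination `0.0.0.0` has no prefix length and the next hop `10.0.0.100` does not match the introduction, which installs the connector on `10.0.0.1`. Suggest writing the default route as `0.0.0.0/0` and either using one host address throughout or stating that Option 2 assumes the connector runs on a separate machine at `10.0.0.100`. Because this is a default route, the note from the removed page ("Ensure that your routing rules do not forward the WARP ingress IP back to the WARP Connector") matters more here than in the site-to-site case and should be visible in this section. The footnote `[^1]:` has no body in the diff, the file lacks a trailing newline, and this page shares `order: 3` with the other three new pages, which leaves their sidebar order undefined.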
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site.mdx
new file mode 100644
index 000000000000000..37ea1e416ad369b
--- /dev/null
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site.mdx
@@ -0,0 +1,179 @@
+---
+pcx_content_type: how-to
+title: Connect two or more private networks
+sidebar:
+ label: Site-to-site
+ order: 3
+---
+
+import { Render, Details, GlossaryTooltip, TabItem, Tabs } from "~/components";
+
+This guide covers how to connect two independent subnets with WARP Connector. Each subnet must run its own WARP Connector on a Linux host. Installing on your router is the simplest setup, but if you do not have access to the router, you may choose any other machine on the subnet.
+
+```mermaid
+ flowchart LR
+ subgraph subnet1[Subnet 10.0.0.0/24]
+ router1["WARP Connector #1
+ 10.0.0.1"]
+ end
+ subgraph subnet2[Subnet 192.168.1.0/24]
+ router2["WARP Connector #2
+ 192.168.1.97"]
+ end
+ router1<-->C((Cloudflare))<-->router2
+```
+
+In this example, we will create a WARP Connector for subnet `10.0.0.0/24` and install it on `10.0.0.1`. We will then create a second WARP Connector for subnet `192.168.1.0/24` and install it on `192.168.1.97`.
+
+## Prerequisites
+
+- A Linux host [^1] on each subnet.
+- Verify that your firewall allows inbound/outbound traffic over the [WARP IP addresses, ports, and domains](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/).
+
+## 1. Install a WARP Connector
+
+
+
+## 2. (Recommended) Create a device profile
+
+
+
+## 3. Route traffic from WARP Connector to subnet
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Networks** > **Routes**.
+2. Select **Create route**.
+3. In **CIDR**, enter the private IPv4 address range that you wish to route through this WARP Connector (for example, `10.0.0.0/24`). WARP Connector does not currently support IPv6 routes.
+ :::note
+ If you do not already have a private network range, you can choose a subnet from one of these [pre-defined CIDRs](https://datatracker.ietf.org/doc/html/rfc1918#section-3).
+ :::
+4. For **Tunnel**, select the name of your WARP Connector (_Subnet-10.0.0.0/24_).
+5. Select **Create**.
+6. In your WARP Connector device profile, [configure Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) so that traffic to your private network CIDR (`10.0.0.0/24`) routes through the WARP tunnel. For example, if you are using **Exclude** mode, delete `10.0.0.0/8` from Split Tunnels and re-add the following IPs: `10.0.1.0/24`, `10.0.2.0/23`, `10.0.4.0/22`, `10.0.8.0/21`, `10.0.16.0/20`, `10.0.32.0/19`, `10.0.64.0/18`, `10.0.128.0/17`, `10.1.0.0/16`, `10.2.0.0/15`, `10.4.0.0/14`, `10.8.0.0/13`, `10.16.0.0/12`, `10.32.0.0/11`, `10.64.0.0/10`, `10.128.0.0/9`
+
+The WARP Connector will now forward inbound requests to devices on the subnet.
+
+```mermaid
+ flowchart LR
+ subgraph subnet1[Subnet 10.0.0.0/24]
+ router1["WARP Connector #1
+ 10.0.0.1"]
+ device["Device
+ 10.0.0.2"]
+ end
+
+ C((Cloudflare))--Requests to 10.0.0.2--> router1 --> device
+
+```
+
+## 4. Route traffic from subnet to WARP Connector
+
+Depending on where you installed the WARP Connector, you may need to configure other devices on the subnet to route outbound requests through WARP Connector.
+
+```mermaid
+ flowchart LR
+ subgraph subnet1[Subnet 10.0.0.0/24]
+ router1["WARP Connector #1
+ 10.0.0.1"]
+ device["Device
+ 10.0.0.2"]
+ end
+
+ device --Requests to
+ 192.168.1.0/24 --> router1 --> C((Cloudflare))
+
+```
+
+### Option 1: Default gateway
+
+
+
+### Option 2: Alternate gateway
+
+
+
+#### Add route to router
+
+For example, for devices on subnet `10.0.0.0/24` to reach applications behind subnet `192.168.1.0/24`, add a rule on the router that routes `192.168.1.0/24` to the WARP Connector host machine (`10.0.0.100`).
+
+
+
+### Option 3: Intermediate gateway
+
+
+
+#### Add route to devices
+
+
+
+Alternatively, you can configure only certain routes to egress through WARP Connector. For example, you may only want to filter traffic destined to internal applications and devices, but allow public Internet traffic to bypass Cloudflare.
+
+
+
+```sh
+sudo ip route add via dev eth0
+```
+
+
+
+```sh
+sudo route -n add -net
+```
+
+
+
+
+
+```bash
+route /p add mask 255.255.255.255
+```
+
+
+
+
+#### Verify routes
+
+
+
+## 5. Install another WARP Connector
+
+Repeat steps 1, 3, and 4 above to install an additional WARP Connector on subnet `192.168.1.0/24`. The device profile created in Step 2 will apply to all WARP Connectors.
+
+```mermaid
+ flowchart LR
+ subgraph subnet1[Subnet 10.0.0.0/24]
+ router1["WARP Connector #1
+ 10.0.0.1"]
+ end
+ subgraph subnet2[Subnet 192.168.1.0/24]
+ router2["WARP Connector #2
+ 192.168.1.97"]
+ end
+ router1<-->C((Cloudflare))<-->router2
+```
+
+## 6. Test the WARP Connector
+
+You can now test the connection between the two subnets. For example, on the `10.0.0.2` device run `ping 192.168.1.100`.
+
+```mermaid
+ flowchart LR
+ subgraph subnet1[Subnet 10.0.0.0/24]
+ device1["Device
+ 10.0.0.2"]--"ping
+ 192.168.1.100"-->router1["WARP Connector #1
+ 10.0.0.1"]
+ end
+ subgraph subnet2[Subnet 192.168.1.0/24]
+ router2["WARP Connector #2
+ 192.168.1.97"]-->device2["Device
+ 192.168.1.100"]
+ end
+ router1-->C((Cloudflare))-->router2
+```
+
+:::note
+
+If you are testing with curl using private hostnames, add the `--ipv4` flag to your curl commands.
+:::
+
+[^1]:
\ No newline at end of file
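Review bot: Step 6 of "Route traffic from WARP Connector to subnet" gives the Exclude-mode replacement list only for `10.0.0.0/8`, but step 5 of the guide tells the reader to repeat step 3 for `192.168.1.0/24`, which that list does not help with. Suggest adding the equivalent example for the second subnet, or a sentence explaining how to derive the list, so that readers do not remove a broad exclude entry and unintentionally send the rest of that range through the tunnel. In "Add route to router" the next hop is `10.0.0.100` while the introduction places WARP Connector #1 on `10.0.0.1`; state which host the example assumes. The Windows command under "Add route to devices" uses `mask 255.255.255.255`, a single-host mask, although the surrounding text describes routing to a subnet.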
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/user-to-site.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/user-to-site.mdx
new file mode 100644
index 000000000000000..270dcc6fc8a8f6d
--- /dev/null
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/user-to-site.mdx
@@ -0,0 +1,114 @@
+---
+pcx_content_type: how-to
+title: Connect private network to WARP clients
+sidebar:
+ label: User-to-site
+ order: 3
+---
+
+import { Render, Details, GlossaryTooltip, TabItem, Tabs } from "~/components";
+
+This guide covers how to connect WARP client user devices to a private network behind WARP Connector. In this example, we will create a WARP Connector for subnet `10.0.0.0/24` and install it on `10.0.0.1`.
+
+```mermaid
+ flowchart LR
+ subgraph subnet1[Subnet 10.0.0.0/24]
+ router1["WARP Connector
+ 10.0.0.1"]--> device1["Device
+ 10.0.0.2"]
+ router1["WARP Connector
+ 10.0.0.1"]
+ end
+ W[WARP clients]-->C((Cloudflare))-->router1
+```
+
+## Prerequisites
+
+- A Linux host [^1] on the subnet.
+- Verify that your firewall allows inbound/outbound traffic over the [WARP IP addresses, ports, and domains](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/).
+
+## 1. Install a WARP Connector
+
+
+
+## 2. (Recommended) Create a device profile
+
+
+
+## 3. Route CGNAT IPs through Cloudflare
+
+WARP clients and WARP Connectors are accessed using their CGNAT IP. Therefore, CGNAT IP traffic must route through Cloudflare on both the WARP Connector host and WARP client devices.
+
+1. In your WARP Connector device profile, go to [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/).
+2. Ensure that `100.96.0.0/12` routes through the WARP tunnel. For example, if you are using **Exclude** mode, delete `100.64.0.0/10` from the list and re-add `100.64.0.0/11` and `100.112.0.0/12`.
+3. Repeat the previous steps for all WARP client device profiles.
+
+## 4. Route traffic from subnet to WARP Connector
+
+Depending on where you installed the WARP Connector, you may need to configure other devices on the subnet to route requests through WARP Connector.
+
+### Option 1: Default gateway
+
+
+
+### Option 2: Alternate gateway
+
+
+
+#### Add route to router
+
+`100.96.0.0/12` is the default CIDR for all user devices running the [WARP client](/cloudflare-one/connections/connect-devices/warp/). On your router, add a rule that routes the destination IP `100.96.0.0/12` to the WARP Connector host machine (`10.0.0.100`).
+
+
+
+### Option 3: Intermediate gateway
+
+
+
+#### Add route to devices
+
+To route all CGNAT IP traffic through WARP Connector:
+
+
+
+```sh
+sudo ip route add 100.96.0.0/12 via dev eth0
+```
+
+
+
+```sh
+sudo route -n add -net 100.96.0.0/12
+```
+
+
+
+
+
+```bash
+route /p add 100.96.0.0/12 mask 255.255.255.255
+```
+
+
+
+#### Verify routes
+
+
+
+## 5. Test the WARP Connector
+
+You can now send a request from a WARP client user device to a device behind WARP connector. For example, on the WARP client device run `ping 10.0.0.2`.
+
+```mermaid
+ flowchart LR
+ subgraph subnet1[Subnet 10.0.0.0/24]
+ router1["WARP Connector
+ 10.0.0.1"]--> device1["Device
+ 10.0.0.2"]
+ router1["WARP Connector
+ 10.0.0.1"]
+ end
+ W[WARP client]--ping 10.0.0.2 -->C((Cloudflare))-->router1
+```
+
+[^1]:
\ No newline at end of file
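Review bot: Under "Add route to devices", the last command, `route /p add 100.96.0.0/12 mask 255.255.255.255`, pairs a /12 destination with a host mask; the mask for a /12 is `255.240.0.0`. That block is also fenced as `bash` although `route /p` is Windows syntax. As shown, none of the three commands names a next hop (`via dev eth0` has nothing after `via`), so state the WARP Connector host address explicitly, the way "Add route to router" does with `10.0.0.100`. In step 5, "WARP connector" should be capitalised as "WARP Connector" like the rest of the page, and the footnote definition `[^1]:` at the end of the file is empty.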
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/vpc-deployments.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/vpc-deployments.mdx
new file mode 100644
index 000000000000000..d6c07df28ff08c5
--- /dev/null
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/vpc-deployments.mdx
@@ -0,0 +1,23 @@
+---
+pcx_content_type: reference
+title: Tips for VPC deployments
+sidebar:
+ label: VPC deployments
+ order: 3
+---
+
+When setting up WARP Connector on a virtual private cloud (VPC), you may need to configure additional settings in the cloud service provider.
+
+## GCP
+
+For Google Cloud Project (GCP) deployments, [enable IP forwarding](https://cloud.google.com/vpc/docs/using-routes#canipforward) on the VM instance where you installed WARP Connector.
+
+## AWS
+
+For Amazon Web Services (AWS) deployments:
+- Stop [source/destination checking](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) on the EC2 instance where you installed WARP Connector.
+- In your [subnet route table](https://docs.aws.amazon.com/vpc/latest/userguide/subnet-route-tables.html), route all IPv4 traffic to the EC2 instance where you installed WARP Connector. For example,
+
+ | Destination | Target |
+ | ----------- | ------ |
+ | `0.0.0.0/0` | `eni-11223344556677889` |
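Review bot: Under the GCP heading, "Google Cloud Project (GCP)" expands the acronym incorrectly; GCP is Google Cloud Platform. In the AWS list, say which subnet's route table gets the `0.0.0.0/0` entry: if it is also the table used by the WARP Connector instance itself, the connector's own traffic to Cloudflare is pointed back at its own ENI, which is the situation the alternate-gateway note in this patch warns against. The sentence ending "For example," should end with a colon, and a blank line is needed between "For Amazon Web Services (AWS) deployments:" and the list.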
diff --git a/src/content/glossary/cloudflare-one.yaml b/src/content/glossary/cloudflare-one.yaml
index 37adda115428ba2..4a95a3bcfcbfc83 100644
--- a/src/content/glossary/cloudflare-one.yaml
+++ b/src/content/glossary/cloudflare-one.yaml
@@ -23,7 +23,7 @@ entries:
- term: CGNAT IP
general_definition: |-
- a unique, virtual IP address assigned to each WARP device from the `100.96.0.0/12` range. You can view the CGNAT IP for a device on its **My Team** > **Devices** page.
+ a unique, virtual IP address assigned to each WARP device from the `100.96.0.0/12` range. You can view the CGNAT IP for a device in **My Team** > **Devices** > **Virtual IPv4/IPv6**.
- term: cloudflared
general_definition: |-
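Review bot: The revised CGNAT IP definition still describes an address from the IPv4 range `100.96.0.0/12` but now sends readers to a field labelled **Virtual IPv4/IPv6**. Say that the CGNAT IP is the IPv4 value shown there, or describe the IPv6 counterpart, so readers do not copy the wrong address into a route or a policy.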
@@ -239,6 +239,10 @@ entries:
general_definition: |-
a software abstraction that allows you to logically segregate resources on a private network. Virtual networks are especially useful for exposing resources which have overlapping IP routes.
+ - term: Virtual Private Cloud (VPC)
+ general_definition: |-
+ a secure, isolated private network hosted on public cloud infrastructure. Examples of public cloud providers include Google Cloud, AWS, and Microsoft Azure.
+
- term: Virtual Private Network (VPN)
general_definition: |-
a tool that allows users to send and receive data across shared or public networks as if their devices were directly connected to the private network. For example, employees working from home can use a VPN to access files on the corporate network.
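Review bot: The new VPC entry calls the network "secure", which a glossary definition cannot promise; the isolation is logical and depends on how routes and firewall rules are configured, and this same patch asks readers to turn off source/destination checking on AWS. Suggest "a logically isolated private network hosted on public cloud infrastructure".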
diff --git a/src/content/partials/cloudflare-one/tunnel/warp-connector-alternate-gateway-flow.mdx b/src/content/partials/cloudflare-one/tunnel/warp-connector-alternate-gateway-flow.mdx
new file mode 100644
index 000000000000000..e9d746288c52e16
--- /dev/null
+++ b/src/content/partials/cloudflare-one/tunnel/warp-connector-alternate-gateway-flow.mdx
@@ -0,0 +1,10 @@
+---
+{}
+---
+
+When a device on the subnet sends a request, the router will first redirect the traffic to the WARP Connector host. WARP Connector encrypts the traffic, changes its destination IP to the [WARP ingress IP](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip), and sends it back to the router. The router will now forward this encrypted traffic to Cloudflare.
+
+:::note
+
+Ensure that your routing rules do not forward the [WARP ingress IP](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip) back to the WARP Connector.
+:::
\ No newline at end of file
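Review bot: The note at the end of this partial tells readers not to forward the WARP ingress IP back to the WARP Connector, but it does not say what goes wrong or how to avoid it. Since the paragraph above has the connector sending the encrypted traffic back to the router, state that such a rule would bounce that traffic between router and connector, and advise limiting the static route to the specific destination ranges rather than a catch-all. The file also ends without a trailing newline.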
diff --git a/src/content/partials/cloudflare-one/tunnel/warp-connector-alternate-gateway.mdx b/src/content/partials/cloudflare-one/tunnel/warp-connector-alternate-gateway.mdx
new file mode 100644
index 000000000000000..b85b3b959c9fb28
--- /dev/null
+++ b/src/content/partials/cloudflare-one/tunnel/warp-connector-alternate-gateway.mdx
@@ -0,0 +1,7 @@
+---
+{}
+---
+
+If you have access to the router but installed WARP Connector on another machine, you can configure the router to forward traffic to the WARP Connector. This typically involves adding a static route for the destination IPs that you want to connect to through Cloudflare. Refer to your router documentation for specific instructions on how to add an IP route.
+
+
\ No newline at end of file
diff --git a/src/content/partials/cloudflare-one/tunnel/warp-connector-default-gateway.mdx b/src/content/partials/cloudflare-one/tunnel/warp-connector-default-gateway.mdx
new file mode 100644
index 000000000000000..d86900345cd4301
--- /dev/null
+++ b/src/content/partials/cloudflare-one/tunnel/warp-connector-default-gateway.mdx
@@ -0,0 +1,7 @@
+---
+{}
+---
+
+If you installed WARP Connector on your router, no additional configuration is necessary. All traffic will use the router as the default gateway.
+
+
\ No newline at end of file
diff --git a/src/content/partials/cloudflare-one/tunnel/warp-connector-device-profile.mdx b/src/content/partials/cloudflare-one/tunnel/warp-connector-device-profile.mdx
new file mode 100644
index 000000000000000..2e18443ba38bdb3
--- /dev/null
+++ b/src/content/partials/cloudflare-one/tunnel/warp-connector-device-profile.mdx
@@ -0,0 +1,17 @@
+---
+{}
+---
+
+A dedicated [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) allows you to manage the WARP Connector host machine separately from WARP client user devices. WARP Connector hosts are registered to your Zero Trust organization with the email address `warp_connector@.cloudflareaccess.com`. To set up a device profile for WARP Connector:
+
+1. [Create a new profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/#create-a-new-profile) that matches on the following expression:
+
+ | Selector | Operator | Value |
+ | -------- | -------- | ----- |
+ | User email | is | `warp_connector@.cloudflareaccess.com` |
+
+2. In the profile settings, ensure that **Service mode** is set to **Gateway with WARP**.
+
+:::note
+`warp_connector@.cloudflareaccess.com` will only match WARP Connectors deployed with WARP client version `2024.9.346.0` and above. WARP Connectors deployed using the legacy workflow will use the generic email for service token registrations (`non-identity@.cloudflareaccess.com`).
+:::
\ No newline at end of file
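Review bot: The closing note says connectors deployed with the legacy workflow register as `non-identity@.cloudflareaccess.com`, but the expression in step 1 matches only `warp_connector@.cloudflareaccess.com`, so those hosts never land in the dedicated profile and the page does not say what to do about them. Add a sentence on how to cover them (a second expression, or redeploying on `2024.9.346.0` or above) and point out that, per the note, `non-identity@` is the generic address for service token registrations, so matching on it pulls in more than WARP Connectors. As written, the addresses have nothing between `@` and `.cloudflareaccess.com`; show the team-name placeholder explicitly.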
diff --git a/src/content/partials/cloudflare-one/tunnel/warp-connector-install.mdx b/src/content/partials/cloudflare-one/tunnel/warp-connector-install.mdx
new file mode 100644
index 000000000000000..0081befa3c4ba78
--- /dev/null
+++ b/src/content/partials/cloudflare-one/tunnel/warp-connector-install.mdx
@@ -0,0 +1,61 @@
+---
+{}
+---
+
+import { Details, GlossaryTooltip } from "~/components";
+
+To install WARP Connector on a host machine:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Networks** > **Tunnels**.
+2. Select **Create a tunnel**.
+3. For the tunnel type, select **WARP Connector**.
+4. You will be prompted to turn on **Warp to Warp** and [**Override local interface IP**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip) if they are currently turned off. These settings allow Cloudflare to assign a unique CGNAT IP to each WARP device and route traffic between them.
+5. Give the tunnel any name (for example, `Subnet-10.0.0.0/24`) and select **Create tunnel**.
+6. Select the operating system of your host machine.
+7. On your host machine, open a terminal window and run the commands shown in the Zero Trust dashboard. Those commands will install the WARP Connector, enable IP forwarding on the host, and connect WARP Connector to your Zero Trust organization.
+
+ :::note[Remote SSH connections]
+
+ If you are managing the deployment remotely over SSH, your connection may drop when you install the WARP Connector. Because the WARP connector immediately starts forwarding traffic to Cloudflare, the remote SSH server's traffic will now route via Cloudflare instead of via the server's public IP. To work around the issue:
+ - **Option 1**: In your WARP Connector [device profile](#3-recommended-create-a-device-profile), temporarily add the public IP of your local machine to the [Split Tunnel Exclude list](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/).
+
+ - **Option 2**: If your local machine is connected to Zero Trust (for example, via the WARP client), you can SSH to the CGNAT IP of the WARP Connector. Traffic to the CGNAT IP must [route through the WARP tunnel](#4-configure-split-tunnels).
+ :::
+
+8. (Optional) Configure IP forwarding:
+
+
+ ```sh
+ echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-warp-svc.conf
+ sudo sysctl -p /etc/sysctl.d/99-warp-svc.conf
+ ```
+
+
+
+ If you are setting up WARP Connector on a host with iptables enabled, make sure that your iptables FORWARD chain includes rules to accept the desired traffic. For testing and troubleshooting purposes, you can set the default policy for the WARP interface to ACCEPT:
+ ```sh
+ iptables -A FORWARD -i CloudflareWARP -J ACCEPT
+ iptables -A FORWARD -o CloudflareWARP -J ACCEPT
+ ```
+
+
+
+9. To verify that the WARP Connector is connected to Cloudflare:
+ ```sh
+ $ warp-cli status
+ Status update: Connected
+ ```
+
+
+
+ If WARP is disconnected, try the following troubleshooting strategies:
+
+ - Run `warp-cli connect`.
+
+ - If your private network uses a firewall to restrict Internet traffic, ensure that it allows the [WARP ports and IPs](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/).
+
+ - Review your [WARP daemon logs](/cloudflare-one/connections/connect-devices/warp/troubleshooting/warp-logs/) for information about why the connection is failing.
+
+
+
+WARP Connector software is now installed but not yet routing traffic.
\ No newline at end of file
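Review bot: In step 8, both iptables commands use `-J ACCEPT`; iptables options are case-sensitive and the jump option is lowercase `-j`, so the lines do not work as written. They also lack `sudo`, unlike the sysctl commands just above. The sentence introducing them says they set the default policy to ACCEPT, but `-A FORWARD` appends accept-all rules for the `CloudflareWARP` interface; reword it and tell readers to remove or narrow these rules once troubleshooting is done. Step 8 is labelled optional although step 7 says the dashboard commands already enable IP forwarding, so say when a reader needs it. The SSH note links to `#3-recommended-create-a-device-profile` and `#4-configure-split-tunnels`, while the headings visible elsewhere in this patch are "2. (Recommended) Create a device profile" and "3. Route CGNAT IPs through Cloudflare"; since this is a shared partial, link by page path rather than a numbered in-page anchor.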
diff --git a/src/content/partials/cloudflare-one/tunnel/warp-connector-intermediate-gateway.mdx b/src/content/partials/cloudflare-one/tunnel/warp-connector-intermediate-gateway.mdx
new file mode 100644
index 000000000000000..7c82d640cdff706
--- /dev/null
+++ b/src/content/partials/cloudflare-one/tunnel/warp-connector-intermediate-gateway.mdx
@@ -0,0 +1,7 @@
+---
+{}
+---
+
+If you do not have access to the router, you will need to configure each device on the subnet to egress through the WARP Connector machine instead of the default gateway.
+
+
\ No newline at end of file
diff --git a/src/content/partials/cloudflare-one/tunnel/warp-connector-linux-packages.mdx b/src/content/partials/cloudflare-one/tunnel/warp-connector-linux-packages.mdx
new file mode 100644
index 000000000000000..892d1feb0af43bd
--- /dev/null
+++ b/src/content/partials/cloudflare-one/tunnel/warp-connector-linux-packages.mdx
@@ -0,0 +1,5 @@
+---
+{}
+---
+
+Check the [system requirements](/cloudflare-one/connections/connect-devices/warp/download-warp/#linux). Package dependencies are the following: `curl`, `gpg`, `iptables`, `iptables-persistent`, `lsb-core`, and `sudo`.
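Review bot: The dependency list names `iptables-persistent` and `lsb-core`, which are Debian/Ubuntu package names, without saying which distributions it applies to. State the distribution, or give the equivalent packages for any other supported distribution.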
diff --git a/src/content/partials/cloudflare-one/tunnel/warp-connector-route-all-traffic.mdx b/src/content/partials/cloudflare-one/tunnel/warp-connector-route-all-traffic.mdx
new file mode 100644
index 000000000000000..8d4e96fb65133ee
--- /dev/null
+++ b/src/content/partials/cloudflare-one/tunnel/warp-connector-route-all-traffic.mdx
@@ -0,0 +1,33 @@
+---
+{}
+---
+
+import { TabItem, Tabs } from "~/components";
+
+You can configure all traffic on a device to egress through WARP Connector with its local source IP. All traffic will be filtered by your Gateway network policies.
+
+
+
+```sh
+sudo ip route add default via dev eth0 metric 101
+```
+
+Ensure that the `metric` value is lower than other default gateways.
+
+
+
+```sh
+sudo route -n change default -interface en0
+```
+
+
+
+
+
+```bash
+route /p add 0.0.0.0 mask 0.0.0.0 metric 101
+```
+
+Ensure that the `metric` value is lower than other default gateways.
+
+
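Review bot: The Linux and Windows examples hard-code `metric 101` while the text says the metric must be lower than that of other default gateways. A reader whose existing default route has a lower metric (100, say) and who copies the command gets a route that is never preferred, and traffic bypasses the Gateway filtering promised in the first paragraph without any error. Tell readers to check the current default route's metric first, choose a smaller value, and confirm afterwards which default route is in use. As shown, `via dev eth0` and the `route /p add 0.0.0.0 mask 0.0.0.0` line have no next-hop address, so name the WARP Connector IP placeholder explicitly. The Windows command is fenced as `bash`.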
diff --git a/src/content/partials/cloudflare-one/tunnel/warp-connector-verify-routes.mdx b/src/content/partials/cloudflare-one/tunnel/warp-connector-verify-routes.mdx
new file mode 100644
index 000000000000000..c4370efabf6cea0
--- /dev/null
+++ b/src/content/partials/cloudflare-one/tunnel/warp-connector-verify-routes.mdx
@@ -0,0 +1,5 @@
+---
+{}
+---
+
+To validate subnet routing, [check your routing table](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#routing-table) and ensure that traffic is routing through the `CloudflareWARP` [virtual interface](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#virtual-interface).