Skip to content

Added information for Warp to Warp with MWAN #22883

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jun 16, 2025
+8 −1
Merged

Added information for Warp to Warp with MWAN #22883

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
49bb213
Added information for Warp to Warp with MWAN
dledfordcf Jun 3, 2025
bcfcba8
Update warp.mdx
dledfordcf Jun 3, 2025
c2b09b6
Update src/content/docs/magic-wan/zero-trust/warp.mdx
marciocloudflare Jun 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion src/content/docs/magic-wan/zero-trust/warp.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,13 @@ head:
- tag: title
content: Use WARP as an on-ramp
---
:::note
By default direct Warp to Warp connections are not supported for machines behind MWAN with Warp connected due to double encapsulation and asymmetric routing.

It's recommended to not connect Warp when a device is in a location behind MWAN, and instead connect to their LAN IP from remote devices connected to Warp instead of using Warp to Warp, as the MWAN onramp will route to remote locations private network, but if you do wish to use Warp inside a MWAN connected location, and directly connect to the devices Warp IP (in the 100.96.0.0/12 range) using Warp to Warp from either remote devices or devices in another location you will need to exclude the 100.96.0.0/12 subnet from you on premises Warp profile and include it in your off premises profile.
Copy link
Contributor

@windsurf-bot windsurf-bot bot Jun 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The second paragraph in the note is a very long run-on sentence (over 100 words) that's difficult to follow. Consider breaking it into multiple shorter sentences for better readability and comprehension.

Copy link
Contributor

@windsurf-bot windsurf-bot bot Jun 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a typo in this sentence: 'exclude the 100.96.0.0/12 subnet from you on premises Warp profile' should be 'exclude the 100.96.0.0/12 subnet from your on premises Warp profile'.

Suggested change
It's recommended to not connect Warp when a device is in a location behind MWAN, and instead connect to their LAN IP from remote devices connected to Warp instead of using Warp to Warp, as the MWAN onramp will route to remote locations private network, but if you do wish to use Warp inside a MWAN connected location, and directly connect to the devices Warp IP (in the 100.96.0.0/12 range) using Warp to Warp from either remote devices or devices in another location you will need to exclude the 100.96.0.0/12 subnet from you on premises Warp profile and include it in your off premises profile.
It's recommended to not connect Warp when a device is in a location behind MWAN, and instead connect to their LAN IP from remote devices connected to Warp instead of using Warp to Warp, as the MWAN onramp will route to remote locations private network, but if you do wish to use Warp inside a MWAN connected location, and directly connect to the devices Warp IP (in the 100.96.0.0/12 range) using Warp to Warp from either remote devices or devices in another location you will need to exclude the 100.96.0.0/12 subnet from your on premises Warp profile and include it in your off premises profile.


This will allow remote devices to route the 100.96.0.0/12 subnet over Warp > Cloudflare Edge > MWAN > Warp connected device on premises, then the return traffic will follow the same flow but in reverse. If 100.96.0.0/12 is included in the Warp tunnel on both ends the traffic flow will be remote Warp > Cloudflare Edge > MWAN > Warp device on premises, but the return traffic will be on premises device Warp tunnel > Cloudflare Edge > Remote device Warp tunnel, which in turn is asymmetric from the remote > on premises flow and will cause the connection to fail.
Copy link
Contributor

@windsurf-bot windsurf-bot bot Jun 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The flow description uses '>' characters which might be interpreted as HTML tags in MDX. Consider using '->' instead for better clarity and to avoid potential rendering issues.

Suggested change
This will allow remote devices to route the 100.96.0.0/12 subnet over Warp > Cloudflare Edge > MWAN > Warp connected device on premises, then the return traffic will follow the same flow but in reverse. If 100.96.0.0/12 is included in the Warp tunnel on both ends the traffic flow will be remote Warp > Cloudflare Edge > MWAN > Warp device on premises, but the return traffic will be on premises device Warp tunnel > Cloudflare Edge > Remote device Warp tunnel, which in turn is asymmetric from the remote > on premises flow and will cause the connection to fail.
This will allow remote devices to route the 100.96.0.0/12 subnet over Warp -> Cloudflare Edge -> MWAN -> Warp connected device on premises, then the return traffic will follow the same flow but in reverse. If 100.96.0.0/12 is included in the Warp tunnel on both ends the traffic flow will be remote Warp -> Cloudflare Edge -> MWAN -> Warp device on premises, but the return traffic will be on premises device Warp tunnel -> Cloudflare Edge -> Remote device Warp tunnel, which in turn is asymmetric from the remote -> on premises flow and will cause the connection to fail.

Copy link

@JohnDaWalka JohnDaWalka Jun 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will connect to my warp tunnel now because I have a permanent connection, and if that does not work, I will utilize the tile scale. I will be looking out for an implicit notice from my partner, Nathaniel bass

:::

import { GlossaryTooltip, Render } from "~/components";

Expand Down Expand Up @@ -83,4 +90,4 @@ nslookup <SERVER_BEHIND_MAGIC_WAN>

This DNS lookup should return a valid IP address associated with the server or service you are testing for.

Next, test with a browser that you can connect to a service on the WAN by opening a webpage that is only accessible on the WAN. The server can be the same server used in the DNS lookup or another server in the WAN. Connecting using an IP address instead of a domain name should work.
Next, test with a browser that you can connect to a service on the WAN by opening a webpage that is only accessible on the WAN. The server can be the same server used in the DNS lookup or another server in the WAN. Connecting using an IP address instead of a domain name should work.