cloudflare · ranbel · Mar 18, 2026 · Mar 18, 2026
@@ -13,9 +13,9 @@
 Global Acceleration is a suite of connectivity offerings designed to simplify your global assets' deployment in China. Global Acceleration is provided by our partners including CMI, CBC Tech, and JD Cloud.

 <Stream
 	id="18457868eb13222051618b0d138e0225"
 	title="Global Acceleration"
 	thumbnail="https://imagedelivery.net/xDOJvHcv1KwTQn6S-BGFIw/2093e8e7-2720-4595-0a4c-5e57ba67bd00/public"
 	chapters={{
 		Introduction: "17s",
 		"Dynamic content outside of Mainland China": "38s",
@@ -66,7 +66,7 @@
 
 ### 1. Validate prerequisites
 
-Ensure that you have a Cloudflare [Enterprise plan](https://www.cloudflare.com/plans/enterprise/) and [China Network](/china-network/), if you want CDN Global Acceleration. the Cloudflare One Client and Cloudflare WAN licenses are required for the Cloudflare One Client Connection or Cloudflare WAN Global Acceleration.
+Ensure that you have a Cloudflare [Enterprise plan](https://www.cloudflare.com/plans/enterprise/) and [China Network](/china-network/), if you want CDN Global Acceleration. Cloudflare One Client and Cloudflare WAN licenses are required for the Cloudflare One Client Connection or Cloudflare WAN Global Acceleration.
 
 ### 2. Sign contract
 

@@ -23,12 +23,12 @@ As our [Network Map](https://www.cloudflare.com/en-gb/network/) shows, we have l
 
 ## Why is my public IP address sometimes visible?
 
-Cloudflare One Client in the Cloudflare One Client mode was meant to ensure all your traffic is kept private between you and the origin (the site you are connecting to), but not from the origin itself. In a number of cases, if the origin site you are communicating with can't determine who you are and where you're from, they can't serve locale relevant content to you.
+The Cloudflare One Client is meant to ensure all your traffic is kept private between you and the origin (the site you are connecting to), but not from the origin itself. In a number of cases, if the origin site you are communicating with can't determine who you are and where you're from, they can't serve locale relevant content to you.
 Sites inside Cloudflare network are able to see this information. If a site is showing you your IP address, chances are they are in our network. Most sites outside our network (orange clouded sites) however are unable to see this information and instead see the nearest egress colo to their server. We are working to see if in the future we can't find a way to more easily share this information with a limited number of gray clouded sites where it is relevant to both parties.
 
 ## Why has my throughput dropped while using the Cloudflare One Client?
 
-the Cloudflare One Client is in part powered by 1.1.1.1. When visiting sites or going to a new location on the Internet, you should see blazing fast DNS lookups. However, the Cloudflare One Client is built to trade some throughput for enhanced privacy, because it encrypts all traffic both to and from your device. While this isn't noticeable at most mobile speeds, on desktop systems in countries where high speed broadband is available, you may notice a drop. We think the tradeoff is worth it though and continue to work on improving performance all over the system.
+The Cloudflare One Client is in part powered by 1.1.1.1. When visiting sites or going to a new location on the Internet, you should see blazing fast DNS lookups. However, the Cloudflare One Client is built to trade some throughput for enhanced privacy, because it encrypts all traffic both to and from your device. While this isn't noticeable at most mobile speeds, on desktop systems in countries where high speed broadband is available, you may notice a drop. We think the tradeoff is worth it though and continue to work on improving performance all over the system.
 
 ## Why is my device not connecting to a public Wi-Fi?
 

@@ -107,7 +107,7 @@
 This error appears if you try to change your [team domain](/cloudflare-one/faq/getting-started-faq/#whats-a-team-domainteam-name) while the [Cloudflare dashboard SSO](/fundamentals/manage-members/dashboard-sso/) feature is enabled on your account.
 Cloudflare dashboard SSO does not currently support team domain changes. Contact your account team for more details.
 
-## the Cloudflare One Client on Linux shows `DNS connectivity check failed`.
+## The Cloudflare One Client on Linux shows `DNS connectivity check failed`.
 
 This error means that the `systemd-resolved` service on Linux is not allowing WARP to resolve DNS requests. You can identify this issue in the [`daemon.log`](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diag-logs) file of the `warp diag` logs, where the error message appears as `ERROR main_loop: warp::warp::connectivity_check: DNS connectivity check failed to resolve host="warp-svc."`.
 
@@ -185,19 +185,19 @@

 If you added a [multi-level subdomain](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-connect-an-application) (more than one level of subdomain), you must [order an Advanced Certificate for the hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-connect-an-application) as Cloudflare's Universal certificate will not cover the public hostname by default.

 ## As of February 2, 2025, my end-user device's browser is returning a `Your connection is not private` warning.

 ### Why am I getting this error?

 The default global Cloudflare root certificate expired on 2025-02-02 at 16:05 UTC. If you installed the default Cloudflare certificate before 2024-10-17, you must [generate a new certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/#generate-a-cloudflare-root-certificate) and activate it for your Zero Trust organization to avoid inspection errors. If you did not generate a new certificate before February 2, 2025, you will encounter browser warnings like `Your connection is not private`.

 Starting with Cloudflare One Client version 2024.12.554.0 and later, the Cloudflare One Client will automatically install Cloudflare certificates in an end-user device's certificate store as soon as the Cloudflare certificates appear as **Available** in the Cloudflare dashboard.

 For Cloudflare One Client versions prior to 2024.12.554.0, certificates had to be marked as **In-Use** in the Cloudflare dashboard before the Cloudflare One Client could push the Cloudflare certificates to an end-user device's certificate store.

 ### What do I need to do?

 For Cloudflare One Client versions before and after 2024.12.554.0, certificate propagation will only occur when the Cloudflare One Client is responsible for automatically installing the certificate on the client device. To enable the Cloudflare One Client to propogate certificates:

 1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Team & Resources** > **Devices**.
 2. Select the **Management** tab.
@@ -249,7 +249,7 @@
   warp-cli tunnel rotate-keys
   ```

 2. [Upgrade](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/update/#how-to-update-warp) to the Cloudflare One Client version 2024.12.554.0.

   Some customers who are on versions earlier than 2024.11.309.0 have experienced inconsistencies with certificate installation and may need to upgrade.

@@ -349,7 +349,7 @@
 
 Check the logs to verify if there are any missing DLLs (for example, `netstandard2.0`), which may point to a missing or outdated version of the .NET Framework.
 
-One common cause is a missing or outdated version of the [.NET Framework Runtime](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/#windows:~:text=NET%20Framework%20version-,4.7.2%20or%20later,-HD%20space). the Cloudflare One Client requires a .NET Framework version of `4.7.2` or later.
+One common cause is a missing or outdated version of the [.NET Framework Runtime](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/#windows:~:text=NET%20Framework%20version-,4.7.2%20or%20later,-HD%20space). The Cloudflare One Client requires a .NET Framework version of `4.7.2` or later.
 
 Some legacy Windows systems (such as Windows 10 Enterprise 1607 LTSB, which is bundled with .NET `4.6`) do not include this runtime by default and may fail during installation with a `Setup Wizard ended prematurely` error. More recent Windows versions include .NET `4.7.2` or later by default and do not encounter this error.
 

@@ -275,7 +275,7 @@ In this example, "private network" refers to a distinct environment (such as sta
 <Tabs>
 <TabItem label="Version 2026.2+">
 
-1. Open the Cloudflare One client.
+1. Open the Cloudflare One Client.
 2. Go to **Home**.
 3. In the **VNET** dropdown, choose the virtual network you want to connect to (for example, `staging-vnet`).
 

@@ -10,7 +10,7 @@ sidebar:
 
 import { Render } from "~/components";
 
-the Cloudflare One Client to Tunnel allows users to connect to RDP servers using their preferred RDP client. Cloudflare Tunnel creates a secure, outbound-only connection from your RDP server to Cloudflare's global network; this requires running the `cloudflared` daemon on the server (or any other host machine within the private network). Users install the [Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) on their device and enroll in your Zero Trust organization. Remote devices will be able to connect as if they were on your private network. By default, all devices enrolled in your organization can connect to the RDP server unless you build policies to allow or block specific users.
+The [Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) allows users to connect to RDP servers using their preferred RDP client. Cloudflare Tunnel creates a secure, outbound-only connection from your RDP server to Cloudflare's global network; this requires running the `cloudflared` daemon on the server (or any other host machine within the private network). Users install the Cloudflare One Client on their device and enroll in your Zero Trust organization. Remote devices will be able to connect as if they were on your private network. By default, all devices enrolled in your organization can connect to the RDP server unless you build policies to allow or block specific users.
 
 This example walks through how to set up an RDP server on a Google Cloud Platform (GCP) virtual machine (VM), but you can use any machine that supports RDP connections.
 

@@ -24,7 +24,7 @@ When planning your private network addressing and configuring [Split Tunnel](/cl
 
 | Name                                                          | Default CIDR               | Configurable |
 | ------------------------------------------------------------- | -------------------------- | ------------ |
-| [device IPs](#device-ips)                           | `2606:4700:0cf1:1000::/64` | No           |
+| [Device IPs](#device-ips)                           | `2606:4700:0cf1:1000::/64` | No           |
 | [Gateway initial resolved IPs](#gateway-initial-resolved-ips) | `2606:4700:0cf1:4000::/64` | No           |
 | [Cloudflare source IPs](#cloudflare-source-ips)               | `2606:4700:0cf1:5000::/64` | No           |
 

@@ -29,7 +29,7 @@ The Client Certificate device posture attribute checks if the device has a valid
 
 ## Prerequisites
 
-- A CA that issues client certificates for your devices. the Cloudflare One Client does not evaluate the certificate trust chain; this needs to be the issuing certificate.
+- A CA that issues client certificates for your devices. The Cloudflare One Client does not evaluate the certificate trust chain; this needs to be the issuing certificate.
 
   :::note[Upload the signing certificate that issued the client certificate]
 
@@ -86,10 +86,10 @@ To generate a sample root CA for testing, refer to [Generate mTLS certificates](
       	files or the same file.
       </Details>
    4. **Certificate ID**: Enter the UUID of the signing certificate.
-   5. **Common name**: (Optional) To check for a Common Name (CN) on the client certificate, enter a string with optional `${serial_number}` and `${hostname}` variables (for example, `${serial_number}_mycompany`). the Cloudflare One Client will search for an exact, case-insensitive match. If you do not specify a common name, the Cloudflare One Client will ignore the common name field on the certificate.
+   5. **Common name**: (Optional) To check for a Common Name (CN) on the client certificate, enter a string with optional `${serial_number}` and `${hostname}` variables (for example, `${serial_number}_mycompany`). The Cloudflare One Client will search for an exact, case-insensitive match. If you do not specify a common name, the Cloudflare One Client will ignore the common name field on the certificate.
    6. **Check for Extended Key Usage**: (Optional) Check whether the client certificate has one or more attributes set. Supported values are **Client authentication** (`1.3.6.1.5.5.7.3.2`) and/or **Email** (`1.3.6.1.5.5.7.3.4`).
    7. **Check for private key**: (Recommended) When enabled, WARP checks that the device has a private key associated with the client certificate.
-   8. **Subject Alternative Name**: (Optional) To check for a Subject Alternative Name (SAN) on the client certificate, enter a string with optional `${serial_number}` and `${hostname}` variables (for example, `${serial_number}_mycompany`). the Cloudflare One Client will search for an exact, case-insensitive match. You can add multiple SANs to the posture check — a certificate only needs to match one SAN for the check to pass.
+   8. **Subject Alternative Name**: (Optional) To check for a Subject Alternative Name (SAN) on the client certificate, enter a string with optional `${serial_number}` and `${hostname}` variables (for example, `${serial_number}_mycompany`). The Cloudflare One Client will search for an exact, case-insensitive match. You can add multiple SANs to the posture check — a certificate only needs to match one SAN for the check to pass.
 
 6. Select **Save**.
 

@@ -75,7 +75,7 @@ To activate the override code on a user device:
 <Tabs>
 <TabItem label="Version 2026.2+">
 
-1. Open the Cloudflare One client and go to **Settings**.
+1. Open the Cloudflare One Client and go to **Settings**.
 2. In **Temporarily disconnect Cloudflare One Client**, select **Enter admin code**.
 3. Enter the override code and select **Disconnect**.
 
@@ -379,7 +379,7 @@ To turn on local network access in the Cloudflare One Client:
 
 <TabItem label="Windows and macOS">
 
-1. Open the Cloudflare One client and go to **Settings**.
+1. Open the Cloudflare One Client and go to **Settings**.
 2. In **Temporarily access local network resources**, select **Access resources**.
 
 <Details header="Version 2026.1 and earlier">

@@ -84,7 +84,7 @@ To switch to a different organization as a user:
 
 <Tabs> <TabItem label="Windows, macOS, and Linux">
 
-1. Open the Cloudflare One client on your device.
+1. Open the Cloudflare One Client on your device.
 2. Go to **Home**. The **Configuration** dropdown will show the organizations that the admin has configured for your device.
 
 <Details header="Version 2026.1 and earlier">

@@ -270,7 +270,7 @@ The device is not authenticated to an [organization](/cloudflare-one/setup/#crea
 <Tabs>
 <TabItem label="Version 2026.2+">
 
-1.  Launch the Cloudflare One client.
+1.  Launch the Cloudflare One Client.
 2.  Go to **Profile** > **Account information**.
 3.  Select **Re-Authenticate**.
 4.  Complete the authentication steps required by your organization.

@@ -53,7 +53,7 @@ After updating the Cloudflare One Client, monitor the issue to see if it recurs.
 <Tabs>
 <TabItem label="Version 2026.2+">
 
-1.  Open the Cloudflare One client on your desktop.
+1.  Open the Cloudflare One Client on your desktop.
 2.  Select **About**.
 3.  Compare your device's version with the [latest version](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).
 
@@ -479,7 +479,7 @@ Both methods update the client with the latest configuration.
 <Tabs>
 <TabItem label="Version 2026.2+">
 
-1. On the end user device, open the Cloudflare One client and select **Disconnect**.
+1. On the end user device, open the Cloudflare One Client and select **Disconnect**.
 
 :::note[What if the end user cannot disconnect?]
 If the end user does not see the [disconnect button](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#lock-warp-switch), they will need to enter an [admin override code](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes).

@@ -42,14 +42,14 @@ To configure the Cloudflare One Client to install a root certificate on your org
 5. [Enroll the device](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) in your Zero Trust organization.
 6. (Optional) If the device is running macOS Big Sur or newer, [manually trust the certificate](#manually-trust-the-certificate).
 
-the Cloudflare One Client will now download any [certificates set to **Available**](/cloudflare-one/team-and-resources/devices/user-side-certificates/#activate-a-root-certificate). After download, the Cloudflare One Client will add the certificates to the device's system certificate store in `installed_certs/<certificate_id>.pem` and append the contents to the `installed_cert.pem` file. If you have any scripts using `installed_cert.pem`, Cloudflare recommends you set them to use the individual files in the `installed_certs/` directory instead. `installed_certs.pem` will be deprecated by 2025-06-31.
+The Cloudflare One Client will now download any [certificates set to **Available**](/cloudflare-one/team-and-resources/devices/user-side-certificates/#activate-a-root-certificate). After download, the Cloudflare One Client will add the certificates to the device's system certificate store in `installed_certs/<certificate_id>.pem` and append the contents to the `installed_cert.pem` file. If you have any scripts using `installed_cert.pem`, Cloudflare recommends you set them to use the individual files in the `installed_certs/` directory instead. `installed_certs.pem` will be deprecated by 2025-06-31.
 
 :::note
 
 <Render file="warp/client-notification-lag" product="cloudflare-one" />
 :::
 
-the Cloudflare One Client does not install certificates to individual applications. You will need to [manually add certificates](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to applications that rely on their own certificate store instead of the system certificate store.
+The Cloudflare One Client does not install certificates to individual applications. You will need to [manually add certificates](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to applications that rely on their own certificate store instead of the system certificate store.
 
 ## Access the installed certificate
 
@@ -118,6 +118,6 @@ The Cloudflare One Client will also place the certificate in `/var/lib/cloudflar
 
 ## Uninstall the certificate
 
-If the certificate was installed by the Cloudflare One Client, it is automatically removed when you turn on another certificate for inspection in Cloudflare One, turn off **Install CA to system certificate store**, or [uninstall the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/uninstall/). the Cloudflare One Client does not remove certificates that were installed manually (for example, certificates added to third-party applications).
+If the certificate was installed by the Cloudflare One Client, it is automatically removed when you turn on another certificate for inspection in Cloudflare One, turn off **Install CA to system certificate store**, or [uninstall the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/uninstall/). The Cloudflare One Client does not remove certificates that were installed manually (for example, certificates added to third-party applications).
 
 To manually remove the certificate, refer to the instructions supplied by your operating system or the third-party application.
@@ -38,7 +38,7 @@ First, [generate](/cloudflare-one/team-and-resources/devices/user-side-certifica
 4. Select **More actions**.
 5. Depending on which format you want, choose **Download .pem** and/or **Download .crt**.
 
-Alternatively, you can download and install a certificate [using the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment/#install-a-certificate-using-the-cloudflare-one-client). the Cloudflare One Client will add the certificates to the device's system certificate store in `installed_certs/<certificate_id>.pem`.
+Alternatively, you can download and install a certificate [using the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment/#install-a-certificate-using-the-cloudflare-one-client). The Cloudflare One Client will add the certificates to the device's system certificate store in `installed_certs/<certificate_id>.pem`.
 
 ## 2. Verify the downloaded certificate
 

@@ -35,7 +35,7 @@ You can filter DNS queries from individual devices (for example, employee laptop
 
 To filter DNS requests from an individual device such as a laptop or phone:
 
-1. [Install the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) on your device. the Cloudflare One Client is a lightweight agent that routes the device's DNS queries through Cloudflare so Gateway can inspect and filter them.
+1. [Install the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) on your device. The Cloudflare One Client is a lightweight agent that routes the device's DNS queries through Cloudflare so Gateway can inspect and filter them.
 2. [Enroll the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) in your organization's <GlossaryTooltip term="team name">Zero Trust instance</GlossaryTooltip> [^1]. This tells WARP which Gateway policies to enforce.
 3. (Optional) If you want to display a [custom block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) instead of a generic browser error when a request is blocked, [install a Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device.
 

@@ -47,7 +47,7 @@ To verify your device is connected to Cloudflare One:
   <Tabs>
 	<TabItem label="Version 2026.2+">
 
-   1. Open the Cloudflare One client.
+   1. Open the Cloudflare One Client.
    2. Go to **Profile**.
    3. Note the **Client Interface IP**. This is the same address that will appear as the Source IP in your network logs.
   </TabItem>