Connect an IP/CIDR
This guide covers how to enable secure remote access to private IP addresses using cloudflared and WARP. You can connect an entire private network, a subnet, or an application defined by a static IP.
To connect your infrastructure with Cloudflare Tunnel:
- Create a Cloudflare Tunnel for your server by following our dashboard setup guide. You can skip the connect an application step and go straight to connecting a network.
- In the Private Networks tab for the tunnel, enter the IP/CIDR range that you wish to route through the tunnel (for example
10.0.0.0/8).
To connect your devices to Cloudflare:
- Deploy the WARP client on your devices in Gateway with WARP mode or generate a proxy endpoint and deploy a PAC file.
- Create device enrollment rules to determine which devices can enroll to your Zero Trust organization.
By default, WARP excludes traffic bound for RFC 1918 space ↗, which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your private network, you must configure Split Tunnels so that the IP/CIDR of your private network routes through WARP.
-
First, check whether your Split Tunnels mode is set to Exclude or Include mode.
-
Edit your Split Tunnel routes depending on the mode:
If you are using Exclude mode:
a. Delete the route containing your private network's IP/CIDR range. For example, if your network uses the default AWS range of
172.31.0.0/16, delete172.16.0.0/12.b. Re-add IP/CIDR ranges that are not explicitly used by your private network. For the AWS example above, you would add new entries for
172.16.0.0/13,172.24.0.0/14,172.28.0.0/15, and172.30.0.0/16. This ensures that only traffic to172.31.0.0/16routes through WARP.You can use the following calculator to determine which IP addresses to re-add:
Calculator instructions
- In Base CIDR, enter the RFC 1918 range that you deleted from Split Tunnels.
- In Excluded CIDRs, enter the IP/CIDR range used by your private network.
- Re-add the calculator results to your Split Tunnel Exclude mode list.
By tightening the private IP range included in WARP, you reduce the risk of breaking a user's access to local resources.
If you are using Include mode:
- Add the required Zero Trust domains or IP addresses to your Split Tunnel include list.
- Add a route to include your private network's IP/CIDR range.
By default, all WARP devices enrolled in your Zero Trust organization can connect to your private network through Cloudflare Tunnel. You can configure Gateway to inspect your network traffic and either block or allow access based on user identity and device posture. To learn more about policy design, refer to Secure your first application.
To start logging and filtering network traffic, turn on the Gateway proxy:
- Go to Settings > Network.
- In Firewall, turn on Proxy.
- Select TCP.
- (Recommended) To proxy traffic to internal DNS resolvers, select UDP.
- (Recommended) To proxy traffic for diagnostic tools such as
pingandtraceroute, select ICMP. You may also need to update your system to allow ICMP traffic throughcloudflared.
Proxy settings are not currently supported by the Terraform v5 provider (as of version 5.3.0). To turn on the Gateway proxy, use the dashboard or API.
Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your split tunnel settings. For more information on how Gateway forwards traffic, refer to Gateway proxy.
To prevent WARP users from accessing your entire private network, we recommend creating a catch-all block policy for your private IP space. You can then layer on higher priority Allow policies which grant users access to specific applications or IPs.
If you have applications clearly defined by IPs or hostnames, we recommend creating an Access application and managing user access alongside your SaaS and other web apps. Alternatively, if you prefer to secure a private network using a traditional firewall model, you can build Gateway network and DNS policies for IP ranges and domains.
For more information on building Gateway policies, refer to Secure your first application and Common network policies.
End users can now reach HTTP or TCP-based services on your network by visiting any IP address in the range you have specified.
To allow users to reach the service using its private hostname instead of its IP, refer to Private DNS.
To check that their device is properly configured, the user can visit https://help.teams.cloudflare.com/ to ensure that:
- The page returns Your network is fully protected.
- In HTTP filtering, both WARP and Gateway Proxy are enabled.
- The Team name matches the Zero Trust organization from which you created the tunnel.
Check the local IP address of the device and ensure that it does not fall within the IP/CIDR range of your private network. For example, some home routers will make DHCP assignments in the 10.0.0.0/24 range, which overlaps with the 10.0.0.0/8 range used by most corporate private networks. When a user's home network shares the same IP addresses as the routes in your tunnel, their device will be unable to connect to your application.
To resolve the IP conflict, you can either:
- Reconfigure the user's router to use a non-overlapping IP range. Compatible routers typically use
192.168.1.0/24,192.168.0.0/24or172.16.0.0/24. - Tighten the IP range in your Split Tunnel configuration to exclude the
10.0.0.0/24range. This will only work if your private network does not have any hosts within10.0.0.0/24. - Change the IP/CIDR of your private network so that it does not overlap with a range commonly used by home networks.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark