r/CloudFlare: Site to Site Tunnel over WARP

This article archives a conversation, which took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle), in a Q&A format.

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/yi5kg5/site_to_site_tunnel_over_warp/

Question

So, I finally got the tunnels working. I can connect to my main site's resources with no issues. Now I want to set up my current site as a tunnel also so I can access my home PC through WARP on my phone. I went through all the steps and set it up.

When I disable WARP, I can access my local network just fine, but when I turn on WARP, I can access all my main site resources, but I can't access anything on my local network. I have been scratching my head at this for a few days now. Any help is appreciated.

I had to uninstall the tunnel at home to get things working again, but I can’t access my home PC through it. I don't want to make the RDP public, even though that might solve my problem.

Answer

Please check your settings for Local Domain Fallback as well as in which mode your WARP is running, Include or Exclude mode. Every setting I mentioned is in the Cloudflare Teams settings.

Comment 1 on Answer

I have fallback domain set to the domain of the main site. The second site is a subdomain of that site. I have DNS entries for both sites on the main DC DNS server.

Site 1: example.com

Site 2: site2.example.com

Include mode with each private network listed: 10.0.10.0/24 and 10.0.20.0/24

Access works fine when I'm on my phone and I can access both resources, but when I get onto my home computer and turn on WARP, all internal resources stop responding on 10.0.20.0/24, but I can access the internet and all resources from 10.0.10.0/24. DNS resolves too. When I ping a local resource by hostname, I get the right local IP, but I can't connect to it.

My response to comment 1

Do you have overlapping subnets between your home and your business network, perchance? That would explain the home network not being available when the business network is reachable via WARP.

Comment 1.1 on Answer

So, both sites have a tunnel. I have the tunnel and the warp client on my home PC.

Site 1: 10.0.10.0/24

Site 2 (Home): 10.0.20.0/24

I want to be able to access both sites remotely. But when I'm inside site 2, I should still be able to access both sites.

My response to comment 1.1

The underlying problem here is that the WARP client takes the traffic pointing to site 2 (even though it is local, and since you included it in the route) and wants to route it through Cloudflare and the tunnel back to Site 2, which will not work.

Also, please relocate the tunnel you have for site 2 to another device which can dedicate its service to just the cloudflared daemon.

My only solution for this is that you switch off the WARP client on your device once you want to access site 2 when at home and switch it on for site 1 access.

I checked the docs but you can't manually add or remove routes to the WARP client for one device only.
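An added diagnostic to illustrate the route capture described above; it is not code from the original thread and uses constructed values only. It checks whether any subnet a device is directly attached to overlaps a route in the Include-mode split tunnel list, which is exactly the condition under which the WARP client pulls local LAN traffic into the tunnel.

```python
"""Flag WARP Include-mode routes that overlap a device's local subnets.

Constructed scenario from the thread: the home PC sits on 10.0.20.0/24
and the split-tunnel Include list carries both site subnets. Any local
subnet that overlaps an included route is captured by the WARP client
and sent via Cloudflare instead of staying on the LAN.
"""
from ipaddress import ip_network


def find_route_conflicts(include_routes, local_subnets):
    """Return (local_subnet, include_route, kind) for every overlap.

    include_routes: CIDR strings from the Include-mode split tunnel list.
    local_subnets:  CIDR strings of networks the device is directly on.
    kind is "full" when the whole local subnet is inside the route
    (every LAN host is tunneled) and "partial" when only part of it is.
    """
    conflicts = []
    for local in local_subnets:
        local_net = ip_network(local, strict=False)
        for route in include_routes:
            route_net = ip_network(route, strict=False)
            if not local_net.overlaps(route_net):
                continue
            kind = "full" if local_net.subnet_of(route_net) else "partial"
            conflicts.append((str(local_net), str(route_net), kind))
    return conflicts


def describe(conflicts):
    """Human-readable summary of what each conflict means for the device."""
    if not conflicts:
        return "No local subnet is covered by an Include-mode route."
    return "\n".join(
        f"local {local} overlaps included route {route} ({kind}): "
        "traffic to those hosts leaves via WARP and loops back through "
        "the tunnel instead of staying on the LAN"
        for local, route, kind in conflicts
    )


if __name__ == "__main__":
    # Constructed values matching the thread: both sites are included.
    INCLUDE_ROUTES = ["10.0.10.0/24", "10.0.20.0/24"]
    # The home PC (site 2) is directly attached to 10.0.20.0/24.
    HOME_PC_LOCAL = ["10.0.20.0/24"]
    print(describe(find_route_conflicts(INCLUDE_ROUTES, HOME_PC_LOCAL)))
```

Running it against the thread's values reports the 10.0.20.0/24 overlap as a full capture, which is why the home LAN went dark the moment WARP came up.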

Comment 1.2 on Answer

That's what I thought. I just wanted a second opinion. I have a VPN set up for home if I need to RDP into my home PC; I was just trying to find an all-in-one solution.

So Cloudflare needs to add a way to deploy different configurations to different device groups.

My response to comment 1.2

"So Cloudflare needs to add a way to deploy different configurations to different device groups."

Yes, exactly.

I had a similar problem where one device should have access to the Included subnets all the time but another only on specific occasions. I was able to get around that using proxy mode, so if the other device needs to call the tunnel, the app has to go through a local SOCKS5 proxy.

This is configurable via the mdm.xml file.

Comment 1.3 on Answer

Funny enough, when I moved the tunnel onto an Ubuntu virtual machine, access to my internal networks was restored while on WARP. The only side effect I have been able to find so far is that I can't RDP from my phone over the Internet if WARP is on on my computer. But hey, I guess the VPN is plan B.

My response to comment 1.3

Yes, this is plausible because cloudflared and the WARP client don't clash and also don't loop the traffic to each other anymore.

But you will notice that the bandwidth to site 2 while in site 2 will be lower, latency higher and overall snappiness is reduced, because the traffic takes the long route to its destination now.

Comment 1.4 on Answer

A small price to pay I suppose.