Getting Started with Cloudflare Warp

Adam Listek


In the past, VPN tunnels have been challenging to set up and hard for folks to use. The Cloudflare WARP client is a fast and modern VPN, built on top of the secure WireGuard protocol and free for everyone to use, consumer or business alike.

In this article, you will learn how to use the Cloudflare WARP client and see how the Cloudflare WARP client is built for more than just consumer use. Cloudflare Teams, a zero-trust secure web gateway, leverages the WARP client to secure the network traffic of end-user systems to an internal system as well as the internet.

Prerequisites

To follow along with the Cloudflare Teams enrollment, you need an existing Cloudflare Teams account set up. To use PowerShell commands, any recent version of PowerShell will work, and 7.1 is used in this article. In addition, all steps in this article are performed on a recent version of Windows 10.

Installing the Cloudflare WARP client

The Cloudflare WARP client is cross-platform, with installation instructions for multiple operating systems. In this article, you're going to install the Windows version of Cloudflare WARP, but the client is also available for mobile via the Google Play Store. Read on to learn how to get started!

First, download the latest version of the Windows x64 client, which for this article is 1.5.461.0. Next, run the downloaded package and install with defaults.

Starting a VPN Connection with the Cloudflare WARP Client

Now that you have installed the Cloudflare WARP client, the installation program will make a system tray icon available to control the Cloudflare WARP client. To start the VPN connection, follow the steps below.

1. Click on the Cloudflare WARP client contained within the system tray.

System tray icon for Cloudflare WARP.

2. Now, click Next on the “What is WARP?” screen and Accept on the “Our Commitment to Privacy” screen. These screens appear the first time you use Cloudflare WARP.

Welcome to the Cloudflare WARP message.
Cloudflare WARP privacy agreement.

3. Click the toggle button to enable a secure VPN connection and connect to the Cloudflare network. The connection is disabled by default.

Enabled Cloudflare WARP client connection.

4. Finally, verify the VPN is connected by using PowerShell to check the IP address the world sees your traffic coming from. Run the Invoke-RestMethod cmdlet to query the ipify.org service. As shown below, the IP is different after the Cloudflare WARP VPN has been enabled.

Invoke-RESTMethod -URI 'https://api.ipify.org?format=json' | Select-Object -ExpandProperty IP
Invoke Rest Method
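
An IP change alone does not show which path the traffic took. The added example below (not from the original article) parses the key=value text returned by Cloudflare's https://www.cloudflare.com/cdn-cgi/trace endpoint and reports its warp and gateway fields; the function names and the sample trace are constructed for illustration.

```powershell
# Added example: hypothetical helpers, not part of the WARP client.
function ConvertFrom-CloudflareTrace {
    param([Parameter(Mandatory)][string]$Text)
    $fields = [ordered]@{}
    foreach ($line in ($Text -split "`r?`n")) {
        # Split on the first '=' only; values such as the user agent may contain '='.
        $key, $value = $line -split '=', 2
        if ($key -and $null -ne $value) { $fields[$key.Trim()] = $value.Trim() }
    }
    [pscustomobject]$fields
}

function Test-WarpConnection {
    param([string]$TraceText)
    if (-not $TraceText) {
        # Live query; the endpoint answers with plain text, one key=value per line.
        $TraceText = Invoke-RestMethod -Uri 'https://www.cloudflare.com/cdn-cgi/trace'
    }
    $trace = ConvertFrom-CloudflareTrace -Text $TraceText
    [pscustomobject]@{
        EgressIP  = $trace.ip
        Colo      = $trace.colo
        Warp      = $trace.warp      # off, on or plus
        Gateway   = $trace.gateway   # on when Cloudflare Gateway filtering applies
        Tunnelled = $trace.warp -in 'on', 'plus'
    }
}

# Constructed sample trace (documentation IP address), so the example runs offline.
$sample = @'
h=www.cloudflare.com
ip=203.0.113.25
colo=WAW
tls=TLSv1.3
warp=on
gateway=off
'@

Test-WarpConnection -TraceText $sample

# Live check against the current connection (needs network access):
# Test-WarpConnection
```

Run the live check once with the toggle off and once with it on; Tunnelled should change from False to True.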

Configuring the Cloudflare WARP Client

Now that you have installed the client, more advanced installation scenarios are possible with configuration options in the Cloudflare WARP client. Access the Cloudflare WARP client preferences by clicking on the gear icon and choosing the Preferences menu item.

Preferences menu item.

Connection Options

Several preferences screens offer information only, such as General, but others allow configuration. Customize client behavior by clicking on the Connection pane. Here you can explicitly add Wi-Fi networks, under the Network Name section, on which the VPN connection is paused, or even disable the WARP client for all Wi-Fi or wired networks.

In addition, you may customize the DNS Protocol option used in Cloudflare WARP and how the 1.1.1.1 for Families DNS service behaves, an option that allows for blocking content such as malware sites. The DNS Protocol option tells Cloudflare WARP which method to use to route DNS requests.

The Gateway DoH Subdomain option is intended for use with Cloudflare Teams. The Gateway DoH Subdomain is an account-specific value used to route all DNS requests for filtering against user-specified filter policies.

Connection preferences page.

Configuring Split Networks

By default, when the Cloudflare WARP client is active, all traffic is sent over the VPN tunnel. There may be times when you do not want to send all traffic over the Cloudflare network. Within the Cloudflare WARP client, you can define certain routes whose traffic will not be proxied through the VPN.

Navigate to the Advanced → Split Tunnels section of the Preferences dialog to modify excluded IP addresses or routes.

Advanced preferences page.

Several default routes are already configured, but if you have a specific route to exclude, click the plus button to enter a specific route.

Split Tunnels configuration.

Defining Local Domain Fallback Entries

Much like the internet route option, you may also specify domains that will be excluded from the Cloudflare WARP VPN, known as Local Domain Fallback entries. When excluded, these domains will fall back to using the local DNS resolvers on the system. The excluded domain may be a local intranet site or a corporate network.

Add an entry by navigating to Advanced → Local Domain Fallback and clicking on the plus button to enter a domain and optional description.

Entering a Fallback Domain.

Configuring Proxy Mode

The final advanced feature is the ability for Cloudflare WARP to act as a local proxy server. Perhaps you only want a specific application to route its traffic through the Cloudflare WARP VPN; with the local proxy server option, you can do just that.

The option defines a local proxy server, in the format localhost:port (default port is 4000), that a SOCKS or HTTPS client may be configured to connect to and send traffic over.

Enabling the local proxy server.

Combining the Cloudflare WARP client with Cloudflare Teams

If you are a user of Cloudflare Teams, you can extend the VPN connection provided by the Cloudflare WARP client to filter all DNS queries via Cloudflare Gateway DoH and to apply HTTP filtering. There are three steps to make DNS and HTTP filtering work with Cloudflare Teams.

  1. Install the root Cloudflare certificate to allow Cloudflare to inspect and filter SSL traffic.
  2. Configure the Gateway DoH Subdomain, a value specific to an account to route DNS requests for filtering.
  3. Configure a device registration to connect a given device to a Cloudflare Teams account.

Let’s dive in and see how to combine these two tools.

Installing the Root Cloudflare Certificate

As a prerequisite to enabling HTTP filtering for Cloudflare Teams over the Cloudflare WARP client, you must first download, install, and trust the Cloudflare Root certificate to allow Cloudflare to inspect and filter SSL traffic. Follow along below to install the certificate on Windows 10.

1. First, download the root CA certificate.

2. Next, double-click on the certificate to start the installation.

Certificate Information.
Certificate Details.

3. Click on Install Certificate and then choose Local Machine to import the certificate for use with all users on the system.

Choose Local Machine to import the certificate to.

4. Choose the option for “Place all certificates in the following store,” choose the Trusted Root Certification Authorities store, and click OK.

As the Cloudflare root CA certificate is not intended for public use, your system will not trust this certificate by default. Installing it in the trusted root store tells your system to trust the certificates Cloudflare presents when it inspects this traffic.

Placing the certificate in the Trusted Root Certification Authorities certificate store.

5. Finally, click Finish to complete the certificate import.
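
The GUI steps above can also be scripted with a check before the trust decision is made. This added example (not from the original article) refuses to add the downloaded file to the Local Machine trusted root store unless its SHA-256 fingerprint matches a value you obtained from a source you trust; the function name, file path and fingerprint placeholder are assumptions, and it must run in an elevated PowerShell 7 session.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example: hypothetical helper, not part of the WARP client or Cloudflare tooling.
function Install-VerifiedRootCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,           # downloaded root CA file
        [Parameter(Mandatory)][string]$ExpectedSha256  # fingerprint from a trusted source
    )
    # Accept fingerprints written with spaces or colons.
    $expected = ($ExpectedSha256 -replace '[\s:]', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{64}$') {
        throw 'ExpectedSha256 must be 64 hex digits.'
    }

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = [X509Certificate2]::new($file)
    $actual = $cert.GetCertHashString([HashAlgorithmName]::SHA256)
    if ($actual -ne $expected) {
        throw "Fingerprint mismatch: file has $actual. Certificate NOT installed."
    }

    # A root CA must be flagged as a CA and be inside its validity period.
    $bc = $cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) { throw 'Not a CA certificate.' }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw 'Certificate is outside its validity period.'
    }

    # Same destination as the wizard: Local Machine, Trusted Root Certification Authorities.
    $store = [X509Store]::new([StoreName]::Root, [StoreLocation]::LocalMachine)
    try {
        $store.Open([OpenFlags]::ReadWrite)
        $store.Add($cert)
    }
    finally { $store.Close() }

    [pscustomobject]@{
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        Sha256   = $actual
        Store    = 'LocalMachine\Root'
    }
}

# Usage (placeholder path and fingerprint; substitute your own values):
# Install-VerifiedRootCertificate -Path '.\cloudflare-root-ca.crt' -ExpectedSha256 '<SHA-256 fingerprint>'
```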

Configuring a DNS over HTTPS (DoH) Subdomain

To allow the WARP client to use DNS filtering within Cloudflare Teams, you need to locate the DoH subdomain within Cloudflare Teams, which gives your system a Cloudflare account-specific location to filter DNS traffic against. To do so, follow the steps below.

1. First, log in via a web browser to the Cloudflare Teams dashboard.

2. Next, navigate to Gateway → Locations and click on Add Location. The location is a descriptive name for a set of DNS and HTTP filtering policies.

Adding a new location into Cloudflare Teams.

3. Name your location, set to External as an example in this article, and click Add Location.

Creating a new location.

4. Copy the highlighted subdomain section and click Done to add the location. The copied text will then be used in the Cloudflare WARP client.

Copying the subdomain for DoH set up in the Cloudflare WARP client.

5. Within the Cloudflare WARP client preferences Connection pane, enter the DoH subdomain of the newly created location and click Save.

Configuring the Gateway DoH Subdomain.

Enrolling the Cloudflare WARP Client in Cloudflare Teams

The final step for configuring the Cloudflare WARP client for Cloudflare Teams is device registration and enrollment. The registration and enrollment step ensures that you are in explicit control of what devices are filtered.

Creating a Device Enrollment Policy

1. Open the Cloudflare Teams dashboard and navigate to Settings → Devices. Click on Manage under Device Enrollment.

Navigating to the Manage Device Enrollment settings.

2. Click on Add Rule.

Creating a new Device Enrollment policy.

3. Create an Allow device rule with an include set to Everyone. By setting this rule to Everyone, any device explicitly registered will be allowed without meeting additional conditions such as a specific country. Leave all other values at their defaults and click on Save.

Create an Allow rule set to include Everyone.

4. Set a Session Duration before requiring a login and click Save. Here it is set to 1 month, the maximum, but set yours to an appropriate length.

Set the session duration to a maximum of 1 month.

Registering the Cloudflare WARP Client

With the location and enrollment policies defined, you must register the device with Cloudflare Teams to start using the DNS and HTTP filtering abilities.

1. Open the Cloudflare WARP client preferences and navigate to the Account page. Once there, click on the Login with Cloudflare for Teams button.

Navigate to the Cloudflare WARP client Preferences → Account.

2. Click Next on the overview prompt and Accept on the Privacy prompt.

Cloudflare Teams informational pop-up.
Cloudflare Teams overview pop-up.
Privacy agreement.

3. Enter the Cloudflare Teams account name. You can find the account name on the Cloudflare Teams dashboard, Settings → General Settings → Team domain.

Entering the team name for registration.

4. Sign in to register your device with Cloudflare for Teams.

Signing in to the Cloudflare Teams account.

5. If the sign-in was successful, you will see a success message. If so, click OK to dismiss.

Success message.

Finally, the Cloudflare WARP client will have a different look to indicate that it is now connected to Teams rather than the WARP network by itself, as shown below.

Cloudflare WARP client

Conclusion

The Cloudflare WARP client makes securing an internet connection quick with minimal configuration. By focusing on speed and portability, this cross-platform VPN lets you secure your connection with less of a performance hit.

What will you use Cloudflare WARP to secure?
