WARP with legacy VPN
We understand that you may be required to run a legacy third-party VPN alongside the Cloudflare WARP client. Because the WARP client and third-party VPN both enforce firewall, routing, and DNS rules on your local device, the two products will compete with each other for control over network traffic.
For the most stable and consistent connection, we recommend using Cloudflare Tunnel to connect your private network or individual applications to our global edge network. However, until you can migrate, the following guidelines will help get your Zero Trust deployment up and running.
Requirements
The Cloudflare WARP client is compatible with most third-party VPN configurations assuming the following requirements are met:
- WARP must be responsible for resolving all DNS traffic on your device. The WARP client captures all DNS traffic and sends it to Gateway for policy enforcement. For WARP to function, DNS configuration settings must be disabled on your VPN. You can use features like Local Domain Fallback to route DNS requests to a server behind your third-party VPN or firewall, but the WARP client must still proxy that traffic.
- All traffic relating to the third-party VPN must bypass the WARP client. You can configure Split Tunnels mode to exclude your VPN server from WARP.
Configuring for compatibility
We recommend the following workflow when configuring WARP alongside a third-party VPN service.
- Disable DNS configuration in your third-party VPN.
- Ensure that your Split Tunnels mode is set to Exclude IPs and domains.
- In your Split Tunnels configuration, add the following IP addresses to your Exclude list:
  - The IP address of the server your third-party VPN connects to.
  - The private IP address space your third-party VPN exposes.
- (Optional) If your company uses fully qualified domain names such as example.local, exclude your local domains from Gateway processing.
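The following pre-flight check is an added example, not Cloudflare's code or part of the original page: it takes the VPN server address and the private ranges the VPN exposes, and verifies that a proposed Split Tunnels Exclude list actually covers them while flagging entries so broad that they would route most traffic around WARP. All addresses below are constructed sample values.

```python
"""Sanity-check a planned WARP Split Tunnels 'Exclude IPs and domains' list
against a legacy third-party VPN (hypothetical helper, not Cloudflare's API)."""
import ipaddress

# Constructed sample values; replace with your own VPN details.
VPN_SERVER_IP = "203.0.113.10"                          # host the VPN client connects to
VPN_PRIVATE_SPACE = ["10.50.0.0/16", "172.20.8.0/22"]   # routes the VPN pushes to the device
PROPOSED_EXCLUDES = ["203.0.113.10/32", "10.50.0.0/16", "172.20.0.0/16"]

# Exclude entries shorter than this prefix length are treated as dangerously broad:
# they would pull far more than the VPN's traffic out of Gateway policy enforcement.
MIN_EXCLUDE_PREFIXLEN = 8


def check_excludes(server_ip, private_space, excludes):
    """Return (missing, too_broad).

    missing   - required networks (VPN server + VPN private space) that no
                Exclude entry fully covers; traffic to them would still go via WARP.
    too_broad - Exclude entries wider than MIN_EXCLUDE_PREFIXLEN.
    """
    exclude_nets = [ipaddress.ip_network(e, strict=False) for e in excludes]
    required = [ipaddress.ip_network(server_ip)]            # a bare host becomes /32 (or /128)
    required += [ipaddress.ip_network(p, strict=False) for p in private_space]

    def covered(net):
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        return any(net.version == e.version and net.subnet_of(e) for e in exclude_nets)

    missing = [str(r) for r in required if not covered(r)]
    too_broad = [str(e) for e in exclude_nets if e.prefixlen < MIN_EXCLUDE_PREFIXLEN]
    return missing, too_broad


if __name__ == "__main__":
    missing, too_broad = check_excludes(VPN_SERVER_IP, VPN_PRIVATE_SPACE, PROPOSED_EXCLUDES)
    print("not covered by any Exclude entry:", missing or "none")
    print("Exclude entries that are too broad:", too_broad or "none")
```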