Cloudflare Docs
Learning Paths
Visit Learning Paths on GitHub
Set theme to dark (⇧+D)

Connect with the WARP client

  4 min read

The Cloudflare WARP client (known as the Cloudflare One Agent in mobile app stores) allows you to protect corporate devices by securely and privately sending traffic from those devices to Cloudflare’s global network, where Cloudflare Gateway can apply advanced web filtering.

Choose this option if:

  • You want to create DNS policies based on user identity.
  • You want to apply consistent policies for both remote and on-site users.
  • You are interested in progressing from DNS-only security to the advanced protection offered by a Secure Web Gateway.

​​ Deploy WARP on a test device

Most admins test by downloading the client and authenticating in with a one-time PIN.

  1. If you previously connected without an agent, undo the DoH configuration in your browser or OS. Otherwise, your device will continue to send queries to the DoH endpoint instead of forwarding requests through WARP.

  2. Enable one-time PIN authentication:

    1. In Zero Trust, go to Settings > Authentication.
    2. Under Login methods, select Add new.
    3. Select One-time PIN.
    4. If your organization uses a third-party email scanning service (for example, Mimecast or Barracuda), add to the email scanning allowlist.

  3. Enable device enrollment:

    1. In Zero Trust, go to Settings > WARP Client.
    2. In the Device enrollment card, select Manage.
    3. In the Rules tab, configure one or more Access policies to define who can join their device. For example, you could allow all users with a company email address:
      Rule type Selector Value
      Include Emails ending in
    4. In the Authentication tab, select the identity providers users can authenticate with. If you have not integrated an identity provider, you can use the one-time PIN.
    5. Select Save.
  4. Switch the agent to DNS-only mode:

    1. In Zero Trust, go to Settings > WARP Client.
    2. In the Device settings card, select the Default profile.
    3. Select Configure.
    4. For Service mode, select Gateway with DoH.
    5. Select Save profile.
  5. If you are running third-party firewall or TLS decryption software, verify that it does not inspect or block traffic to these IP addresses:

    • Client orchestration IPs:
      • IPv4 API Endpoints: and
      • IPv6 API Endpoints: 2606:4700:7::a29f:8969 and 2606:4700:7::a29f:8a69
    • Gateway DoH IPs:
      • IPv4 DoH Addresses: and
      • IPv6 DoH Addresses: 2606:4700:4700::1111 and 2606:4700:4700::1001
      For more information, refer to WARP with firewall.
  6. Uninstall any existing third-party software that may manage DNS resolution. Sometmes products placed in a disconnected or disabled state will still interfere with the WARP client.

  7. Manually install WARP on the device:

Windows and macOS
  1. Download and install the WARP client.

  2. Launch the WARP client.

  3. Select the Cloudflare logo in the menu bar.

  4. Select the gear icon.

  5. Go to Preferences > Account.

  6. Select Login with Cloudflare Zero Trust.

  7. Enter your team name.

  8. Complete the authentication steps required by your organization.

    Once authenticated, you will see a Success page and a dialog prompting you to open WARP.

  9. Select Open Cloudflare to complete the registration.

  1. Download and install the WARP package.

  2. Open a terminal window. Ensure that you are logged into the terminal as the current user and not as root.

  3. Enroll into Cloudflare Zero Trust using your organization’s team name:

    $ warp-cli teams-enroll <your-team-name>
  4. In the browser window that opens, complete the authentication steps required by your organization.

    Once authenticated, you will see a Success page and a dialog prompting you to open a link.

  5. Select Open Link.

  6. Verify the registration in the terminal:

    $ warp-cli account
Troubleshoot missing registration

The registration process may take a few minutes to complete. If the registration continues to be missing, then manually copy the authentication token from the browser to the WARP client:

  1. On the Success page, right-click and select View Page Source.
  2. Find the HTML metadata tag that contains the token. For example, <meta http-equiv="refresh" content"=0;url=com.cloudflare.warp://" />
  3. Copy the URL field: com.cloudflare.warp://<your-team-name><your-token>
  4. In the terminal, run the following command using the URL obtained in the previous step.

    $ warp-cli teams-enroll-token com.cloudflare.warp://<your-team-name><your-token>

If you get an API error, then the token has expired. Generate a new one by refreshing the web page and quickly grab the new token from the page source.

  1. If you did not configure WARP to auto-connect, manually turn on WARP:

    $ warp-cli connect
iOS, Android, and ChromeOS
  1. Download and install the Cloudflare One Agent app.
  2. Launch the Cloudflare One Agent app.
  3. Select Next.
  4. Review the privacy policy and select Accept.
  5. Enter your team name.
  6. Complete the authentication steps required by your organization.
  7. After authenticating, select Install VPN Profile.
  8. In the Connection request popup window, select OK.
  9. If you did not enable auto-connect, manually turn on the switch to Connected.

The WARP client should show as Connected. By default, all DNS queries from the device will be forwarded to Cloudflare Gateway for filtering.