Connect with the WARP client
3 min read
The Cloudflare WARP client (known as the Cloudflare One Agent in mobile app stores) allows you to protect corporate devices by securely and privately sending traffic from those devices to Cloudflare’s global network, where Cloudflare Gateway can apply advanced web filtering.
Choose this option if:
- You want to create DNS policies based on user identity.
- You want to apply consistent policies for both remote and on-site users.
- You are interested in progressing from DNS-only security to the advanced protection offered by a Secure Web Gateway.
Deploy WARP on a test device
Most admins test by downloading the client and authenticating in with a one-time PIN.
If you previously connected without an agent, undo the DoH configuration in your browser or OS. Otherwise, your device will continue to send queries to the DoH endpoint instead of forwarding requests through WARP.
Enable one-time PIN authentication:
- In Zero Trust, go to Settings > Authentication.
- Under Login methods, select Add new.
- Select One-time PIN.
- If your organization uses a third-party email scanning service (for example, Mimecast or Barracuda), add
noreply@notify.cloudflare.comto the email scanning allowlist.
Enable device enrollment:
- In Zero Trust, go to Settings > WARP Client.
- In Device enrollment permissions, select Manage.
- In the Rules tab, configure one or more Access policies to define who can join their device. For example, you could allow all users with a company email address:
Rule type Selector Value Include Emails ending in @company.com - In the Authentication tab, select the identity providers users can authenticate with. If you have not integrated an identity provider, you can use the one-time PIN.
- Select Save.
Switch the agent to DNS-only mode:
- In Zero Trust, go to Settings > WARP Client.
- In the Device settings card, select the Default profile.
- Select Configure.
- For Service mode, select Gateway with DoH.
- Select Save profile.
If you are running third-party firewall or TLS decryption software, verify that it does not inspect or block traffic to these IP addresses:
- Client orchestration IPs:
- IPv4 API Endpoints:
162.159.137.105and162.159.138.105 - IPv6 API Endpoints:
2606:4700:7::a29f:8969and2606:4700:7::a29f:8a69
- IPv4 API Endpoints:
- Gateway DoH IPs:
- IPv4 DoH Addresses:
162.159.36.1and162.159.46.1 - IPv6 DoH Addresses:
2606:4700:4700::1111and2606:4700:4700::1001
- IPv4 DoH Addresses:
- Client orchestration IPs:
Uninstall any existing third-party software that may manage DNS resolution. Sometimes products placed in a disconnected or disabled state will still interfere with the WARP client.
Manually install WARP on the device.
Window, macOS, and Linux
To enroll your device using the WARP GUI:
Download and install the WARP client.
Launch the WARP client.
Select the Cloudflare logo in the menu bar.
Select the gear icon.
Go to Preferences > Account.
Select Login with Cloudflare Zero Trust.
Enter your team name.
Complete the authentication steps required by your organization.
Once authenticated, you will see a Success page and a dialog prompting you to open WARP.
Select Open Cloudflare WARP.app to complete the registration.
iOS, Android, and ChromeOS
- Download and install the Cloudflare One Agent app.
- Launch the Cloudflare One Agent app.
- Select Next.
- Review the privacy policy and select Accept.
- Enter your team name.
- Complete the authentication steps required by your organization.
- After authenticating, select Install VPN Profile.
- In the Connection request popup window, select OK.
- If you did not enable auto-connect, manually turn on the switch to Connected.
The WARP client should show as Connected. By default, all DNS queries from the device will be forwarded to Cloudflare Gateway for filtering.