Cloudflare Docs
Learning Paths
Edit this page on GitHub
Set theme to dark (⇧+D)

Connect with the WARP client

  3 min read

The Cloudflare WARP client (known as the Cloudflare One Agent in mobile app stores) allows you to protect corporate devices by securely and privately sending traffic from those devices to Cloudflare’s global network, where Cloudflare Gateway can apply advanced web filtering.

Choose this option if:

  • You want to create DNS policies based on user identity.
  • You want to apply consistent policies for both remote and on-site users.
  • You are interested in progressing from DNS-only security to the advanced protection offered by a Secure Web Gateway.

​​ Deploy WARP on a test device

Most admins test by downloading the client and authenticating in with a one-time PIN.

  1. If you previously connected without an agent, undo the DoH configuration in your browser or OS. Otherwise, your device will continue to send queries to the DoH endpoint instead of forwarding requests through WARP.

  2. Enable one-time PIN authentication:

    1. In Zero Trust, go to Settings > Authentication.
    2. Under Login methods, select Add new.
    3. Select One-time PIN.
    4. If your organization uses a third-party email scanning service (for example, Mimecast or Barracuda), add noreply@notify.cloudflare.com to the email scanning allowlist.
  3. Enable device enrollment:

    1. In Zero Trust, go to Settings > WARP Client.
    2. In Device enrollment permissions, select Manage.
    3. In the Rules tab, configure one or more Access policies to define who can join their device. For example, you could allow all users with a company email address:
      Rule typeSelectorValue
      IncludeEmails ending in@company.com
    4. In the Authentication tab, select the identity providers users can authenticate with. If you have not integrated an identity provider, you can use the one-time PIN.
    5. Select Save.
  4. Switch the agent to DNS-only mode:

    1. In Zero Trust, go to Settings > WARP Client.
    2. In the Device settings card, select the Default profile.
    3. Select Configure.
    4. For Service mode, select Gateway with DoH.
    5. Select Save profile.
  5. If you are running third-party firewall or TLS decryption software, verify that it does not inspect or block traffic to these IP addresses:

    • Client orchestration IPs:
      • IPv4 API Endpoints: 162.159.137.105 and 162.159.138.105
      • IPv6 API Endpoints: 2606:4700:7::a29f:8969 and 2606:4700:7::a29f:8a69
    • Gateway DoH IPs:
      • IPv4 DoH Addresses: 162.159.36.1 and 162.159.46.1
      • IPv6 DoH Addresses: 2606:4700:4700::1111 and 2606:4700:4700::1001
      For more information, refer to WARP with firewall.
  6. Uninstall any existing third-party software that may manage DNS resolution. Sometimes products placed in a disconnected or disabled state will still interfere with the WARP client.

  7. Manually install WARP on the device.

Window, macOS, and Linux

To enroll your device using the WARP GUI:

  1. Download and install the WARP client.

  2. Launch the WARP client.

  3. Select the Cloudflare logo in the menu bar.

  4. Select the gear icon.

  5. Go to Preferences > Account.

  6. Select Login with Cloudflare Zero Trust.

  7. Enter your team name.

  8. Complete the authentication steps required by your organization.

    Once authenticated, you will see a Success page and a dialog prompting you to open WARP.

  9. Select Open Cloudflare WARP.app to complete the registration.

iOS, Android, and ChromeOS
  1. Download and install the Cloudflare One Agent app.
  2. Launch the Cloudflare One Agent app.
  3. Select Next.
  4. Review the privacy policy and select Accept.
  5. Enter your team name.
  6. Complete the authentication steps required by your organization.
  7. After authenticating, select Install VPN Profile.
  8. In the Connection request popup window, select OK.
  9. If you did not enable auto-connect, manually turn on the switch to Connected.

The WARP client should show as Connected. By default, all DNS queries from the device will be forwarded to Cloudflare Gateway for filtering.