WARP
The Cloudflare WARP client allows you to protect corporate devices by securely and privately sending traffic from those devices to Cloudflare's global network, where Cloudflare Gateway can apply advanced web filtering. The WARP client also makes it possible to apply advanced Zero Trust policies that check for a device's health before it connects to corporate applications.
WARP is a device client that builds proxy tunnels using either Wireguard or MASQUE, and builds a DNS proxy using DNS-over-HTTPS. WARP supports all major operating systems, all common forms of endpoint management tooling, and has a robust series of management parameters and profiles to accurately scope the needs of a diverse user base.
The WARP client consists of:
- Graphical User Interface (GUI): Control panel that allows end users to view WARP's status and perform actions such as turning WARP on or off.
- WARP daemon (or service): Core background component responsible for establishing secure tunnels (using WireGuard or MASQUE) and handling all WARP functionality on your device.
Refer to WARP architecture for more information on how WARP client interacts with a device's operating system to route traffic.
Deploying the WARP client significantly enhances your organization's security and visibility within Cloudflare Zero Trust:
-
Unified security policies everywhere: With the WARP client deployed in the Gateway with WARP mode, Gateway policies are not location-dependent — they can be enforced anywhere.
-
Advanced web filtering and threat protection: Activate Gateway features for your device traffic, including:
-
Application and device-specific insights: With WARP installed on your corporate devices, you can view detailed application and user-level activity on the Zero Trust Shadow IT Discovery page, while also monitoring device and network performance with Digital Experience Monitoring (DEX) to proactively detect and resolve issues.
-
Device posture checks: The WARP client provides advanced Zero Trust protection by making it possible to check for device posture. By setting up device posture checks, you can build Zero Trust policies that check for a device's location, disk encryption status, OS version, and more.
-
Secure private and infrastructure access: WARP lets devices connect to private networks over Cloudflare Tunnel and is required for Access for Infrastructure, enabling secure SSH with short-lived certificates and detailed logging.
WARP offers flexible operating modes to suit your specific needs. WARP can control device traffic as a full proxy, manage only DNS traffic as a DNS proxy, or both. WARP is the most common method for sending user device traffic through Cloudflare Gateway for filtering and decryption.
- Review the first-time setup guide to install and deploy the WARP client on your corporate devices.
- Review possible WARP modes and settings to best suit your organization's needs.
- Explore Cloudflare Gateway to enforce advanced DNS, network, HTTP, and egress policies with WARP.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
