Hi, I’m doing some local testing before considering using this ZTNA product in other parts of my work infra, and I am running into some issues that I appear not to be smart enough to solve on my own.
I’m using ZTNA (with arp gateway) to be able to reach a local network (subnet 10.0.0.0/25) from remote. This was rather easy to set up and works as intended.
However, now if I actually am in this local network with the client PC and have WARP connected, I can no longer reach the local subnet. For example, ping 10.0.0.1 is not working. You can clearly see this in the netstat -rn output of this client.
Destination        Gateway            Flags      Netif  Expire
0/2                utun3              Ucg        utun3
default            10.0.0.1           UGScg      en0
default            link#26            UCSIg      utun3
3.68.63.139        link#26            UHWIig     utun3
10/25              link#14            UCS        en0    !
10.0.0.1/32        link#14            UCS        en0    !
10.0.0.1           56:1:c5:89:ca:3a   UHLWIir    en0    1148
10.0.0.15          ea:19:4a:9d:dd:eb  UHLWI      en0    !
10.0.0.16          link#14            UHLWI      en0    !
10.0.0.20          0:11:32:94:bf:8d   UHLWIi     en0    711
10.0.0.26          92:2d:d8:6d:df:13  UHLWIi     en0    !
10.0.0.27          76:42:58:8:d5:20   UHLWI      en0    !
10.0.0.29          7e:3b:61:91:c5:5e  UHLWI      en0    !
10.0.0.45          link#14            UHLWI      en0    !
10.0.0.71          da:ff:fb:8:17:ec   UHLWI      en0    !
10.0.0.74          link#14            UHLWI      en0    !
10.0.0.79/32       link#14            UCS        en0    !
10.0.0.79          f8:4d:89:76:5e:f6  UHLWI      lo0
10.0.0.104         98:5d:ad:70:e5:51  UHLWI      en0    !
10.0.0.127         ff:ff:ff:ff:ff:ff  UHLWbI     en0    !
10.0.1.67          link#26            UHWIig     utun3
17.57.146.22       link#26            UHWIig     utun3
23.1.127.72        link#26            UHWIig     utun3
34.111.208.231     link#26            UHWIig     utun3
and ifconfig to prove that I am indeed in the same local subnet 10/25:
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=6463<RXCSUM,TXCSUM,TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
    ether f8:4d:89:76:5e:f6
    inet6 fe80::18e1:d757:6acf:c8ac%en0 prefixlen 64 secured scopeid 0xe
    inet 10.0.0.79 netmask 0xffffff80 broadcast 10.0.0.127
    inet6 2003:ed:af10:0000::1f71 prefixlen 128 dynamic
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: active
~
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
    inet 172.16.0.2 --> 172.16.0.2 netmask 0xffffffff
    inet6 fe80::fa4d:89ff:fe76:5ef6%utun3 prefixlen 64 scopeid 0x1a
    inet6 2606:4700:110:83ee:cadb:1454:1b51:bf46 prefixlen 128
    nd6 options=201<PERFORMNUD,DAD>
And here are the cloudflared configured routes:
cloudflared tunnel route ip list
NETWORK       VIRTUAL NET ID                  COMMENT  TUNNEL ID                       TUNNEL NAME  CREATED               DELETED
10.0.0.0/25   xxxxxx-xxx-xxx-xxx-xxxxxxx               xxxxxx-xxx-xxx-xxx-xxxxxxx      mytunnel     2023-03-07T18:00:40Z  -
10.0.1.64/26  xxxxxx-xxx-xxx-xxx-xxxxxxx               xxxxxx-xxx-xxx-xxx-xxxxxxx      mytunnel     2023-03-08T08:25:34Z  -
So both local subnets, 10.0.0.0/25 and 10.0.1.64/26, have been configured in the tunnel (and both work fine from remote).
However, when the client device is located inside the local 10.0.0.0/25, the addresses inside this network are no longer reachable for this device. As you can see in the netstat output, it appears that these are not added to the utun3 route.
In the work environment, I would like to create a situation where employees have WARP installed and it is forced to be always on on their devices. But it should obviously not break things if these employees decide to come into the office.
Anyone have any clue? I somehow am stuck staring at this at the moment.
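An added diagnostic, not part of the post above and not Cloudflare's own tooling: it parses the `netstat -rn` table and the en0 `inet` line the poster pasted, runs a longest-prefix match for a few targets, and reports which of the tunnel's configured routes overlap the subnet the device is physically on. The sample inputs are constructed from the post (only the IPv4 rows that matter for prefix matching are kept); BSD `netstat` shorthand such as `10/25` and `0/2` is expanded by padding the missing octets, and ties between equal-length prefixes are resolved in favour of the entry listed first, which is an assumption, not a documented macOS rule. On this table the kernel's longest match for 10.0.0.1 lands on en0, and the on-link subnet 10.0.0.0/25 is also one of the tunnel routes; whether the WARP tunnel extension follows the kernel table or its own include list is not something the pasted output shows, so the script reports the facts rather than a verdict.

```python
import ipaddress
import re

# Constructed sample: the IPv4 rows of the `netstat -rn` output from the post
# that matter for prefix matching (ARP/host entries for other hosts omitted).
NETSTAT_OUTPUT = """\
Destination Gateway Flags Netif Expire
0/2 utun3 Ucg utun3
default 10.0.0.1 UGScg en0
default link#26 UCSIg utun3
3.68.63.139 link#26 UHWIig utun3
10/25 link#14 UCS en0 !
10.0.0.1/32 link#14 UCS en0 !
10.0.0.1 56:1:c5:89:ca:3a UHLWIir en0 1148
10.0.0.79/32 link#14 UCS en0 !
10.0.0.79 f8:4d:89:76:5e:f6 UHLWI lo0
10.0.1.67 link#26 UHWIig utun3
"""

# Constructed sample: the en0 `inet` line from ifconfig and the networks from
# `cloudflared tunnel route ip list` in the post.
IFCONFIG_INET_LINE = "inet 10.0.0.79 netmask 0xffffff80 broadcast 10.0.0.127"
TUNNEL_ROUTES = ["10.0.0.0/25", "10.0.1.64/26"]


def parse_dest(dest):
    """Expand BSD netstat destination shorthand into an IPv4Network.

    'default' -> 0.0.0.0/0, '10/25' -> 10.0.0.0/25, '0/2' -> 0.0.0.0/2,
    a bare address -> /32. Returns None for IPv6 or non-address entries.
    """
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if ":" in dest:                       # IPv6 or link-layer, not handled here
        return None
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if len(octets) > 4 or not all(o.isdigit() for o in octets):
        return None
    octets += ["0"] * (4 - len(octets))  # netstat drops trailing zero octets
    return ipaddress.IPv4Network(".".join(octets) + "/" + (plen or "32"), strict=False)


def parse_routes(text):
    """Return [(network, netif)] in table order, IPv4 entries only."""
    routes = []
    for line in text.splitlines():
        fields = line.split()             # Destination Gateway Flags Netif [Expire]
        if len(fields) < 4 or fields[0] == "Destination":
            continue
        net = parse_dest(fields[0])
        if net is not None:
            routes.append((net, fields[3]))
    return routes


def lookup(routes, ip):
    """Longest-prefix match; ties go to the entry listed first (assumption)."""
    ip = ipaddress.IPv4Address(ip)
    best = None
    for net, netif in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, netif)
    return (str(best[0]), best[1]) if best else None


def local_network(inet_line):
    """Turn 'inet A netmask 0xHEX ...' into the on-link network of that interface."""
    m = re.search(r"inet (\S+) netmask (0x[0-9a-fA-F]{8})", inet_line)
    plen = bin(int(m.group(2), 16)).count("1")   # 0xffffff80 -> /25
    return ipaddress.IPv4Network(f"{m.group(1)}/{plen}", strict=False)


def overlapping_tunnel_routes(local_net, tunnel_routes):
    """Tunnel routes that cover or intersect the subnet the device sits on."""
    return [r for r in tunnel_routes if ipaddress.IPv4Network(r).overlaps(local_net)]


if __name__ == "__main__":
    routes = parse_routes(NETSTAT_OUTPUT)
    for target in ("10.0.0.1", "10.0.0.50", "10.0.1.67", "10.0.1.100", "8.8.8.8"):
        print(target, "->", lookup(routes, target))
    local = local_network(IFCONFIG_INET_LINE)
    print("on-link:", local, "overlapping tunnel routes:",
          overlapping_tunnel_routes(local, TUNNEL_ROUTES))
```

To use it on another machine, paste the IPv4 section of that machine's `netstat -rn` into `NETSTAT_OUTPUT`, the interface's `inet` line into `IFCONFIG_INET_LINE`, and the networks from `cloudflared tunnel route ip list` into `TUNNEL_ROUTES`; any non-empty overlap list is the case the post describes, a device sitting inside a subnet that is also published through the tunnel.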