Cloudflare Private Network Tunnel Not Working Within Overlapping Subnet

Hello,

As a longtime Cloudflare user, we are getting started with Cloudflare Zero Trust and wanted to use a cloudflared tunnel to expose some devices on our local networks.

As an example we have a tunnel running with an IP on a DHCP IP assigned network 192.168.1.1/24 (gateway 192.168.1.254) running cloudflared and this allows remote access to other private devices within the network for example 192.168.1.51.

We can access this using the WARP client in Windows / Android only if the local network of the device doesn’t have the same subnet 192.168.1.1/24. This seems to force the request to 192.168.1.51 to go locally rather than through the WARP routing. If the client has a /32 subnet then the routing works as expected - but this workaround would require manually setting IP assignment in all networks the client may use - not really feasible.

The Split tunnel feature doesn’t seem to make any difference even though we have removed the 192.168.0.0/16 rule and added an exclusion for 192.168.1.51.

This is similar to issues described by other users here: Overlapping IP ranges in Tunnels. Unfortunately that topic auto-closed with no resolution.

Is there a known workaround for this other than forcing the client onto a separate subnet? For example: Do you know if it is possible to add a virtual IP to the tunnel machine and use an obscure subnet such as 10.10.8.0/24 (connection to the internet still over the 192.168.1.254 gateway) and then virtual routes so that 10.10.8.51 → 192.168.1.51?

Kind regards

Scott

Also seems to be the same issue as here; using a mobile data connection resolves the issue as there is no subnet overlap between client and destination route:

After reading about WireGuard tunnels in a bit more detail, I don’t think it will ever be possible to override this behaviour as it is inherent to interfaces. If this is the case then we will have to change all of our networks to use separate and uncommon IP spaces.

We will then be relying upon this to allow local routing to work as you can’t have more than one split tunnel configuration.

I think it would be worth adding some information regarding this to the docs.

Scott
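To make the overlap described in both posts concrete, here is an added example (not code from the thread or from Cloudflare) that models the client's routing decision as longest-prefix match with on-link routes preferred on a tie, and checks planned tunnel routes against the LANs a client may sit on. The local/WARP metric values and the route labels are assumptions for the model; the addresses are the ones from the posts.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Model assumption: on an equal-length prefix the on-link route (metric 0)
# beats the tunnel route (metric 1), which is the behaviour the thread describes.
LOCAL_METRIC, WARP_METRIC = 0, 1


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    via: str      # "local" = on-link interface, "warp" = tunnel interface
    metric: int   # lower wins when prefix lengths tie


def build_table(client_lan: str, tunnel_routes: List[str]) -> List[Route]:
    """Routing table as seen on the client: its own LAN plus the tunnel's routes."""
    table = [Route(ipaddress.ip_network(client_lan, strict=False), "local", LOCAL_METRIC)]
    table += [Route(ipaddress.ip_network(r), "warp", WARP_METRIC) for r in tunnel_routes]
    return table


def route(dest: str, table: List[Route]) -> Optional[str]:
    """Longest-prefix match, metric as tie-break; returns which interface carries dest."""
    ip = ipaddress.ip_address(dest)
    candidates = [r for r in table if ip in r.network]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))
    return best.via


def overlaps(client_lans: List[str], tunnel_routes: List[str]) -> List[Tuple[str, str]]:
    """Pairs (client LAN, tunnel route) that share addresses; empty means the plan is safe."""
    found = []
    for lan in client_lans:
        lan_net = ipaddress.ip_network(lan, strict=False)
        for tr in tunnel_routes:
            if lan_net.overlaps(ipaddress.ip_network(tr)):
                found.append((str(lan_net), tr))
    return found


if __name__ == "__main__":
    # Client on the same /24 as the tunnel: traffic to .51 stays on the LAN.
    print(route("192.168.1.51", build_table("192.168.1.0/24", ["192.168.1.0/24"])))
    # Client with a /32: only the tunnel route matches, so WARP carries it.
    print(route("192.168.1.51", build_table("192.168.1.20/32", ["192.168.1.0/24"])))
    # Proposed 10.10.8.0/24 virtual range: no overlap with the client LAN.
    print(overlaps(["192.168.1.0/24"], ["10.10.8.0/24"]))
```

Running `overlaps()` over every LAN your clients roam onto before publishing a tunnel route is the planning check the second post arrives at: any non-empty result is a range that will be routed locally on that network.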