Cloudflare Private Network Tunnel Not Working Within Overlapping Subnet


As a longtime Cloudflare user, we are getting started with Cloudflare Zero Trust and wanted to use a cloudflared tunnel to expose some devices on our local networks.

As an example, we have a tunnel running with an IP on a DHCP-assigned network (gateway running cloudflared), and this allows remote access to other private devices within the network, for example

We can access this using the WARP client in Windows / Android only if the local network of the device doesn’t have the same subnet. This seems to force the request to go locally rather than through the WARP routing. If the client has a /32 subnet then the routing works as expected, but this workaround would require manually setting the IP assignment in all networks the client may use, which is not really feasible.

The split tunnel feature doesn’t seem to make any difference, even though we have removed the rule and added an exclusion for

This is similar to the issues described by other users here: Overlapping IP ranges in Tunnels. Unfortunately that topic auto-closed with no resolution.

Is there a known workaround for this other than forcing the client onto a separate subnet? For example: do you know if it is possible to add a virtual IP to the tunnel machine and use an obscure subnet such as (connection to the internet still over the gateway) and then a virtual route so that →

Kind regards
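As an added illustration (not part of the original post, and not Cloudflare's code), the route-selection behaviour described above can be modelled with a longest-prefix match in which a directly connected (on-link) network wins any tie against a tunnel route; the addresses and private routes below are constructed values, and the "on-link wins on tie" rule is an assumption that reproduces the observed effect:

```python
# Added example: a simplified model of why a WARP private-network route loses
# to an overlapping local subnet, and why a /32 client address avoids it.
# All addresses and routes here are constructed, not taken from any real network.
from ipaddress import ip_address, ip_interface, ip_network


def overlapping_routes(client_iface, tunnel_routes):
    """Return the tunnel routes that overlap the client's directly connected network.

    client_iface: the client's address with prefix, e.g. "192.168.1.50/24".
    tunnel_routes: private-network CIDRs advertised through the cloudflared tunnel.
    """
    local_net = ip_interface(client_iface).network
    return [r for r in tunnel_routes if ip_network(r).overlaps(local_net)]


def select_path(dest, client_iface, tunnel_routes):
    """Decide whether traffic to dest goes 'local' (on-link) or 'warp' (tunnel).

    Longest prefix wins; on an equal prefix length the on-link route is
    preferred (assumption modelling the behaviour reported in the thread).
    Returns 'default' if neither the local network nor a tunnel route matches.
    """
    d = ip_address(dest)
    local_net = ip_interface(client_iface).network
    candidates = []  # (prefix length, tie-break rank, path name)
    if d in local_net:
        candidates.append((local_net.prefixlen, 0, "local"))  # rank 0 = preferred
    for r in tunnel_routes:
        n = ip_network(r)
        if d in n:
            candidates.append((n.prefixlen, 1, "warp"))
    if not candidates:
        return "default"
    candidates.sort(key=lambda c: (-c[0], c[1]))
    return candidates[0][2]


if __name__ == "__main__":
    routes = ["192.168.1.0/24"]  # constructed tunnel route to the remote LAN
    # Client sits on a LAN using the same /24: the on-link route wins.
    print(select_path("192.168.1.10", "192.168.1.50/24", routes))  # local
    # Same client forced onto a /32: nothing on-link matches, so WARP carries it.
    print(select_path("192.168.1.10", "192.168.1.50/32", routes))  # warp
    # Client on mobile data / a non-overlapping LAN: no conflict at all.
    print(overlapping_routes("10.0.0.5/24", routes))  # []
```

Running the block prints which path each constructed case takes; a non-empty result from `overlapping_routes` on a real client network is the condition to look for before expecting the tunnel route to work.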


This also seems to be the same issue as here; using a mobile data connection resolves the issue, as there is no subnet overlap between the client and the destination route:

After reading about WireGuard tunnels in a bit more detail, I don’t think it will ever be possible to override this behaviour as it is inherent to interfaces. If this is the case then we will have to change all of our networks to use separate and uncommon IP spaces.

We will then be relying upon this to allow local routing to work as you can’t have more than one split tunnel configuration.

I think it would be worth adding some information regarding this to the docs.