Cloudflare Tunnel resources not accessible when connecting from the same VLAN/network as the tunnel

Hoping for some guidance here…I have a tunnel that is set up to my local office network. When outside of that network and on Cloudflare WARP everything works as expected. I can access the local servers and share drives just as if I were on our old VPN client or in the office on the same VLAN. However I noticed that since Cloudflare WARP is always on, if I do go into the office and I am on the VLAN with these resources and I am connected to Cloudflare WARP then I am unable to connect to those resources. I can simply turn off Cloudflare WARP and everything is back to normal and working but I was hoping, if possible, to make this as “fool proof” as possible so that these resources would be accessible either on or off of WARP when in the office so that users do not have to even think about it.

Thank you for any help!

I’ve had similar problems with this too. What worked for me was to change my split tunnel settings from the default “exclude IP and domains” to “INCLUDE” . This can be found at:

Settings → WARP CLIENT → Device Settings → Default Profile → Configure → At the bottom of the page are the split tunnel settings. Press “Include IPs and domains”

Pressing the button will bring up a warning about changes causing potential connection problems so that’s something to keep it mind. If you’re part of a larger company it might be worth testing this configuration out on a separate test Cloudflare ZT account) first.

In this setting you have to specifically state the IPs and Domains you want to be included with Zero Trust. This requires a bit more setup, but Cloudflare says what you should include here:

Split Tunnels · Cloudflare Zero Trust docs

The main things to include are: your work network address CIDR (like: and any domains used in “Access” Applications like *,

When you’re done configuring, press “Back to Profile” and then don’t forget to click “Save Profile” at the very bottom. From there clarify that the same network CIDR is included in the tunnel “private network” and from there it should work both internally and externally.

Hope this helps!

Thank you for your suggestion. I am using the default of “Exclude IPs and domains” and we have a few domains listed to exclude, and I have removed the local IP range of my office from that list so it should be included. It is strange that adding these to an include list would behave differently but it might be worth a try so thank you for the idea. I do like the current configuration as we have a handful of sites so I would prefer to have all traffic be routed through Cloudflare so I’ll have to weigh that and forcing users to disconnect when in the office.

Thank you!

Yeah. It’s very strange. Honestly I think there might be a few gremlins in the system.

Having looked into it a bit more what might be better is if you create a “managed network” which selectively applies WARP settings based on set criteria - like say “when a device joins the office network” the client applies a different “device profile”.

It’s a bit more involved (setting up a server that the device pings on startup) and then creating a different WARP “profile” which changes the “service mode” but once it’s setup it’s automatic - and you could do it without changing “split tunnel settings” - keeping exclude etc.

There’s an extensive tutorial from start to finish about setting up a managed network and the selecting the conditions here:

Managed networks · Cloudflare Zero Trust docs

Hopefully that’s more helpful.