Cloudflared Tunnel IP Route

I’m running into some issues routing my private IP space through a Cloudflare Tunnel.

This is my (anonymized) cloudflared yaml:

tunnel: <GUID>
credentials-file: /etc/cloudflared/<GUID>.json
warp-routing:
  enabled: true
ingress:
  - hostname: ssh.mydomain.com
    service: ssh://172.17.2.1:22
  - hostname: web.mydomain.com
    service: http://172.17.2.2:80
  - service: http_status:404

For the 2 hostnames I added CNAME records pointing to .cfargotunnel.com and I also ran the command to add an IP range to the tunnel. “sudo cloudflared tunnel route ip show” returns the correct IP range. The cloudflared output shows “Warp-routing is enabled” and a few “Connection registered connIndex=1 location=HAM” (but for different locations of course). No errors in the output.

In the Cloudflare Teams dashboard the “Split tunnel” config has been set to “Include IPs and domains” and I added the same IP range here.

I installed the WARP client on my Android phone and logged into my Teams account. The connection gets established, but I can't seem to use my browser to connect to an internal webserver on the IP address. “wget” for the same URL works from the server running cloudflared, so it’s not a firewall between the tunnel endpoint and the internal server. The WARP client is set to “Gateway with WARP” and I can see the correct IP range under Advanced → Connection options → Manage included routes. The 2 hostnames from the ingress rules work without any issues.

The only thing I was able to find is that in the Cloudflare Teams dashboard under Access → Tunnels the route is not visible in the “Routes” column. Only my hostnames are listed there.

Any help would be much appreciated!

Are you trying to publish an application via Access or use Warp to tunnel? The description appears to be a combination of the two.

An application pointing (ssh, rdp, http or arbitrary tcp) would use ingress rules and cloudflared on the client side to connect. A connection using the Warp client would use warp-routing, CIDR definitions and DNS entries pointing to the origin IP addresses.

To add on what @cscharff wrote:

  • the ingress hostnames are for Internet-resolvable addresses, so you can access your private origin on any device with a browser
  • for ingress hostnames that are SSH/TCP/RDP (i.e., not L7), you need cloudflared access on the device to access those
  • if instead, you are trying to build a private network, then you have to install WARP on the user devices (which you did) and configure IP Routes — forget the Hostname Routes in this case, since no public DNS is involved anymore
  • so, with WARP, you access based on IP
  • or, more recently, you can access based on private DNS resolution since we now support UDP transport https://blog.cloudflare.com/extending-cloudflares-zero-trust-platform-to-support-udp-and-internal-dns/

I’m trying to access my network through WARP. I already have this Cloudflared Tunnel running and added the details on the working published applications to show that the tunnel itself is working fine.

So the issue I have is just with routing my internal IP range through WARP.

Ok, thanks for the clarification. Running WARP, it sounds like you’ve chosen to run it in include mode vs. the default exclude mode. Is that correct?

The DNS records you are trying to connect to should point to the IP you are trying to connect to, not anything cfargotunnel-related.

Yes, include mode with only my internal subnet defined.

I’m not trying to connect to an (internal) DNS name but directly to the IP address.

Do you have Warp enabled in the client along with TLS inspection in the Teams dashboard?

I’m 100% sure I had this enabled and that routing was still not working when initially setting this up. So I played around with a lot of the settings and in the end TLS inspection was disabled.

After re-enabling proxy and TLS the tunnel is now working fine!
