Does Cloudflare Warp for Teams use a static or dynamic IP address?

Trying to create a Cloudflare Access rule that will automatically permit entry (without needing to enter a one-time password) to anybody in my organization that is connecting via Cloudflare Warp.

I know from reading other threads here that using “Gateway” as a standalone bypass rule is not supported yet. So it seems like a good workaround would be to create a bypass rule that includes the “Warp” rule (meaning anybody running Warp can connect), then adding a source IP address requirement to stop just anybody from connecting.

So my question is: Does Cloudflare Warp for Teams use a static or dynamic public IP address? Is that IP address unique to my team? If my organization uses a unique static IP address then I should be able to easily restrict access to only people in my organization until Gateway is supported as a bypass rule.

sometimes dynamic, sometimes static

Hi @IAN4000
This is interesting!
Cloudflare WARP uses dynamic Public IP addresses from a pool of IP range.

However, to achieve your goal, can you try to create a rule as shown below with action as Bypass

The “IP ranges” should be your static IP/ CIDR of your organisation.

This would allow all the users with Warp coming from your Public IPv4/v6/ CIDR access the application without OTP.

If any requests comes without Warp, they will get a message that says “Unauthorized” unless you have another rule for authenticating users based on “Emails” or “Emails ending in” options then they will get option to authenticate via OTP.


This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.