Easy Tunnels + Private Network + Warp macOS: No routing

I’ve been trying to tunnel to my local network for several hours now and no combination of settings on the tunnel or Warp client seems to get it working.

I’ve

  1. Enabled Google Workspace Auth for my domain.
  2. Installed the Warp client on a Mac, logging into the team I set up.
  3. Configured an easy tunnel for cloudflared on a Mac mini on my local network.
  4. Added a private network (192.168.0.0/16) to my tunnel. My local network uses 192.168.1.x and 192.168.0.x addresses.
  5. Set up cloudflared as a system service to start on boot. Works correctly and connects to the easy tunnel.
  6. Set up a gateway in my zero trust settings to allow access for that IP range. I don’t know if this was necessary. No help document seems to say you should have a gateway with private network but I saw it in one of the threads here and tried it. Got it to show in a web request as a 502, not sure what’s wrong there.

So, all of that and I still can’t ping from my external client using Warp onto my private network. What am I missing?

Actually, it looks like at least some of the traffic is properly being routed. I can screen share to the IP and I can request the Plex web interface, though that fails due to a server closure. Performance on screen sharing isn’t great but it works. ping doesn’t work but ssh does.

Is there any way to bridge some .local addresses? Or would I have to run a local DNS server to provide custom addresses?

ICMP/Ping does not work from WARP → Tunnel.
General UDP/TCP proxying does work. That’s why your mention of other stuff (such as RDP/VNC, SSH, HTTP) works.
Just to make sure you saw it, here’s 2 useful links to set up WARP → Tunnel (which you have working now):

I think this is what you’re looking for: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/private-hostnames-ips/

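Since ICMP is not carried from WARP to Tunnel but TCP is, a reachability check for a private host has to be done over TCP. The following is an added example, not code from this thread or from Cloudflare: a Python probe that waits for the service's banner (SSH by default) instead of trusting a completed handshake, on the assumption that a proxy in the path could accept the connection itself. The `probe_banner` name and the target addresses are hypothetical.

```python
import socket

def probe_banner(host, port, expect=b"SSH-", timeout=3.0):
    """Probe a TCP service that speaks first (SSH sends "SSH-2.0-..." on connect).

    Returns (status, detail) where status is one of:
      banner     - connected and the expected banner arrived (end-to-end proof)
      unexpected - connected, but the first bytes were something else
      silent     - connected, nothing received before the timeout
      closed     - connected, peer closed without sending anything
      refused    - connection actively refused
      timeout    - no answer to the connection attempt
      error      - any other socket error (detail holds the message)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "")
    except socket.timeout:
        return ("timeout", "")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except socket.timeout:
            return ("silent", "")
        except OSError as exc:
            return ("error", str(exc))
    if not data:
        return ("closed", "")
    if data.startswith(expect):
        first_line = data.split(b"\n", 1)[0]
        return ("banner", first_line.decode("ascii", "replace").strip())
    return ("unexpected", repr(data[:32]))

if __name__ == "__main__":
    # Constructed targets inside the 192.168.0.0/16 range used in this thread.
    for host, port in [("192.168.1.10", 22), ("192.168.0.20", 22)]:
        status, detail = probe_banner(host, port)
        print(f"{host}:{port} -> {status} {detail}")
```

A `banner` result shows the path works end to end; `silent` or `closed` means only that something accepted the connection.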

Yeah, I used both of those. They really need to be updated for the new easy tunnels. It was very confusing to go through them not knowing that easy tunnels don’t actually require any of that local configuration.

I think I was asking more for actual Bonjour bridging so I can use multicast DNS to connect to internal resources rather than having to map all of the IPs. I don’t run an internal DNS server.

Otherwise things are working pretty well. I am running into an issue where, if I’m actually on the local network that I have bridged, it fails to connect to local resources, likely due to the removal of the split tunnel rules for that IP range. Is it possible to make those settings dynamic at all? I really don’t want to have to turn off Warp to access local resources and turn it back on to access remote. I usually like to keep all of my traffic going through the VPN except for the local network. I’ve created a second tunnel for another private network, so I’d like to be connected to both when I can.

Yeah, I think that’s on the plans cc @abe

Got it.

Right now there’s no perfect solution, but I think it’s on the roadmap to be addressed so that WARP can be configured with different settings depending on the network it is connected to. That would allow changing the Split Tunnel config depending on that. @abe knows about it and can keep me honest.


Thank you for raising this feedback. We do intend to refactor key tutorials and develop more content around Tunnel configuration through the dashboard. To @nuno.diegues's point, we do not support any dynamic behavior for when to route through the local or remote (Tunnel) network, but this is on the roadmap. We’ll be sure to share with the community as we make progress on this front.

cc: @kkrum as well :)

I recently raised similar feedback in the macOS app as well. In addition to being able to control which tunnels are active, it would be great to be able to switch between my regular Warp+ account and the Zero Trust account which gives me access to my private networks. Or somehow combine the two and allow me to toggle the Zero Trust connectivity on top of my existing Warp+ account.