Make server accessible only through a private tunnel over private WARP (virtual network?)

I’m not sure if my understanding of private networks created by Cloudflare Tunnels is correct. Could you please help me clear this up?

I understand that Zero Trust tunnels help you route traffic from any point A to a single point B through Cloudflare’s network without exposing B to the internet.

I followed this tutorial

  • In this tutorial they assign an IP range ( to a newly created tunnel and make it “route-able” through WARP.
  • Let’s say we configured “Split Tunnels” in a way that this IP range is not excluded and therefore when a WARP client makes a request to any IP in this range, it should be “passed” through WARP to this tunnel. Is this correct?
  • Now the part that I’m confused/not sure about:
    1. Does this mean they just created a private, virtual network that all enrolled WARP clients can connect to and communicate over?
    2. When a client makes a request, for example, to, who does this request go to? Who receives this request? The server that this tunnel was created on?
    3. Follow-up question: How can I make sure that a server is accessible, for example, on and all clients can two-way communicate with it?
      • I tried creating a virtual network interface on the server and assigned it an IP from this range, then tried to ping it from a different computer (while connected to WARP), which didn’t seem to work.
      • What I’m trying to achieve by this is to make the server accessible only through the private Cloudflare tunnel and only by users that are enrolled in my WARP organization, meaning that it cannot be accessible by a public hostname. Therefore the server’s own firewall should reject every public request and process only requests from authorized, enrolled devices through WARP.

Thank you for your clarifications