Use cloudflare for teams and argo tunnel as vpn to my server

In my work I use two servers which are located in different places in the local networks. They are not accessible to the Internet except for a few approved web applications, and I access the server control panel by typing into my browser the address of that server, e.g.

I use wireguard VPN tunnels to access these two networks. They connect and I get access to the whole subnet (e.g. I was wondering if I could use cloudflare for teams (CFT) to replace wireguard so that I can access my server transparently from anywhere with internet access simply by typing in the server address (like h[tt]p:// or connecting to it via SSH.

I have WARP on my phone and computer all the time because I’m worried about my traffic, and I like the option described above since I wouldn’t have to worry about multiple VPN applications anymore.

From what I understand, this can even be done as part of the free CFT plan, but the problem is that I don’t understand exactly what I have to do in the cloudflare control panel to get multiple devices into a single network. I have created an organization in CFT, and logged into it on my client devices using the WARP client, but I still don’t understand what I need to do on the server to make it accessible from the client devices.

I’ve attached a picture below that depicts what the overall operation of this system should look like. There are WARP clients running on the devices, which proxy all traffic from these devices to prevent the operator/provider/owner of the wifi router from having access to my traffic, as well as to bypass some restrictions on access to Internet resources in my country. But at the same time, these WARP clients connect my devices to my servers located in private networks.

As far as I understand, what I want is described in this section: h[tt]ps://

I do not understand how to make this solution work. At the moment I have done the following:
1) Added a website to cloudflare (h[tt]ps://, including moving the name servers (h[tt]ps://
2) Installed cloudflared (h[tt]ps:// on a server on your local network.
3) Enabled the “Argo” switch under “traffic” in the site control panel.
4) Performed “cloudflared tunnel login” successfully, authorizing cloudflared for my site
5) Executed “cloudflared tunnel create”.
6) Executed “cloudflared tunnel route ip add” where is my home subnet. For example, the router is and the server is
7) Executed “cloudflared tunnel route ip show”, and got the following:
vvzvlad@debian:~$ cloudflared tunnel route ip show

NETWORK COMMENT TUNNEL ID TUNNEL NAME CREATED DELETED
72d62d91-7879-479b-a38e-ab4dafd33dcc farewell-vm 2021-03-22T22:02:28Z -

8) Did “cloudflared tunnel route ip get” where is my server on my home network. According to the h[tt]ps:// documentation page, this command checks if the route matches the address. The output is the following:

NETWORK COMMENT TUNNEL ID TUNNEL NAME CREATED DELETED
72d62d91-7879-479b-a38e-ab4dafd33dcc farewell-vm 2021-03-22T22:02:28Z

Which, as I understand it, shows that this IP is properly routed to this tunnel.

9) Created a configuration file (etc/cloudflared/config.yml) and wrote the following into it:

tunnel: xxxxxx-xxx-xxx-xxx
credentials-file: /etc/cloudflared/xxxxx-xxx-xxx.json
warp-routing:
  enabled: true

10) Started the tunnel as a service (h[tt]ps://

11) Logged into CFT on my mobile devices in the account corresponding to the organization (logged in through the email corresponding to the site above), and I see these devices in the appropriate sections of the team at h[tt]ps://

But after all this, I still can’t access from my devices running WARP to What did I do wrong?

Are you using regular Warp or Warp For Teams?

About Cloudflare WARP · Cloudflare Zero Trust docs

Windows Warp+ For Teams

where Warp client advanced connection is via Team Gateway DoH subdomain


As far as I understand, for iOS/MacOS the client is the same program, which can work both as a WARP client and as a WARP for Teams client, depending on the settings. As I wrote in point 11, I’m logged into a WARP for Teams account in this app, and apparently I’m using the WARP for Teams version.
In the Team Gateway DoH subdomain field I have an automatically generated subdomain as a long string of hexadecimal digits, I have not changed it.

I configured the DoH subdomain as described in this article (How To Use w/ WARP App And Cloudflare Gateway To Protect Your Phone From Security Threats), and I can now see the stats from my devices in the control panel, but it has not brought me any closer to accessing my servers.

Hi @vvzvlad - thanks for the post. Let me try and walk through what I think is going on here.

Couple limitations:

  • The Teams mobile client does not currently work with the private routing feature. That will be coming soon.
  • You need to configure Cloudflare Gateway to use Split Tunnel mode - where you tell Gateway that certain private IPs should traverse the WARP tunnel.
  • Once you control the Split Tunnel settings, you’ll need to enroll your client once more - it only picks up the settings on enrollment - that’s also something we’re fixing soon.

Let me know if that helps on the notebook flow.


Ah that explains part of the problem! Thanks @SamRhea

Part of this is my fault for adding to confusion - should have said that the mobile version of the client does not work with the private routing feature, but the desktop does.


What I did next:
1) In the control panel at gateway/policies/settings/split_tunnels, I created a new entry with the value “”
2) On my computer in the WARP client, I clicked “logout from teams” and then re-logged into my cloudflare account for teams.
3) Connected via mobile Internet, waited for the WARP client to connect to the server and checked the availability of It is still inaccessible from my laptop. Although in the “excluded IPs” window in preferences - advanced I see the created subnet with the comment that I left on the split_tunnels settings page, it means that it was successfully loaded from the server. However, I don’t see this subnet in the routing table in the netstat.txt file in the logs folder.

Just to be clear: the WARP Policies for Split Tunnels are identifying networks that are not sent to Cloudflare edge.

Hence, you want to make sure that no network there is covering yours.

By default I believe that is present in the Split Tunnel config, which would be a super-set of your network Therefore, you need to make sure that those values are deleted from the Split Tunnel policy so that traffic egressing from your WARP-enabled device into those IPs is effectively sent to Cloudflare.

This bit is part of the tutorial at Connect from WARP to a private network on Cloudflare using Cloudflare Tunnel · Cloudflare Zero Trust docs
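The check described in the reply above, as an added example that is not part of the thread or of Cloudflare's tooling: given a tunnel route and the Split Tunnel exclude list, it reports every exclude entry that covers the route fully or partly. The route `192.168.88.0/24` and the exclude list are constructed sample values; `192.168.0.0/16` is the default entry named in this thread.

```python
import ipaddress


def shadowing_excludes(tunnel_route, split_tunnel_excludes):
    """Return (entry, reason) for each exclude entry overlapping tunnel_route.

    Excluded networks bypass WARP, so any overlap means traffic for that
    part of the routed subnet never reaches the Cloudflare edge or the tunnel.
    """
    route = ipaddress.ip_network(tunnel_route, strict=False)
    hits = []
    for entry in split_tunnel_excludes:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net.version != route.version:
            continue  # an IPv6 exclude cannot shadow an IPv4 route
        if route.subnet_of(net):
            hits.append((entry, "covers the whole route"))
        elif net.overlaps(route):
            hits.append((entry, "covers part of the route"))
    return hits


# Constructed sample data (assumptions, not values from the thread,
# except 192.168.0.0/16 which the thread names as a default entry).
SAMPLE_ROUTE = "192.168.88.0/24"
SAMPLE_EXCLUDES = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",   # default entry: a superset of the sample route
    "192.168.88.0/24",  # entry added by mistake, as in the thread
    "fe80::/10",
]

if __name__ == "__main__":
    for entry, reason in shadowing_excludes(SAMPLE_ROUTE, SAMPLE_EXCLUDES):
        print(f"remove {entry}: {reason} {SAMPLE_ROUTE}")
```

An empty result means no exclude entry keeps the routed subnet out of the WARP tunnel.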


Oh, I see, it was the other way around. That’s why I was thinking “why is it called something wrong”. :)

Now, I removed all the entries from Split Tunnel config that include - my entry “” and the default entry “192.168.0.0/16”, re-logged in, and I don’t see anything else in the “excluded IPs” in the warp client related to my subnet (only, but apparently it covers the range, and can’t affect my subnet).
But is still inaccessible, and there’s no entry in netstat.txt that says to somehow specifically route the subnet

Can you confirm that you have Layer 7 filtering enabled?

Cloudflare for Teams dash → Gateway → Policies → Settings → Proxy Settings, enabled

For any of these changes, note that it can take a couple minutes for them to propagate and become active.


No, Layer 7 filtering was inactive. When I try to toggle it to “enable” a couple of seconds after toggling it, the red message “Error enabling HTTP traffic filtering.” appears at the bottom, and the switch returns to the disabled state.

I suspect you may be lacking something in your account to allow to do that. I’m sure that @SamRhea can point you in the right direction.

Hi @vvzvlad - that shouldn’t be happening in the UI. What Cloudflare for Teams plan do you have?

Free plan Cloudflare For Teams and minimal plan for argo

Thanks for the report, I’ve asked our team to take a look.


Is the issue related to this bug that was fixed a couple of days ago?