| pcx_content_type | title | weight |
|---|---|---|
how-to |
Split Tunnels |
3 |
Split Tunnels can be configured to exclude or include IP addresses or domains from going through WARP. This feature is commonly used to run WARP alongside a VPN (in Exclude mode) or to provide access to a specific private network (in Include mode).
{{
}}Split Tunnels only impacts the flow of IP traffic. DNS requests are still resolved by Gateway and subject to DNS policies unless you add the domains to your Local Domain Fallback configuration.
{{
}}Changes made to your Split Tunnel configuration are immediately propagated to clients. Because Split Tunnels controls what Gateway has visibility on at the network level, we recommend testing all changes before rolling out updates to end users.
{{}}
{{}}
Use Split Tunnels when you need to bypass Gateway entirely for a site or allow traffic through the firewall that WARP creates. Common scenarios include:
- Connect to a third-party application which requires the actual IP address of the end-user device (for example, Microsoft 365).
- Optimize voice and video.
- Connect to a third-party VPN endpoint.
Do not exclude a site from Split Tunnels if you want to see the traffic in your Gateway logs. In particular, we do not recommend using Split Tunnels to:
- Solve connectivity issues with a specific website. For configuration guidance, refer to our troubleshooting guide.
- Solve performance issues with a specific website. Since Cloudflare operates within 50 milliseconds of 95% of the Internet-connected population, it is usually faster to send traffic through us. If you are encountering a performance-related issue, it is best to first explore your Gateway policies or reach out to Support.
Many Cloudflare Zero Trust services rely on traffic going through WARP, such as device posture checks and WARP session durations. If you are using Split Tunnels in Include mode, you will need to manually add the following domains in order for these features to function:
- The IdP used to authenticate to Cloudflare Zero Trust
<your-team-name>.cloudflareaccess.com- The application protected by the Access or Gateway policy
edge.browser.runif using Browser Isolation
Domain-based split tunneling has a few ramifications you should be aware of before deploying in your organization:.
- Routes excluded or included from WARP and Gateway visibility may change day to day, and may be different for each user depending on where they are.
- You may inadvertently exclude or include additional hostnames that happen to share an IP address. This commonly occurs if you add a domain hosted by a CDN or large Internet provider such as Cloudflare, AWS, or Azure. For example, if you wanted to exclude a VPN hosted on AWS, do not add
*.amazonaws.comas that will open up your devices to all traffic on AWS. Instead, add the specific VPN endpoint (*.cvpn-endpoint-<UUID>.prod.clientvpn.us-west-2.amazonaws.com). - Most services are a collection of hostnames. Until Split Tunnels mode supports App Types, you will need to manually add all domains used by a particular app or service.
- WARP must handle the DNS lookup request for the domain. If a DNS result has been previously cached by the operating system or otherwise intercepted (for example, via your browser's secure DNS settings), the IP address will not be dynamically added to your Split Tunnel.
{{}}
| Split tunnel domain | Matches | Does not match |
|---|---|---|
example.com |
exact match of example.com |
subdomains such as www.example.com |
example.example.com |
exact match of example.example.com |
example.com or subdomains such as www.example.example.com |
*.example.com |
subdomains such as www.example.com and sub2.sub1.example.com |
example.com |
| {{}} |
Domain-based Split Tunnels work differently on mobile clients than on desktop clients. If both mobile and desktop clients will connect to your organization, it is recommended to use Split Tunnels based on IP addresses or CIDR, which work the same across all platforms.
Clients on these platforms work by dynamically inserting the IP address of the domain immediately after it is resolved into the routing table for split tunneling. This allows the desktop clients to support wildcard domain prefixes (for example, *.example.com), not just a singular domain (like example.com or www.example.com).
Due to platform differences, mobile clients can only apply Split Tunnels rules when the tunnel is initially started. This means:
-
Domain-based Split Tunnels rules are created when the tunnel is established based on the IP address for that domain at that time. The route is refreshed each time the tunnel is established.
-
Wildcard domain prefixes (for example,
*.example.com) are supported only if they have valid wildcard DNS records. Other wildcard domains are not supported because the client is unable to match wildcard domains to hostnames when starting up the tunnel. Unsupported wildcard domain prefixes can still exist in your configuration, but they will be ignored on mobile platforms.
{{
}} Removing default Split Tunnel entries may cause users to lose Internet connectivity or block their access to local resources. {{}}-
In Zero Trust, go to Settings > WARP Client.
-
Under Device settings, locate the device profile you would like to modify and select Configure.
-
Under Split Tunnels. select Manage.
-
Find the IP address or hostname in the list and select Delete.
If you need to revert to the default Split Tunnel entries recommended by Cloudflare, select Restore default entries.