Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Add a managed network

Cloudflare WARP allows you to selectively apply WARP client settings if the device is connected to a secure network location such as an office.

​​ 1. Choose a TLS endpoint

A TLS endpoint is a host on your network that serves a TLS certificate. The TLS endpoint acts like a network location beacon — when a device connects to a network, WARP detects the TLS endpoint and validates its certificate against an uploaded SHA-256 fingerprint.

The TLS certificate can be hosted by any device on your network. However, the endpoint must be inaccessible to users outside of the network location. One option is to choose a host that is physically in the office which remote users do not need to access, such as a printer.

​​ Create a new TLS endpoint

If you do not already have a TLS endpoint on your network, you can set one up as follows:

  1. Create a local certificate:

    $ openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout example.key -out example.pem -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com"

    The command will output a PEM certificate and key. Store these files in a secure place.

  1. Run a simple HTTPS server to host the certificate:

    1. Create a Python 3 script called myserver.py:

      myserver.py
      import ssl, http.server
      class BasicHandler(http.server.BaseHTTPRequestHandler):
      def do_GET(self):
      self.send_response(200)
      self.send_header('Content-type', 'text/html')
      self.end_headers()
      self.wfile.write(b'OK')
      return
      server = http.server.HTTPServer(('0.0.0.0', 4443), BasicHandler)
      sslcontext = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
      sslcontext.load_cert_chain(certfile='./example.pem', keyfile='./example.key')
      server.socket = sslcontext.wrap_socket(server.socket, server_side=True)
      server.serve_forever()
    2. Run the script:

      $ python3 myserver.py

​​ 2. Extract the SHA-256 fingerprint

To obtain the SHA-256 fingerprint of a certificate:

$ openssl x509 -noout -fingerprint -sha256 -inform pem -in example.pem | tr -d :

The output will look something like:

SHA256 Fingerprint=DD4F4806C57A5BBAF1AA5B080F0541DA75DB468D0A1FE731310149500CCD8662

​​ 3. Add managed network to Zero Trust

  1. In Zero Trust, go to Settings > WARP Client.

  2. Scroll down to Network locations and select Add new.

  3. Name your network location.

  4. In Host and Port, enter the private IP address and port number of the TLS endpoint (for example, 192.168.185.198:4443).

    The example TLS endpoint created above would use the IP of the device running the Python script and the port configured for the HTTPS server.

  5. In TLS Cert SHA-256, enter the SHA-256 fingerprint of the TLS certificate.

​​ 4. Configure device profiles

  1. Create a settings profile for devices on this network. In the rule builder, the network name will appear when you choose the Managed network selector.
  2. For all device profiles, add a Split Tunnel rule to exclude the TLS endpoint’s IP address. This blocks remote users from accessing the TLS endpoint through the WARP tunnel.

Managed networks are now enabled. Every time a device in your organization connects to a network (for example, when waking up the device or changing WiFi networks), the WARP client will determine its network location and apply the corresponding settings profile.