Cloudflare Tunnel
Cloudflare WAN (formerly Magic WAN) can work together with Cloudflare Tunnel to provide easy access between your networks and applications.
By default, Cloudflare Gateway proxies and filters TCP, UDP, and ICMP traffic that arrives over IPsec/GRE tunnels and is destined for routes behind Cloudflare Tunnel, so Gateway network policies apply to that traffic.
Cloudflare evaluates private network routes using longest-prefix-match. A prefix combines a base IP address with a prefix length that indicates how many bits define the network portion (for example, 192.168.0.0/24). When multiple routes could match a destination IP, Cloudflare selects the route with the longest prefix (most specific match).
For example, if you have routes for both 10.0.0.0/16 and 10.0.1.0/24, traffic destined for 10.0.1.50 matches the /24 route because it is more specific.
Within a virtual network, each prefix can only appear once in the Zero Trust routing table. You cannot create two Zero Trust routes with the same prefix pointing to different tunnels in the same virtual network.
To route the same prefix to different destinations, use separate virtual networks.
Cloudflare reserves the following IP ranges for Zero Trust services:
| IP range | Purpose |
|---|---|
| 100.64.0.0/12 | Cloudflare Source IPs |
| 100.96.0.0/12 | Device IPs |
| 100.80.0.0/16 | Initial resolved IPs |
| 100.112.0.0/16 | Private Load Balancers |
Do not configure routes that overlap with these reserved ranges.
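The following added example models the route-evaluation rules above (longest-prefix match within a virtual network, one route per prefix per virtual network, and no overlap with the reserved ranges) as a small dry-run validator. It is illustrative code written for this page, not Cloudflare's implementation or API; the tunnel names, virtual network names and prefixes in the usage are made up.

```python
"""
Model of how Zero Trust private-network routes are evaluated: longest-prefix
match within a virtual network, one route per prefix per virtual network, and
no overlap with the ranges Cloudflare reserves for Zero Trust services.
Illustrative model only; not Cloudflare's code or API.
"""
import ipaddress
from dataclasses import dataclass

# Reserved ranges from the table above; a route must not overlap any of them.
RESERVED_RANGES = {
    "Cloudflare Source IPs": ipaddress.ip_network("100.64.0.0/12"),
    "Device IPs": ipaddress.ip_network("100.96.0.0/12"),
    "Initial resolved IPs": ipaddress.ip_network("100.80.0.0/16"),
    "Private Load Balancers": ipaddress.ip_network("100.112.0.0/16"),
}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    tunnel: str            # tunnel name or ID (hypothetical names in the usage)
    vnet: str = "default"  # virtual network the route belongs to


class RouteTable:
    """Zero Trust routing table keyed by virtual network, then by prefix."""

    def __init__(self):
        self._by_vnet = {}

    def add(self, prefix, tunnel, vnet="default"):
        # strict=True rejects prefixes with host bits set (e.g. 10.0.1.5/24).
        net = ipaddress.ip_network(prefix, strict=True)
        for purpose, reserved in RESERVED_RANGES.items():
            if net.overlaps(reserved):
                raise ValueError(f"{net} overlaps reserved range {reserved} ({purpose})")
        table = self._by_vnet.setdefault(vnet, {})
        if net in table:
            raise ValueError(
                f"{net} is already routed to {table[net].tunnel} in virtual network "
                f"'{vnet}'; use a separate virtual network to send it elsewhere")
        table[net] = Route(net, tunnel, vnet)
        return table[net]

    def lookup(self, dst, vnet="default"):
        """Return the most specific matching route, or None if nothing matches."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self._by_vnet.get(vnet, {}).values() if addr in r.prefix]
        return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def validate_routes(planned):
    """Dry-run a list of (prefix, tunnel, vnet) tuples; return (table, errors)."""
    table, errors = RouteTable(), []
    for prefix, tunnel, vnet in planned:
        try:
            table.add(prefix, tunnel, vnet)
        except ValueError as exc:
            errors.append(str(exc))
    return table, errors


if __name__ == "__main__":
    # Constructed plan: one collision inside 'default', one reserved-range overlap.
    table, errors = validate_routes([
        ("10.0.0.0/16", "tunnel-a", "default"),
        ("10.0.1.0/24", "tunnel-b", "default"),
        ("10.0.1.0/24", "tunnel-c", "site-2"),   # same prefix, different vnet: OK
        ("10.0.1.0/24", "tunnel-d", "default"),  # duplicate in same vnet: error
        ("100.96.10.0/24", "tunnel-e", "default"),  # inside Device IPs: error
    ])
    for err in errors:
        print("rejected:", err)
    print("10.0.1.50 ->", table.lookup("10.0.1.50").tunnel)
```

Run the plan through `validate_routes` before pushing it to the dashboard or API: the function reports the /24 that would collide in the same virtual network and the prefix that falls inside a reserved range, while `lookup` shows which tunnel a given destination would select under longest-prefix match.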
If your account also uses WAN connections (IPsec, GRE, and CNI), route selection behavior depends on your routing mode.
For more information, refer to Route evaluation with Zero Trust connections.
Longest-prefix-match routing is the default route selection method. Other mechanisms can bypass or augment route evaluation.
Automatic Return Routing (ARR) bypasses route lookup for return traffic.
When ARR is enabled:
- Cloudflare tags each flow with the source connection (tunnel or interconnect) when the flow is established.
- For return traffic, Cloudflare routes packets back to the tagged source connection directly, bypassing the routing table.
- This allows multiple sites to use identical private IP ranges without NAT or VRF configuration.
ARR requires Unified Routing mode. For more information, refer to Automatic Return Routing.
Hostname-based routing uses Gateway DNS to resolve hostnames to Initial resolved IPs, which then map to specific next hops.
When Hostname Routes are enabled:
- Gateway DNS resolves the hostname to an Initial resolved IP (from 100.80.0.0/16).
- The client sends traffic to the Initial resolved IP.
- Cloudflare looks up the Initial resolved IP to determine the real destination IP and the assigned next hop (specific tunnel or interconnect).
- Traffic is forwarded to the assigned next hop, bypassing route evaluation for next-hop selection.
This enables hostname-based policies for non-HTTP traffic without requiring you to know destination IPs in advance.
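The following added example models the two mechanisms described above that skip longest-prefix match for next-hop selection: Automatic Return Routing (flow tagging at establishment, reverse lookup on return) and Hostname Routes (Gateway DNS hands out an Initial resolved IP that maps to a real destination and a fixed next hop). It is illustrative code written for this page, not Cloudflare's implementation; the connection names, hostnames and addresses are made up, and the flow is identified by a simple 5-tuple.

```python
"""
Model of the two mechanisms that bypass longest-prefix-match next-hop
selection: Automatic Return Routing (flow tagging) and Hostname Routes
(Initial resolved IPs). Illustrative only, not Cloudflare's code; the
connection names, hostnames and addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass

INITIAL_RESOLVED_POOL = ipaddress.ip_network("100.80.0.0/16")


@dataclass(frozen=True)
class FiveTuple:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The 5-tuple a reply packet for this flow carries."""
        return FiveTuple(self.proto, self.dst, self.dport, self.src, self.sport)


class Forwarder:
    def __init__(self, routes, arr_enabled=True):
        # routes: list of (prefix, next_hop); only the fallback path uses them.
        self._routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.arr_enabled = arr_enabled
        self._flow_tags = {}        # FiveTuple -> ingress connection (ARR)
        self._hostname_routes = {}  # hostname -> (real_ip, next_hop)
        self._resolved = {}         # Initial resolved IP -> (real_ip, next_hop)
        self._pool = (str(h) for h in INITIAL_RESOLVED_POOL.hosts())

    def lpm(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(n, nh) for n, nh in self._routes if addr in n]
        return max(matches, key=lambda m: m[0].prefixlen, default=(None, None))[1]

    # Automatic Return Routing
    def ingress(self, flow, ingress_conn):
        """A packet for `flow` arrives from a customer site over `ingress_conn`."""
        if self.arr_enabled:
            # Tag the flow when it is established; later packets keep the tag.
            self._flow_tags.setdefault(flow, ingress_conn)
        return self.next_hop(flow)

    def next_hop(self, flow):
        """Return (next_hop, reason) for a packet, in evaluation order."""
        # 1. Return traffic for a tagged flow goes back to the tagged connection,
        #    without consulting the routing table at all.
        if self.arr_enabled and flow.reverse() in self._flow_tags:
            return self._flow_tags[flow.reverse()], "arr"
        # 2. Traffic to an Initial resolved IP follows the hostname route's
        #    pre-assigned next hop toward the real destination.
        if flow.dst in self._resolved:
            real_ip, nh = self._resolved[flow.dst]
            return nh, f"hostname-route -> {real_ip}"
        # 3. Everything else: ordinary longest-prefix match.
        return self.lpm(flow.dst), "lpm"

    # Hostname Routes
    def add_hostname_route(self, hostname, real_ip, next_hop):
        self._hostname_routes[hostname] = (real_ip, next_hop)

    def gateway_dns(self, hostname):
        """Resolve a hostname to an Initial resolved IP and remember the mapping."""
        if hostname not in self._hostname_routes:
            return None
        initial_ip = next(self._pool)
        self._resolved[initial_ip] = self._hostname_routes[hostname]
        return initial_ip


if __name__ == "__main__":
    fw = Forwarder([("10.1.2.0/24", "cloudflared-dc")])
    # Two sites that both use 10.0.0.0/24 reach the same data-center app.
    a = FiveTuple("tcp", "10.0.0.5", 40001, "10.1.2.3", 443)
    b = FiveTuple("tcp", "10.0.0.5", 40002, "10.1.2.3", 443)
    print("site A forward:", fw.ingress(a, "ipsec-site-a"))
    print("site B forward:", fw.ingress(b, "gre-site-b"))
    print("site A return :", fw.next_hop(a.reverse()))
    print("site B return :", fw.next_hop(b.reverse()))
    fw.add_hostname_route("db.internal.example", "172.16.5.10", "cni-colo")
    ip = fw.gateway_dns("db.internal.example")
    print("resolved", ip, "->", fw.next_hop(FiveTuple("tcp", "10.0.0.5", 40003, ip, 5432)))
```

The usage shows why ARR removes the need for NAT or per-site virtual networks: both sites present the same source 10.0.0.5, the forward packets are routed to the data-center tunnel by prefix, and each reply is steered back by its flow tag to the connection it arrived on. With `arr_enabled=False` the same reply falls through to longest-prefix match, where 10.0.0.5 has no usable route in this table. For the hostname route, the client only ever sees the 100.80.0.0/16 address; the real destination and next hop are looked up from that mapping.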
To verify that a cloudflared tunnel works correctly with your Cloudflare WAN connection:
- From a host behind your customer premises equipment, open a browser.
- Browse to an IP address or hostname that is reachable through a Cloudflare Tunnel private network route, such as the example destination 10.1.2.3.
- Confirm that the application loads as expected. If it does, Cloudflare Tunnel is handling the traffic as configured.