Using the Cloudflare WARP VPN Client for Split Tunneling with Zero Trust

Dec 18, 2025

What is Cloudflare WARP?

Cloudflare WARP is a VPN-like client that creates an encrypted tunnel between your device and Cloudflare’s global network. When used with Cloudflare Zero Trust, the goal isn’t to “switch countries” or provide “full anonymity,” but to secure connections and enforce policies (such as filtering, logging, and identity-based access) for the traffic you choose. In this article, we’ll use split tunneling so only specific destinations (e.g., IP ranges/internal resources) go through WARP/Zero Trust, while other traffic goes directly to the internet, making it more flexible and often more efficient for everyday use. 


The core idea: Split Tunnels in WARP (Include vs Exclude)

In Cloudflare Zero Trust, Split Tunnels can be configured to Include or Exclude based on IP/CIDR and domain/hostname.

1. Exclude mode (commonly the default)

All traffic is routed through WARP/Gateway except what you explicitly exclude. This is a good fit if:

  • You want “almost everything” protected (Gateway policies, logging, filtering).

  • You need to exclude specific apps/services due to compatibility issues.

  • You want WARP to run alongside another legacy/third-party VPN.

2. Include mode

Only traffic you explicitly include will go through WARP. This is a good fit if:

  • You only want corporate/private resources to use Zero Trust.

  • You don’t want all user browsing to enter the tunnel (lighter routing, fewer side effects).


Important: Split Tunnels affect IP traffic; DNS can be a different story

Cloudflare’s key point is:

  • Split Tunnels only affect IP traffic flow.

  • DNS requests may still be resolved by Gateway and still be subject to DNS policies, unless you configure Local Domain Fallback for specific domains.

So even if you “exclude” a domain from tunneling, its DNS queries may still go to Gateway depending on your mode and configuration. For private hostnames (like internal.company.local), you’ll often need Local Domain Fallback so DNS resolution is sent to your internal resolver.


Prerequisites (so setup goes smoothly)

  1. An active Cloudflare Zero Trust account.

  2. Users/devices are enrolled into your Zero Trust organization (so device posture and profiles can apply).

  3. You’ve clearly defined your split tunneling goal:

    • Include (only internal/corporate traffic via Zero Trust)

    • or Exclude (everything via WARP except what you exempt)


How to configure split tunneling in Cloudflare Zero Trust

Menu labels can shift as the UI evolves, but the concept is typically:
Device profiles → WARP settings → Split Tunnels

1. Create / choose a Device Profile

In the Zero Trust dashboard, create a profile for a group of devices (e.g., “Employees,” “Engineering,” “Contractors”). This profile controls WARP behavior on endpoints, including Split Tunnels.

2. Choose the appropriate WARP mode

Pick the WARP mode that matches what you want (commonly a mode that enables Gateway enforcement and tunneling).

Important note: There is a mode often described as Secure Web Gateway without DNS filtering (sometimes “tunnel-only”). This can disable DNS-based features, including domain-based split tunneling and Local Domain Fallback. If you need domain/hostname split tunneling, avoid that mode.

3. Configure Split Tunnels

Go to Split Tunnels and choose your strategy:

Option A: Include (only corporate traffic goes through WARP)

  • Set mode: Include IPs and domains

  • Add:

    • Your internal CIDRs (e.g., 10.0.0.0/8, 192.168.0.0/16, or whatever your org uses)

    • Domains that should be routed via WARP (e.g., youtube.com)

  • Result: general internet browsing stays “direct,” and only internal traffic goes through Zero Trust.

Option B: Exclude (everything goes through WARP except exceptions)

  • Set mode: Exclude IPs and domains

  • Typical exclusions:

    • Local LAN (printers/NAS) or home subnets when needed

    • Apps/endpoints that break when routed through the tunnel

    • If using another VPN: exclude the VPN IP ranges and the VPN gateway domains/endpoints

Cloudflare also provides a client option to temporarily “exclude local network” (helpful for private IP conflicts). This usually requires Split Tunnels to be set to Exclude.

4. (Optional but often required) Configure Local Domain Fallback for internal DNS

If you have internal domains (like corp.local, internal.company, or split-horizon DNS):

  • Add those domains to Local Domain Fallback

  • Point them to the correct internal DNS resolver IPs

This is often the missing piece, because split tunneling alone doesn’t always fix DNS resolution behavior.
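To make the Include/Exclude and DNS behaviour described in steps 3 and 4 concrete, here is a small added model (example code, not Cloudflare's client or API) that answers two questions for a planned profile: would a given flow go through WARP, and who resolves its DNS. It is a simplification (Cloudflare routes domain entries by dynamically adding the resolved IPs; here a hostname match stands in for that), and the CIDRs, domains, resolver IP and sample addresses are constructed values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SplitTunnelProfile:
    """Simplified model of one WARP device profile's Split Tunnels settings (assumed, not Cloudflare code)."""
    mode: str                                    # "include" or "exclude"
    cidrs: list = field(default_factory=list)    # IP/CIDR entries in the Split Tunnels list
    domains: list = field(default_factory=list)  # domain/hostname entries in the Split Tunnels list
    fallback_domains: dict = field(default_factory=dict)  # Local Domain Fallback: suffix -> resolver IPs
    dns_filtering: bool = True                   # False models "SWG without DNS filtering" (tunnel-only)

    @staticmethod
    def _suffix_match(host, suffix):
        host, suffix = host.lower().rstrip("."), suffix.lower().rstrip(".")
        return host == suffix or host.endswith("." + suffix)

    def _in_lists(self, ip, host):
        addr = ipaddress.ip_address(ip)
        if any(addr in ipaddress.ip_network(c, strict=False) for c in self.cidrs):
            return True
        # Domain entries only work when DNS features are on; tunnel-only mode ignores them.
        if host is None or not self.dns_filtering:
            return False
        return any(self._suffix_match(host, d) for d in self.domains)

    def is_tunneled(self, ip, host=None):
        """True if the flow to ip (resolved from host, if given) goes through WARP/Gateway."""
        matched = self._in_lists(ip, host)
        return matched if self.mode == "include" else not matched

    def dns_resolver(self, host):
        """Who answers the DNS query: internal resolvers from Local Domain Fallback, else Gateway."""
        for suffix, resolvers in self.fallback_domains.items():
            if self._suffix_match(host, suffix):
                return resolvers
        return "gateway"

def domains_without_fallback(profile):
    """Split-tunnel domain entries whose DNS would still go to Gateway: the usual 'missing piece'."""
    return [d for d in profile.domains if profile.dns_resolver(d) == "gateway"]

if __name__ == "__main__":
    # Constructed sample profile: Include mode, one internal CIDR, two internal domains, one fallback.
    p = SplitTunnelProfile("include", ["10.0.0.0/8"], ["internal.company.local", "corp.local"],
                           {"internal.company.local": ["10.0.0.53"]})
    print(p.is_tunneled("10.1.2.3"), p.is_tunneled("142.250.80.46", "www.youtube.com"))
    print(domains_without_fallback(p))  # corp.local still resolves via Gateway
```

Run it against your own planned lists before touching the dashboard; the last line flags internal domains that step 4 has not yet covered.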


Common split tunneling designs

Scenario 1: “Only internal apps through WARP” (great for many small teams)

  • Include mode

  • Include internal CIDRs + internal domains

  • Benefits: lightweight, fewer surprises, strong Zero Trust for what matters.

Scenario 2: “Everything through WARP, except what causes issues” (maximum control)

  • Exclude mode

  • Exclude local LAN, special services, and anything that conflicts

  • Great when you want broad enforcement via Gateway.

Scenario 3: “WARP + legacy VPN together” (gradual migration)

Cloudflare supports running WARP alongside a traditional VPN during migration. The usual approach is Exclude mode, excluding VPN ranges and endpoints, plus DNS fallback where needed.

Best practices: stable, secure, easy to maintain

  • Start with Include mode if your primary goal is internal access (lowest risk and fewest side effects).

  • Use Exclude mode when you want broad control and you’re ready to manage exceptions.

  • Document your IP/CIDR/domain entries; switching modes or reworking profiles can cause confusion later.

  • Pilot on 1–2 devices before rolling out organization-wide.
