Cloudflare WARP-to-WARP is an overlay network just like ZeroTier and Tailscale but instead of peer-to-peer, you connect to the nearest Cloudflare PoP using WireGuard.
Because Cloudflare WARP uses WireGuard, we can run Cloudflare WARP on MikroTik and port forward on our virtual network at Cloudflare.
Cloudflare Zero Trust settings
- Go to Settings, and Network.
- Enable Proxy.
- Check UDP and ICMP.
- Enable WARP to WARP.
- Go to Settings, and WARP Client.
- Click Default profile, and configure.
- Make sure split tunnels is set to Exclude IPs and domains.
- Click Manage on split tunnels.
- Remove IP range
Generate Cloudflare Zero Trust WireGuard configuration
- Download wgcf-teams.
- Open wgcf-teams.
- On your browser, open
- Login to Cloudflare Zero Trust on your browser.
- After logging in to Cloudflare Zero Trust, get your JWT token using this guide.
- Paste the JWT token on the command prompt that is opened by wgcf-teams and press enter.
The program will output a WireGuard configuration like this:
Setup MikroTik Cloudflare WARP WireGuard
- Add new WireGuard interface.
/interface wireguard add mtu=1420 name=Cloudflare-WARP private-key="your_private_key"
- Add WireGuard peer to connect to Cloudflare WARP. For Zero Trust,
18.104.22.168should be the endpoint.1 Persistent keepalive is enabled so that the tunnel will not timeout when not in use.
/interface wireguard peers add allowed-address=0.0.0.0/0,::/0 endpoint-address=22.214.171.124 endpoint-port=2408 interface=Cloudflare-WARP persistent-keepalive=2m40s public-key="bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="
- Add Cloudflare WARP’s IPv4 address to the WireGuard interface.
/ip address add address=172.16.0.2 interface=Cloudflare-WARP
- Enable NAT44. The
to-addressshould be set to the IPv4 address of the WireGuard interface.
/ip firewall nat add action=src-nat chain=srcnat out-interface=Cloudflare-WARP to-addresses=172.16.0.2
- Add IPv4 route of Cloudflare WARP-to-WARP IPv4 range.
/ip route add dst-address=100.96.0.0/12 gateway=Cloudflare-WARP
IPv4 port forwarding example
dst-address should be set to the IPv4 address of the WireGuard interface.
To port forward TCP port
If you have native IPv6 already, you probably don’t need this.
It is recommended to just set static IPv6 address to every device that needs IPv6 port forwarding instead of relying on SLAAC so that IPv6 address for port forwarding does not change.
- Add Cloudflare WARP’s IPv6 address to the WireGuard interface.
/ipv6 address add address=2606:4700:110:8ced:11b5:d064:abc:ee89/128 interface=Cloudflare-WARP
- Add IPv6 ULA to your LAN interface. Make sure the prefix you chosen does not conflict with Cloudflare WARP-to-WARP IPv6 range.
/ipv6 address add address=fd00:1234:5678:9abc::/64 advertise=no interface=bridge
- Enable NAT66. Yes, I know NAT is bad, awful when we are talking about IPv6, but since Cloudflare WARP only provides a single IPv6 address, it’s necessary to use NAT in IPv6. The
to-addressshould be set to the IPv6 address of the WireGuard interface.
/ipv6 firewall nat add action=src-nat chain=srcnat out-interface=Cloudflare-WARP to-address=2606:4700:110:8b7b:2edb:5201:dddd:19fd/128
- Add IPv6 route. If you have native IPv6 connectivity, use Cloudflare WARP-to-WARP IPv6 range
fd00::/8, if you don’t have native IPv6, use
/ipv6 route add dst-address=::/0 gateway=Cloudflare-WARP
- Allow IPv6 firewall to accept packets that are port forwarded. (Optional if you want to port forward on IPv6.)
/ipv6 firewall filter set [find action=drop chain=forward in-interface-list="!LAN"] comment="defconf: drop everything else not coming from LAN not DSTNATed" connection-nat-state=!dstnat
IPv6 port forwarding example
dst-address should be set to the IPv6 address of the WireGuard interface.
To port forward TCP port
Test port forwarding
Check your MikroTik router’s IP address on Cloudflare virtual network
- Go to My Team, and Devices.
- Select the device name besides the email that you used for your MikroTik router.
For this example, the IP address is
On your device outside of your LAN
- Download Cloudflare WARP on your device.
- Login to Cloudflare Zero Trust.
- Turn on Cloudflare Zero Trust.
- Try to ping and access the server that is port forwarded at
If you own a domain name, you can use a subdomain that is pointed at
fd10:ec7e:5e94::1 since the IP allocation on the Cloudflare virtual network is static.