📌 Cloudflare WARP (warp-cli) Split-Tunneling - Key Notes


🧠 Core facts (most important)

  • On this warp-cli version (as observed on this machine):

    • Split tunneling runs in exclude mode (the mode comes from the Zero Trust device profile; exclude is also the consumer default)
    • tunnel ip add takes no --exclude / exclude keyword: in exclude mode an added entry is excluded by definition, and the same command would add an include entry if the profile were in include mode
    • tunnel ip add accepts bare single IPs only; a /32 suffix or any other CIDR is rejected
  • Local network override is blocked by policy (Zero Trust / org-managed); the CLI cannot lift it

  • Split tunneling is enforced via:

    • Policy routing (ip rule plus a dedicated routing table), not just the main table
    • Firewall rules that the client manages
    • The WARP daemon, which re-applies its own state, so hand edits made with ip route do not stick

🎯 Routing behavior (final result)

Traffic type                                                          Route
Public internet                                                       ✅ via WARP
RFC1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)    ❌ bypass WARP (default exclude list; admins can change it)
localhost / 127.0.0.0/8                                               ❌ never goes through WARP
Manually excluded public IPs (e.g. 103.86.26.3)                       ❌ bypass WARP

✅ Commands that WORK (copy-paste safe)

Set WARP mode

warp-cli mode warp

Connect / reconnect

warp-cli connect
warp-cli disconnect

Add IP exclusions (exclude mode)

warp-cli tunnel ip add 103.86.26.3
warp-cli tunnel ip add 172.18.210.49

📌 In exclude mode these IPs bypass WARP. Note that 172.18.210.49 sits inside 172.16.0.0/12, which the default exclude list normally covers already, so that entry is harmless but usually redundant; the public IP 103.86.26.3 is the one that actually needs an entry.


View split-tunnel configuration (MOST IMPORTANT)

warp-cli tunnel dump

Look for:

  • Excluded: list
  • Your custom IPs present

Check connection state

warp-cli status
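The add-then-dump steps above as one checked procedure. This is an added example, not part of the original notes and not Cloudflare's tooling. It assumes exclude mode and a warp-cli build that takes only bare IPv4 addresses (as described above); the SAMPLE_DUMP text is a constructed stand-in whose layout is not the real warp-cli tunnel dump format, which is why the check only looks for the IP as a whole token and ignores surrounding text.

```shell
#!/bin/sh
# Added example (not from these notes or from Cloudflare): add IPv4 exclusions
# with `warp-cli tunnel ip add` and confirm each one appears in
# `warp-cli tunnel dump`.  Assumes exclude-mode split tunneling and a build
# that accepts bare IPs only (no /32, no CIDR), as observed above.

# normalize_ip ENTRY -> prints a bare dotted quad.  "a.b.c.d/32" is accepted
# and the /32 dropped (the build rejects it); any other prefix length or a
# malformed address is rejected with exit 1.
normalize_ip() {
    ip=${1%/32}
    case $ip in */*) return 1 ;; esac      # a real range such as 10.0.0.0/8
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$ip" | tr . ' '); do
        [ "$o" -le 255 ] || return 1       # each octet must fit in a byte
    done
    printf '%s\n' "$ip"
}

# is_rfc1918 IP -> exit 0 for 10/8, 172.16/12 and 192.168/16.  These are
# normally on the default exclude list already, so adding one is redundant.
is_rfc1918() {
    case $1 in
        10.*|192.168.*) return 0 ;;
        172.*)
            second=${1#172.}; second=${second%%.*}
            [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0 ;;
    esac
    return 1
}

# ip_in_dump IP DUMP_TEXT -> exit 0 if IP appears as a whole token (bare or
# as IP/32) anywhere in DUMP_TEXT; deliberately layout-agnostic.
ip_in_dump() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$2" | grep -Eq "(^|[^0-9.])${pat}(/32)?([^0-9.]|\$)"
}

# add_and_verify ENTRY... -> adds each entry, re-reads the dump, reports.
# Exit 1 if anything was skipped, failed to add, or is missing afterwards.
add_and_verify() {
    rc=0
    for entry in "$@"; do
        ip=$(normalize_ip "$entry") || { echo "skip: $entry is not a single IPv4" >&2; rc=1; continue; }
        is_rfc1918 "$ip" && echo "note: $ip is RFC1918, usually excluded by default" >&2
        warp-cli tunnel ip add "$ip" || { echo "add failed: $ip (policy-managed profile?)" >&2; rc=1; }
    done
    dump=$(warp-cli tunnel dump) || return 1
    for entry in "$@"; do
        ip=$(normalize_ip "$entry") || continue
        if ip_in_dump "$ip" "$dump"; then
            echo "ok: $ip is in the split-tunnel list"
        else
            echo "MISSING: $ip not in tunnel dump" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed dump excerpt for offline checking.  Only the IP tokens matter;
# the surrounding layout is NOT the real `warp-cli tunnel dump` format.
SAMPLE_DUMP='Excluded:
  10.0.0.0/8
  172.16.0.0/12
  192.168.0.0/16
  103.86.26.3/32
  172.18.210.49'

# Usage: sh add_exclusions.sh 103.86.26.3 172.18.210.49
if [ $# -gt 0 ] && command -v warp-cli >/dev/null 2>&1; then
    add_and_verify "$@"
fi
```

Run it with the IPs you want excluded; a non-zero exit after the second pass means the dump does not show what you asked for, which on an org-managed profile usually means the add was denied rather than silently ignored.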

โŒ Commands that do NOT work (by design)

warp-cli split-tunnel ...
warp-cli tunnel ip add exclude ...
warp-cli tunnel ip add <ip>/32
warp-cli override local-network enable
warp-cli override local-network allow   # blocked by policy

Reason:

  • New CLI syntax
  • Org / Zero Trust policy restrictions

🔍 Verification commands (kernel-level truth)

These notes use warp0 as the tunnel interface name; it varies by build (current Linux clients name it CloudflareWARP), so check ip link first and substitute whatever it shows.

See routing decision for a specific IP (this answers for an unmarked packet from a local process, i.e. what an application gets)

ip route get 103.86.26.3

Expected:

  • via the normal NIC (eth0 / wlan0)
  • ❌ not the WARP interface (warp0)

Test normal public IP

ip route get 1.1.1.1

Expected:

  • dev warp0 (or whatever the tunnel interface is called on this host)

View routing tables

ip route
ip rule show
ip route show table all

🧪 Traffic proof (optional)

sudo tcpdump -ni warp0 host 103.86.26.3

Should show no packets while you hit https://103.86.26.3 from another terminal (-n stops tcpdump from doing reverse-DNS lookups, which only add noise). As a positive control, run the same capture on the NIC (eth0 / wlan0), which should show the traffic.


🌐 URL vs routing (important concept)

Routing is decided per destination IP, and the only part of a URL that feeds into it is the host:

https://103.86.26.3/...

Everything after the host:

/prx/000/http/localhost/login/index.html

➡ Application layer, irrelevant to routing. The "localhost" in that path is just a string the proxy at 103.86.26.3 interprets; the kernel never sees it. If the host were a name instead of an IP, the name would be resolved first and the resolved address is what the exclusion has to match (domain-based entries are a separate mechanism, tunnel host add).
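The two ideas in the verification and URL sections above, combined into one check: take the host out of a URL, refuse anything that is not an IP literal, ask the kernel which interface it would use, and label the answer. This is an added example, not part of the original notes or of Cloudflare's client; it assumes the tunnel interface name used in these notes (warp0, overridable via WARP_IF), and the SAMPLE_DIRECT / SAMPLE_WARP strings are constructed ip route get outputs for offline testing, not captures from a real host.

```shell
#!/bin/sh
# Added example (not from these notes or from Cloudflare): for a URL, decide
# whether the kernel will send its traffic through the WARP tunnel or straight
# out the NIC.  Only the host part of the URL matters; the path (including a
# "localhost" segment) is application data and never reaches the router.

# Assumption: WARP's tun interface is named as in these notes.  Confirm with
# `ip -brief link`; current Linux builds name it CloudflareWARP.
WARP_IF=${WARP_IF:-warp0}

# url_host URL -> host part only: scheme, userinfo, port, path, query and
# fragment are stripped.  Handles IPv4 literals and hostnames; no IPv6.
url_host() {
    printf '%s\n' "$1" | sed -E \
        -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' \
        -e 's|^[^/@]*@||' \
        -e 's|[/?#].*$||' \
        -e 's|:[0-9]+$||'
}

# is_ip_literal HOST -> exit 0 if HOST is a dotted-quad IPv4 address
is_ip_literal() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# route_dev ROUTE_OUTPUT -> the interface named after "dev" on the first line
# of `ip route get` output, or nothing if absent.
route_dev() {
    printf '%s\n' "$1" | awk 'NR == 1 { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# classify DEV -> "warp" when DEV is the tunnel, "direct" otherwise
classify() {
    if [ "$1" = "$WARP_IF" ]; then echo warp; else echo direct; fi
}

# check_url URL -> "<ip> <dev> <warp|direct>" from the live routing table.
# Hostnames are refused on purpose: routing is decided per resolved IP, so
# resolve first (the answer can differ inside vs. outside the tunnel).
check_url() {
    host=$(url_host "$1")
    if ! is_ip_literal "$host"; then
        echo "$host: hostname, not an IP; resolve it and check the address" >&2
        return 2
    fi
    out=$(ip route get "$host" 2>/dev/null) || { echo "$host: no route" >&2; return 1; }
    dev=$(route_dev "$out")
    echo "$host $dev $(classify "$dev")"
}

# Constructed `ip route get` answers for the two outcomes the notes describe
# (an excluded IP via the NIC, a normal public IP via the tunnel).
SAMPLE_DIRECT='103.86.26.3 via 192.168.1.1 dev eth0 src 192.168.1.20 uid 1000
    cache'
SAMPLE_WARP='1.1.1.1 dev warp0 src 172.16.0.2 uid 1000
    cache'

# Usage: sh route_check.sh 'https://103.86.26.3/prx/000/http/localhost/login/index.html'
if [ $# -gt 0 ]; then
    check_url "$1"
fi
```

On a live host the script prints one line per URL, e.g. the IP, eth0 and direct for an excluded address; if you see the tunnel interface instead, the exclusion is not in effect and warp-cli tunnel dump is the next place to look.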


🧠 Why warp-cli tunnel dump looks long / duplicated

It includes:

  • RFC1918 private ranges
  • Multicast & link-local ranges
  • IPv6 equivalents
  • Cloudflare control-plane IPs
  • Your manual exclusions

Duplicates are normal and harmless.


🚦 Policy reality (no workaround)

If you see:

Error: Operation not authorized in this context

It means:

  • You are on Zero Trust / org-managed WARP (warp-cli settings shows the profile the daemon is applying)
  • Local-network override is admin-controlled through the device profile
  • The CLI cannot bypass policy; the only fix is an admin changing the profile, not a local flag