Skip to content

Proxy traffic through Gateway

With Cloudflare Gateway, you can log and filter DNS, network, and HTTP traffic from devices running the WARP client. This includes traffic to the public Internet and traffic directed to your private network. DNS filtering is enabled by default since the WARP client sends DNS queries to Cloudflare’s public DNS resolver, 1.1.1.1. To enable network and HTTP filtering, you will need to allow Cloudflare Gateway to proxy that traffic.

Enable the proxy

  1. Go to Settings > Network.
  2. Enable Proxy for TCP.
  3. (Recommended) To proxy traffic to internal DNS resolvers, select UDP.
  4. (Recommended) To proxy traffic for diagnostic tools such as ping and traceroute, select ICMP. You may also need to update your system to allow ICMP traffic through cloudflared:

Linux

  1. Ensure that ping_group_range includes the Group ID (GID) of the user running cloudflared.

    1. To get the Group ID of the user, run id -g.
    2. To verify the Group IDs that are allowed to use ICMP:
    Terminal window
    $ sudo sysctl net.ipv4.ping_group_range
    net.ipv4.ping_group_range= 0 10000
    1. Either add the user to a group within that range, or update the range to encompass a group the user is already in. To update ping_group_range:
    Terminal window
    $ echo 0 10001 | sudo tee /proc/sys/net/ipv4/ping_group_range
  2. If you are running multiple network interfaces (for example, eth0 and eth1), configure cloudflared to use the external Internet-facing interface:

    Terminal window
    $ cloudflared tunnel run --icmpv4-src <IP of primary interface>

Docker

In your environment, modify the ping_group_range parameter to include the Group ID (GID) of the user running cloudflared.

By default the cloudflared Docker container executes as a user called nonroot inside of the container. nonroot is a specific user that exists in the base image we use, and its Group ID is hardcoded to 65532.

Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your split tunnel settings. For more information on how Gateway forwards traffic, refer to Gateway proxy.

Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your split tunnel settings. For more information on how Gateway forwards traffic, refer to Gateway proxy.