Cloudflare WARP Global Acceleration Installation Guide
WARP Overview
Prerequisites
- Enrolled in a Cloudflare Zero Trust Enterprise Plan
- Created a Zero Trust organization with a team name
- Procured a PoC for Cloudflare Zero Trust WARP Global Acceleration for Mainland China
- Agreed to the terms and conditions from our Global Acceleration partner and received a WARP Global Acceleration IP
- Uninstalled other existing third-party VPN software (if possible) or any previous versions of WARP.
WARP Global Acceleration
Our Global Acceleration partner will provide the required override IP(s) to extend WARP into Mainland China. The following three endpoints will be overridden:
| Endpoint Parameters | WARP Client Function |
|---|---|
| override_api_endpoint | Overrides the IP address that communicates with the client orchestration API |
| override_doh_endpoint | Overrides the IP address to resolve DNS queries via DNS over HTTPS (DoH) |
| override_warp_endpoint | Overrides the IP address and UDP port that sends traffic to Cloudflare's edge |
Please ensure that your organization's firewall allows the IP(s) provided by our Global Acceleration partner.
Download and Install WARP
- Download the latest version of WARP for the device
- Follow the instructions to install Cloudflare certificates.
- Follow the instructions to enroll each device to the Zero Trust organization.
- For large scale deployments, please consider using a with the provided to push the configuration file to override endpoints for all managed devices.
Override with WARP Global Acceleration IPs
Wireguard vs MASQUE
Verify which WARP tunnel protocol is being used for the Zero Trust organization. This can be verified with the following command after enrolling the device:
warp-cli settings
a. If the following is shown under the WARP settings:
(local policy) WARP tunnel protocol: WireGuard
This means WireGuard is being used by the Zero Trust organization. In this case, please use port 2408 for the override_warp_endpoint (tunnel endpoint).
b. If the following is shown under the WARP settings:
(local policy) WARP tunnel protocol: MASQUE
This means MASQUE is being used by the Zero Trust organization. In this case, please use port 443 for the override_warp_endpoint (tunnel endpoint).
Mac Deployment
Create a .plist File
NOTE: Recommended for PoC testing. However, without being deployed by an MDM tool, the configuration will reset once the computer is rebooted.
Download an example com.cloudflare.warp.plist file: https://developers.cloudflare.com/cloudflare-one/static/mdm/com.cloudflare.warp.plist
Modify the file with your desired deployment arguments, including adding the following parameters:
override_api_endpoint, override_doh_endpoint, override_warp_endpoint
Example for WireGuard:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>organization</key>
<string>zt_team_name_here</string>
<key>warp_tunnel_protocol</key>
<string>wireguard</string>
<key>override_doh_endpoint</key>
<string>x.x.x.x</string>
<key>override_api_endpoint</key>
<string>x.x.x.x</string>
<key>override_warp_endpoint</key>
<string>x.x.x.x:2408</string>
</dict>
</plist>
Example for MASQUE:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>organization</key>
<string>zt_team_name_here</string>
<key>warp_tunnel_protocol</key>
<string>masque</string>
<key>override_doh_endpoint</key>
<string>x.x.x.x</string>
<key>override_api_endpoint</key>
<string>x.x.x.x</string>
<key>override_warp_endpoint</key>
<string>x.x.x.x:443</string>
</dict>
</plist>
- Optional: If you want to manually place the file in /Library/Managed Preferences (rather than use a management tool), convert the plist into binary format:
plutil -convert binary1 com.cloudflare.warp.plist
Create a .mobileconfig File
- Download an example .mobileconfig file.
- Modify the file with your desired deployment arguments, including adding the following parameters:
override_api_endpoint, override_doh_endpoint, override_warp_endpoint
Example for WireGuard:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>WARP Configuration</string>
<key>PayloadIdentifier</key>
<string>com.cloudflare.warp.CB8B22D4-50E1-48E8-8874-A7594627013A</string>
<key>PayloadType</key>
<string>com.cloudflare.warp</string>
<key>PayloadUUID</key>
<string>CB8B22D4-50E1-48E8-8874-A7594627013A</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>configs</key>
<array>
<dict>
<key>organization</key>
<string>zt_team_name_here</string>
<key>warp_tunnel_protocol</key>
<string>wireguard</string>
<key>override_api_endpoint</key>
<string>x.x.x.x</string>
<key>override_doh_endpoint</key>
<string>x.x.x.x</string>
<key>override_warp_endpoint</key>
<string>x.x.x.x:2408</string>
</dict>
</array>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Cloudflare WARP</string>
<key>PayloadIdentifier</key>
<string>cloudflare_warp</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>2B7763B8-64F6-41EB-AA5E-7761651B8131</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Example for MASQUE:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>WARP Configuration</string>
<key>PayloadIdentifier</key>
<string>com.cloudflare.warp.CB8B22D4-50E1-48E8-8874-A7594627013A</string>
<key>PayloadType</key>
<string>com.cloudflare.warp</string>
<key>PayloadUUID</key>
<string>CB8B22D4-50E1-48E8-8874-A7594627013A</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>configs</key>
<array>
<dict>
<key>organization</key>
<string>zt_team_name_here</string>
<key>warp_tunnel_protocol</key>
<string>masque</string>
<key>override_api_endpoint</key>
<string>x.x.x.x</string>
<key>override_doh_endpoint</key>
<string>x.x.x.x</string>
<key>override_warp_endpoint</key>
<string>x.x.x.x:443</string>
</dict>
</array>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Cloudflare WARP</string>
<key>PayloadIdentifier</key>
<string>cloudflare_warp</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>2B7763B8-64F6-41EB-AA5E-7761651B8131</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
- Run uuidgen from your macOS Terminal. This will generate a value for PayloadUUID, which you can use to replace the default value used for PayloadUUID.
- Open the newly created .mobileconfig file with "Profile Installer"
- Navigate to “Profiles” under your macOS settings
- Double-click “Cloudflare WARP” and click “Install…”
MacOS Terminal
NOTE: Recommended for PoC testing. Please note this method requires admin/root privilege. Additionally, the configuration will reset once the computer is rebooted.
Open the macOS terminal.
Run the following commands with root privileges.
a. x.x.x.x is the provided WARP Global Acceleration IP(s).
sudo su # change to admin privileges
warp-cli dns endpoint set x.x.x.x
warp-cli api endpoint set x.x.x.x
warp-cli tunnel endpoint set x.x.x.x:port # port 2408 for WireGuard, port 443 for MASQUE
Windows Deployment
Modify (or Create) mdm.xml File
Navigate to C:\ProgramData\Cloudflare\mdm.xml. If an mdm.xml file is not present, please create an “mdm.xml” file and save it.
Example for Wireguard:
<dict>
<key>organization</key>
<string>zt_team_name_here</string>
<key>warp_tunnel_protocol</key>
<string>wireguard</string>
<key>override_doh_endpoint</key>
<string>x.x.x.x</string>
<key>override_api_endpoint</key>
<string>x.x.x.x</string>
<key>override_warp_endpoint</key>
<string>x.x.x.x:2408</string>
</dict>
Example for MASQUE:
<dict>
<key>organization</key>
<string>zt_team_name_here</string>
<key>warp_tunnel_protocol</key>
<string>masque</string>
<key>override_doh_endpoint</key>
<string>x.x.x.x</string>
<key>override_api_endpoint</key>
<string>x.x.x.x</string>
<key>override_warp_endpoint</key>
<string>x.x.x.x:443</string>
</dict>
Verifying WARP Connectivity
- Use “warp-cli settings” to verify the WARP tunnel protocol and that the endpoints have been overridden.
- Select the WARP icon and, under "Preferences", verify that the “Colocation center” is HKG.

Switching between Profiles (China and Global) in WARP
1. Mac Deployment
- Download an example com.cloudflare.warp.plist file: https://developers.cloudflare.com/cloudflare-one/static/mdm/com.cloudflare.warp.plist
- Modify the file with your desired deployment arguments
- (Optional) If you want to manually place the file in /Library/Managed Preferences (rather than use a management tool), convert the plist into binary format:
plutil -convert binary1 com.cloudflare.warp.plist
- Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>configs</key>
<array>
<dict>
<key>organization</key>
<string>**[Your_ZT_Team_Name_here]**</string>
<key>override_api_endpoint</key>
<string>**[China Network Global Acceleration IP here]**</string>
<key>override_doh_endpoint</key>
<string>**[China Network Global Acceleration IP here]**</string>
<key>override_warp_endpoint</key>
<string>**[China Network Global Acceleration IP here]:port**</string> <!-- port 2408 for WireGuard, port 443 for MASQUE -->
<key>display_name</key>
<string>China network</string>
</dict>
<dict>
<key>organization</key>
<string>**[Your_ZT_Team_Name_here]**</string>
<key>display_name</key>
<string>Outside China</string>
</dict>
</array>
</dict>
</plist>
- The plist could be pushed by an MDM tool in order to persist after reboot. Manually placed files will be automatically deleted by the OS.
- References: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/
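An added example (not part of Cloudflare's guide): a Python check that every profile in a com.cloudflare.warp plist, flat or using the configs array, carries all three override keys and that the override_warp_endpoint port matches the tunnel protocol (2408 for WireGuard, 443 for MASQUE). The function names and the 192.0.2.10 address are constructed for illustration.

```python
import ipaddress
import plistlib

# Tunnel port per protocol, as stated in this guide.
EXPECTED_PORT = {"wireguard": 2408, "masque": 443}
IP_KEYS = ("override_api_endpoint", "override_doh_endpoint")
ALL_KEYS = IP_KEYS + ("override_warp_endpoint",)

def _is_ip(value):
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False

def check_profile(profile):
    """Return a list of problems for one WARP profile dict."""
    if not any(k in profile for k in ALL_KEYS):
        return []  # no overrides at all, e.g. the "Outside China" profile
    problems = [f"missing {k}" for k in ALL_KEYS if k not in profile]
    problems += [f"{k} is not an IP address" for k in IP_KEYS
                 if k in profile and not _is_ip(profile[k])]
    if "override_warp_endpoint" in profile:
        host, _, port = profile["override_warp_endpoint"].rpartition(":")
        proto = str(profile.get("warp_tunnel_protocol", "")).lower()
        # Without an explicit protocol key, either documented port is accepted.
        allowed = [EXPECTED_PORT[proto]] if proto in EXPECTED_PORT else [443, 2408]
        if not _is_ip(host):
            problems.append("override_warp_endpoint host is not an IP address")
        if not port.isdecimal() or int(port) not in allowed:
            problems.append(f"override_warp_endpoint port {port!r} not in {allowed}")
    return problems

def check_plist(data):
    """Check each profile in a com.cloudflare.warp plist (flat or `configs` array)."""
    root = plistlib.loads(data)
    profiles = root.get("configs", [root])
    return {p.get("display_name", f"profile {i}"): check_profile(p)
            for i, p in enumerate(profiles)}

# Constructed sample: MASQUE profile that still carries the WireGuard port.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>configs</key><array>
<dict><key>display_name</key><string>China network</string>
 <key>warp_tunnel_protocol</key><string>masque</string>
 <key>override_api_endpoint</key><string>192.0.2.10</string>
 <key>override_doh_endpoint</key><string>192.0.2.10</string>
 <key>override_warp_endpoint</key><string>192.0.2.10:2408</string></dict>
<dict><key>display_name</key><string>Outside China</string></dict>
</array></dict></plist>"""
print(check_plist(SAMPLE))
```

A file that still contains the x.x.x.x placeholders is reported as having non-IP endpoints, which catches a template pushed without the partner-provided addresses filled in.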
2. Windows Deployment
The on-disk configuration of the Windows client can be changed at any time by modifying or replacing the contents of C:\ProgramData\Cloudflare\mdm.xml. The format of this file is as follows:
<dict>
<key>configs</key>
<array>
<dict>
<key>organization</key>
<string>mycompany</string>
<key>display_name</key>
<string>Production environment</string>
</dict>
<dict>
<key>organization</key>
<string>**[Your_ZT_Team_Name_here]**</string>
<key>override_api_endpoint</key>
<string>**[China Network Global Acceleration IP here]**</string>
<key>override_doh_endpoint</key>
<string>**[China Network Global Acceleration IP here]**</string>
<key>override_warp_endpoint</key>
<string>**[China Network Global Acceleration IP here]:port**</string> <!-- port 2408 for WireGuard, port 443 for MASQUE -->
<key>display_name</key>
<string>Cloudflare China network</string>
</dict>
<dict>
<key>organization</key>
<string>**[Your_ZT_Team_Name_here]**</string>
<key>display_name</key>
<string>Global</string>
</dict>
</array>
</dict>
You can create an XML file and keep it at C:\ProgramData\Cloudflare\mdm.xml. Under Switch configurations, choose “China network” when you are in China and “Outside China” when you're outside China.
Switching between Organizations in WARP
- Open the WARP client on your device.
- Select the gear icon.
- Select Switch configurations. The menu will show the organizations that the admin has configured for your device.
- Select the organization that you want to connect to.
- If prompted, complete the authentication steps required for the new organization. Your authentication information will be saved and you will be able to switch back and forth between organizations.

WARP Troubleshooting
Verifying UDP ports are open
For port 2408 (Wireguard):
dig +short www.2408check.com -p 2408 @139.224.71.48 -u
For port 443 (MASQUE):
dig +short www.2408check.com -p 443 @139.224.71.48 -u
If an IP is returned, this means that the port is not blocked. If an IP is not returned, this means the port may be blocked by an ISP or firewall.