Cloudflare Tunnel
Magic WAN can work together with Cloudflare Tunnel to provide easy access between your networks and applications.
By default, TCP, UDP, and ICMP traffic routed through Magic WAN tunnels and destined to routes behind Cloudflare Tunnel is proxied and filtered through Cloudflare Gateway.
Private network routes are evaluated together across the Cloudflare Tunnel and Magic Networking routing tables. If traffic matches either a Cloudflare Tunnel route (in any virtual network) or a Magic Networking route, the matched route determines the next hop.
When a destination IP matches both a Cloudflare Tunnel private network route and a Magic Networking route, Cloudflare Tunnel takes precedence. This happens whenever a cloudflared tunnel CIDR matches a packet, regardless of prefix length. For example, a cloudflared tunnel with prefix 10.1.2.0/24 takes precedence over a static route configured to 10.1.2.4/32, and Cloudflare sends packets over the tunnel instead of a GRE tunnel.
For complex deployments where you need overlapping routes in both Cloudflare Tunnel and Magic Networking, consult your Solutions Engineering team for guidance.
For more information about private network routes with cloudflared, refer to Connect with cloudflared.
To verify that a cloudflared tunnel works correctly with your Magic WAN connection:
- From a host behind your customer premises equipment, open a browser.
- Browse to an IP address or hostname that is reachable through a Cloudflare Tunnel private network route, such as the example destination
10.1.2.3. - Confirm that the application loads as expected.
If the application loads correctly, Cloudflare Tunnel is handling the traffic as configured.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark