Skip to content
Cloudflare Docs

Replace your VPN

Give users secure, auditable network and application access.

Start path

  1. Concepts

    Concepts explain the basic ideas behind how Cloudflare Zero Trust works.

    Start module

    Contains 3 units
    1. What is Cloudflare?
    2. What is a VPN?
    3. Why should you replace your VPN?

  2. Get started with Zero Trust

    In this learning path, you will learn how to replace your existing VPN provider with Cloudflare’s ZTNA solution. Your users will run the WARP endpoint client on their devices, and you will run either Cloudflare Tunnel or Cloudflare WARP Connector in your network or on your application servers. After deploying Zero Trust, users will be able to connect to private resources (not exposed to the Internet) via TCP/UDP/ICMP, and administrators will be able to control access to these resources based on user identity, device posture, and other factors.

    Start module

    Contains 4 units
    1. Prerequisites
    2. Create a Cloudflare account
    3. Create a Zero Trust organization
    4. Configure an identity provider

  3. Connect your private network

    This module covers how to connect your private network services and applications to Cloudflare. In many ways, this connection will replace the concept of a traditional VPN concentrator or headend device.

    Start module

    Contains 5 units
    1. Choose a connection method
    2. Connect with cloudflared
    3. Manage overlapping IPs
    4. Tunnel capacity for cloudflared
    5. Connect with WARP Connector (optional)

  4. Configure the device agent

    The Cloudflare WARP client (known as the Cloudflare One Agent in mobile app stores) encrypts designated traffic from a user’s device to Cloudflare’s global network. In this learning path, we will first define all of your parameters and deployment rules, and then we will install and connect the client. If you prefer to start the client download now, refer to Download WARP.

    Start module

    Contains 6 units
    1. Define device enrollment permissions
    2. Customize device profiles
    3. Proxy traffic through Gateway
    4. Enable TLS decryption (optional)
    5. Define Split Tunnel settings
    6. Resolve private DNS

  5. Connect user devices

    Now that your device enrollment policies and WARP profiles are configured, you can begin deploying the WARP client to user devices for testing.

    Start module

    Contains 3 units
    1. Download and install WARP
    2. MDM deployment
    3. Verify device connectivity

  6. Build secure access policies

    With Cloudflare Zero Trust, you can apply granular security policies to all traffic proxied from the user device to your private network. Policies can key off of domain name, user identity, device posture, SNI, IP address, port, protocol, and other attributes. Building simple, well-structured policies is an important factor in having a secure organization with a manageable workflow.

    Start module

    Contains 6 units
    1. Policy design
    2. Create a list of IPs or domains
    3. Secure your first application
    4. Session timeouts
    5. Gateway block page
    6. Shadow IT discovery

  7. Troubleshooting

    Start module

    Contains 1 units
    1. Troubleshoot private networks
Cloudflare DashboardDiscordCommunityLearning CenterSupport Portal