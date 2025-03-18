This page contains the stable WARP client releases currently supported by Cloudflare. We recommend using stable releases for production environments. You can download stable releases from the links below after checking requirements.

Cloudflare also offers an unstable beta release track with the latest features and improvements. To preview new features before they are available in a stable release, refer to the beta release page.

Windows

Download latest stable release

OS version Windows 10, Windows 11 Processor AMD64 / x86-64 .NET Framework version 4.7.2 or later HD space 184 MB Memory 3 MB Network interface type WIFI or LAN Minimum MTU 1360 bytes 1

WireGuard requires 1360 bytes for IPv6 and 1340 bytes for IPv4. MASQUE requires 1350 bytes for IPv6 and 1330 bytes for IPv4. ↩

Latest release Version: Windows 2025.1.861.0 Date: 2025-02-19 Size: 128 MB Download Release notes This release contains only improvements. Changes and improvements Improved command line interface for Access for Infrastructure with added function for filtering and ordering.

Fixed client connectivity issues when switching between managed network profiles that use different WARP protocols.

Added support for WARP desktop to use additional DoH endpoints to help reduce NAT congestion.

Improved connectivity check reliability in certain split tunnel configurations.

Improved reading of device DNS settings at connection restart.

Improved WARP connectivity in environments with virtual machine interfaces.

Improved Wireguard connection stability on reconnections.

Improved reliability of device posture checks for OS Version, Unique Client ID, Domain Joined, Disk Encryption, and Firewall attributes.

Added additional HTTP/3 QUIC connectivity test to warp-diag.

Added support for collection of system health metrics for enhanced device Digital Experience Monitoring.

Automated the removal of active registrations for devices with multiple registrations with the same Zero Trust organization. Known issues DNS resolution may be broken when the following conditions are all true: WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. A custom DNS server address is configured on the primary network adapter. The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on.



Previous version history (9) Windows 2024.12.760.0 Version: Windows 2024.12.760.0 Date: 2025-01-09 Size: 126 MB Download Release notes This release contains only a hotfix from the 2024.12.554.0 release. Changes and improvements: Fixed an issue that could prevent clients with certain split tunnel configurations from connecting. Known issues: DNS resolution may be broken when the following conditions are all true: WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. A custom DNS server address is configured on the primary network adapter. The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on.

Windows 2024.12.554.0 Version: Windows 2024.12.554.0 Date: 2024-12-19 Size: 126 MB Download Release notes This release contains improvements to support custom Gateway certificate installation in addition to the changes and improvements included in version 2024.12.492.0. Changes and improvements: Adds support for installing all available custom Gateway certificates from an account to the system store.

Users can now get a list of installed certificates by running warp-cli certs . Known issues: DNS resolution may be broken when the following conditions are all true: WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. A custom DNS server address is configured on the primary network adapter. The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on.

Windows 2024.12.492.0 Version: Windows 2024.12.492.0 Date: 2024-12-18 Size: 126 MB Download Release notes This release contains minor fixes and improvements. Changes and improvements: Consumers can now set the tunnel protocol using warp-cli tunnel protocol set <protocol> .

. Extended diagnostics collection time in warp-diag to ensure logs are captured reliably.

to ensure logs are captured reliably. Improved captive portal support by disabling the firewall during captive portal login flows.

Improved captive portal detection on certain public networks.

Improved reconnection speed when a Cloudflare server is in a degraded state.

Fixed an issue where WARP may fail to remove certificates from the user store in Device Information Only mode.

Ensured at most one Powershell instance is opened when fetching the device serial number for posture checks.

Fixed an issue to prevent the daemon from following Windows junctions created by non-admin users that could be used to delete files as SYSTEM user and potentially gain SYSTEM user privileges.

Improved reliability of connection establishment logic under degraded network conditions.

Fixed an issue that caused high memory usage when viewing connection statistics for extended periods of time.

Improved WARP connectivity in environments with virtual interfaces from VirtualBox, VMware, and similar tools.

Reduced connectivity interruptions on WireGuard Split Tunnel Include mode configurations.

Fixed connectivity issues switching between managed network profiles with different configured protocols.

QLogs are now disabled by default and can be enabled with warp-cli debug qlog enable . The QLog setting from previous releases will no longer be respected. Known issues: DNS resolution may be broken when the following conditions are all true: WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. A custom DNS server address is configured on the primary network adapter. The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on.

Windows 2024.11.309.0 Version: Windows 2024.11.309.0 Date: 2024-11-18 Size: 123 MB Download Release notes This release contains minor fixes and improvements. Changes and improvements: Fixed an issue where SSH sessions and other application connections over TCP or UDP could drop when a device that is using MASQUE changes its primary network interface.

Fixed an issue to ensure the Cloudflare root certificate (or custom certificate) is installed in the trust store if not already there.

Fixed an issue with the WARP client becoming unresponsive during startup.

Extended diagnostics collection time in warp-diag to ensure logs are captured reliably.

to ensure logs are captured reliably. Fixed an issue that was preventing proper operation of DNS-over-TLS (DoT) for consumer users. Known issues: DNS resolution may be broken when the following conditions are all true: WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. A custom DNS server address is configured on the primary network adapter. The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on.

Windows 2024.9.346.0 Version: Windows 2024.9.346.0 Date: 2024-10-03 Size: 122 MB Download Release notes This release contains minor fixes and improvements. Changes and improvements: Added target list to the warp-cli to enhance the user experience with the Access for Infrastructure SSH solution.

to the to enhance the user experience with the solution. Added pre-login configuration details to the warp-diag output.

configuration details to the output. Added a tunnel reset mtu subcommand to the warp-cli .

subcommand to the . Added a JSON output option to the warp-cli .

. Added the ability for warp-cli to use the team name provided in the MDM file for initial registration.

to use the team name provided in the MDM file for initial registration. Added the ability to execute a PCAP on multiple interfaces with warp-cli and warp-dex .

and . Improved warp-dex default interface selection for PCAPs and changed warp-dex CLI output to JSON.

default interface selection for PCAPs and changed CLI output to JSON. Fixed an issue where the client, when switching between WireGuard and MASQUE protocols, sometimes required a manual tunnel key reset.

Added MASQUE tunnel protocol support for the consumer version of WARP ( 1.1.1.1 w/ WARP ). Known issues: Using MASQUE as the tunnel protocol may be incompatible if your organization has Regional Services enabled. Windows 2024.8.458.0 Version: Windows 2024.8.458.0 Date: 2024-09-26 Size: 121 MB Download Release notes This release contains minor fixes and improvements. Notable updates Added the ability to customize PCAP options in the warp-cli.

Added a list of installed applications in warp-diag.

Added a summary of warp-dex traceroute results in its JSON output.

Improved the performance of firewall operations when enforcing split tunnel configuration.

Reduced the time it takes for a WARP client update to complete.

Fixed an issue where clients using service tokens failed to retry the initial connection when there is no network connectivity on startup.

Fixed issues where incorrect DNS server addresses were being applied following reboots and network changes. Any incorrect static entries set by previous WARP versions must be manually reverted.

Fixed a known issue which required users to re-register when an older single configuration MDM file was deployed after deploying the newer, multiple configuration format.

Deprecated warp-cli commands have been removed. If you have any workflows that use the deprecated commands, please update to the new commands where necessary. Known issues Using MASQUE as the tunnel protocol may be incompatible if your organization has Regional Services enabled.

DNS resolution may be broken when the following condition are all true: WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. A custom DNS server address is configured on the primary network adapter. The custom DNS server address on the primary network adapter is changed while WARP is connected.To work around this issue, please reconnect the WARP client by toggling off and back on.

Windows 2024.6.473.0 Version: Windows 2024.6.473.0 Date: 2024-07-30 Size: 120 MB Download Release notes This release only contains a hotfix from the 2024.6.415.0 release. Notable updates Fixed an issue which could cause alternate network detections to fail for hosts using TLS 1.2 which do not support TLS Extended Master Secret (EMS).

Improved the stability of device profile switching based on alternate network detection. Known issues If a user has an MDM file configured to support multiple profiles (for the switch configurations feature), and then changes to an MDM file configured for a single profile, the WARP client may not connect. The workaround is to use the warp-cli registration delete command to clear the registration, and then re-register the client.

command to clear the registration, and then re-register the client. There are certain known limitations preventing the use of the MASQUE tunnel protocol in certain scenarios. Do not use the MASQUE tunnel protocol if: A Magic WAN integration is on the account and is not yet migrated to the warp_unified_flow. Please check migration status with your account team. Your account has Regional Services enabled.

Windows 2024.6.415.0 Version: Windows 2024.6.415.0 Date: 2024-06-28 Size: 119 MB Download Release notes This release includes some exciting new features. It also includes additional fixes and minor improvements. New features Admins can now elect to have ZT WARP clients connect using the MASQUE protocol; this setting is in Device Profiles. Note: before MASQUE can be used, the global setting for Override local interface IP must be enabled. For more detail, see https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#device-tunnel-protocol . This feature will be rolled out to customers in stages over approximately the next month.

. This feature will be rolled out to customers in stages over approximately the next month. The ZT WARP client on Windows devices can now connect before the user completes their Windows login. This Windows pre-login capability allows for connecting to on-premise Active Directory and/or similar resources necessary to complete the Windows login.

The Device Posture client certificate check has been substantially enhanced. The primary enhancement is the ability to check for client certificates that have unique common names, made unique by the inclusion of the device serial number or host name (for example, CN = 123456.mycompany, where 123456 is the device serial number). Additional details can be found here: https://developers.cloudflare.com/cloudflare-one/identity/devices/warp-client-checks/client-certificate/ Additional changes and improvements Added a new message explaining why WARP was unable to connect, to help with troubleshooting.

The upgrade window now uses international date formats.

Made a change to ensure DEX tests are not running when the tunnel is not up due to the device going to or waking from sleep. This is specific to devices using the S3 power model.

Fixed a known issue where the certificate was not always properly left behind in %ProgramData%\Cloudflare\installed_cert.pem .

. Fixed an issue where ICMPv6 Neighbor Solicitation messages were being incorrectly sent on the WARP tunnel.

Fixed an issue where a silent upgrade was causing certain files to be deleted if the target upgrade version is the same as the current version. Warning This is the last GA release that will be supporting older, deprecated warp-cli commands. There are two methods to identify these commands. One, when used in this release, the command will work but will also return a deprecation warning. And two, the deprecated commands do not appear in the output of warp-cli -h . Known issues If a user has an MDM file configured to support multiple profiles (for the switch configurations feature), and then changes to an MDM file configured for a single profile, the WARP client may not connect. The workaround is to use the warp-cli registration delete command to clear the registration, and then re-register the client.

command to clear the registration, and then re-register the client. There are certain known limitations preventing the use of the MASQUE tunnel protocol in certain scenarios. Do not use the MASQUE tunnel protocol if: A Magic WAN integration is on the account and is not yet migrated to the warp_unified_flow. Please check migration status with your account team. Your account has Regional Services enabled.

Managed network detection will fail for TLS 1.2 endpoints with EMS (Extended Master Secret) disabled Windows 2024.3.409.0 Version: Windows 2024.3.409.0 Date: 2024-03-29 Size: 116 MB Download Release notes This release contains no new features and is focused exclusively on improvements. Notable updates Windows client downloads will now contain version numbers in the file name to allow easy identification.

Enabled re-authentication and other notifications to always be shown (without sound) regardless of Windows Focus Assist settings.

Suppressed the GUI certificate error message "Limited connectivity: A certificate missing; please contact your administrator" for a scenario where it was not needed.

Improved the re-connection logic to minimize impact to existing tunneled TCP sessions.

Corrected an issue where the DNS server information was being improperly persisted across network changes.

Increased the data collected by warp-diag to improve debugging capabilities. Known issues When Install CA to system certificate store is enabled, the certificate is not always properly left behind in %ProgramData%\Cloudflare\installed_cert.pem . This issue will be fixed in a future release.

macOS

Download latest stable release

OS version Big Sur 11.0+, Monterey 12.0+, Ventura 13.0+, Sonoma 14.0+, Sequoia 15.1+ (15.0.x is not supported) Processor Intel or M series HD space 75 MB Memory 35 MB Network interface type WIFI or LAN Minimum MTU 1360 bytes 1

WireGuard requires 1360 bytes for IPv6 and 1340 bytes for IPv4. MASQUE requires 1350 bytes for IPv6 and 1330 bytes for IPv4. ↩

Latest release Version: macOS 2025.1.861.0 Date: 2025-02-19 Size: 92.4 MB Download Release notes This release contains minor fixes and improvements. Note: If using macOS Sequoia, Cloudflare recommends the use of macOS 15.3 or later. With macOS 15.3, Apple addressed several issues that may have caused the WARP client to not behave as expected when used with macOS 15.0.x. Changes and improvements Improved command line interface for Access for Infrastructure with added function for filtering and ordering.

Fixed client connectivity issues when switching between managed network profiles that use different WARP protocols.

Improved OS version posture checks on macOS for greater reliability and availability.

Added support for WARP desktop to use additional DoH endpoints to help reduce NAT congestion.

Improved Wireguard connection stability on reconnections.

Added additional HTTP/3 QUIC connectivity test to warp-diag .

. Added support for collection of system health metrics for enhanced device Digital Experience Monitoring.

Automated the removal of active registrations for devices with multiple registrations with the same Zero Trust organization.

Fixes issues with deleted registration at start up. Known issues macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.3 or later.

Previous version history (9) macOS 2024.12.554.0 Version: macOS 2024.12.554.0 Date: 2024-12-19 Size: 86.1 MB Download Release notes This release contains improvements to support custom Gateway certificate installation in addition to the changes and improvements included in version 2024.12.492.0. Note: If using macOS Sequoia, Cloudflare recommends the use of macOS 15.2 or later. With macOS 15.2, Apple addressed several issues that may have caused the WARP client to not behave as expected when used with macOS 15.0 and 15.1. Changes and improvements: Adds support for installing all available custom Gateway certificates from an account to the system store.

Users can now get a list of installed certificates by running warp-cli certs . Known issues: macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.2 or later. macOS 2024.12.492.0 Version: macOS 2024.12.492.0 Date: 2024-12-19 Size: 84.7 MB Download Release notes This release contains minor fixes and improvements. Note: If using macOS Sequoia, Cloudflare recommends the use of macOS 15.2 or later. With macOS 15.2, Apple addressed several issues that may have caused the WARP client to not behave as expected when used with macOS 15.0 and 15.1. Changes and improvements: Consumers can now set the tunnel protocol using warp-cli tunnel protocol set <protocol> .

. Extended diagnostics collection time in warp-diag to ensure logs are captured reliably.

to ensure logs are captured reliably. Improved captive portal support by disabling the firewall during captive portal login flows.

Improved reliability of connection establishment logic under degraded network conditions.

Improved reconnection speed when a Cloudflare server is in a degraded state.

Improved captive portal detection on certain public networks.

Fixed an issue where admin override displayed an incorrect override end time.

Reduced connectivity interruptions on WireGuard Split Tunnel Include mode configurations.

Fixed connectivity issues switching between managed network profiles with different configured protocols.

QLogs are now disabled by default and can be enabled with warp-cli debug qlog enable . The QLog setting from previous releases will no longer be respected. Known issues: macOS Sequoia: Due to changes Apple introduced in macOS 15.0, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.2 or later. macOS 2024.11.309.0 Version: macOS 2024.11.309.0 Date: 2024-11-18 Size: 81 MB Download Release notes This release contains reliability improvements and general bug fixes. Changes and improvements: Fixed an issue where SSH sessions and other application connections over TCP or UDP could drop when a device that is using MASQUE changes its primary network interface.

Fixed an issue to ensure the Cloudflare root certificate (or custom certificate) is installed in the trust store if not already there.

Fixed an issue with the WARP client becoming unresponsive during startup.

Extended warp-diag to collect system profiler firewall state as part of diagnostics.

to collect system profiler firewall state as part of diagnostics. Fixed an issue with the WARP client becoming unresponsive while handling LAN inclusion.

Fixed an issue where users were unable to connect with an IPC error message displayed in the UI.

Fixed an issue that was preventing proper operation of DNS-over-TLS (DoT) for consumer users. Known issues: macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.1 or later. macOS 2024.9.346.0 Version: macOS 2024.9.346.0 Date: 2024-10-03 Size: 80 MB Download Release notes This release contains minor fixes and improvements. All customers running macOS Ventura 13.0 and above (including macOS Sequoia) are advised to upgrade to this release. This release fixes an incompatibility with the firewall that may sometimes result in the firewall becoming disabled. Changes and improvements: Added target list to the warp-cli to enhance the user experience with the Access for Infrastructure SSH solution.

to the to enhance the user experience with the solution. Added a tunnel reset mtu subcommand to the warp-cli .

subcommand to the . Added the ability for warp-cli to use the team name provided in the MDM file for initial registration.

to use the team name provided in the MDM file for initial registration. Added a JSON output option to the warp-cli .

. Added the ability to execute a PCAP on multiple interfaces with warp-cli and warp-dex .

and . Improved warp-dex default interface selection for PCAPs and changed warp-dex CLI output to JSON.

default interface selection for PCAPs and changed CLI output to JSON. Improved application posture check compatibility with symbolically linked files.

compatibility with symbolically linked files. Fixed an issue where the client, when switching between WireGuard and MASQUE protocols, sometimes required a manual tunnel key reset.

Added MASQUE tunnel protocol support for the consumer version of WARP ( 1.1.1.1 w/ WARP ). Known issues: Using MASQUE as the tunnel protocol may be incompatible if your organization has Regional Services enabled. macOS 2024.8.457.0 Version: macOS 2024.8.457.0 Date: 2024-09-26 Size: 77.8 MB Download Release notes This release contains minor fixes and improvements. Notable updates: Added the ability to customize PCAP options in warp-cli .

. Added a list of installed applications in warp-diag .

. Added a summary of warp-dex traceroute results in its JSON output.

traceroute results in its JSON output. Improved the performance of firewall operations when enforcing Split Tunnels configuration.

Fixed an issue where the DNS logs were not being cleared when the user switched configurations.

Fixed an issue where clients using service tokens failed to retry after a network change.

Fixed a known issue which required users to re-register when an older single configuration MDM file was deployed after deploying the newer, multiple configuration format.

Fixed an issue which prevented the use of private IP ranges that overlapped with end users' home networks.

Deprecated warp-cli commands have been removed. If you have any workflows that use the deprecated commands, update to the new commands where necessary. Known issues: Cloudflare is investigating temporary networking issues on macOS 15 (Sequoia) that seem to affect some users.

Using MASQUE as the tunnel protocol may be incompatible if your organization has Regional Services enabled. macOS 2024.6.474.0 Version: macOS 2024.6.474.0 Date: 2024-07-30 Size: 76.9 MB Download Release notes This release only contains a hotfix from the 2024.6.416.0 release. Notable updates Fixed an issue which could cause alternate network detections to fail for hosts using TLS 1.2 which do not support TLS Extended Master Secret (EMS).

Improved the stability of device profile switching based on alternate network detection. Known issues If a user has an MDM file configured to support multiple profiles (for the switch configurations feature), and then changes to an MDM file configured for a single profile, the WARP client may not connect. The workaround is to use the warp-cli registration delete command to clear the registration, and then re-register the client.

command to clear the registration, and then re-register the client. There are certain known limitations preventing the use of the MASQUE tunnel protocol in certain scenarios. Do not use the MASQUE tunnel protocol if: A Magic WAN integration is on the account and is not yet migrated to the warp_unified_flow. Please check migration status with your account team. Your account has Regional Services enabled.

macOS 2024.6.416.0 Version: macOS 2024.6.416.0 Date: 2024-06-28 Size: 76.9 MB Download Release notes This release includes some exciting new features. It also includes additional fixes and minor improvements. New features Admins can now elect to have ZT WARP clients connect using the MASQUE protocol; this setting is in Device Profiles. Note: before MASQUE can be used, the global setting for Override local interface IP must be enabled. For more detail, see https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#device-tunnel-protocol . This feature will be rolled out to customers in stages over approximately the next month.

. This feature will be rolled out to customers in stages over approximately the next month. The Device Posture client certificate check has been substantially enhanced. The primary enhancement is the ability to check for client certificates that have unique common names, made unique by the inclusion of the device serial number or host name (for example, CN = 123456.mycompany, where 123456 is the device serial number). Additional details can be found here: https://developers.cloudflare.com/cloudflare-one/identity/devices/warp-client-checks/client-certificate/ Additional changes and improvements Fixed a known issue where the certificate was not always properly left behind in /Library/Application Support/Cloudflare/installed_cert.pem .

. Fixed an issue where re-auth notifications were not cleared from the UI when the user switched configurations.

Fixed a macOS firewall rule that allowed all UDP traffic to go outside the tunnel. Relates to TunnelVision (CVE-2024-3661).

Fixed an issue that could cause the Cloudflare WARP menu bar application to disappear when switching configurations. Warning This is the last GA release that will be supporting older, deprecated warp-cli commands. There are two methods to identify these commands. One, when used in this release, the command will work but will also return a deprecation warning. And two, the deprecated commands do not appear in the output of warp-cli -h . Known issues If a user has an MDM file configured to support multiple profiles (for the switch configurations feature), and then changes to an MDM file configured for a single profile, the WARP client may not connect. The workaround is to use the warp-cli registration delete command to clear the registration, and then re-register the client.

command to clear the registration, and then re-register the client. There are certain known limitations preventing the use of the MASQUE tunnel protocol in certain scenarios. Do not use the MASQUE tunnel protocol if: A Magic WAN integration is on the account and is not yet migrated to the warp_unified_flow. Please check migration status with your account team. Your account has Regional Services enabled.

Managed network detection will fail for TLS 1.2 endpoints with EMS (Extended Master Secret) disabled macOS 2024.3.444.0 Version: macOS 2024.3.444.0 Date: 2024-05-08 Size: 73.6 MB Download Release notes This is a macOS only hot fix from the 2024.3.407.0 release. Notable updates Fixed an issue by correcting the WARP client setting of macOS firewall rules. This relates to TunnelVision (CVE-2024-3661). Known issues No known issues. macOS 2024.3.407.0 Version: macOS 2024.3.407.0 Date: 2024-03-29 Size: 73.6 MB Download Release notes This release contains no new features and is focused exclusively on improvements. Notable updates macOS client downloads will now contain version numbers in the file name to allow easy identification.

Improved the re-connection logic to minimize impact to existing tunneled TCP sessions.

Increased the data collected by warp-diag to improve debugging capabilities.

Improved compatibility with multicast DNS (mDNS) systems. Known issues No known issues.

Linux

Package repository

OS version CentOS 8, RHEL 8, Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, Debian 10, Debian 11, Debian 12 Processor AMD64 / x86-64 or ARM64 / AArch64 HD space 75 MB Memory 35 MB Network interface type WIFI or LAN Minimum MTU 1360 bytes 1

WireGuard requires 1360 bytes for IPv6 and 1340 bytes for IPv4. MASQUE requires 1350 bytes for IPv6 and 1330 bytes for IPv4. ↩

Latest release Version: Linux 2025.1.861.0 Date: 2025-02-19 Download Release notes This release includes fixes and minor improvements. Changes and improvements Improved command line interface for Access for Infrastructure with added function for filtering and ordering.

Fixed client connectivity issues when switching between managed network profiles that use different WARP protocols.

Added support for WARP desktop to use additional DoH endpoints to help reduce NAT congestion.

Improved Wireguard connection stability on reconnections.

Added additional HTTP/3 QUIC connectivity test to warp-diag .

. Added support for collection of system health metrics for enhanced device Digital Experience Monitoring.

Automated the removal of active registrations for devices with multiple registrations with the same Zero Trust organization.

Previous version history (4) Linux 2024.12.554.0 Version: Linux 2024.12.554.0 Date: 2024-12-19 Download Release notes This release includes fixes and minor improvements. Changes and improvements Consumers can now set the tunnel protocol using warp-cli tunnel protocol set <protocol> .

. Extended diagnostics collection time in warp-diag to ensure logs are captured reliably.

to ensure logs are captured reliably. Improved captive portal support by disabling the firewall during captive portal login flows.

Improved reliability of connection establishment logic under degraded network conditions.

Improved reconnection speed when a Cloudflare server is in a degraded state.

Improved captive portal detection on certain public networks.

Reduced connectivity interruptions on WireGuard Split Tunnel Include mode configurations.

Fixed connectivity issues switching between managed network profiles with different configured protocols.

QLogs are now disabled by default and can be enabled with warp-cli debug qlog enable . The QLog setting from previous releases will no longer be respected. Linux 2024.11.309.0 Version: Linux 2024.11.309.0 Date: 2024-11-18 Download Release notes This release contains reliability improvements and general bug fixes. Changes and improvements Fixed an issue where SSH sessions and other connections ould drop when a device that is using MASQUE changes its primary network interface.

Device posture client certificate checks now support PKCS#1.

Fixed an issue to ensure the Cloudflare root certificate (or custom certificate) is installed in the trust store if not already there.

Reduced unnecessary log messages when resolv.conf has no owner.

has no owner. Fixed an issue with warp-diag printing benign TLS certificate errors.

printing benign TLS certificate errors. Fixed an issue with the WARP client becoming unresponsive during startup.

Extended diagnostics collection time in warp-diag to ensure logs are captured reliably.

to ensure logs are captured reliably. Fixed an issue that was preventing proper operation of DNS-over-TLS (DoT) for consumer users. Linux 2024.9.346.0 Version: Linux 2024.9.346.0 Date: 2024-10-03 Download Release notes This release contains minor fixes and minor improvements. Notable updates Added target list to the warp-cli to enhance the user experience with the Access for Infrastructure SSH solution.

to the to enhance the user experience with the solution. Added the ability to customize PCAP options in the warp-cli .

. Added a list of installed applications in warp-diag .

. Added a tunnel reset mtu subcommand to the warp-cli .

subcommand to the . Added the ability for warp-cli to use the team name provided in the MDM file for initial registration.

to use the team name provided in the MDM file for initial registration. Added a JSON output option to the warp-cli .

. Added the ability to execute a PCAP on multiple interfaces with warp-cli .

. Added MASQUE tunnel protocol support for the consumer version of WARP ( 1.1.1.1 w/ WARP ).

). Improved the performance of firewall operations when enforcing split tunnel configuration.

Fixed an issue where device posture certificate checks were unexpectedly failing.

Fixed an issue where the Linux GUI fails to open the browser login window when registering a new Zero Trust organization.

Fixed an issue where clients using service tokens failed to retry after a network change.

Fixed an issue where the client, when switching between WireGuard and MASQUE protocols, sometimes required a manual tunnel key reset.

Fixed a known issue which required users to re-register when an older single configuration MDM file was deployed after deploying the newer, multiple configuration format.

Deprecated warp-cli commands have been removed. If you have any workflows that use the deprecated commands, update to the new commands where necessary. Known issues: Using MASQUE as the tunnel protocol may be incompatible if your organization has Regional Services is enabled. Linux 2024.6.497.0 Version: Linux 2024.6.497.0 Date: 2024-08-15 Download Release notes This release includes some exciting new features. It also includes additional fixes and minor improvements. New features The WARP client now supports operation on Ubuntu 24.04.

Admins can now elect to have ZT WARP clients connect using the MASQUE protocol; this setting is in Device Profiles. Note: before MASQUE can be used, the global setting for Override local interface IP must be enabled. For more detail, refer to Device tunnel protocol . This feature will be rolled out to customers in stages over approximately the next month.

. This feature will be rolled out to customers in stages over approximately the next month. The Device Posture client certificate check has been substantially enhanced. The primary enhancement is the ability to check for client certificates that have unique common names, made unique by the inclusion of the device serial number or host name (for example, CN = 123456.mycompany , where 123456 is the device serial number).

has been substantially enhanced. The primary enhancement is the ability to check for client certificates that have unique common names, made unique by the inclusion of the device serial number or host name (for example, CN = , where 123456 is the device serial number). TCP MSS clamping is now used where necessary to meet the MTU requirements of the tunnel interface. This will be especially helpful in Docker use cases. Warning Ubuntu 16.04 and 18.04 are not supported by this version of the client.

This is the last GA release that will be supporting older, deprecated warp-cli commands. There are two methods to identify these commands. One, when used in this release, the command will work but will also return a deprecation warning. And two, the deprecated commands do not appear in the output of warp-cli -h . Known issues There are certain known limitations preventing the use of the MASQUE tunnel protocol in certain scenarios. Do not use the MASQUE tunnel protocol if: A Magic WAN integration is on the account and does not have the latest packet flow path for WARP traffic. To check the migration status, contact your account team. Your account has Regional Services enabled.

The Linux client GUI does not yet support all GUI features found in the Windows and macOS clients. Future releases of the Linux client will be adding these GUI features.

The Zero Trust team name is not visible in the GUI if you upgraded from the previous GA release using an MDM tool.

Sometimes the WARP icon will remain gray (disconnected state) while in dark mode.

iOS

OS version iOS 11+

Download from the iOS App Store ↗ or search for "Cloudflare One Agent".

Android

OS version 5.0+

Download from the Google Play store ↗ or search for "Cloudflare One Agent".

ChromeOS

OS version Chromebooks manufactured after 2019

Chromebooks are supported by our Android app. All Chromebooks made after 2019 should fully support our Android app. If you have a Chromebook made before 2019, refer to this list ↗ to verify that your device is supported.