Fun(?) with IP ranges

So, I had this interesting idea with Cloudflare WARP+ with Zero Trust… I usually use WARP to secure my Internet when I’m off my trusted networks, but sometimes I also want to use WARP to connect to internal resources.

In general, split tunneling in WARP works in one of two modes, Exclude and Include; the names describe what they do pretty well.

In Exclude mode, where WARP routes everything except the listed networks, the exclude list is a complete list of IP ranges that are not generally routed over the Internet, such as the private IP ranges, DHCP stuff and the like. In Include mode, where WARP only routes the ranges in the list, the default include list basically just contains those same non-Internet IPs. All simple and clear.

But wait! I want both worlds.

At first, I experimented with using Exclude mode and then punching holes in the pre-defined list, but this made for a very long and unwieldy exclude list because I generally use about 20 to 25 private networks in total.

Then I had an idea. What if I use Include mode and just add the whole Internet as include entries? Not as in, but the actual Internet around the non-Internet ranges? Then, whenever I need to add routing to a specific private network, I can just add it to the list.

Ummm… dude, you okay?

At first, doing this may seem a bit of a daunting task, but it turned out simpler than I thought. I simply made a little text file and added all the entries from the default Exclude mode list to it and marked each one with a couple of asterisks at the start.

Next, I fired up my favourite CIDR calculator, calculated what needs to go in the gaps between the marked entries, and added those without the marker. The resulting list was about a third as long as punching all those holes in the default Exclude mode list would have been.
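As an added worked example (not from the original post), here is the same gap calculation done with Python's ipaddress module instead of a CIDR calculator, producing the marked and unmarked rows in the post's layout. The exclude list below is a constructed sample of the range categories the post names (RFC1918, RFC6598, link-local, multicast, reserved), not a copy of Cloudflare's defaults.

```python
from ipaddress import collapse_addresses, ip_network

# Constructed sample of the categories named in the post; substitute the
# real default Exclude list of the day before using the output.
EXCLUDE_DEFAULTS = {
    "10.0.0.0/8": "RFC1918 private network",
    "100.64.0.0/10": "RFC6598 carrier-grade NAT",
    "169.254.0.0/16": "link-local (DHCP unspecified)",
    "172.16.0.0/12": "RFC1918 private network",
    "192.168.0.0/16": "RFC1918 private network",
    "224.0.0.0/4": "IP multicast",
    "240.0.0.0/4": "reserved for future use",
}


def invert_exclude_list(exclude_cidrs, universe="0.0.0.0/0"):
    """Minimal set of CIDRs covering everything in `universe` that is NOT in
    `exclude_cidrs`: the gaps the post filled in by hand."""
    excluded = collapse_addresses(ip_network(c) for c in exclude_cidrs)
    remaining = [ip_network(universe)]
    for ex in excluded:
        survivors = []
        for net in remaining:
            if net.subnet_of(ex):
                continue  # entirely inside an excluded range: drop it
            if ex.subnet_of(net):
                survivors.extend(net.address_exclude(ex))  # split around ex
            else:
                survivors.append(net)  # CIDRs never partially overlap
        remaining = survivors
    return sorted(collapse_addresses(remaining))


def render_split_tunnel_table(exclude_notes):
    """Rows in the post's layout: '*** CIDR - range end - (note)' for the
    original Exclude entries, plain 'CIDR - range end' for the gap entries."""
    rows = [(ip_network(c), note) for c, note in exclude_notes.items()]
    rows += [(net, None) for net in invert_exclude_list(exclude_notes)]
    lines = []
    for net, note in sorted(rows, key=lambda r: r[0]):
        marker = "*** " if note else ""
        suffix = f" - ({note})" if note else ""
        lines.append(f"{marker}{net} - {net.broadcast_address}{suffix}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_split_tunnel_table(EXCLUDE_DEFAULTS)))
```

The unmarked rows are the ones that go into the Include mode split tunnels list; the marked rows are only there to show where the gaps came from.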

Just so you, my dear reader, don’t have to go through this process too, here’s the default (as at 18 October 2023) Cloudflare WARP Exclude mode list inverted into an Include mode list. The entries with asterisks at the start are the original Exclude mode entries and must not actually be used, three of these (,, and are where your private networks can go, the others are special and should generally not be messed with.

CIDR - Range end
*** - (RFC1918 private network)
*** - (RFC6598 carrier-grade NAT)
*** - (DHCP Unspecified)
*** - (RFC1918 private network)
*** - (RFC1918 private network)
*** - (IP multicast)
*** - (reserved for future use)

I found it interesting that the default Cloudflare exclude list doesn't contain absolutely all of the reserved IP space, but it probably doesn't route stuff like loopback and the test nets anyway.

Now I just have to type all that into a split tunnels list and then add entries for my private networks and I’m good to go.