Get started
Magic WAN allows you to achieve any-to-any connectivity across branch and retail sites and data centers, with Cloudflare connectivity cloud.
Before you begin
Magic WAN is an Enterprise-only product. Contact Cloudflare to acquire Magic WAN. If you plan on using Magic WAN Connector to automatically onboard your locations to Cloudflare, you will need to purchase Magic WAN first.
Set up method
Magic WAN supports an automatic setup and a manual setup. The automatic setup through Magic WAN Connector is the preferred method.
Automatic set up
Setting up Magic WAN automatically is done through Magic WAN Connector, and is the preferred method. You can choose between the hardware version and the virtual version of the Magic WAN Connector. The virtual version can be installed on your own machines.
If you plan on using Magic WAN Connector, you can skip the prerequisites below, and refer to Configure with Connector for more information on how to continue.
Manual set up
Setting up Magic WAN manually is done through a combination of third-party devices in your premises and the Cloudflare dashboard. To be successful, you need to:
- Read the Prerequisites below.
- Follow the steps in Manual configuration.
Prerequisites
Use compatible tunnel endpoint routers
Magic WAN relies on GRE and IPsec tunnels to transmit packets from Cloudflare's global network to your origin network. To ensure compatibility with Magic WAN, the routers at your tunnel endpoints must:
- Allow configuration of at least one tunnel per Internet service provider (ISP).
- Support maximum segment size (MSS) clamping.
- Support the configuration parameters for IPsec mentioned in IPsec tunnels.
Set maximum segment size
Cloudflare Magic WAN uses tunnels to deliver packets from our global network to your data centers. Cloudflare encapsulates these packets, adding new headers. You must account for the space consumed by these headers when configuring the maximum transmission unit (MTU) and maximum segment size (MSS) values for your network.
MSS clamping recommendations
GRE tunnels as off-ramp
The MSS value depends on how your network is set up.
- On your Edge router: Apply the clamp to the GRE tunnel internal interface (meaning where the egress traffic will traverse). The MSS clamp should be 1,436 bytes. This may be done automatically once the tunnel is configured, but it depends on your devices.
IPsec tunnels
For IPsec tunnels, the value you need to specify depends on how your network is set up. The MSS clamping value will be lower than for GRE tunnels. Note that the physical interface will see IPsec-encrypted packets, not TCP packets, so MSS clamping will not apply to those.
- On your Edge router: Apply this on your Magic WAN IPsec tunnel internal interface (meaning where the Magic WAN egress traffic will traverse). This may be done automatically once the tunnel is configured but it depends on your devices. TCP MSS clamp should be 1,360 bytes maximum.
Refer to Maximum transmission unit and maximum segment size for more details.
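MSS clamping works by rewriting the MSS option carried in TCP SYN segments, so a clamp can be verified by reading that option from a SYN captured after it has crossed the tunnel internal interface. The following is an added example, not Cloudflare's code: the function names are hypothetical, the limits are the two values stated on this page, and the sample segment is constructed.

```python
import struct

# Clamp values from this page: GRE off-ramp 1,436 bytes; IPsec 1,360 bytes maximum.
MSS_LIMIT = {"gre": 1436, "ipsec": 1360}

def syn_mss(tcp: bytes):
    """Return the MSS option of a TCP SYN segment, or None if not a SYN / no MSS option."""
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", tcp[12:14])[0]
    header_len = (offset_flags >> 12) * 4
    if header_len < 20 or header_len > len(tcp):
        raise ValueError("bad data offset")
    if not offset_flags & 0x002:       # SYN bit clear: MSS is only sent on SYN
        return None
    opts, i = tcp[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                  # End of option list
            break
        if kind == 1:                  # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        if kind == 2 and length == 4:  # MSS option: kind=2, len=4, 16-bit value
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def check_clamp(tcp: bytes, tunnel: str) -> str:
    """Compare a SYN's advertised MSS with the page's limit for 'gre' or 'ipsec'."""
    mss = syn_mss(tcp)
    if mss is None:
        return "no-mss"
    return "ok" if mss <= MSS_LIMIT[tunnel] else "too-large"

def build_syn(mss: int) -> bytes:
    """Constructed sample: SYN from port 40000 to 443 with MSS, NOP, window-scale options."""
    opts = struct.pack("!BBH", 2, 4, mss) + bytes([1, 3, 3, 7])
    hdr = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (7 << 12) | 0x002, 64240, 0, 0)
    return hdr + opts
```

A result of `too-large` on traffic that has already passed the tunnel interface means the clamp is missing or applied on the wrong interface.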
Follow router vendor guidelines
Instructions to adjust MSS by applying MSS clamps vary depending on the vendor of your router.
The following table lists several commonly used router vendors with links to MSS clamping instructions:
| Router device | URL |
|---|---|
| Cisco | TCP IP Adjust MSS |
| Juniper | TCP MSS - Edit System |