cloudflare-warp in CentOS/RHEL 8 (x86_64) - Cloudflare Warp Client

This release contains minor fixes, improvements, and new features including Path Maximum Transmission Unit Discovery (PMTUD). When PMTUD is enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to debug connectivity issues.

  WARP client version 2025.8.779.0 introduced an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at pkg.cloudflareclient.com.

  - The UI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to debug connectivity issues.
  - Fixed an issue where deleting a registration was erroneously reported as having failed. 
  - Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This allows the WARP client to improve connectivity optimized for each network. PMTUD is disabled by default. To enable it, refer to our developer [documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery).

This release contains minor fixes and improvements including including an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at pkg.cloudflareclient.com.

  This release contains enhancements to Proxy mode for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or all devices matching the profile will lose connectivity.

This release contains minor fixes and improvements including an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at pkg.cloudflareclient.com .

  - The MASQUE protocol is now the default protocol for all new WARP device profiles.
  - Improvement to limit idle connections in DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving.
  - Improvements to maintain Global WARP Override settings when switching between organization configurations. 
  - Improvements to maintain client connectivity during network changes.

This release contains minor fixes and improvements.

  - Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
  - Fix to prevent the firewall being re-enabled after user initiated client disconnection.
  - Improvement for faster client connectivity on high-latency captive portal networks.
  - Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues.

This release contains minor fixes and improvements.

  - WARP proxy mode now uses the operating system’s DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect.
  - Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.

  Known issues
  - Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To learn more about configuring a fallback server, please reference the [Zero Trust documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/#route-traffic-to-fallback-server).

This release contains improvements and new exciting features, including  post-quantum cryptography. By tunnelling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

  - Fixed a device registration issue causing WARP connection failures when changing networks.
  - Captive portal improvements and fixes. Captive portal sign in notifications will now be sent through operating system notification services. Fix for firewall configuration issue affecting clients in DoH only mode.
  - Improved the connectivity status message in the client GUI.
  - The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by MDM.
  - Improvement to handle client configuration changes made by MDM during disconnection upon reconnection.
  - Fixed an issue affecting split tunnel include mode, where traffic outside the tunnel was blocked when switching between Wifi and ethernet networks.

Changes and improvements
  - Improved captive portal experience to make more public networks compatible and have faster detection.
  - WARP tunnel protocol details can now be viewed by `warp-cli tunnel stats` command
  - Fixed issue with device revocation and re-registration when switching configurations
  - Added a new Global WARP Override setting. This setting puts account admins in control of disabling and enabling WARP across all devices registered to an account from the dashboard. Global WARP Override is disabled by default.

Changes and improvements
  - Improved command line interface for Zero Trust Access for Infrastructure with added function for filtering and ordering.
  - Fixed client connectivity issues when switching between managed network profiles that use different WARP protocols.
  - Added support for WARP desktop to use additional DoH endpoints to help reduce NAT congestion.
  - Improved Wireguard connection stability on reconnections.
  - Added additional HTTP/3 QUIC connectivity test to warp-diag.
  - Added support for collection of system health metrics for enhanced device Digital Experience Monitoring.
  - Automated the removal of active registrations for devices with multiple registrations with the same Zero Trust organization.

Changes and improvements
  - Adds support for installing all available custom gateway certificates from an account to the system store.
  - Users can now get a list of installed certificates by running `warp-cli certs`.

Changes and improvements
  - Consumers can now set the tunnel protocol using "warp-cli tunnel protocol set <proto>".
  - Extended diagnostics collection time in warp-diag to ensure logs are captured reliably.
  - Improved captive portal support by disabling the firewall during captive portal login flows.
  - Improved reliability of connection establishment logic under degraded network conditions.
  - Improved reconnection speed when a Cloudflare server is in a degraded state.
  - Improved captive portal detection on certain public networks.
  - Fixed an issue where admin override displayed an incorrect override end time.
  - Reduced connectivity interruptions on WireGuard include split tunnel configurations.
  - Fixed connectivity issues switching between managed network profiles with different configured protocols
  - QLOGs are now disabled by default and can be enabled with `warp-cli debug qlog enable`. The qlog setting from previous releases will no longer be respected.

Changes and improvements
  - Fixed an issue where SSH sessions and other connections were dropped when using MASQUE and the device's network interface changed.
  - Improvement made so that device posture client certificate checks now support PKCS#1.
  - Fixed an issue to ensure the managed certificate is installed in the trust store if not already there.
  - Reduced unnecessary log messages when resolv.conf has no owner.
  - Fixed an issue with warp-diag printing benign TLS certificate errors.
  - Fixed an issue with the WARP client becoming unresponsive during startup.
  - Extended diagnostics collection time in warp-diag to ensure logs are captured reliably.
  - Fixed an issue that was preventing proper operation of DNS-over-TLS (DoT) for consumer users.