Skip to content
Cloudflare Docs

Configure Virtual Connector

Virtual Connector is a virtual appliance alternative to the hardware based Magic WAN Connector. These two versions of Connector are identical otherwise.

Currently, you can set up Virtual Connector on VMWare ESXi and Proxmox Virtual Environment. Support for Proxmox is in beta.

In this page you will find instructions on how to configure Magic WAN Connector. This guide provides a step-by-step guide for Magic WAN Connector initial setup. You can either return here after setting up your Connector, or refer to the Maintenance section where you will find instructions on how to update your settings.

Prerequisites

Before you can install Virtual Connector, you need an Enterprise account with Magic WAN. Additionally, you need to have a VMware or Proxmox host with sufficient compute, memory, and storage to run the virtual machine with Virtual Connector. This includes:

  • Intel x86 CPU architecture
  • ESXi hypervisor 7.0U1 or higher
  • 4 virtual CPUs per virtual connector (We recommend deployment with a 1:1 virtual CPU to physical core allocation to avoid CPU over contention which will cause packet loss.)
  • 8 GB of RAM per virtual connector
  • 8 GB of disk per virtual connector
  • One vSwitch port group or VLAN with access to the Internet (for example, through a WAN)
  • One or more vSwitch port group or VLAN that will be the internal LAN

If you are installing Virtual Connector on ESXi, refer to VMware's documentation for more information on how to install ESXi and configure a virtual machine.

If you are installing Virtual Connector on Virtual Environment, refer to Proxmox documentation for more information on how to install Virtual environment and configure a virtual machine.


Before you begin

There are a couple of decisions you need to make when installing your Virtual Connector. Refer to the topics below for more information.

Determine the need for a high availability configuration

You can install up to two Virtual Connectors for redundancy at each of your sites. If one of your Virtual Connectors fails, traffic will fail over to the other Virtual Connector ensuring that you never lose connectivity to that site.

In this type of high availability (HA) configuration, you will choose a reliable LAN interface as the HA link which will be used to monitor the health of the peer connector. HA links can be dedicated links or can be shared with other LAN traffic.

You must decide the type of configuration you want for your site from the beginning: no redundancy or with redundancy. You cannot add redundancy after finishing the configuration of your dashboard settings. If, at a later stage, you decide to enable redundancy, you will need to delete your Virtual Connector on-ramp in the Cloudflare dashboard, and start again.

Decide on DHCP vs static IP connections

Virtual Connector uses a DHCP connection at first boot to download your settings and go through the activation process. However, if you need to use a static IP in your Virtual Connector, and this is a fresh install:

  1. Connect the machine with your Virtual Connector VM to a DHCP port with access to the Internet.
  2. Go through the setup flow below and activate your Connector.
  3. Refer to WAN with a static IP address.

Configure a virtual machine

Select the appropriate tab below to learn how to configure Virtual Connector on VMWare ESXi or Proxmox Virtual Environment.

1. Obtain the VMWare image

Contact your account team at Cloudflare to obtain the Virtual Connector OVA package and license keys. The OVA image includes the files required to install and configure the virtual machine (VM) for Virtual Connector with the appropriate settings. Refer to VMWare VMs documentation for more information on this topic.

This image can be deployed multiple times to create several instances of a Virtual Connector, in different locations or on the same ESXi host.

You will consume one license key for each instance created. For example, if you want to deploy 10 Virtual Connectors you should request 10 license keys, and your account team will create 10 Virtual Connector instances in your Cloudflare dashboard.

2. Deploy the Virtual Connector on VMware

The following instructions assume you already have VMware ESXi hypervisor installed with sufficient resources. Refer to Prerequisites for more information.

  1. When setting up your VMware ESXi, you need to create port groups for Virtual Connector. Go to Networking > Port groups, and prepare your vSwitch port groups and/or VLANs for your desired network topology. For example, a simple deployment typically has:
    • A WAN port group where the Virtual Connector will get an IP address (static or DHCP) that has access to the Internet.
    • A LAN port group, where the Virtual Connector will act as default router, and possibly DHCP server.
    • A null, or unused, port group for allocating unused virtual interfaces in the Virtual Connector. You can, for example, create a null port group with the name of Null port group, and a VLAN ID of 999.
  1. Extract the files in the OVA image provided by your Cloudflare account team. For example:
Terminal window
tar -xvf mconn-2024-1-3.ova

Take note of the folder where you are extracting the files to, as you will need to refer to that folder when creating the VM.

  1. Go to Virtual Machines > Create/Register VM wizard to start deploying the Virtual Connector.

  2. Select Deploy a virtual machine from an OVF or OVA file > Next.

  3. Choose a descriptive name for your virtual machine.

  4. Upload the files you have extracted from the OVA image. These include mconn.ovf, mconn.nvram, and mconn.vmdk.

  5. Select where you want to save the files extracted from the OVA image > Next.

  6. In Networking mappings, select assignments for your desired topology according to the port groups you set up previously:

    1. For example, map eno1 port to VM Network to create your WAN, and eno2 to LAN0 to act as your LAN port.
    2. Allocate any unused ports to the null port group.
    3. Take note of your configuration. You will need this information to configure your network in the Cloudflare dashboard.
  7. In Disk provisioning, select Thin.

  8. Before completing the deployment wizard, disable Power on automatically. This is important so that you can configure the license key prior to boot.

  9. Configure the virtual machine with the license key your account team provided you:

    1. Select the Virtual Connector's VM > Settings.
    2. Go to VM Options > Advanced > Edit Configuration.
    3. Select Add parameter to add your license key. Scroll down to the last entry (this is where VMware adds the new parameter), and add the following two new entries:
      • Key: guestinfo.cloudflare.identity
      • Value <YOUR_LICENSE_KEY>
  1. Select Save to finish configuring your Virtual Connector.
  2. Continue setup in your Cloudflare dashboard.

Set up Cloudflare dashboard

Add a Connector on-ramp

You need to add your Virtual Connector to your Cloudflare dashboard and configure its settings before connecting it to the Internet.

To add a Virtual Connector:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Go to Magic WAN > Connector on-ramps (beta).
  3. Select Add.
  4. In Name, enter a descriptive name for your Connector. Optionally, you can also add a description for it.
  5. You need to decide if you want to turn on high availability for the Connector. Refer to About high availability configurations for more information.
  6. Select Create and continue.
  7. Select Add Connector. This will show you a list of Virtual Connector devices associated with your account. For a Virtual Connector to show up you need to:
    • VMWare: Have already obtained your OVA package and license keys if you are installing on VMWare.
    • Proxmox: Have already obtained your Virtual Connector Script and license keys if you are installing on Proxmox.
    For more information, refer to Configure a virtual machine and select the appropriate tab.
  8. If you have more than one Connector, choose the one that corresponds to the on-ramp you are creating. Connectors are identified by a serial number, also known as a service tag. Use this information to choose the right Connector. Select Select Connector when you are ready to proceed.
  9. The Connector will be added to your account with an Interrupt window defined. The interrupt window is the time period when the Virtual Connector software can update, which may result in interruption to existing connections. You can change this later. Refer to Interrupt window for more details on how to define when the Connector can update its systems.
  10. Select Continue to proceed to creating your WAN and LAN networks.

Create a WAN

When you have more than one anycast IP configured in your account (set up during your Magic WAN onboarding), Magic WAN Connector will automatically create at most two tunnels per WAN port. This improves reliability and performance, and requires no additional configuration on your part.

  1. In WAN configuration, select Create. You can create one or more wide area networks (WANs). Configuring multiple WANs will create multiple IPsec tunnels (one IPsec tunnel per WAN port). This allows Virtual Connector to load balance traffic over WANs of equal priority. It also allows Connector to failover between circuits according to their health. Refer to WAN settings for more details.
  2. In Interface name, enter a descriptive name for your WAN.
  3. Interface number needs to correspond to the virtual network interface on the Virtual Connector instance you have set up in VMware. Following our example from the previous steps, you need to choose port 1 since that is what corresponds to the eno1 port we set up in VMware.
  4. In VLAN ID, enter a number between 0 and 4094 to specify a VLAN ID.
  5. In Priority, choose the priority for your WAN. Lower numbers have higher priority. Refer to Traffic steering to learn more about how Cloudflare calculates priorities.
  6. In Health check rate configure the health check frequency for your site. Options are low, mid, and high. Refer to Update tunnel health checks frequency for more information.
  7. Addressing: Select DHCP. This is needed the first time you set up your Connector to successfully download all settings to the machine and activate it. If you need a static IP address in your network environment:
    1. Continue the set up flow below to activate your Connector.
    2. Refer to WAN with a static IP address. If you choose a static IP, you also need to specify the static IP and gateway addresses.
  8. Select Save when you are finished.

Create a LAN

  1. In LAN configuration, select Create.
  2. Enter a descriptive name for your LAN in Interface name.
  3. Interface number needs to correspond to the virtual LAN interface on the Virtual Connector instance you have set up in VMware. Following our example from the previous steps, you need to choose port 2 since that is what corresponds to the eno2 port we set up in VMware.
  4. In VLAN ID, specify a VLAN ID to create virtual LANs.
  5. In Static addressing > Static address give your Connector's LAN interface its IP address. You can also enable the following options if they suit your use case:
    • This is a DHCP server: If your Connector is a DHCP server.
    • This is a DHCP relay: If your Connector is a DHCP relay.
  6. (Optional) In Directly attached subnet > Static NAT prefix, enter a CIDR prefix to enable NAT (network address translation). The prefix you enter here should be the same size as the prefix entered in Static addressing. For example, both networks have a subnet mask of /24: 192.168.100.0/24 and 10.10.100.0/24.
  7. (Optional) If your LAN contains additional subnets behind a layer 3 router, select Add routed subnet under Routed subnets to add them:
    • Prefix: The CIDR prefix for the subnet behind the L3 router.
    • Next hop: The address of the L3 router to which the Connector should forward packets for this subnet.
    • Static NAT prefix: Optional setting. If you want to enable NAT for a routed subnet, supply an "external" prefix for the overlay-facing side of the NAT to use. It must be the same size as Prefix.
      Refer to Routed subnets for more information.
  8. Select Save.
  9. Select Done to finish your configuration. Tunnels and static routes will be automatically created for your Virtual Connector, once it boots up.

Network segmentation

After setting up your LANs, you can configure your Virtual Connector to enable communication between them without traffic leaving your premises. Refer to Network segmentation for more information.

DHCP options

Virtual Connector supports different types of DHCP configurations. Connector can:

  • Connect to a DHCP server or use a static IP address instead of connecting to a DHCP server.
  • Act as a DHCP server.
  • Use DHCP relay to connect to a DHCP server outside the location your Virtual Connector is in.
  • Reserve IP addresses for specific devices on your network.

Add your Connector to a site

After finishing your Virtual Connector configuration, you need to add it to a site.

Sites represent the local network of a data center, office, or other physical location, and combine all on-ramps available there. Sites also allow you to check, at a glance, the state of your on-ramps and set up health alert settings so that you get notified when there are issues with the site's on-ramps.

Refer to Set up a site for more information.

Activate Connector

Virtual Magic WAN Connector is deactivated after you install it, and will only establish a connection to the Cloudflare network when it is activated. Cloudflare recommends leaving it deactivated until you finish setting it up in the dashboard.

When the Virtual Connector is first activated, one of the ports must be connected to the Internet through a device that supports DHCP. This is required so that the Virtual Connector can reach the Cloudflare global network and download the required configurations that you set up.

When you are ready to connect your Virtual Connector to the Cloudflare network:

  1. In the Cloudflare dashboard, go to Magic WAN's Configuration page.

    Go to Configuration
  2. Go to Connectors.

  3. Find the Connector you want to activate, select the three dots next to it > Edit. Make sure you verify the serial number to choose the right connector you want to activate.

  4. In the new window, the Status dropdown will show as Deactivated. Select it to change the status to Activated.

  5. The Interrupt window is the time period when the Virtual Connector software can update, which may result in interruption to existing connections. Choose a time period to minimize disruption to your sites. Refer to Interrupt window for more details on how to define when the Connector can update its systems.

  6. Select Update.

Boot your Virtual Connector

  1. Boot up Virtual Connector's VM in your virtual machine.
  2. The Virtual Connector will make a request to Cloudflare. This is the step where Virtual Connector registers your provided license key and downloads the configuration you provided.
  3. The Virtual Connector will set up the LAN and WAN connections according to the configuration downloaded from the site you created on the Cloudflare dashboard. The Virtual Connector will also establish IPsec tunnels.
  4. If successful, the tunnel health checks will show as healthy.
  5. If you do not see a healthy heartbeat on the Cloudflare dashboard, reboot the Virtual Connector's VM in VMware.

Default password to access Virtual Connector

Your Virtual Connector's default password is the last seven characters of your license key, all uppercase, plus an ! (exclamation mark).

For example, if your license key is mconn-abcdefghijklmnopqrstuvwxyz, your default password will be TUVWXYZ!.


WAN with a static IP address

After activating your Virtual Connector, you can use it in a network configuration with the WAN interface set to a static IP address - that is, an Internet configuration that is not automatically set by DHCP. To use your Virtual Connector on a network configuration with a static IP, follow the steps below.

  1. Connect the machine where you installed the VM with Virtual Connector to a DHCP port with access to the Internet.
  2. Add a Connector on-ramp in the Cloudflare dashboard.
  3. Create a DHCP WAN.
  4. Activate and boot your Virtual Connector.
  5. Wait 60 seconds.
  6. Make changes to the WAN settings in the Cloudflare dashboard to a static IP set up.
  7. Wait 60 seconds again.
  8. Modify your Port Groups as needed to change the source from which the WAN port obtains its IP address.
  9. Reboot your virtual machine.

About high availability configurations

You need to install two Virtual Connectors before you can set up a site in high availability. When you set up a site in high availability, the WANs and LANs in your Virtual Connector have the same configuration but are replicated on two nodes. In case of failure of a Virtual Connector, the other Virtual Connector becomes the active node, taking over configuration of the LAN gateway IP and allowing traffic to continue without disruption.

Because Virtual Connectors in high availability configurations share a single site, you need to set up:

  • Static address: The IP for the primary node in your site.
  • Secondary static address: The IP for the secondary node in your site.
  • Virtual static address: The IP that the LAN south of the Virtual Connector will forward traffic to, which is the LAN's gateway IP.

Make sure all IPs are part of the same subnet.

For detailed information about the expected behavior of high availability configurations, refer to High availability configurations.

Create a high availability configuration

You cannot enable high availability for an existing site. To add high availability to an existing site in the Cloudflare dashboard, you need to delete the site and start again.

To set up a high availability configuration:

  1. Follow the steps in Add a Connector on-ramp up until step 4.
  2. After naming your site, select Turn on high availability.
  3. Select Create and continue.
  4. Select Add Connector.
  5. From the list, choose your first Connector > Add Connector.
  6. Back on the previous screen, select Add secondary Connector.
  7. From the list, choose your second Connector > Add Connector.
  8. Select Continue to Create a WAN. If you are configuring a static IP, configure the IP for the primary node as the static address, and the IP for the secondary node as the secondary static address.
  9. To create a LAN, follow the steps mentioned above in Create a LAN up until step 4.
  10. In Static address, enter the IP for the primary node in your site. For example, 192.168.10.1/24.
  11. In Secondary static address, enter the IP for the secondary node in your site. For example, 192.168.10.2/24.
  12. In Virtual static address, enter the IP that the LAN south of the Connector will forward traffic to. For example, 192.168.10.3/24.
  13. Select Save.
  14. From the High availability probing link drop-down menu, select the port that should be used to monitor the node's health. Cloudflare recommends you choose a reliable interface as the HA probing link. The primary and secondary node's probing link should be connected over a switch, and cannot be a direct connection.
  15. Follow the instructions in Activate Connector to finish setting up your Connectors.

IPsec tunnels and static routes

Virtual Connector automatically creates IPsec tunnels and static routes for you. You cannot configure these manually.

To check the IPsec tunnels and static routes created by your Virtual Connector:

  1. In the Cloudflare dashboard, go to the Sites page.

    Go to Sites
  2. Select the name of the site for which you want to check the Connector's IPsec tunnels and static routes, and select Edit.

  3. Select Tunnels to check IPsec tunnels, and Routes for the static routes.


Next steps