Commit 9daeab0

[Cloudflare One] Add device-to-device replace VPN quick-start (#28803)
* [Cloudflare One] Draft: intent-based Get Started structure (PCX-20931)
  Refactor the Get Started page from a flat generic setup page into an intent-based router matching the CF1 dashboard onboarding UX.
  - Convert setup.mdx to setup/index.mdx with universal prereqs + use-case cards
  - Add Replace VPN decision page with 3 scenario cards
  - Add full Device to Network quick-start (PCX-20915)
  - Add skeleton pages for Network to Network (PCX-20917) and Device to Device (PCX-20916)
  - Preserves /cloudflare-one/setup/ URL (directory index)
* chore: add agents/ to .gitignore
* [Cloudflare One] Add 'why replace your VPN' link to decision page
  Bridge uncertain users to existing conceptual content without adding positioning copy to the get-started flow.
* fix: replace HTML comments with MDX comments in skeleton pages
  MDX parses <!-- --> as invalid JSX. Use {/* */} syntax instead.
* fix: correct 3 broken links in device-to-network next steps
  - high-availability → configure-tunnels/tunnel-availability
  - private-dns → private-net/cloudflared/private-dns
  - gateway-inspection → http-policies/tls-decryption
* [Cloudflare One] Add dashboard Get Started reference to setup landing page
  Bridge returning users from the Overview tab to the onboarding flows.
* [Cloudflare One] Point implementation guides 'Replace VPN' to new quick-start
  Both sidebar entries now land users on the same decision page. The quick-start page links to the full learning path for deeper content.
* [Cloudflare One] Rewrite device-to-network to match dashboard 6-step wizard (PCX-20915)
  - Rewrote device-to-network.mdx to mirror the exact 6-step Get Started onboarding flow in the Cloudflare One dashboard
  - Removed production-oriented steps (IdP config, Split Tunnels, Gateway proxy, access policies) that belong in the learning path, not the quick-start
  - Updated setup landing page: moved dashboard reference from intro to card section, aligned heading with dashboard UX, removed production hardening language
* [Cloudflare One] Narrow PR scope to device-to-network only
  - Remove skeleton pages for network-to-network and device-to-device (will be added in follow-up PRs)
  - Remove corresponding cards and Details accordion from replace-vpn navigation page
  - Keep setup landing page cards as-is (all link to existing content)
* [Cloudflare One] Style and content review fixes for device-to-network
  - Align implementation guides card titles with get-started landing page
  - Replace code block flow diagram with prose in How it works section
  - Promote 'You need' list to standard Prerequisites heading
  - Fix future tense to present tense throughout
  - Break multi-page navigation into separate procedural steps
  - Genericize tunnel token placeholder in install command example
  - Replace AI-generated troubleshooting with links to canonical docs
  - Use standard 'refer to' link pattern for recommended next steps
  - Remove unused Details component import
* [Cloudflare One] Apply eli5 clarity pass to device-to-network
  - Add value framing to intro (VPN security risks and performance)
  - Explain why outbound-only tunnel matters (no inbound ports)
  - Link WARP client on first mention
  - Add context for IP range step and helper note for SMB users
  - Define cloudflared as connector software
  - Rewrite enrollment step to replace jargon with plain language
  - Add context for team name (what it is, where it came from)
  - Replace em dashes with colons throughout
* [Cloudflare One] Address reviewer feedback on replace-vpn quick-start
  - Rewrite replace-vpn intro to use Cloudflare One branding and ZTNA framing
  - Align card descriptions across replace-vpn and implementation-guides pages
  - Expand How it works with network connector and device agent definitions
  - Add team name Settings path for discoverability
  - Add Windows system tray reference and manual deployment link in Step 5
  - Rewrite next steps with why context instead of dashboard-suggests framing
* [Cloudflare One] Fix Step 3 to match dashboard deploy tunnel UI
  - Add architecture selection (dashboard has OS + architecture dropdowns)
  - Remove incorrect winget/package manager claims for Windows/Linux
  - Accurately describe dashboard behavior: download link + install command
  - Keep Windows Command Prompt and terminal window text matching dashboard verbatim
  - Link to Downloads page for comprehensive reference
* [Cloudflare One] Polish device-to-network wording and formatting
  - Use 'service' instead of 'software' for cloudflared description
  - Move team name Settings path to note callout under Step 5
  - Reorder Step 6 sentence for clarity
* [Cloudflare One] Add glossary tooltips, account prereq, and parent cross-link to device-to-network
  - Add GlossaryTooltip for Cloudflare Tunnel and WARP client on first mention
  - Change 'device agent' to 'app' for plain language consistency
  - Break 4-sentence How it works paragraph into two 2-sentence paragraphs
  - Add Cloudflare account prerequisite with link to parent setup page
  - Add parent cross-link for other connection scenarios (scales to future flows)
  - Replace 'device posture' with 'network attributes' in Gateway policies description
  - Remove inaccurate 'multi-site deployments' from learning path references
* [Cloudflare One] Remove Cloudflare Tunnel GlossaryTooltip that broke page formatting
* [Cloudflare One] Add device-to-device replace VPN quick-start
* [Cloudflare One] Extract WARP setup partial, fix links and descriptions
* [Cloudflare One] Remove split tunnel reference from troubleshoot section
* [Cloudflare One] Apply clarity improvements to device-to-device page
  - Add concrete use case and cross-link to device-to-network sibling page
  - Replace technical jargon (TCP/UDP/ICMP, overlay network) with plain examples
  - Add GlossaryTooltip components for WARP client and WARP CGNAT IP
  - Add Cloudflare account prerequisite with link to parent setup page
  - Clarify enrollment email purpose and add practical send suggestion
  - Add anchor link from Step 3 back to Step 2 for second device setup
  - Add post-setup guidance in Step 4 (where to find virtual IPs)
  - Surface Windows Firewall issue in Troubleshoot section
  - Replace undefined 'device mesh' jargon with 'connected devices'
  - Break long paragraphs into 2-sentence chunks per style guide
  - Remove inaccurate 'multi-site deployments' from index.mdx note
* [Cloudflare One] Use parent cross-link instead of sibling link in device-to-device intro
  Replace direct link to device-to-network with link to parent Replace your VPN index page. This pattern scales as more onboarding flows are added without requiring updates to every sibling page.
* [Cloudflare One] Capitalize Tunnel as product name in Step 2 per review feedback
* [Cloudflare One] Address reviewer feedback on device-to-device page
  - Add enrollment permissions concept to Step 1 intro
  - Reframe Gateway policies as 'scan, filter, and log traffic' and add HTTP policies link
  - Broaden Access application description to not limit scope to device-hosted services
* [Cloudflare One] Make Access application description more concrete
  Specify 'on enrolled devices' to align with the more concrete pattern used on device-to-network and network-to-network sibling pages.
* [Cloudflare One] Add Private networks tag to device-to-device page
  Align with network-to-network sibling page tags added by Caley.
* [Cloudflare One] Revert tunnel capitalization to lowercase
  Refers to the tunnel instance, not the Cloudflare Tunnel product name. Reverts to match production.
* [Cloudflare One] Add Private networks tag to device-to-network page
  Align with sibling pages. Matches the tagging pattern used across the WARP Connector reference docs.
1 parent 3269372 commit 9daeab0

4 files changed

+131
-14
lines changed

Lines changed: 96 additions & 0 deletions
@@ -0,0 +1,96 @@
1+
---
2+
pcx_content_type: get-started
3+
title: "Device to device"
4+
sidebar:
5+
order: 2
6+
label: Device to device
7+
description: Create a secure peer-to-peer connection between two devices using the WARP client and Cloudflare's network.
8+
products:
9+
- cloudflare-one
10+
tags:
11+
- Private networks
12+
---
13+
14+
import { GlossaryTooltip, Render } from "~/components";
15+
16+
Create a secure connection between two devices so they can communicate directly through Cloudflare's network, without needing to be on the same physical network. This is useful when you need to remotely access a specific device, for example connecting to a home computer from a laptop at a coffee shop.
17+
18+
To explore other connection scenarios, refer to [Replace your VPN](/cloudflare-one/setup/replace-vpn/).
19+
20+
This guide follows the same steps as the **Get Started** onboarding wizard in the [Cloudflare One dashboard](https://one.dash.cloudflare.com).
21+
22+
## How it works
23+
24+
The <GlossaryTooltip term="WARP client">[WARP client](/cloudflare-one/team-and-resources/devices/warp/)</GlossaryTooltip> is an app that you install on each device you want to connect. When you sign in to your Cloudflare account through WARP (called "enrolling"), each device is assigned a <GlossaryTooltip term="WARP CGNAT IP">[virtual IP address](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp/)</GlossaryTooltip>.
25+
26+
Devices use these virtual IPs to communicate with each other through Cloudflare's network. This works for most common types of network traffic, including web requests, remote desktop, file sharing, and ping.
27+
28+
Only devices signed in to your Cloudflare account can reach these addresses, so they are not accessible to anyone outside your organization. No tunnel infrastructure or network configuration is required, and the connection does not disrupt existing traffic on your network.
29+
30+
## Prerequisites
31+
32+
- A Cloudflare account with a Zero Trust organization. If you have not set this up, refer to [Get started](/cloudflare-one/setup/).
33+
- Two Linux, Windows, macOS, Android, or iOS devices you want to connect together.
34+
35+
## Step 1: Enroll your first device
36+
37+
Enrollment permissions control which users can connect devices to your account. In this step, you set an enrollment email and download the WARP client. The email you provide becomes the first allowed login for your organization, and anyone with that email address can enroll a device.
38+
39+
1. In [Cloudflare One](https://one.dash.cloudflare.com), select the **Get Started** tab.
40+
2. For **Replace my client-based or site-to-site VPN**, select **Get started**.
41+
3. For **Device to device**, select **Continue**.
42+
4. On the **Create a device mesh on Cloudflare's network** screen, select **Continue**.
43+
5. Enter the email you want to use to enroll your first device.
44+
6. Select your device's operating system.
45+
7. Select **Download to continue** to download the WARP client, or copy the download link to send to a different device.
46+
8. Select **Continue**.
47+
48+
:::note
49+
You can manage device enrollment permissions later in **Team & Resources** > **Devices**.
50+
:::
51+
52+
## Step 2: Complete WARP setup
53+
54+
<Render
55+
file="warp/complete-warp-setup"
56+
product="cloudflare-one"
57+
params={{ device: "your first" }}
58+
/>
59+
60+
## Step 3: Enroll and set up your second device
61+
62+
Both devices must be enrolled in your Cloudflare account for the connection to work.
63+
64+
1. Select the operating system of your second device.
65+
2. Copy the download link and send it to your second device (for example, by email or messaging app), or select **Download to continue** if you are on that device.
66+
3. On the second device, follow the same WARP installation and login steps from [Step 2](#step-2-complete-warp-setup).
67+
4. The WARP client should show as **Connected** on the second device.
68+
5. Select **Continue** in the dashboard.
69+
70+
## Step 4: Verify your connection
71+
72+
The dashboard confirms that your devices can securely communicate. Both devices are now connected through Cloudflare's network using their assigned virtual IPs.
73+
74+
To view your device's assigned virtual IP:
75+
76+
1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Team & Resources** > **Devices**.
77+
2. Select a device.
78+
3. Select **View details**.
79+
80+
## Recommended next steps
81+
82+
After verifying your connection, consider securing your connected devices with policies and access controls:
83+
84+
- **Set up Gateway policies**: By default, all enrolled devices can reach each other over the virtual IP space. Gateway policies let you scan, filter, and log traffic between your devices. For more information, refer to [DNS policies](/cloudflare-one/traffic-policies/dns-policies/), [Network policies](/cloudflare-one/traffic-policies/network-policies/), and [HTTP policies](/cloudflare-one/traffic-policies/http-policies/).
85+
- **Create an Access application**: Restrict access to specific destinations on enrolled devices with identity-based rules. For more information, refer to [Secure a private IP or hostname](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/).
86+
- **Explore more with Zero Trust**: Review your policies and connected devices in the [Cloudflare One dashboard](https://one.dash.cloudflare.com).
87+
88+
For in-depth guidance on policy design and device posture checks, refer to the [Replace your VPN learning path](/learning-paths/replace-vpn/concepts/).
89+
90+
## Troubleshoot
91+
92+
If you have issues connecting, try these steps:
93+
94+
- **Windows users**: Windows Firewall blocks device-to-device traffic by default. You may need to add a firewall rule that allows incoming traffic from `100.96.0.0/12`. For details, refer to [Peer-to-peer connectivity](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp/#troubleshooting).
95+
- [Troubleshoot WARP](/cloudflare-one/team-and-resources/devices/warp/troubleshooting/): resolve WARP client connection and enrollment issues.
96+
- [Peer-to-peer connectivity](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp/): review WARP-to-WARP setup details and firewall requirements.
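
Review bot: The Windows bullet under Troubleshoot (line 94) recommends a firewall rule allowing incoming traffic from `100.96.0.0/12` with no scoping, while line 84 states that by default all enrolled devices can reach each other over the virtual IP space, so the rule as written opens the Windows host to every enrolled device in that range. Suggest noting that the rule can be limited to the ports or protocols actually needed (line 26 names remote desktop and file sharing as typical uses) and pointing from this bullet to the Gateway network policies item in Recommended next steps. Separately, Step 3 says both devices must be enrolled but never says the second device has to sign in with an email permitted by the enrollment permissions set in Step 1; one sentence there would close that gap.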

src/content/docs/cloudflare-one/setup/replace-vpn/device-to-network.mdx

Lines changed: 8 additions & 14 deletions
@@ -7,9 +7,11 @@ sidebar:
77
description: Connect a remote device to a private network using Cloudflare Tunnel and the WARP client.
88
products:
99
- cloudflare-one
10+
tags:
11+
- Private networks
1012
---
1113

12-
import { GlossaryTooltip } from "~/components";
14+
import { GlossaryTooltip, Render } from "~/components";
1315

1416
Connect a remote device to a private network so your users can securely access internal applications and services from anywhere, without the security risks and performance bottlenecks of a traditional VPN.
1517

@@ -84,19 +86,11 @@ You can manage device enrollment permissions later in **Team & Resources** > **D
8486

8587
## Step 5: Complete WARP setup
8688

87-
On your device, complete the client installation wizard. Then connect the client to your Zero Trust organization. For comprehensive OS-specific instructions, refer to [Manual deployment](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/).
88-
89-
1. Open the Cloudflare One client. On macOS, select the Cloudflare icon in your status bar. On Windows, select the Cloudflare icon in your system tray.
90-
2. On the **What would you like to use WARP for?** screen, select **Zero Trust security**.
91-
3. Enter your team name when prompted. Your team name is the unique identifier for your Zero Trust organization and was set when the organization was created. The dashboard displays your team name on this screen for easy reference.
92-
93-
:::note
94-
To find or change your team name, go to **Settings** > **Team name** and select **Edit**.
95-
:::
96-
97-
4. Complete the authentication steps.
98-
5. The client should show as **Connected**.
99-
6. Select **Continue** in the dashboard.
89+
<Render
90+
file="warp/complete-warp-setup"
91+
product="cloudflare-one"
92+
params={{ device: "your" }}
93+
/>
10094

10195
## Step 6: Verify your connection
10296

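
Review bot: The replacement of Step 5 is not a like-for-like extraction: removed step 2 told readers to select **Zero Trust security** on the **What would you like to use WARP for?** screen, whereas the `warp/complete-warp-setup` partial rendered here sends them to **Preferences** > **Account** > **Login to Cloudflare Zero Trust**, and "Cloudflare One client" becomes "WARP client". If the new login path is intended for this page, say so in the commit message, which only mentions extracting the partial; if it is not, keep the first-run screen step, for example by making that step a parameter of the partial.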
src/content/docs/cloudflare-one/setup/replace-vpn/index.mdx

Lines changed: 9 additions & 0 deletions
@@ -23,6 +23,15 @@ How you set this up depends on what needs to connect to what. Choose the scenari
2323
connection. Best for remote access to private networks.
2424
</LinkTitleCard>
2525

26+
<LinkTitleCard
27+
title="Device to device"
28+
href="/cloudflare-one/setup/replace-vpn/device-to-device/"
29+
icon="laptop"
30+
>
31+
Create secure, peer-to-peer connections between two or more devices through
32+
Cloudflare's network. Best for direct device communication.
33+
</LinkTitleCard>
34+
2635
<LinkTitleCard
2736
title="Network to network"
2837
href="/cloudflare-one/setup/replace-vpn/network-to-network/"
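
Review bot: The card text on lines 31-32 says "between two or more devices", but the new device-to-device page describes a connection "between two devices" in its `description` and lists exactly two devices under Prerequisites. Align the wording, either by dropping "or more" here or by stating on the quick-start that additional devices enroll the same way.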
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
---
2+
params:
3+
- device
4+
---
5+
6+
On {props.device} device, complete the WARP installation wizard. Then connect WARP to your Zero Trust organization. For comprehensive OS-specific instructions, refer to [Manual deployment](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/).
7+
8+
1. Open the WARP client. On macOS, select the Cloudflare icon in your status bar. On Windows, select the Cloudflare icon in your system tray.
9+
2. Go to **Preferences** > **Account** > **Login to Cloudflare Zero Trust**.
10+
3. Enter your team name when prompted. Your team name is the unique identifier for your Zero Trust organization and was set when the organization was created. The dashboard displays your team name on this screen for easy reference.
11+
12+
:::note
13+
To find or change your team name, go to **Settings** > **Team name** and select **Edit**.
14+
:::
15+
16+
4. Complete the authentication steps.
17+
5. The WARP client should show as **Connected**.
18+
6. Select **Continue** in the dashboard.
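
Review bot: Steps 1 and 2 of the partial only describe desktop clients (macOS status bar, Windows system tray, **Preferences** > **Account**), yet the device-to-device page that renders it lists Linux, Android, and iOS devices in its Prerequisites. Suggest adding a sentence to step 1 that the menu location differs on other platforms and pointing to the Manual deployment link already given in the intro. Step 4, "Complete the authentication steps", could also name the enrollment email set earlier in the wizard so readers know which identity to sign in with.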
