
Warp – Mobile VPN - jgrahamc
https://blog.cloudflare.com/1111-warp-better-vpn/
======
ignoramous
There goes me and my co-founder's plan of disrupting the Mobile VPN market. Or
maybe we still have a chance?

Anywho, congratulations Cloudflare! I long held an opinion that the VPN market
was ripe for disruption when I looked at the privacy policy of some of the top
players. Having analysed the market, I find that it's fragmented with no
clear run-away winner. I hope you're able to make headway with all the
interesting innovations that you plan to offer on top of it.

Here are some ideas that I had in mind for a Mobile VPN:

1\. Ability to run a dns-blacklist, tag-based blacklist, and an ip-firewall at
cloudflare's end (not on the end devices). Maybe you could add that as an
option to your Warp+ product?

2\. Auto change exit IPs underneath the covers.

3\. Take over the dialer and route calls over IP whenever possible.

4\. Provide ability to analyze traffic on a PC.

5\. Track and warn mode per app, where the traffic is analysed for a
particular app to generate a report on what its doing and how much.

Basically, bring enterprise-grade security to the end consumer.

~~~
eastdakota
Email me: matthewatcloudflaredotcom. Perhaps you and your cofounder can help
build your vision within Cloudflare? I'd love to chat.

~~~
stdcli
First, thank you for the first implementation when the app was just 1.1.1.1.
I've been using it for a while.

Not sure if you can answer this question, but are the performance benefits
still there in conjunction with utilizing the VPN google uses to encrypt
traffic with google fi? This announcement mentions they have 2x the latency in
comparison to WARP, but did not mention specifically which google VPN
technology (not sure if they have multiple) but I assume something mobile
related since this is a mobile application.

If I use the WARP app in conjunction with google fi, am I layering this VPN on
top of the 2x latency of google fi, thus slowing down WARP VPN to gain then
the other performance benefits of optimized network switching of google fi?

Neither project is open source (that I know of) so it is hard to understand
how the implementations overlap or not with one another. I also am not an
expert in VPNs so maybe this is not a good question, but I find myself reading
Cloudflare's blogs a lot and couldn't help but ask.

~~~
eastdakota
I’m not sure, and I think you’re kind of off-topic for this particular
sub-thread, but we’ll have a ton of performance data across a matrix of device,
software, and network operators. And, when we do, we’ll definitely publish it.

------
arendtio
> We built Warp around WireGuard

So basically Cloudflare created an app with Cloudflare branding and set up a
Wireguard server for everyone. Not bad, but just check out the original:

[https://www.wireguard.com](https://www.wireguard.com)

While I am not a big fan of VPNs in general, I have to admit, that Wireguard
performs exceptionally well. I tested it a week ago and the added latency is
pretty much just the network latency and the bandwidth loss is minimal (so
small I couldn't even measure it reliably). What I found most interesting, was
that there were some use-cases when the network with Wireguard performed even
better than without it (probably related to congestion control).

~~~
Shank
I consider myself fairly competent, and I couldn’t understand the wireguard
documentation enough to set up my own install without resorting to algo [0].
There’s real value in wrapping a system like WireGuard into a product, because
it democratizes technology rather than making it available only to those
knowledgeable enough to understand how to set it up. I think Warp is great in
that regard.

[0]:
[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

~~~
TimTheTinker
> I couldn’t understand the wireguard documentation enough to setup my own
> install without resorting to algo

Not sure what you mean. Algo has no relationship to WireGuard; it's basically
a customized StrongSwan setup under the hood, which utilizes IKEv2 (not
WireGuard) as the transport.

~~~
dguido
Algo does not have a relationship to Wireguard, but Trail of Bits does. We
made a substantial donation to them prior to including Wireguard support in
Algo. You can find us on their donation page here:
[https://www.wireguard.com/donations/](https://www.wireguard.com/donations/)

------
mwcampbell
It seems to me that in practice, Cloudflare's mission is not actually to build
a better Internet, but to offer an alternative, proprietary network (one could
call it the CloudflareNet), and convince content providers and consumers to
use that network. Because I don't want any single company to have too much
power, I'll stick with the standard Internet, which is not owned by any single
company.

However, I realize that the problems with mobile Internet performance and
reliability are real. So when HTTP/3 is stable, I'll do what I can to help it
spread.

~~~
jgrahamc
I disagree with this statement. We haven't pushed incompatible standards or
any other nonsense. We've literally pushed out the latest standards and
enabled more encryption (see Universal SSL making SSL free years before Let's
Encrypt; see enabling IPv6; enabling HTTP/2; etc. etc.).

As for HTTP/3... so will we. See:
[https://blog.cloudflare.com/http-3-from-root-to-tip/](https://blog.cloudflare.com/http-3-from-root-to-tip/),
[https://blog.cloudflare.com/the-road-to-quic/](https://blog.cloudflare.com/the-road-to-quic/) and
[https://blog.cloudflare.com/head-start-with-quic/](https://blog.cloudflare.com/head-start-with-quic/).

~~~
tw04
You've built a product (warp) based on Wireguard and refused to work with the
upstream project - so saying that you're pushing standards is far more nuanced
than you make it seem - at best.

[https://news.ycombinator.com/item?id=19500725](https://news.ycombinator.com/item?id=19500725)

~~~
floatingatoll
Forking an upstream project to implement decisions without upstream’s consent
is a tried and true open source software process, implemented by thousands of
projects over the years. Claiming that they don’t support standards, solely
because they don’t support another implementation of those standards, is
incorrect and inflammatory.

~~~
tw04
> Forking an upstream project to implement decisions without upstream’s
> consent is a tried and true open source software process, implemented by
> thousands of projects over the years. Claiming that they don’t support
> standards, solely because they don’t support another implementation of those
> standards, is incorrect and inflammatory.

If upstream is doing something you don't like and refusing to work with you,
sure.

When upstream actively petitions you to not fork, asks you politely to work
together, and you refuse to work with them, that is far, far from a "tried and
true open source software process". That creates a fissure in the community
and it generally ends up poorly for everyone involved.

My comment is far from inflammatory, it's a statement of fact, and something
cloudflare has refused to acknowledge or respond to. Which just further drives
the point home that they aren't acting in good faith.

~~~
StavrosK
Can/has anyone from CloudFlare commented? This refusal to work with WireGuard
has left a bitter taste in my mouth from a company that I otherwise like.

~~~
eastdakota
Here's what I posted to our blog when this question came up:

[https://blog.cloudflare.com/boringtun-userspace-wireguard-ru...](https://blog.cloudflare.com/boringtun-userspace-wireguard-rust/#comment-4401651800)

We communicated with Jason throughout the process and have a ton of respect
for him and the entire WireGuard community. In the short term, we need the
flexibility to quickly update BoringTun's code base to support the project we
built it for. That's harder when you need to coordinate with people outside
Cloudflare and when we need to move as fast as we plan to. However, we really
believe in Open Source and want the WireGuard community to thrive. We licensed
the code very openly (3-paragraph BSD) and WireGuard may choose to fork it. If
they do, we'll support it and plan to contribute any improvements in our own
fork back. Over the long term, I think we're very open to merging this back
into the upstream project.

~~~
tw04
I guess that doesn't make sense to me. If Jason offered you your own
sub-project to run with, why can't you "move fast"?

> I thought the invitation to put their engineers as the head of a WireGuard
> subproject was a cool invitation, but alas.

[https://lists.zx2c4.com/pipermail/wireguard/2019-March/00404...](https://lists.zx2c4.com/pipermail/wireguard/2019-March/004048.html)

I mean no offense, but the response comes off as corporate approved PR. "We
need to move fast" when you haven't actually even tried engaging with the
parent project and have no idea whether or not it would prohibit "moving fast"
is disingenuous IMO.

~~~
eridius
Presumably there’s still overhead involved in being part of the WireGuard
organization, no? If there wasn’t, then the only difference between being in
it and not is branding.

More importantly, without having already tried it, it’s hard to predict how
much overhead there will be.

Since CloudFlare had a (self-imposed) deadline, working fast had to take
priority over optics. After all, the project can always be folded into the
WireGuard organization later.

------
neilv
VPNs are "trust me" security, and Cloudflare certainly has a better reputation
than many VPN services, so, in that regard, Cloudflare's entry is welcome,
but...

I've been using Tor as a privacy-friendly VPN, so Cloudflare getting into this
business will make it feel a bit different, every time I see an error Web page
that says Cloudflare is blocking a Tor exit node from viewing a page that
Cloudflare hosts.

Perhaps Cloudflare could figure out how to block competitor Tor less (even if
there's abuse coming in through Tor)? That might be difficult, but an
excellent show of good faith.

~~~
gpm
An interesting trick - if Cloudflare allows it - would be Device -> Tor ->
This -> Internet. Tor provides anonymity, this provides protection against
exit nodes maliciously modifying traffic (you can find a number of examples of
this just by searching).

~~~
mirimir
Yes!

Routing VPNs through Tor is a great way to avoid site discrimination against
Tor users. But there are two key problems. One is that you degrade Tor
anonymity, because Tor can't switch circuits (normally at ~10 minute
interval). And also because you typically must pay for VPN services.

The other problem is that Tor only routes TCP traffic. So when you use
TCP-based VPNs routed through Tor, and are using HTTPS or some other TCP flavor,
you get the TCP-in-TCP horrors. There's too much error correction.

So yes, Cloudflare would need to allow Warp via Tor. Or maybe even better,
Warp via Tor via Warp. And also it would need to protect Tor anonymity.

Cool idea, though :)

~~~
marshray
> Warp via Tor via Warp

Warp would see all your incoming packets and all your outgoing packets, so why
bother with Tor?

~~~
mirimir
Good point. I was getting carried away, there.

But still, if it were done right, that's not necessarily true. I mean, I can
have two accounts with some VPN service. I connect to server1.vpn.com using
one account. Then I connect to the Tor network via that VPN tunnel. And then I
connect to server2.vpn.com via Tor, using the other account. Even better, I
connect to server2.onion, using the other account.

Even then, Cloudflare could easily do traffic correlation. But as it is now,
the NSA can easily do traffic correlation. So hey.

------
catern
> TCP, the foundational protocol of the Internet, was never designed for a
> mobile environment.

Amusingly, this is actually not true. TCP was originally developed to run on
an inter-network over two networks: the ARPANET which has the reliability
characteristics of a "traditional" network, and an extremely mobile network
with lots of packet loss: ship-to-ship packet radio.

TCP today seems very poorly suited for the mobile environment, but it was in
fact originally designed for mobile.

~~~
eridius
My interpretation of “not designed for mobile” is mobile devices, not mobile
network. In particular, TCP is not designed for a scenario where the device
keeps leaving old networks and joining new ones, or where a device routinely
has 2 network interfaces where one has better performance than the other but
which one is better changes frequently.

~~~
catern
Ships, as mobile devices, frequently entered and left packet radio range with
each other, or might have multiple other ships in range and have to select
which ship to send their packets to.

~~~
eridius
That would be equivalent to the server going offline and back online, as
opposed to the route constantly changing.

~~~
catern
We're talking about a packet-switched network. The other ships aren't your
destination - some server on land is your destination.

------
maltalex
I'd wager that the _Super Secret Plan_ is geared towards further centralizing
the Internet. Preferably on Cloud Flare's infrastructure.

This is one part of a tug-of-war that's going on in recent years between
Internet network operators and cloud providers, with the cloud providers
slowly but surely winning.

For better or worse, we are moving away from a distributed Internet composed
of many autonomous networks into a future in which the only job of the ISPs is
to connect homes and offices to the local POPs (Points Of Presence) of the
large cloud providers.

Why do you need connectivity to other networks when you can get Google (w/
Youtube & GCE) and Facebook from a local POP? Add to that all the sites and
services that reside on Amazon, Azure, Cloud Flare, Akamai, and maybe a few
more large clouds/CDNs, and you don't need a public Internet anymore. Imagine
the security and performance benefits of that!

~~~
Shank
I don’t think this would fly for a number of reasons, but CloudFlare isn’t
exactly a world leader or even a household name. They’re a newcomer in this
space and for once they’re actually open with their community (us). If
CloudFlare is the villain, then are CenturyLink & Comcast the heroes? By my
estimation, we’re more likely to see any kind of doomsday scenario like that
executed by cable companies and telcos — which already have a natural monopoly
in most localities. I don’t see CloudFlare as having anywhere close to that
reach.

~~~
maltalex
No one is the villain here, it's not that simple.

These are companies that respond to market pressures. Routing around the
network operators (both figuratively and literally) makes a lot of sense for
large cloud providers. Especially so if there are no network neutrality rules
in place to enforce free access to consumers (as opposed to consumer ISPs
demanding payment for pushing content to their subscribers).

Also, the content from Google, Facebook and a couple other cloud providers is
what consumers actually want. I've seen internal numbers from a European
mobile provider that show that >80% of consumer traffic is to/from either
Facebook or Youtube. So are the consumers villains?

~~~
jagtesh
> Also, the content from Google, Facebook and a couple other cloud providers
> is what consumers actually want.

What content from Google and Facebook? If you are referring to YouTube and
Instagram - that's one part of the total internet content consumed. Hard to
totally ignore the news sites, blogs and streaming services.

~~~
topranks
The vast majority of which are hosted in the public cloud (AWS, GCP, Azure) or
behind content delivery networks like Cloudflare or Akamai.

The centralization of the internet and death of the “end to end” ethos is very
real unfortunately.

------
mark_l_watson
I just signed up. cloudflare is on the short list of Internet companies that I
trust (with the usual small bit of doubt and skepticism!). With just a few
reservations, I also trust G Suite, Firefox, and a few hosting companies I do
business with.

I have been supporting FSF, ACLU, etc. for years, but the practical
considerations that prompted me to be a bit more trusting are Cloud Search in
GSuite, Cloudflare offering HTTPS to help get the web more secure, and a deep
appreciation for having Firefox available (containers are so easy to use and
make me feel more secure in my use of the web).

~~~
therealmarv
maybe you've forgotten Cloudbleed
[https://en.wikipedia.org/wiki/Cloudbleed](https://en.wikipedia.org/wiki/Cloudbleed)
Thanks for downvoting.

~~~
gpm
I trust Cloudflare to do their best, generally respect privacy, and not act
maliciously.

I don't trust cloudflare to not make mistakes (like Cloudbleed). I don't trust
myself to not make mistakes. I don't think there is anyone I trust not to make
mistakes. It's just not a reasonable criterion.

------
ikeboy
There's a lot of dissing of competition (they drain your battery, "all suck",
slow down your internet) without a single datapoint.

Personally I find the performance of PIA fine. I just ran a test through
fast.com and got 42 Mbps on 4G through PIA mobile VPN in NYC. (Weirdly, when I
turn off the VPN and test I'm only getting around 2 Mbps.) Latency is a bit
higher than direct, but not enough for me to agree with their blanket
statement that all VPNs suck.

~~~
JustSomeNobody
Fast.com is through Netflix, so your carrier is probably throttling. Try a
different speed test with no VPN to confirm.

~~~
ikeboy
Using the speed test app I get 65 direct and 58 using the NYC setting in PIA.
Ping is 31 ms for PIA vs 28 direct.

I look forward to testing with Warp once it's released, but I don't see how it
could be much better than the status quo. PIA has lots of servers all over the
place, cloudflare might have a bigger network but the delta should be
negligible.

I am a bit surprised that fast would get throttled though.

~~~
tracker1
It's been pretty common and a big part of why Netflix created the service
iirc. ISPs have been throttling netflix as a negotiating tactic when creating
peering agreements for upstream traffic or deploying more content servers. The
whole process has been really horrible imho. Some mobile providers do it to
force lower quality streams, that in fairness are probably more appropriate
for small/mobile devices. 1080p-4K are probably overkill on a 5-6" device.

~~~
ikeboy
Flagships from Apple, Samsung and Google are 1080p resolution or better. 4k is
overkill but 1080p absolutely is not.

~~~
tracker1
The question is, on a 5" screen will you _really_ notice the difference
between a 1080p stream and a 720p stream for video? Especially considering the
720p may be higher bits per pixel than the 1080p stream. I'd rather have a
720p stream at 3/4 the bitrate of a 1080p stream, which is often the case as
there are multiple levels for a given resolution.

Then again, I don't always notice even on a larger screen from a better 720p
stream and a poorer (relatively) 1080p stream. I often notice the difference
from 1080p to 4K though, which is a slightly bigger bump on a much larger
screen.

------
mysterypie
Just as an aside, I thought that was an exceptionally well-written product
announcement, or press release, or whatever you'd call it. It was long, but I
didn't mind reading the whole thing. It answered all the basic questions about
why I should use it, how they plan to make money, and with enough technical
detail that I understood essentially how it works. It was very much the
opposite of the marketing material you get from most big corporations. I'm
saving the page as a PDF as a good example if and when I need to write a
product announcement.

~~~
canada_dry
> exceptionally well-written product announcement

Yup... a rare beast these days. My niece is a gifted writer - one of less than
a half dozen that I personally know.

She graduated recently and had her pick of several positions due to her
portfolio of work.

~~~
eastdakota
I've been fortunate enough to earn degrees in English (BA), Computer Science
(minor), Law (JD), and Business (MBA). The one that serves me the most
regularly in my role as CEO of Cloudflare is my English degree. Learning to
communicate is so critical to success in your field, regardless of the field.

~~~
mkbkn
"Every business is a writing business." - Ray Edwards

Just curious, do you hire copywriters?

~~~
mzatlyn
Yes, we do. We have roles open in Austin and SF right now:
[https://www.cloudflare.com/careers/departments/marketing/](https://www.cloudflare.com/careers/departments/marketing/)

------
rattray
An aside from the comment, but I don't appreciate the derisive tone of their
first paragraph:

> a handful of elite tech companies decide to waste the time of literally
> billions of people with juvenile jokes that only they find funny.

I sort of agree, but it's not nice, and not necessary. It also isn't
particularly classy to then go on to say "and we're so much better, because we
do useful things".

(I do happen to find Cloudflare, as a company, so much better, and awesome
things like 1.1.1.1 and warp make me really want to push my employer to use
Cloudflare for all the things).

~~~
roberttod
Absolutely, that part left a bitter taste in my mouth reading the rest of the
article. Feels like they released this on April 1st just so they could make
this claim, strange move.

~~~
oarsinsync
Or because (in American calendars), today is 4/1, and the IP address for their
DNS server is 1.1.1.1, or four ones.

------
moreentropy
While this might improve user experience for some, I don't see the greater
value in a VPN solution like this.

It's the fast path to replacing the decentralized internet with a few
proprietary CDNs. I'm much more excited about those projects that actually try
to fix the raised issues:

Unencrypted connections -> TLS / Letsencrypt

TCP sucks on mobile/roaming devices -> QUIC & HTTP/3

~~~
jgrahamc
Cloudflare pushed out free TLS years before Let's Encrypt and we are actively
working on and supporting QUIC and HTTP/3. But QUIC/HTTP/3 aren't here today,
not everyone is using HTTPS and there are other worries in coffee shops etc.,
hence a VPN service makes sense.

~~~
jpgvm
There is a bit of a difference between LetsEncrypt and Cloudflare TLS
termination though... one is TLS for everyone, the other is TLS for Cloudflare
customers (paying or not). For instance, can an Iranian website use Cloudflare
TLS? I would wager not (ironic, as they probably need secure transport the
most).

I'm not saying Cloudflare isn't doing good things for the Internet but it's a
bit disingenuous to equate the 2 efforts. Cloudflare could have done
LetsEncrypt, but as a CDN that would make no business sense - which is why we
need LetsEncrypt, so they can continue to do the things that don't make good
business sense for Cloudflare.

~~~
judge2020
CF is at the mercy of the CAs (DigiCert/Comodo), and at least based on
LetsEncrypt's stance [0], they should be OK to issue .ir certificates as long
as the customer is not a Gov't entity. The only issue is that these CAs are
just playing it safe by not issuing any .ir domains, making CF also unable to
issue .ir.

I believe CF is working on LetsEncrypt certificates, at least based on
letsencrypt.org being included in the 'automatic' CAA records[1].

0: [https://community.letsencrypt.org/t/issuance-criteria-for-ir...](https://community.letsencrypt.org/t/issuance-criteria-for-ir-domains/81812/2)

1: [https://support.cloudflare.com/hc/en-us/articles/11500031083...](https://support.cloudflare.com/hc/en-us/articles/115000310832-Certification-Authority-Authorization-CAA-FAQ)

------
admiralpumpkin
Cloudflare, are there plans for ad blocking? Currently using AdGuard DNS and
it works well. Router-level ad-blocking would be an attractive premium option.

~~~
jerf
You should really _want_ those to be separate services. The incentives get
weirdly snarled if you expect your VPN to also block ads.

Making it a plugin that you could plug another app into might be cool, though?

~~~
penagwin
I think he's asking because you can't easily combine DNS services. If you're
using a service to block ads via dns then you aren't using 1.1.1.1. If you
want to use 1.1.1.1 then you need to either host your own forwarding dns
server or forego ad blocking.

------
gpm
I currently use DNS66 for ad blocking on android without root. Is there a way
to do something similar while using this app?

Alternatively, I have a Xperia XA1 running a June 5, _2017_ security patch.
It's been my intent for a long time now to figure out how to get root without
unlocking the boot loader the sony approved way (which makes the camera less
functional). Anyone have any pointers on easy to exploit privilege escalations
that should exist on my phone?

~~~
Abishek_Muthian
You are worried about unlocking bootloader (which you should) for rooting or
system less mod, but okay for an exploit operating from user space?

~~~
gpm
Yes, basically.

Could also approach from usb/wifi/bluetooth/etc instead of local userspace.

The problem specifically is that unlocking the bootloader the official way
deletes drm keys stored in a "TA" partition, and that makes the camera less
functional. It would be sufficient to find a vulnerability that let me back up
the DRM keys - but that seems unlikely without gaining root access and I'd
have more confidence that I backed up the right thing with root access.

~~~
Abishek_Muthian
Okay that makes more sense.

Unfortunately AFAIK all community run mods for Android require bootloader to
be unlocked.

------
redwards510
Currently I use PIA VPN when browsing. When I go to Cloudflare sites, I often
get captchas because, in the past, I imagine someone was using PIA to abuse a
Cloudflare site.

So what happens when people start using Warp to hide their IP so they can
hack, scan, scrape, upload malware, etc? Is Cloudflare going to show captchas
to Warp users and slow down their experience? What is the plan to mitigate
abuse on a free VPN that doesn't log?

~~~
dsl
That is why Cloudflare wants you to use their VPN rather than an anonymized
one. If they can track you, they can have more data about whether to block
you.

~~~
jgrahamc
Nope. We want you to use our VPN because we think it'll make your mobile
Internet experience better (faster and more secure). That turns into an upsell
opportunity to us and makes our core service (which people pay us for) more
valuable.

~~~
ignoramous
Damn. Cloudflare's super nice customer-centric stance on this product is
killing me. I quit my FAANG job just this past month to build something
similar.

~~~
vxNsr
OT: What's going on in your profile? is this some sorta custom way to follow
other user's posts?

~~~
ignoramous
Just a reminder to self that I should periodically check comments from those
accounts. Pretty much stole it from tptacek's profile.

~~~
vxNsr
Cool thanks! I'm gonna do it too :)

------
larrysalibra
Warp+ with Argo sounds like it has the potential to really improve the
internet experience on ISPs that have poor routes.

Will warp be available on desktop machines at some point?

~~~
zackbloom
Yes! We're working on desktop clients as well but they'll be available a bit
later than the mobile launches, as the most performance benefit is available
when you're on a cell network.

------
woofcat
I wonder if, when accessing a Cloudflare website, they'll be presenting the
website owner with the original origin IP, or passing along the 1.1.1.1
endpoint IP address when staying within their network.

~~~
prdonahue
We'll be presenting the original IP.

If you wish to block or otherwise take action on, e.g., malicious traffic from
the IP being used to connect to Warp, you'll be able to do so.

~~~
dsl
Is this in X-Forwarded-For?

~~~
prdonahue
CF-Connecting-IP is what we recommend using.

See [https://support.cloudflare.com/hc/en-us/articles/200170986-H...](https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-) for
details.
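As an added example (not Cloudflare's code and not from this thread), here is how an origin behind a reverse proxy should consume a client-IP header such as CF-Connecting-IP: believe it only when the TCP peer is one of the proxy's published address ranges, otherwise a direct client could set the header to whatever it wants and dodge per-IP blocking or rate limiting. The CIDRs below are RFC 5737/3849 documentation ranges used as constructed placeholders; a real deployment would load the proxy operator's published list instead.

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Constructed placeholders for the reverse proxy's egress ranges. These are
# documentation-only addresses, NOT Cloudflare's real ranges; a real origin
# would load the operator's published list here.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:cafe::/48"),
]


def is_trusted_proxy(peer: str, ranges: Iterable = TRUSTED_PROXY_RANGES) -> bool:
    """True when the TCP peer address falls inside a trusted proxy range."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def _valid_ip(value: Optional[str]) -> Optional[str]:
    """Normalise a header value to a canonical IP string, or None if malformed."""
    if value is None:
        return None
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def client_ip(peer: str, headers: Mapping[str, str],
              ranges: Iterable = TRUSTED_PROXY_RANGES) -> str:
    """Return the address an origin should log, rate-limit or block on.

    - Peer not a trusted proxy: ignore every client-supplied header and use the
      peer address itself (a direct client can forge any header).
    - Peer is a trusted proxy: prefer CF-Connecting-IP (a single address the
      proxy sets). Fall back to X-Forwarded-For, walked right-to-left so that
      only the hop appended by a trusted proxy is believed; a client-prepended
      entry on the left is never reached.
    """
    if not is_trusted_proxy(peer, ranges):
        return peer

    lower = {k.lower(): v for k, v in headers.items()}

    cf = _valid_ip(lower.get("cf-connecting-ip"))
    if cf is not None:
        return cf

    hops = [h.strip() for h in lower.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _valid_ip(hop)
        if ip is None:
            break                      # garbage in the chain: stop trusting it
        if not is_trusted_proxy(ip, ranges):
            return ip                  # first non-proxy hop from the right = client
    return peer                        # nothing usable; fall back to the peer


def should_block(ip: str, blocklist: Iterable[str]) -> bool:
    """Match the resolved client IP against a list of blocked CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in blocklist)


if __name__ == "__main__":
    # Constructed sample requests: a spoof attempt from a direct client, and a
    # genuine request arriving via a trusted proxy.
    print(client_ip("203.0.113.7", {"CF-Connecting-IP": "192.0.2.9"}))      # 203.0.113.7
    print(client_ip("198.51.100.5", {"CF-Connecting-IP": "192.0.2.9"}))     # 192.0.2.9
    print(should_block("192.0.2.9", ["192.0.2.0/24"]))                       # True
```

The same check is what makes the "block the IP being used to connect to Warp" advice above meaningful: the blocklist must be evaluated against the header-derived address only after the peer has been verified, or the header becomes an easy way for a direct client to get someone else blocked.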

~~~
devicenull
Which presumably only works if your site is using Cloudflare? Since you
wouldn't be MITMing SSL in order to inject this header?

~~~
zackbloom
This is correct. It's significantly harder to inject the origin IP into a TCP
stream. We have ways [1] of doing it, but it requires some coordination on
both sides.

1- [https://blog.cloudflare.com/mmproxy-creative-way-of-preservi...](https://blog.cloudflare.com/mmproxy-creative-way-of-preserving-client-ips-in-spectrum/)

~~~
dsl
Have you considered enabling this out of band? For example as a network
administrator I could verify a CIDR block and receive a real time stream of
5-tuples (err, 7-tuples with the proxy?) destined to my network.

------
3xblah
"Let's acknowledge that many corners of the consumer VPN industry are really
awful so it's a reasonable question whether we have some ulterior motive. That
many VPN companies pretend to keep your data private and then sell it to help
target you with advertising is, in a word, disgusting. That is not
Cloudflare's business model and it never will be."

Therefore Warp will be open-source and its distribution will be free from the
control of commercial third parties via "app stores".

Those who do not wish to use an "app store" may compile Warp themselves or
download binaries from their preferred repository for sideloading, e.g.,
F-Droid.

April Fools

------
kennyadam
So, I'm apparently #161486 on the wait list. Not holding my breath...

Sounds interesting though!

~~~
fancy44
I'm trying to join the wait list but it just kicks me back to the join wait
list button page after a quick second of spinning wheel.

Just does it over and over.

~~~
jgrahamc
We are working to fix that. Sorry you are having trouble.

~~~
fancy44
It worked now. Thanks!!

------
Grynn
This is awesome! I love CloudFlare's services and I'd trust them to provide a
really secure, fast VPN (free to boot!)

1\. Is there a public endpoint for boringtun/noise? For playing with

2\. Any chance the client (desktop) will be open source? Would love to help if possible.

3\. Any interest in a WebRTC (and webRequestBlocking) based chrome extension/client? That would probably not need anything special installed on desktops and would be awesome

------
ilarum
It would be really interesting to learn more about the technical details of
the "UDP-based protocol" Warp uses

~~~
zackbloom
It's WireGuard [1] coupled with tech from our Mobile SDK [2] and (in the case
of Warp+) Argo [3]

1- [https://github.com/cloudflare/boringtun](https://github.com/cloudflare/boringtun)

2- [https://blog.cloudflare.com/mobile-sdk-acceleration/](https://blog.cloudflare.com/mobile-sdk-acceleration/)

3- [https://www.cloudflare.com/products/argo-smart-routing/](https://www.cloudflare.com/products/argo-smart-routing/)

~~~
vbezhenar
Are there significant differences from stock wireguard? Can I benefit from your
work on my own server?

Also I wonder how do you work with censors? For example Russia censors
internet and requires that all VPN services cooperate and censor internet for
Russian customers as well (probably they will ban services that won't comply).
Will you cooperate or will you accept that Russian users won't be able to
reach your service? I guess, that some other countries use or will use similar
techniques. For example I'm from Kazakhstan, there are many banned websites
and they seem to ban popular VPN and proxy services as well (I'm using my own
server with OpenVPN, but obviously I'm just a small fish to bother).

~~~
tracker1
The benefit to Cloudflare is they will have more entry/exit nodes on their
network(s). While running your own will go through your own server in/out and
even then when travelling may only add more latency. Many on here are and have
been doing just that all the same.

------
NetBeck
APNIC acquires DNS data in exchange for 1.1.1.1 [1], are they also involved
with the VPN service?

[1] [https://blog.apnic.net/2018/04/02/apnic-labs-enters-into-a-r...](https://blog.apnic.net/2018/04/02/apnic-labs-enters-into-a-research-agreement-with-cloudflare/)

~~~
jgrahamc
No

------
tgtweak
Missed a huge opportunity to sell it for $1 per quarter ($1.$1.$1.$1/yr)

People willingly pay $5-10/mo for a VPN that is nowhere near this level.

~~~
eastdakota
That's clever. We haven't set the final pricing for Warp+ yet, so it's not too
late.

------
IronWolve
My work still can't reach 1.1.1.1, but can reach 1.0.0.1; it seems 1.1.1.1 was
used by our ISP TWTelecom for a stub network. We opened a ticket with TW, and
they just keep kicking the ticket as won't fix. But 1.0.0.1 seems to work fine.

------
terrywang
Almost thought this was an April Fools' joke (the app icon also makes it look
like one). While it's good to have an option for non-technical people who need
to protect their network traffic and privacy, I'd stick to my own DIY WireGuard
(now that we've got working clients for iOS, Android and macOS, etc.; it also
performs exceptionally well over IPsec - performance, simplicity), with a
strongSwan-based IPsec VPN as backup whenever network traffic encryption over
an untrusted network is required.

NOTE: I doubt this won't survive longer than 3 days in China mainland (inside
GFW).

~~~
edwinyzh
I couldn't even download it from the AppStore from within China mainland...

------
JoelJacobson
From Cloudflare's privacy policy:

“2. We will never sell your browsing data or use it in any way to target you
with advertising data;”

Does this mean they have the right to sell browsing data for other purposes
than “to target you with advertising data”?

Even without any personal data, the data generated when using their DNS-
service, such as statistics on domain names, can be of great value for e.g.
Hedge Funds and SEO-companies wanting to know how big a domain name is based
on DNS-request statistics.

My question is therefore: Do they have the right to sell non-personal DNS-
request statistics to third parties?

------
justwonderin
I'm confused WRT privacy policy:

[https://www.cloudflare.com/public-resolver-mobile-privacy/](https://www.cloudflare.com/public-resolver-mobile-privacy/)

In paragraph 2 Cloudflare says "We do not receive your phone number, device
ID, IP address or any other information that could identify you when you
install or use the Mobile Application."

But in paragraph 4 it says "These Service Providers may only process personal
information pursuant to our instructions".

So which is it - do they collect personal info or not?

------
CKN23-ARIN

        This Sounds Too Good To Be True
        That’s exactly what I thought when I read about the
        launch of Gmail exactly 15 years ago today.
    

Is this supposed to make me _less_ suspicious?

------
mikenew
Would really be nice to see this on F-Droid or available as an apk somewhere.
There are still a few of us (dozens!) that are holding onto the fantasy that
Android isn't just a Google service.

------
kdv
How is Cloudflare handling IP allocation here? I might be mis-understanding
how WireGuard works, but it doesn't look like there is an official method for
IP dynamic assignment.

~~~
YjSe2GMQ
From what I reckon this (and almost any other VPN, or even Tor) will give you
the outside appearance of the IP of the exit node. Think like NAT.

~~~
mercora
He is most likely talking about the IP address inside the tunnel which in case
of WireGuard is intervened with the exchange of cryptographic keys. You can
not use a DHCP server as only unicast traffic is possible.

------
x00x
Can't wait to see Desktop version that works on Linux and maybe as extension
on Firefox/Chrome - for those who just want to use this for browser and not
other software. I've used 1.1.1.1 since day one and love it. Much faster then
Google/OpenDNS for me. I actually use it on router.

Maybe next you can do a better security for our WiFi? But this might require
releasing a better hardware not just software.

------
tomschlick
Anyone else get a spinner when clicking "Join the waitlist" and the button to
join just reappears again? (iPhone XS, running latest update)

~~~
zackbloom
Sorry about that, there's an issue we're currently dealing with which hits
people who had a specific version of the old 1.1.1.1 app and just updated. It
should be fixed shortly.

~~~
tomschlick
Thanks. Just tried again and got on the list!

------
poisonborz
At least everyone should agree that using VPNs is mostly an awful experience
on all devices, but many times more on mobile phones. I tried out 3-4 clients
(Android) with different services/protocols and couldn't keep using it because
of the resource usage, it literally halved the battery time and made the (new
flagship) phone hot all the time. There has to be a better way.

------
xvector
> 1\. We don't write user-identifiable log data to disk;

> 2\. We will never sell your browsing data or use it in any way to target you
> with advertising data;

Is it just me or are these terms super-specific? They can easily be
circumvented to achieve real logging, especially at Cloudflare's scale. While
I trust Cloudflare as a company, I feel like they're being a bit disingenuous
here.

~~~
zackbloom
It's at least meant to be the opposite, specific such that you can trust we're
making real promises. You can read the full privacy policy here:
[https://www.cloudflare.com/public-resolver-mobile-privacy/](https://www.cloudflare.com/public-resolver-mobile-privacy/)

------
TheCraiggers
> 1\. We don't write user-identifiable log data to disk;

That's great... but you do log user-identifiable info? How I read that is "we
log things that can identify you but just keep it in memory for X amount of
time".

Myself and other privacy-minded folks would like to know more details there,
especially as this is a freemium service.

~~~
bvda
>A VPN for People Who Don’t Know What V.P.N. Stands For

I don't think their target audience includes those people (privacy minded
folks.)

~~~
TheCraiggers
True. But that doesn't preclude you from offering the same amount of privacy.
I suppose they want to catch abusers or find some other way of monetizing it,
but that has nothing to do with the demographic they're chasing.

------
wrs
Congrats! Just a few days ago you said BoringTun is “not ready to be used in
mission critical tasks” [1] — has this changed?

[1] [https://blog.cloudflare.com/boringtun-userspace-wireguard-ru...](https://blog.cloudflare.com/boringtun-userspace-wireguard-rust/)

~~~
maltalex
1\. This isn't mission critical. It's a free product that comes with no
guarantees.

2\. They're onboarding people slowly. You can't use it yet without an
invitation.

~~~
wrs
Wow, so encouraging thousands of people to run all their mobile traffic
through something doesn’t make it mission critical? How do you know what their
missions are? (I don’t imagine CloudFlare would feel that way...at least I
hope not.)

------
oedmarap
This is a wonderful announcement. I'm a bit torn since on the one hand I love
Cloudflare and use them extensively for my domains/servers/websites but for
personal secure browsing I've been using Mullvad + WireGuard Android (with
1.1.1.1 in the config file) for a long time and it's worked flawlessly.

I like both companies so maybe I'll just keep supporting Mullvad and recommend
1.1.1.1 to friends and family once Warp is in general availability (those
"people who don't know what a VPN is").

Warp+ looks to be a solid business use case which I think fits well with Argo
and their other offerings. Either way, it's good to have another proper VPN
option outside of (self)hosted WireGuard.

Many thanks for democratizing this service, as is always the case with
Cloudflare.

------
otterley
The claim that ordinary IPSec-based VPN clients (which typically use the OS
kernel's IPSec facilities) "drain your battery" more than any other VPN
implementation seems specious to me. Does CloudFlare have any data to support
this claim?

~~~
auslander
Have a link to the statement? I'm using native iOS IKEv2 client and it has not
a single issue.

------
saurik
From where does the user's traffic originate? Is it the closest location on
that map to where they started? Is it always the same country? (I'm guessing
not, as there are a lot of countries? ;P But maybe that's true for larger
countries?)

------
mikkelam
I've been having tons of issues with 1.1.1.1 on my iPhone, especially when
jumping on and off wifi to 4G. I realise they would need to reconnect and so
on, but it seems absurdly slow, so I stopped using it. I'll give Warp a try
though.

------
noja
And HN said concentration of power is a bad thing - hey look at this free
altruistic VPN!

------
azinman2
There’s a lot of claims about how mobile internet sucks and this makes it not
suck. But then it’s revealed it’s a WireGuard based VPN. What I don’t
understand is how my internet will be so much faster than any other use of
WireGuard?

~~~
zackbloom
There are a few reasons:

1\. When you use WireGuard as a VPN your device is connecting to wherever you
happen to have hosted your server. Cloudflare's PoPs are located in 165
different Internet exchanges and ISPs, giving you a pretty good chance to be
closer to you wherever you are in the world.

2\. We (Cloudflare) have tech through our Mobile SDK product which can
optimize the actual way the Internet TCP traffic is mapped into UDP.

3\. We also have Argo, a technology for optimizing the routing of packets
through the Internet which will be released as Warp+.

~~~
azinman2
Can you go into more detail about #2? This is what I want to know more about —
especially how this is faster than without any VPN.

------
ChrisSD
Last time I used 1.1.1.1 DNS I sometimes had problems when visiting bbc.co.uk.
It seemed to be trying to look up the domain on cloudflare's service for some
reason. Was I the only one to have this problem? Would it be fixed now?

~~~
aroch
1.1.1.1 doesn't use eDNS and likely never will:
[https://developers.cloudflare.com/1.1.1.1/nitty-gritty-detai...](https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/)

So geo-specific things will break... BBC.com should load though, since it's for
out-of-UK people.

~~~
kentonv
Site should load just fine without eDNS -- even "geo-specific" ones. They will
just route you as if you came from your local Cloudflare PoP rather than your
home IP; usually not a big difference since Cloudflare is in so many
locations.

I'm not having any trouble with bbc.co.uk on 1.1.1.1, maybe it was a temporary
hiccup.

(Disclosure: I work for Cloudflare but not on this product.)

~~~
miyuru
> not a big difference

I am getting more than 300ms difference to google.com

[https://pastebin.com/raw/QnbWXU1a](https://pastebin.com/raw/QnbWXU1a)

~~~
kentonv
Ouch. Do you know which PoP (point of presence) you're hitting? To find out,
look at the last three letters in the CF-Ray header on any response from a
Cloudflare site, e.g.

    curl -v cloudflare.com 2>&1 | grep -i CF-Ray

The letters should correspond to an airport code nearby the CF server you
landed on. Let me know what it says.

~~~
miyuru

    CF-RAY: 4c0c98839feb5ff3-MRS

It's hitting the Marseille, France POP.

I posted the issue (bad route) on the community forum a few months ago.

[https://community.cloudflare.com/t/high-ping-sri-lanka/15276...](https://community.cloudflare.com/t/high-ping-sri-lanka/15276/5)

~~~
kentonv
OK, so it seems like Cloudflare in general is not serving your ISP very well
for some reason. :( Hopefully our network team will be able to look into it.

------
cmurf
Very interesting. I've got environments where I have no control over how DNS
is assigned, so I've wanted to set my phone to point to 1.1.1.1 but that also
means I must have a static IP (it's DHCP or static, I can't only change DNS),
but when I use static I run into a significant battery drain.[1] Using an app
to work around that is a bit of a heavy hammer, but I'm gonna give it a shot.

[https://issuetracker.google.com/issues/112927337#comment45](https://issuetracker.google.com/issues/112927337#comment45)

------
auslander
Another free service, now with a CF app on your device.

    Service      Scope                    User Data
    DNS          1.1.1.1 users            Browsing history
    CDN/Proxy    CF protected websites    SSL decrypted user forms, passwords, emails
    Warp VPN     Warp users               Device data, browsing history, apps traffic

Most sensitive is raw, SSL decrypted web traffic, and users using two or more
services at the same time. CF promise they don't use data, but legalese has
loopholes, like do they store/use aggregated (not raw) data?

------
whitepoplar
Will it be possible to whitelist network devices and/or SSIDs?

Use case: I want to be able to say, "only use VPN when on WiFi networks (not
cellular), and if so, only activate on public WiFi networks (not my home
WiFi)."

~~~
ksoderstrom
It’s currently possible to whitelist SSIDs, and disable for cellular, for the
1.1.1.1 DNS VPN profile on iOS, so I’m assuming it will work the same way for
Warp.

------
Tim55
It's good, but there are still many great Mobile VPN services like PIA, PureVPN
and ExpressVPN. Also, they are compatible with routers so you can easily use
them on it instead of using the VPN on mobile directly.

[https://www.purevpn.com/download/router-vpn](https://www.purevpn.com/download/router-vpn)
[https://www.expressvpn.com/vpn-software/vpn-router](https://www.expressvpn.com/vpn-software/vpn-router)

------
peterwwillis
_" Hokey as it sounds, the primary reason we built Warp is that our mission is
to help build a better Internet — and the mobile Internet wasn’t as fast or
secure as it could be and VPNs all suck. Time and time again we've watched
people sit around and talk about how the Internet could be better if someone
would just act. We're in a position to act, and we've acted."_

By doing the least work possible: creating a proxy. They haven't actually
fixed the internet at all, they just made a new middle box.

------
reneberlin
I further correct my post: what or who will be behind CF? It's naive at its
best. "Freedom of surveillance for free" And you just slurp it. Think. Again.
Think.

------
magicbuzz
I stepped thru getting some Ubuntu systems using 1.1.1.1 for DNS but retaining
DHCP otherwise. Looks like this is tricky to do but some new features came in
with a netplan package update that allows this to be done easily in 19.04:

[https://askubuntu.com/questions/1001241/can-netplan-configur...](https://askubuntu.com/questions/1001241/can-netplan-configured-nameservers-supersede-not-merge-with-the-dhcp-nameserve)

------
tyingq
Is there any notable potential for people to use this for abuse? You guys tend
to put up captchas for inbound Tor traffic, I assume for similar reasons.

~~~
jgrahamc
Tor is different. We don't put up CAPTCHAs by default for Tor. We totally
changed how we handle Tor years ago. But, because Tor provides anonymity,
there is _a lot_ of abuse through it. A lot.

~~~
tyingq
I read the privacy sections in your blog post, and it feels like WARP offers
anonymity, maybe not from CF, but perhaps from everyone else.

~~~
jgrahamc
Note that the blog post does not say "anonymity" or any similar word. We
aren't trying to hide you completely from everyone (use Tor for that). We are
securing and accelerating the connection between your device and Cloudflare.
This is meant to deal with the reliability, performance and security
challenges of using mobile Internet around the world. And we have strong
privacy guarantees.

~~~
tyingq
Yes, I got that. But, because CF offerings are very popular, you're going to
end up with a lot of people coming from a relatively small number of IP
addresses, right?

It's worth thinking about...we had this situation before with AOL. That is, a
pretty large number of people in diverse geographic areas, all coming from a
small number of IP addresses.

People do use that "relative" anonymity for lots of things, not all of them
good. Also, it may create some issues for things like geolocation, regional
content restrictions, credit card fraud detection, SMTP blacklisting, rate
limiting, and so forth. Because your offering is free, and CF is well known,
I'm guessing it will grow fast. Not suggesting anything change about it, just
that it may create something that site owners need to react to.

------
skybrian
I wonder what happens if you're already using Android or Chrome Data Saver?
Should you turn them off?

Interesting to see competition heat up at the VPN level.

------
auslander
Would Warp have an option to use _native_ (iOS/Android) VPN clients, instead
of installing their app? Like, providing warp.mobileconfig configuration
profile?

I'm using native iOS/MacOS IKEv2 client with selected few VPN providers, and
pretty happy with not having 3rd party app on my mobiles/desktops.

OK. TFA says "We built Warp around WireGuard". That kills native client
support.

------
gok
This sounds super cool. Any chance more of the client will be open sourced? (I
presume this uses the recently-released Rust WireGuard core?)

~~~
jgrahamc
Not right now. The burden of supporting that as open source would be too high.

~~~
martingxx
Why not release anyway (for transparency) but with explicitly no support?

~~~
gok
If you don't trust them with a binary, you shouldn't trust them just because
they posted source code somewhere. If they don't have the bandwidth to manage
this as an open source project this is the right call.

~~~
martingxx
There are plenty of companies who have released their source code but don't
support it in the same way a typical community driven project like other open
source projects do.

This is especially true for certain privacy and security focused applications.
For example, Signal release their code, have quite a lot of users, and don't
report an unmanageable overhead due to having released their source code.

It's not just a matter of trusting their intentions, it's a matter of knowing
that their code matches their intentions. I trust OpenSSL (mostly, these days)
and I always trusted the intentions of the developers, but if their code was
not open it would not be half as secure today.

------
fc_barnes
One thing about using VPNs on the phone is that a lot of mobile/public
networks only allow port 80, which prevents the VPN from connecting. If CF
makes a version of wireguard that can do port 80, that would be great.

As far as their bottom line, I guess this helps them sell services by having a
documented number of people suckling the internet straight from the CF teat?

~~~
F147H34D
wg uses UDP. Can be configured to run on any port. If connection is restricted
to TCP only, then use udptunnel.

------
tuxone
> That many VPN companies pretend to keep your data private and then sell it
> to help target you with advertising is, in a word, disgusting. That is not
> Cloudflare’s business model and it never will be.

When I read something like that I feel protected and cared about. Now, can
someone explain to me why this should be in any form different from the
WhatsApp case?

~~~
almostbasic
Let's not forget how Cloudflare got started...

The Department of Homeland Security offered to buy the data from Project
Honeypot (run by Matthew Prince and Lee Holloway), and they sold it to them
for $20,000. Michele Zatlyn (a classmate of Prince) said "if they'll pay for
it, other people will pay for it."

"And so the idea for Cloudflare was born, with Ms Zatlyn as its third co-
founder." [with Prince and Holloway]

Source:
[https://www.bbc.com/news/business-37348016](https://www.bbc.com/news/business-37348016)

~~~
jgrahamc
And let's not forget who Cloudflare's customers are today: companies that pay
us to make their web servers and API servers faster, more reliable and more
secure.

------
totaldude87
Cloudflare is one of the companies I trust and use. But in every company's
life cycle, there will be a time when some other company (Google, Facebook and
other usual evils) comes forward to buy this company out; will they hold off,
or will they go public? What happens next is a story for another time!

~~~
ocdtrekkie
Always continually evaluate your assumptions of who you trust, and always
ensure you aren't up a creek if you have to switch providers because of an
acquisition. That's why products built on open standards are great: They mean
there are already alternatives readily available if you need to switch.

------
knowuh
I have enjoyed the elitist jokes that were on the internet

and which you were probably saving for April 1ˢᵗ

Forgive me they were delicious so sweet and

IRONIC

------
EastSmith
Awesome!

I started using 1.1.1.1 last April from the start. Later I decided I want a
firewall on my Android phone as well and installed NetGuard. Unfortunately
both apps can not run at the same time, because they are both "VPN".

Really hope there are plans for a firewall built into 1.1.1.1 in the future.

------
Tor3
I'm scratching my head at this one.. I installed it, it claims that VPN is on,
there's the little key in the status line as when e.g. OpenVPN is running, but
pointing a browser at whatismyip.org still shows the same old IP address. So,
no VPN after all?

~~~
Tor3
Replying to myself - I hadn't got that you have to apply for a spot in the
waiting list, through the app. So it just does DNS through 1.1.1.1, still.
Fair enough, although my routers generally do that by themselves already.
However, I wish the 1.1.1.1 app didn't show that key in the status line as
long as it isn't a VPN application.

------
mleonhard
This is attractive because I trust Cloudflare more than all of my local mobile
providers.

------
brunoqc
Some Android apps don't work well with VPNs. It might be those set to only sync
on wifi. I wonder if it will improve.

Google photos didn't want to sync when using the CloudFlare 1.1.1.1 app. I
think I had problems with podcast apps in the past too.

------
jerf
I've downloaded 1.1.1.1 fresh from Google Play just now, but I don't see any
"get in line" option. Buried somewhere, or Google still staggering out the
latest version of the app?

~~~
jgrahamc
It's coming. We have released but there's some latency in the various app
stores around the world.

~~~
jerf
Got it now. Thank you.

------
spurgu
This is so awesome from the general safety, convenience (super simple to use!)
and speed perspective. I would gladly pay to have the option to be able to
choose which datacenter I connect to.

------
Zenst
Given the size of the queue to join (request via their 1.1.1.1 app), I'd say
get it, get a slot, and by the time that comes up any issues or concerns would
have been well debated.

But looking good so far.

------
gaia
@eastdakota, I have 1.1.1.1 at router level but when I installed the app it
told me I wasn't using 1.1.1.1.

Is this by design or there is possibly something wrong with my router's DNS
setup?

~~~
justusthane
It's a whole different thing. If you install the 1.1.1.1 app, it's sending all
your DNS lookups from your phone directly to 1.1.1.1. It doesn't care what's
happening at the router level - which is kind of the point, I think.

Even more so once this Warp VPN functionality is live.

------
repolfx
I guess the big question I have is why Cloudflare is a more trustable exit
point than my mobile carrier is. They're both large corporations with similar
privacy policies.

------
ksec
193 comments and no one has asked yet.

How do they make money?

So, the price plan and extras from Business, Professional and Enterprise CDN
is enough to cover all the cost of running the network + free tier CDN +
Domain Registration Operation + DNS + Free tier VPN?

There is a reason why I am using Apple. Their interest is in me using iPhone
or Apple devices with a very decent profit margin, and hopefully upselling me
into convenience services like iCloud and, in the future, Apple Cards. It is a
simple and easy to understand business model. Even iWork, Maps, and all
other services are deducted from each Apple device sold and now accounted
into Services.

So how do Cloudflare make money with free VPN?

~~~
jgrahamc
In the article see the section "Ok, Sure, But You’re Still a Profit-Seeking
Company"

~~~
gist
It would make sense if in reply you could summarize an answer to the question
and also say 'more at OK Sure," [1] For example maybe I as a user want to know
but don't feel like getting stuck reading more or distracted.

[1] Since you are all about speed!

------
hartator
Wonder if we would have a desktop version as well.

Tried VPNs at some point. It was a slower and more error prone Internet
experience. For doubtful privacy gains.

It would be awesome to have static IPs as well.

~~~
jgrahamc
Yes. As it says at the end of the post. Desktop clients will be coming soon.

~~~
hartator
Awesome missed that!

------
tcd
Honestly, Jason is hopefully going to be thrilled WireGuard is going to be
deployed at an absolutely _massive_ scale; not even OpenVPN has been offered
as a 'free VPN' like this.

I'm really hoping it works out, and Cloudflare can continue to contribute
their expertise working with WG. At the end of the day, this benefits everyone,
since OpenVPN, whilst reliable in my experience, is just too burdensome.

I also am intrigued by the price, and features that will differ between
free/pro. I suspect many VPN services over the next few years will feel the
effects of this (is that why they're all rushing to add 3 year plans?)

~~~
jgrahamc
We'll keep our open source Rust WireGuard code up to date with our internal
version. We hope to work with the WireGuard project later once the dust has
settled.

Warp+ will use Argo (our "Waze" of the Internet) to improve routing. It
significantly improves reliability and performance. Pricing for Warp+ will
vary by region/country to ensure it's appropriately affordable everywhere.

~~~
mino
Can you talk about the details of Argo, in a blogpost or elsewhere?

I'm referring to the routing logic and optimisation algos.

Asked already several times in the past. I'm very curious as I've worked a lot
on those specific issues. Thanks.

------
seanwilson
Is there a better summary of what's being offered here?

~~~
ilarum
Cloudflare already has an app on mobile devices - but so far it only served
your DNS queries. Now the app behaves as a VPN for all your mobile traffic -
all data is routed within Cloudflare's network from the moment it leaves your
device, which is faster than going through the public internet.

~~~
mercora
I think it is important to notice that the traffic is first routed to
Cloudflare over the public internet, so technically it is not the moment it
leaves your device when it starts to get routed inside Cloudflare's network,
and it is on the public internet again soon after in most cases. Being faster
crucially relies on having nearby access to their network from your device and
from their network to the destination. Otherwise you ultimately just add some
additional hops in between, making it likely to be slower in terms of latency
instead. I also would not expect much of a difference performance-wise if you
access services already using Cloudflare, as the endpoint's network is likely
the same there. However, this is only relevant for your argument of it
supposedly being faster. Of course the packets leaving your device are
encapsulated and unreadable to third-party observers. After being decapsulated
it's not about routing your VPN traffic anymore but the packets inside, which
is probably what you were referring to on its own.

------
lelf
[https://one.one.one.one](https://one.one.one.one)

[https://1.1.1.1](https://1.1.1.1)

~~~
mmastrac
Are there any other legitimate certs issued with IP address altnames?

~~~
lelf
dns.google 8888.google 8.8.8.8 8.8.4.4

~~~
mmastrac
Oddly [https://8.8.8.8](https://8.8.8.8) doesn't have a legit cert though
(even though the cert for 8888.google _does_ have an IP address alt)

~~~
lelf
It does I think

    - Certificate[1] info:
     - subject `CN=Google Internet Authority G3,O=Google Trust Services,C=US', issuer `CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2', serial 0x01e3a9301cfc7206383f9a531d, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-06-15 00:00:42 UTC', expires `2021-12-15 00:00:42 UTC', pin-sha256="f8NnEFZxQ4ExFOhSN7EiFWtiudZQVD2oY60uauV/n78="
    - Status: The certificate is trusted.

~~~
maltalex
> Firefox does not trust this site because it uses a certificate that is not
> valid for 8.8.8.8. The certificate is only valid for the following names:
> _.c.docs.google.com,_.a1.googlevideo.com,
> _.c.2mdn.net,_.c.audiobooks.play.google.com,
> _.c.bigcache.googleapis.com,_.c.chat.google.com,
> _.c.doc-0-0-sj.sj.googleusercontent.com,_.c.drive.google.com,
> _.c.googlesyndication.com,_.c.googlevideo.com,
> _.c.inbox.google.com,_.c.lh3-da.googleusercontent.com,
> _.c.lh3-da.photos0.sandbox.google.com,_.c.lh3-db.googleusercontent.com,
> _.c.lh3-db.photos1.sandbox.google.com,_.c.lh3-dc.googleusercontent.com,
> _.c.lh3-dc.photos2.sandbox.google.com,_.c.lh3-dd.googleusercontent.com,
> _.c.lh3-dd.photos3.sandbox.google.com,_.c.lh3-de.googleusercontent.com,
> _.c.lh3-de.photos4.sandbox.google.com,_.c.lh3-df.googleusercontent.com,
> _.c.lh3-df.photos5.sandbox.google.com,_.c.lh3-dg.googleusercontent.com,
> _.c.lh3-dg.photos6.sandbox.google.com,_.c.lh3-dz.googleusercontent.com,
> _.c.lh3-dz.photos-autopush.sandbox.google.com,_.c.lh3.googleusercontent.com,
> _.c.lh3.photos.google.com,_.c.mail.google.com,
> _.c.offline.maps.google.com,_.c.pack.google.com,
> _.c.play.google.com,_.c.video.google.com,
> _.c.youtube.com,_.cache1.c.docs.google.com,
> _.cache1.c.play.google.com,_.cache1.c.video.google.com,
> _.cache1.c.youtube.com,_.cache2.c.docs.google.com,
> _.cache2.c.play.google.com,_.cache2.c.video.google.com,
> _.cache2.c.youtube.com,_.cache3.c.docs.google.com,
> _.cache3.c.play.google.com,_.cache3.c.video.google.com,
> _.cache3.c.youtube.com,_.cache4.c.docs.google.com,
> _.cache4.c.play.google.com,_.cache4.c.video.google.com,
> _.cache4.c.youtube.com,_.cache5.c.docs.google.com,
> _.cache5.c.play.google.com,_.cache5.c.video.google.com,
> _.cache5.c.youtube.com,_.cache6.c.docs.google.com,
> _.cache6.c.play.google.com,_.cache6.c.video.google.com,
> _.cache6.c.youtube.com,_.cache7.c.docs.google.com,
> _.cache7.c.play.google.com,_.cache7.c.video.google.com,
> _.cache7.c.youtube.com,_.cache8.c.docs.google.com,
> _.cache8.c.play.google.com,_.cache8.c.video.google.com,
> _.cache8.c.youtube.com,_.dai.googlevideo.com,
> _.googlevideo.com,_.googlezip.net, _.gvt1.com,_.offline-maps.gvt1.com,
> _.snap.gvt1.com,_.xn--ngstr-lra8j.com, xn--ngstr-lra8j.com

~~~
mmastrac
Thanks! That's what I meant - 8.8.8.8 has a real cert, just not a valid one
for its IP address (which does appear on other domains, oddly enough).
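
The rule behind this sub-thread, as an added Python example rather than anything from the page or from any browser's code: a client connecting to an IP literal matches it only against the certificate's iPAddress SAN entries, never against dNSName entries, and a dNSName wildcard covers exactly one label. The SAN lists below are constructed subsets of what lelf and maltalex quoted (the underscores in the Firefox message are asterisks mangled by markdown).

```python
import ipaddress
from typing import List, Optional, Tuple

# A subjectAltName entry as (type, value); type is "DNS" (dNSName) or "IP" (iPAddress).
SAN = Tuple[str, str]

# Constructed subsets of the SAN lists quoted in the thread (the Firefox message
# shows "_" where the wildcard "*" was mangled by markdown).
GOOGLEVIDEO_SANS: List[SAN] = [
    ("DNS", "*.c.docs.google.com"),
    ("DNS", "*.googlevideo.com"),
    ("DNS", "xn--ngstr-lra8j.com"),
]
DNS_GOOGLE_SANS: List[SAN] = [
    ("DNS", "dns.google"),
    ("DNS", "8888.google"),
    ("IP", "8.8.8.8"),
    ("IP", "8.8.4.4"),
]
ONE_ONE_SANS: List[SAN] = [
    ("DNS", "one.one.one.one"),
    ("IP", "1.1.1.1"),
]


def _as_ip(text: str):
    """Parse an IP literal (brackets around IPv6 allowed); None if text is a hostname."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style dNSName comparison: case-insensitive, and a wildcard is only
    honoured as the whole left-most label, matching exactly one non-empty label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # "f*o.example.com" or "a.*.com": rejected outright
    if len(p_labels) < 3:
        return False  # "*.com" would cover a whole TLD
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False  # the wildcard spans one label, never zero or two
    return h_labels[1:] == p_labels[1:]


def matching_san(host: str, sans: List[SAN]) -> Optional[str]:
    """Return the SAN value that makes `host` valid for a certificate, or None.

    An IP literal is compared only with iPAddress entries (a dNSName that merely
    spells out the address does not count), and a hostname only with dNSName entries.
    """
    ip = _as_ip(host)
    for kind, value in sans:
        if ip is not None:
            if kind == "IP" and _as_ip(value) == ip:
                return value
        elif kind == "DNS" and _dns_name_matches(value, host):
            return value
    return None


if __name__ == "__main__":
    # The situation in the thread: 8.8.8.8 serves the googlevideo cert, so the
    # IP literal has no matching entry even though another Google cert lists it.
    print(matching_san("8.8.8.8", GOOGLEVIDEO_SANS))  # None
    print(matching_san("8.8.8.8", DNS_GOOGLE_SANS))   # 8.8.8.8
    print(matching_san("1.1.1.1", ONE_ONE_SANS))      # 1.1.1.1
```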

------
hultner
I can't find the wait list option in the app, checked App Store and I'm on the
latest version. I'm using iOS 12, 1.1.1.1 user since the launch.

------
throw0101a
I wonder what the OS/2 folks think about the name. :)

------
trpc
That's awesome. Is it possible to just exchange the public keys via
Cloudflare's website and start using it on whatever client/platform?

------
chdaniel
I trust and like Cloudflare a lot — a bit sad to have just bought 3 years of
Nord VPN a month ago but hey, looking forward to the next renewal

------
Thaxll
I'm curious how they're going to manage the legal side of that project. It's
free many people are going to abuse the system.

------
bubblethink
How does this play with the various arbitrary geoip blocks that various video on
demand sites deploy? Cloudflare, being a large enough player, has enough clout
to affect some of these regressive practices (which I consider to be a
violation of net neutrality; a form of IP discrimination if you will). Yet I
feel that it will have the opposite effect, in that Cloudflare will get
whitelisted somehow, much to the disadvantage of other VPN providers.

------
dfgert
No matter how much they try to sell it as a goodwill gesture towards mobile
users, I will not buy it. There are good examples where a company starts off
with good intent but later turns into a typical selfish corporation. Let's face
it, every single corporation has to continuously grow, as demanded by the market,
which means at some point they will break their promises to implement new
means of making money.

------
kamal_k
Man, I hate April Fool's Day. You can't ever be sure if what you hear is real
or not.

~~~
kukabynd
It’s the same when it’s not April Fool’s day, isn’t it?

------
durability
Anyone know roughly how quickly this is rolling out? Signed up last night
and am #200kish.

------
crooked-v
I wonder if this will be available on desktop at some point, or even for DD-WRT
or the like.

------
t0astbread
Since when does Cloudflare have such a good reputation for privacy? Have I
missed something?

------
fakename
Is this worth a permanent notification? Is there really no way to turn that
off?

------
jaimex2
As a content filter for schools should we be blocking 1.1.1.1 going forward?

------
rubyfan
Wish I had seen this earlier; wait list position is over 200K :(

------
ForFreedom
Is this working, or do I have to wait my turn at #28182982?

------
fulafel
What are the tradeoffs vs using the kernel ipsec stack?

------
sudhirj
TLDR: Cloudflare released a privacy-focused DNS resolver at 1.1.1.1, then an
app for iOS and Android that set up VPN profiles to use those DNS resolvers.

Now the apps will be upgraded with Warp, an option to set up a full data VPN
over WireGuard, terminating at any worldwide PoP.

This should give you super low latency to your VPN server, and also open up
the possibility of local caching smarts on the device.

Basic service is free, premium service coming that’ll put you on the CF
backbone for all your traffic, should take you off the public internet and
speed things up.

Desktop versions coming as well.

------
reneberlin
Think about it: who is behind cloudflare?

~~~
kim0
NSA ? lol

------
Mindwipe
This is very vague about where the endpoints will be.

Will Cloudflare push all of the users in a given country to an exit point in
their country? Can they realistically do that? Will it guarantee that, or will
it vary with load? Will they detect VPNs coming into the service, or will it
be a good way of laundering the VPN? Will it do anything at all as an anti
censorship service?

Tl;dr, I'd expect an awful lot of sites that currently block VPNs entirely
(and that practice is increasing) to keep doing it here.

------
amingilani
They've glossed over a few details that I'm curious about:

1\. What will the exit IPs be? Will I get to stay within my region and access
region-specific content, or can I bypass censors, both government (porn,
"glory of Islam", etc.) and private (Netflix region-specific content, GDPR
non-compliant websites that accidentally block my region)?

2\. Can I select my own exit region?

3\. How do they handle abuse? Can I spam and get their IP blacklisted? (I'm
curious, not actually nefarious)

~~~
zackbloom
1\. It will exit close to you, unless you have Warp+ in which case we might
route it to a different PoP closer to your destination if that makes it
faster. It is not designed to bypass censors.

2\. No

3\. Exactly what an actually nefarious person WOULD say!

~~~
amingilani
Thank you for your answers!

> Exactly what an actually nefarious person WOULD say!

It's hard to distinguish between curious and nefarious people after a point, I
suppose ;) but that's still not an answer :)

------
qertoip
A honeypot.

------
moneywoes
Would this work in China?

------
terrycody
People reviewed it's not working in China lol

------
rsync
I don't trust this, or these people.

No matter what words they use, _the model_ is a dangerous one and we should be
just as wary of it coming from cloudflare as we would if it were coming from
google.

~~~
jgrahamc
Why?

~~~
zzzcpan
US startups are not exactly trustworthy by default, and VC backing seems to
often force them to abuse any power and control they have over users for the VCs'
benefit. And security and privacy these days are more often than not just a
cover to do something bad, from simple anti-competitive practices to outright
evil causes that help kill people.

------
fxfan
jgrahamc can you please stop using google slave labor? You guys are smart
enough and capable enough to have your own captcha system.

------
dispat0r
Support for Linux would be nice.

~~~
onychomys
Are there any Linux phones? I thought everybody was either on iOS or some
flavor of Android (....plus some Windows Phone holdouts, I suppose). Android is
vaguely based on the Linux kernel, but nobody would really count that.

~~~
newaccoutnas
A WireGuard (proper) Android client has been on my phone for months.
Cloudflare seems to have talked very little to the upstream at all here.
Jason commented on this here:
[https://lists.zx2c4.com/pipermail/wireguard/2019-March/00404...](https://lists.zx2c4.com/pipermail/wireguard/2019-March/004048.html)

It'd be interesting to see a response from Cloudflare (unless there is one and
I've missed it).

~~~
jgrahamc
See
[https://news.ycombinator.com/item?id=19544819](https://news.ycombinator.com/item?id=19544819)

------
ratling
If they're going for the no-logs gimmick I'll probably just preemptively block
their ASNs and save myself a lot of trouble.

Did the same with Nord and a dozen other VPN-of-the-week services. No-logs
means no accountability, which means malicious traffic, which means you don't
get to talk to our stuff.

------
paulcarroty
I'm impressed how good Cloudflare is from the tech side. Without CL, Google can
track 99% of the internet with their shitty AMP sooner or later.

------
Abishek_Muthian
It's good to have another VPN from a player with huge network infrastructure like
Cloudflare, but the article seems to digress frequently.

>TCP, the foundational protocol of the Internet, was never designed for a
mobile environment.

Packet loss due to this is mentioned, but I don't see the relevance to the new VPN
service, especially when the next section talks about Warp using UDP.

> We’ve built Warp around a UDP-based protocol

Other VPN providers do offer an option of choosing TCP/UDP as per usage i.e.
better reliability vs faster speed.

I'm glad that it uses WireGuard, but it's likely other major VPN providers are
working on a WireGuard version for their clients, so in the end it would come
down to speed/price/privacy, which hopefully Cloudflare can compete on.

~~~
CloudNetworking
> Other VPN providers do offer an option of choosing TCP/UDP as per usage i.e.
> better reliability vs faster speed.

I don't think TCP-based VPNs are offered for increased reliability. They might
be offered so you can run your VPN traffic in restricted scenarios, e.g. I run
a VPN-ish service that uses TCP/443 by default and all connections are only
outbound, so you can still use your VPN in restrictive scenarios.

Outside that, encapsulating TCP inside TCP is nothing short of a headache as
you have two congestion control algorithms kicking in and one doesn't know
about the other.

------
PopeDotNinja
I wonder how well this works when using wifi and accessing a
corporate intranet. I discovered [https://myhrportal](https://myhrportal)
didn't work when I pinned my DNS to 8.8.8.8.

~~~
TheCraiggers
What made you think your corporate HR portal's DNS entry would be global?
You're going to at least need a TLD there, buddy.

~~~
PopeDotNinja
I didn't think it would work. From my own experiences...

One day when away from the office, I pinned my wifi DNS settings to 8.8.8.8
just to try it out & compare it to the DNS I normally use at home, but then I
forgot to undo it. When I got back to the office, the office Intranet was
unsurprisingly inaccessible, and I removed the pinned DNS settings. I knew how
to solve the problem, but less savvy folks trying out the Cloudflare product
might not, which could create some confusion for IT helpdesks.

Cloudflare is concerned with the user experience of people who don't know what
a VPN is, and that's why I mentioned it. Normally I would have just tried it &
reported the edge case if it exists, but the app isn't usable yet, so I posed
the question instead. Judging by the downvotes, I should have mentioned that
in my comment above :)

