Here are some ideas that I had in mind for a Mobile VPN:
1. Ability to run a dns-blacklist, tag-based blacklist, and an ip-firewall at Cloudflare's end (not on the end devices). Maybe you could add that as an option to your WARP+ product?
2. Auto change exit IPs underneath the covers.
3. Take over the dialer and route calls over IP whenever possible.
4. Provide ability to analyze traffic on a PC.
5. Track and warn mode per app, where the traffic is analysed for a particular app to generate a report on what it's doing and how much.
Basically, bring enterprise-grade security to the end consumer.
Wow. Sure, thanks.
Not sure if you can answer this question, but are the performance benefits still there in conjunction with utilizing the VPN google uses to encrypt traffic with google fi? This announcement mentions they have 2x the latency in comparison to WARP, but did not mention specifically which google VPN technology (not sure if they have multiple) but I assume something mobile related since this is a mobile application.
If I use the WARP app in conjunction with Google Fi, am I layering this VPN on top of the 2x latency of Google Fi, thus slowing down WARP VPN to then gain the other performance benefits of optimized network switching of Google Fi?
Neither project is open source (that I know of) so it is hard to understand how the implementations overlap or not with one another. I also am not an expert in VPNs so maybe this is not a good question, but I find myself reading Cloudflare's blogs a lot and couldn't help but ask.
The CloudFlare VPN is interesting to me because they’re a large, established company with a good reputation, so I trust them more than TunnelBear or ExpressVPN or PIA or whoever’s sponsoring YouTube this week.
If there was a way you could offer a product or service that provided a compelling case for why you won’t (or better yet can’t) snoop on my internet traffic, I’m all ears. Everything else is just gravy on top.
I'm not aware of any subpoenas directed at Cloudflare that were equally as useless.
1. OpenSource vpn server and client, with ability to Cloud-SSH to the server and view what's running.
2. Hands-off, one-click, spin up VPN servers on a VPS of your choice under your control, Streisand/Algo style, but find a way to provide support (think AWS marketplace).
3. Make privacy-centric commitment legally binding as part of EULA/ToS (is this sufficient?).
4. Run client-side only VPN (like intra, blockada, netguard). The idea is you're still able to analyse traffic and add blacklists client-side, without having to pay for or run a VPN server.
For some reason, Outline is still mega-targeted at journalists and activists when it could be so much more — it’s been an absolute joy to use so far, and being powered by Shadowsocks certainly doesn’t hurt.
I hope to get something ready to show you guys here on news.yc in maybe 3 to 6 months from now.
Our intention is to: Put the control of the mobile device back in the hands of the consumer and empower them with simple but powerful tools. Think keybase, Stripe, or pre-2014 WhatsApp in terms of UX.
Mobile VPN is key part of that vision, including building other apps around it.
A lot of things triggered this:
1. The prism/carrier-iq snafu from 7yrs back.
2. The uptick in government censorship prevalent in multiple nations (India, Turkey, Pakistan, Russia, etc).
3. Rise of app-economy and the relentless tracking behaviour that entails, esp from Facebook.
4. pi-hole and its elegant solution to shut out trackers. Though I first saw this solution implemented by Sam Hocevar (one of the VLC devs) in 2002 (?): http://sam.zoy.org/writings/internet/doubleclick.html
5. Not very many firms developing products like DuoSecurity did but for the end-consumer. There's a few I could find, like SecureMix (glasswire developer), Objective-See (LuLu Firewall), Jigsaw (primarily for journalists?), Purism, and KeepSafe.
It could eliminate the client/server by activating the authentication and encryption with exchange of certificates by using a PKI.
It may provide full p2p encryption in the network layer without logging your traffic somewhere or with third parties. Open-sourced would be awesome.
are you insane?
CF's reputation is terrible. They are trying to MiTM the entire internet, and frustrate attempts to access some of the most important information online (including but not limited to evidence of the holocaust, sexual health information and climate change). They are practically a threat to humanity itself at this point - you shouldn't trust them worth anything.
THAT'S HOW IT SHOULD BE!
That's how all of this should be.
Designing a reasonably secure and reliable mobile VPN has been a very difficult challenge to get right. If you look at existing mobile VPNs through a tool such as Charles Proxy or Burp, you will see that none of them really appear to be designed very well. There are many unsolved technical problems with managing and scaling such services, likely avoided by existing providers due to how easy the issues are to mask. That said, Cloudflare’s cautious approach with Warp gives me some confidence that they really are trying to do this right.
> Have you already started on this concept?
Initial stages where we have looked at OSS projects to fork for a quick prototype, with our focus being exclusively on Android, and not just limited to VPN.
> Designing a reasonably secure and reliable mobile VPN has been a very difficult challenge to get right.
Thanks for the heads-up. From a usability point of view, I've seen my share of VPNs mess up and sinkhole all traffic. On one occasion, an app simply refused to get past its loading screen unless I turned off the VPN.
> It would be great to chat further, if you have interest in working on this concept.
Sure, thanks. I'd be sure to email you, Will.
This would be such a great feature. I hope someone makes such a VPN.
So basically Cloudflare created an app with Cloudflare branding and set up a WireGuard server for everyone. Not bad, but just check out the original:
While I am not a big fan of VPNs in general, I have to admit that WireGuard performs exceptionally well. I tested it a week ago and the added latency is pretty much just the network latency and the bandwidth loss is minimal (so small I couldn't even measure it reliably). What I found most interesting was that there were some use-cases when the network with WireGuard performed even better than without it (probably related to congestion control).
Not just one -- servers in 175 (and growing) locations spread around the world, and the app will always use the closest one to you. That's arguably a lot more important than what protocol it uses, and is not something you could easily DIY.
I was lucky to find a small paid VPN provider that doesn't do marketing, pay for referrals and stuff, and I'm sticking to it.
In this case, I agree that a single VPS is usually enough for most but never underestimate the market power of making things simpler and faster.
I'd say that even the known unknown that ips and networks change routinely should make it a headache to maintain.
Once you get your script to work, you’d have to wait minutes for the VPN to spin up in a new region.
Check out algo:
I think you could bake your configuration into a custom image, so it would be fast to get a VM started (about 30 secs on GCE, not sure about EC2).
If you use stopped instances, it's even faster.
(I work at GCP so know more about GCE than EC2)
(Not implying anything, just providing a discussion point.)
Even if you change residences, you'll typically be in the same state. Even if you change states, you can just set it up again in, what, super conservatively, under an hour (you've already done it once so fewer missteps).
I'd disagree. Many VPN protocols suck even if the gateway is in-house. I guess there's a reason they introduced that with Wireguard specifically.
It's actually very easy to set up, I don't know why the official docs make it seem super hard.
Might have to set this up again!
Not sure what you mean. Algo has no relationship to WireGuard; it's basically a customized StrongSwan setup under the hood, which utilizes IKEv2 (not WireGuard) as the transport.
Could be mistaken though... not sure.
1 - https://github.com/cloudflare/boringtun
It could be the different routing.
Your ISP's routing might be sub-optimal to certain destinations. After all, it chooses routes based (at least in part) on cost, not performance.
There are commercial products that do this sort of tunneling (among other things) to lower routing latencies.
In short, because they can and they're assholes.
Just search through HN for any discussion of net neutrality.
When coupled with a DNS-based ad blocker, WireGuard can actually make your internet faster than when not using it.
More so on Android than iOS and more so on mobile than fixed, but still feels so much smoother.
You can even only forward the DNS requests and not the rest of the data, so your home upload speed won't become your bottleneck.
Confluence as in the Atlassian software? What do you use it for at home?
The only thing I was never able to get working was the IPv6 support. Oh well...
To make split tunneling work in WireGuard I changed AllowedIPs = 0.0.0.0/0 in the config file into:
AllowedIPs = 184.108.40.206/32 10.192.122.0/24
where 10.192.122.0/24 is the subnet of my tunnel, and 220.127.116.11/32 is the IP address of my home computer.
This works on iOS and macOS for me.
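The split-tunnel change in the comment above, and the DNS-only forwarding mentioned a few comments earlier, both come down to what is listed in AllowedIPs: WireGuard only sends a packet to a peer whose AllowedIPs contains its destination. As an added example (not from this thread or from the WireGuard project), here is a small Python helper that builds an AllowedIPs list two ways: naming only the networks to tunnel, as the comment does, or computing everything except some excluded networks, which is how you keep a LAN reachable since WireGuard has no "except" syntax. The 10.192.122.0/24 tunnel subnet and the 184.108.40.206 host are the values quoted above; the resolver address 10.192.122.1, the endpoint vpn.example.net and the peer key are constructed placeholders.

```python
import ipaddress
from typing import Iterable, List


def _sort_key(net):
    # Order IPv4 before IPv6, then by address, then by prefix length.
    return (net.version, int(net.network_address), net.prefixlen)


def allowed_ips_including(networks: Iterable[str]) -> List[str]:
    """AllowedIPs that sends only the listed networks through the tunnel.

    This is the comment's approach: 0.0.0.0/0 replaced by the tunnel subnet
    plus one host. List only the resolver's /32 and the peer carries DNS and
    nothing else; every other destination leaves the device untunnelled.
    """
    nets = {ipaddress.ip_network(n, strict=False) for n in networks}
    return [str(n) for n in sorted(nets, key=_sort_key)]


def allowed_ips_excluding(excluded: Iterable[str], full: str = "0.0.0.0/0") -> List[str]:
    """AllowedIPs covering `full` minus the excluded networks.

    Routing everything except the LAN means enumerating the CIDR blocks that
    remain after carving the LAN out; for a /24 cut from 0.0.0.0/0 that is
    24 blocks (one per prefix length from /1 to /24).
    """
    remaining = [ipaddress.ip_network(full, strict=False)]
    for ex in excluded:
        ex_net = ipaddress.ip_network(ex, strict=False)
        kept = []
        for net in remaining:
            if net.version != ex_net.version:
                kept.append(net)                           # other family: untouched
            elif ex_net.subnet_of(net):
                kept.extend(net.address_exclude(ex_net))   # carve the hole out
            elif net.subnet_of(ex_net):
                continue                                   # fully excluded: drop
            else:
                kept.append(net)                           # disjoint: keep as is
        remaining = kept
    return [str(n) for n in sorted(remaining, key=_sort_key)]


def is_routed(allowed: Iterable[str], ip: str) -> bool:
    """True if a packet to `ip` would be sent to the peer under this AllowedIPs list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowed)


def render_peer(public_key: str, endpoint: str, allowed: List[str]) -> str:
    """Render a [Peer] section as it would appear in a wg-quick config file."""
    return "\n".join([
        "[Peer]",
        f"PublicKey = {public_key}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {', '.join(allowed)}",
    ])


if __name__ == "__main__":
    # Constructed sample values: tunnel subnet and host from the comment above,
    # resolver address, endpoint and key are placeholders.
    split = allowed_ips_including(["10.192.122.0/24", "184.108.40.206/32"])
    dns_only = allowed_ips_including(["10.192.122.1/32"])
    all_but_lan = allowed_ips_excluding(["192.168.1.0/24"])
    for allowed in (split, dns_only, all_but_lan):
        print(render_peer("<PEER_PUBLIC_KEY>", "vpn.example.net:51820", allowed))
        print()
```

Two things to keep in mind when using the output. First, wg-quick only sets up its fwmark policy-routing trick when AllowedIPs contains a /0 route; with the enumerated "everything but the LAN" list it installs ordinary routes for each block instead, and the LAN keeps using the physical interface. Second, the narrower the list, the more traffic bypasses the tunnel: the DNS-only variant protects name lookups from the local network but nothing else, which is exactly the difference between a DNS-only app profile and a full-tunnel one.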
Then you'd just need to use the iOS app, I hope?
Disclosure: it is my day job.
You can go on the wait-list for WARP+ which sounds like it’ll route everything over the VPN.
However, I realize that the problems with mobile Internet performance and reliability are real. So when HTTP/3 is stable, I'll do what I can to help it spread.
As for HTTP/3... so will we. See: https://blog.cloudflare.com/http-3-from-root-to-tip/, https://blog.cloudflare.com/the-road-to-quic/ and https://blog.cloudflare.com/head-start-with-quic/.
If upstream is doing something you don't like and refusing to work with you, sure.
When upstream actively petitions you to not fork, asks you politely to work together, and you refuse to work with them, that is far, far from a "tried and true open source software process". That creates a fissure in the community and it generally ends up poorly for everyone involved.
My comment is far from inflammatory, it's a statement of fact, and something cloudflare has refused to acknowledge or respond to. Which just further drives the point home that they aren't acting in good faith.
Implementing a standard without regard for the beliefs of other implementors is an action that supports a standard. Refusing to work with others does not implicitly harm a standard.
You assert that refusing to cooperate with another implementor is guaranteed to harm a standard. It is not guaranteed at all.
DJB has not destroyed DNS. BoringSSL has not destroyed TLS. A thousand reimplementations of standards in Rust have not destroyed a thousand standards.
You clearly believe that Cloudflare is acting in bad faith, and are constructing a worldview out of assumptions that you declare instead are facts. While I respect your right to hold those views, I do not respect your declaration of future outcomes as fact.
DJB didn't fork Bind and then refuse to work with them.
>BoringSSL has not destroyed TLS
BoringSSL didn't fork OpenSSL and then refuse to work with them.
About the closest modern comparison would be OpenOffice vs. LibreOffice - which created a complete mess like I mentioned before.
Except even THAT is a bad comparison because LibreOffice only forked when they were FORCED to fork.
We communicated with Jason throughout the process and have a ton of respect for him and the entire WireGuard community. In the short term, we need the flexibility to quickly update BoringTun's code base to support the project we built it for. That's harder when you need to coordinate with people outside Cloudflare and when we need to move as fast as we plan to. However, we really believe in Open Source and want the WireGuard community to thrive. We licensed the code very openly (3-paragraph BSD) and WireGuard may choose to fork it. If they do, we'll support it and plan to contribute any improvements in our own fork back. Over the long term, I think we're very open to merging this back into the upstream project.
thought the invitation to put their engineers as the head of a WireGuard subproject was a cool invitation, but alas.
I mean no offense, but the response comes off as corporate approved PR. "We need to move fast" when you haven't actually even tried engaging with the parent project and have no idea whether or not it would prohibit "moving fast" is disingenuous IMO.
More importantly, without having already tried it, it’s hard to predict how much overhead there will be.
Since CloudFlare had a (self-imposed) deadline, working fast had to take priority over optics. After all, the project can always be folded into the WireGuard organization later.
EDIT: eastdakota filled me in, thanks John.
WireGuard is written as a kernel module in C, with a GPL licence; BoringTun is a user space program written in Rust with an MIT licence.
So it’s not really even a fork.
However, Cloudflare has also adopted and promoted at least one standard that adds complexity for dubious benefit, specifically DNSSEC, which tptacek has repeatedly criticized (e.g. ).
Moreover, Cloudflare is encouraging both providers and consumers to bypass the public Internet as much as possible in favor of Cloudflare's network and proprietary protocol(s). For providers, this is done through Argo and especially Argo Tunnel. And now for consumers, Warp is replacing the standard TCP with a proprietary protocol built on UDP.
Now that Cloudflare has proprietary replacements for the standard Internet on both sides, it can start taking advantage of network effects to make its proprietary network attractive to still more providers and consumers. As Cloudflare's power grows, it becomes harder to escape any future abuses of that power, as well as honest mistakes on Cloudflare's part.
I realize the standard Internet sucks in some ways, and Cloudflare is doing something about that. But I think the right answer is to improve the standards-based Internet, not offer a proprietary replacement. I suppose that's not compatible with running a VC-backed business, though.
I think that applies almost anywhere. One could say "don't trust Google or Facebook with personal data" merely based on the fact that almost all of their money comes from advertising.
And thanks for the interesting exchange!
FWIW, tptacek's argument in that thread seems to be premised on certificate pinning being widely deployed, which it's not, and it seems at this point like it never will be.
It hardly matters at this point, though. DNSSEC is a dead letter. It's over. Stick a fork in it. It'll be around indefinitely for performative nerds to performatively noodle with --- lots of dead IETF protocols are! --- but Cloud Flare is likely to be the largest company ever to use it (and they're the exception that proves the rule, since they sell DNSSEC services).
So one could argue you are both pushing the latest standards and the latest nonsense. ;)
Hence the ;) face, it's meant as a friendly jab, not a critical accusation. jgrahamc is awesome.
But then, sorry for how this sounds, but pessimists tend to think EEE perpetrators wouldn't publicly admit to it either...
If they cannot then it is not the internet. It's more akin to a 'web' only service.
CGNAT means that the same is true of "mobile" connections in general, so it's not like Warp is changing anything for the worse here. Though the Tor network does allow you to host a .onion-linked service over such a connection, but that - while quite handy - seems more like a special case to me.
I like and use 18.104.22.168 though.
I obviously don't know how many Cloudflared sites I visit that don't pop up the nag. And Cloudflare's nag is certainly nicer than Google's more pervasive help-us-build-a-T-800 or Akamai's "just get lost". But that mode seemingly activates on light browsing just because it's coming from a slightly-less-trackable VPS address (non-shared), and that is a problem.
This might have changed but in the past it made using Tor for anything beyond onion sites extremely annoying.
Yes, there's the argument that Tor provides protection for those in oppressive states, but given the pros/cons of blocking Tor altogether I can at least understand the reasoning.
Pretty much most if not all of Cloudflare's services and work suggest the complete opposite to me.
Like other commenters, Cloudflare for me is probably one of the only companies I truly trust. I'm not saying that because I'm a big user of their services; in fact 22.214.171.124 is the only service I actively use.
Mind you, I'm still skeptical. I probably won't use Warp on my phone, or Cloudflare on my personal site. But I should have been more careful about how I expressed that skepticism in public. None of us want a world where we all assume the worst in each other without strong evidence. So again, I'm sorry.
Having worked in an ISP, only one thing mattered to customers, and only one thing: YouTube.
Yes. Agreed. But if not Cloudflare as a pushback alternative to those trying to own the internet, then who?
It seems to me the "standard internet" is getting smaller and smaller. What other options do we have?
If anything, I've kinda been hoping Cloudflare would realize self-hosting and decentralization is what they should be supporting and pushing, as it's when using their CDN makes the most sense. And obviously, Amazon and Google and Microsoft all have their own CDN capabilities, so the less people using their cloud services, the better for Cloudflare.
I've been using Tor as a privacy-friendly VPN, so Cloudflare getting into this business will make it feel a bit different, every time I see an error Web page that says Cloudflare is blocking a Tor exit node from viewing a page that Cloudflare hosts.
Perhaps Cloudflare could figure out how to block competitor Tor less (even if there's abuse coming in through Tor)? That might be difficult, but an excellent show of good faith.
Routing VPNs through Tor is a great way to avoid site discrimination against Tor users. But there are two key problems. One is that you degrade Tor anonymity, because Tor can't switch circuits (normally at ~10-minute intervals). And also because you typically must pay for VPN services.
The other problem is that Tor only routes TCP traffic. So when you use TCP-based VPNs routed through Tor, and are using HTTPS or some other TCP flavor, you get the TCP-in-TCP horrors. There's too much error correction.
So yes, Cloudflare would need to allow Warp via Tor. Or maybe even better, Warp via Tor via Warp. And also it would need to protect Tor anonymity.
Cool idea, though :)
Warp would see all your incoming packets and all your outgoing packets, so why bother with Tor?
But still, if it were done right, that's not necessarily true. I mean, I can have two accounts with some VPN service. I connect to server1.vpn.com using one account. Then I connect to the Tor network via that VPN tunnel. And then I connect to server2.vpn.com via Tor, using the other account. Even better, I connect to server2.onion, using the other account.
Even then, Cloudflare could easily do traffic correlation. But as it is now, the NSA can easily do traffic correlation. So hey.
they are: https://blog.cloudflare.com/cloudflare-onion-service/
then set up a computer at various data centers/locations around the world that you can route your traffic through (it's a VPN now)
and then either
1) run a Virtual Machine in that which connects through VPN
2) run a remote machine which connects to the outside through VPN
Amusingly, this is actually not true. TCP was originally developed to run on an inter-network over two networks: the ARPANET which has the reliability characteristics of a "traditional" network, and an extremely mobile network with lots of packet loss: ship-to-ship packet radio.
TCP today seems very poorly suited for the mobile environment, but it was in fact originally designed for mobile.
Which is to say, it still feels largely experimental.
I just mentioned it as it's a cool project and in time will help address some of the limitations you mention.
This is one part of a tug-of-war that's going on in recent years between Internet network operators and cloud providers, with the cloud providers slowly but surely winning.
For better or worse, we are moving away from a distributed Internet composed of many autonomous networks into a future in which the only job of the ISPs is to connect homes and offices to the local POPs (Points Of Presence) of the large cloud providers.
Why do you need connectivity to other networks when you can get Google (w/ Youtube & GCE) and Facebook from a local POP? Add to that all the sites and services that reside on Amazon, Azure, Cloud Flare, Akamai, and maybe a few more large clouds/CDNs, and you don't need a public Internet anymore. Imagine the security and performance benefits of that!
These are companies that respond to market pressures. Routing around the network operators (both figuratively and literally) makes a lot of sense for large cloud providers. Especially so if there are no network neutrality rules in place to enforce free access to consumers (as opposed to consumer ISPs demanding payment for pushing content to their subscribers).
Also, the content from Google, Facebook and a couple other cloud providers is what consumers actually want. I've seen internal numbers from a European mobile provider that show that >80% of consumer traffic is to/from either Facebook or Youtube. So are the consumers villains?
What content from Google and Facebook? If you are referring to YouTube and Instagram - that's one part of the total internet content consumed. Hard to totally ignore the news sites, blogs and streaming services.
The centralization of the internet and death of the “end to end” ethos is very real unfortunately.
If you measured that by doing a count() and group by on the domains of a traffic log, it would be easy to draw a conclusion that doesn't meaningfully reflect real user activity.
They aren't a villain, they're an illustration of market forces currently favoring centralization. Like CenturyLink and Comcast, for that matter.
Your statement is the exact opposite of reality.
Centralization is far easier to manage. A single entity has the ability to control all routes and all the pieces of the network. The structure can become faster, mesh-networks are notoriously slow. By using a VPN + Argo cloudflare has control over how your data is routed, and can make sure it skips slow network segments, is peered well, etc.
Decentralization doesn't require trust if implemented correctly. This is its biggest selling point IMO. If implemented correctly (which is hard to do) it can have better uptime, as we aren't relying on any single entity. But, with mesh networks as an example, a specific route could be slower than the others, and there's often not much you can do about it. Decentralization if not implemented correctly is a nightmare on so many levels. There's nobody to appeal to if an issue occurs. If trust isn't implemented correctly (current state of ISPs) then we have multiple parties who can spy on/modify your communications.
While not in itself neutral, it seems like it should help to preserve the competition that network neutrality is supposed to enable, since it's easy for small organizations to hook up with Cloudflare and they do encryption where they can.
I'm reminded of Galbraith's theory of countervailing power, which seems like a more realistic approach than always thinking in terms of centralization versus decentralization:
Also, consider how companies try to commoditize their complements, which having competition at different layers tends to do:
I have been supporting FSF, ACLU, etc. for years, but the practical considerations that prompted me to be a bit more trusting are Cloud Search in GSuite, Cloudflare offering HTTPS to help get the web more secure, and a deep appreciation for having Firefox available (containers are so easy to use and make me feel more secure in my use of the web).
I'm in a position where I do appreciate Google's software, Chrome/V8 and resulting node and electron as downstream projects. However, my trust of Google is waning in light of their incredibly divisive culture all around and a lot of their practices, cover ups and just poor form in the sun-setting of "don't be evil."
I don't trust Cloudflare to not make mistakes (like Cloudbleed). I don't trust myself to not make mistakes. I don't think there is anyone I trust not to make mistakes. It's just not a reasonable criterion.
Personally I find the performance of PIA fine. I just ran a test through fast.com and got 42 mbps on 4g through PIA mobile VPN in NYC. (Weirdly, when I turn off the VPN and test I'm only getting around 2 Mbps.) Latency is a bit higher than direct, but not enough for me to agree with their blanket statement that all VPNs suck.
I look forward to testing with Warp once it's released, but I don't see how it could be much better than the status quo. PIA has lots of servers all over the place, cloudflare might have a bigger network but the delta should be negligible.
I am a bit surprised that fast would get throttled though.
Fast.com runs its tests against the actual servers that stream Netflix to you. It uses the same selection algorithms as actual Netflix. The whole point of it was so that you use Fast.com and then call your ISP and say you did a speed test and aren't getting anything close to the speed that they advertised.
On the back end they can't tell the difference between a Fast.com speed test and actually playing Netflix, and that was the point. So if they are going to throttle one they have to throttle both.
Then again, I don't always notice even on a larger screen from a better 720p stream and a poorer (relatively) 1080p stream. I often notice the difference from 1080p to 4K though, which is a slightly bigger bump on a much larger screen.
But this only sends DNS over the VPN so it won’t use much power at all. 99% of your traffic does not route via the VPN with this app.
> Any unencrypted connections are encrypted automatically and by default.
> Unfortunately, a lot of the Internet is still unencrypted. For that, Warp automatically adds encryption from your device to the edge of Cloudflare’s network
It reads to me like all your traffic goes through your service, not just DNS.
The blog led me to their "126.96.36.199 app", which I installed and found created a VPN on my iOS device that only tunneled DNS traffic.
This "warp" thing, which is not released you can only go on a waiting list for, will apparently tunnel all traffic.
My apologies for the error.
Every free product comes with a catch. When this catch is not clearly explained by the company, I always feel it's because the reason is too "shady" to acknowledge publicly (like Gmail and Facebook gathering data for advertisers). I'm probably naive to believe the reason here is vastly different, but the tone and style of this article puts Cloudflare closer to Apple than to Google privacy-wise in my eyes.
While it's true that if Cloudflare was evil, they could fairly likely identify you from metadata, that's a lot more complex and a lot more error-prone than having you sign in.
I am curious though if this will extend to their premium Warp+ offering, as presumably they need to identify a paying customer. Perhaps if they're entirely built off of IAP on whatever platforms their clients are on, they can avoid this problem entirely?
Nobody does it quite like him, though @jgrahamc is great too, and I try to encourage my team to follow the lead here as much as possible.
> on “April Fools” a handful of elite tech companies decide to waste the time of literally billions of people with juvenile jokes that only they find funny.
Bah Humbug much?
I'd say the backlash is due to unaccountability, privacy erosion, and income inequality.
April Fools gimmicks are barely a blip on the radar compared to the above. At best they provide a target to focus the above ire on, but that's confusing the issue.
Yup... a rare beast these days. My niece is a gifted writer - one of less than a half dozen that I personally know.
She graduated recently and had her pick of several positions due to her portfolio of work.
Just curious, do you hire copywriters?
Aside from previous job experience, what sort of things are in a portfolio like this?
> a handful of elite tech companies decide to waste the time of literally billions of people with juvenile jokes that only they find funny.
I sort of agree, but it's not nice, and not necessary. It also isn't particularly classy to then go on to say "and we're so much better, because we do useful things".
(I do happen to find Cloudflare, as a company, so much better, and awesome things like 188.8.131.52 and warp make me really want to push my employer to use Cloudflare for all the things).
It's the fast path to replacing the decentralized internet with a few proprietary CDNs. I'm much more excited about those projects that actually try to fix the raised issues:
Unencrypted connections -> TLS / Letsencrypt
TCP sucks on mobile/roaming devices -> QUIC & HTTP/3
I'm not saying Cloudflare isn't doing good things for the Internet but it's a bit disingenuous to equate the 2 efforts.
Cloudflare could have done LetsEncrypt, but as a CDN that would make no business sense - which is why we need LetsEncrypt, so they can continue to do the things that don't make good business sense for Cloudflare.
I believe CF is working on LetsEncrypt certificates, at least based on letsencrypt.org being included in the 'automatic' CAA records.
Which, incidentally, allows you freer access to the open Internet.
Making it a plugin that you could plug another app into might be cool, though?
A good add on though might be a way for people to run their own service on a Cloudflare worker that gets hit with each request to 1^4, which would allow them to run their own ad blocker.
Alternatively, I have a Xperia XA1 running a June 5, 2017 security patch. It's been my intent for a long time now to figure out how to get root without unlocking the boot loader the sony approved way (which makes the camera less functional). Anyone have any pointers on easy to exploit privilege escalations that should exist on my phone?
Otherwise, you are out of luck. You cannot run the 184.108.40.206 app and run another VPN app like blockada, netguard, no-root-firewall side by side on Android (at least not supported till the latest release, Android 10).
Could also approach from usb/wifi/bluetooth/etc instead of local userspace.
The problem specifically is that unlocking the bootloader the official way deletes drm keys stored in a "TA" partition, and that makes the camera less functional. It would be sufficient to find a vulnerability that let me back up the DRM keys - but that seems unlikely without gaining root access and I'd have more confidence that I backed up the right thing with root access.
Unfortunately, AFAIK all community-run mods for Android require the bootloader to be unlocked.
In all honesty it's pretty rare that I use anything not browser based that might have ads, but on principle I'd like to keep it around.