There goes my co-founder's and my plan of disrupting the mobile VPN market. Or maybe we still have a chance?
Anywho, congratulations Cloudflare! I long held an opinion that the VPN market was ripe for disruption when I looked at the privacy policies of some of the top players. Having analysed the market, I find that it's defragmented with no clear runaway winner. I hope you're able to make headway with all the interesting innovations that you plan to offer on top of it.
Here are some ideas that I had in mind for a Mobile VPN:
1. Ability to run a DNS blacklist, tag-based blacklist, and an IP firewall at Cloudflare's end (not on the end devices). Maybe you could add that as an option to your Warp+ product?
2. Auto change exit IPs underneath the covers.
3. Take over the dialer and route calls over IP whenever possible.
4. Provide ability to analyze traffic on a PC.
5. Track-and-warn mode per app, where the traffic is analysed for a particular app to generate a report on what it's doing and how much.
Basically, bring enterprise-grade security to the end consumer.
First, thank you for the first implementation when the app was just 1.1.1.1; I've been using it for a while.
Not sure if you can answer this question, but are the performance benefits still there in conjunction with the VPN Google uses to encrypt traffic with Google Fi? This announcement mentions they have 2x the latency in comparison to WARP, but did not mention specifically which Google VPN technology (not sure if they have multiple); I assume something mobile-related since this is a mobile application.
If I use the WARP app in conjunction with Google Fi, am I layering this VPN on top of the 2x latency of Google Fi, thus slowing down the WARP VPN to then gain the other performance benefits of Google Fi's optimized network switching?
Neither project is open source (that I know of), so it is hard to understand how the implementations overlap or not with one another. I also am not an expert in VPNs, so maybe this is not a good question, but I find myself reading Cloudflare's blogs a lot and couldn't help but ask.
I’m not sure, and I think you’re kind of off-topic for this particular sub-thread, but we’ll have a ton of performance data across a matrix of device, software, and network operators. And, when we do, we’ll definitely publish it.
My biggest concern with any VPN is: do I trust you? I’ve been reluctant to sign up with any of these VPN services that seem to be advertising everywhere nowadays because I don’t know what they’ll do with my internet traffic.
The CloudFlare VPN is interesting to me because they’re a large, established company with a good reputation, so I trust them more than TunnelBear or ExpressVPN or PIA or whoever’s sponsoring YouTube this week.
If there was a way you could offer a product or service that provided a compelling case for why you won’t (or better yet can’t) snoop on my internet traffic, I’m all ears. Everything else is just gravy on top.
We thought about the trust aspect of it (we have gone through numerous VPN-related threads here on news.yc and r/privacy, and this has been one of the top concerns). Here's how we plan to convince folks (in our own naive way) we mean business (do several or all among):
1. Open-source VPN server and client, with the ability to Cloud-SSH to the server and view what's running.
2. Hands-off, one-click spin-up of VPN servers on a VPS of your choice under your control, Streisand/Algo style [0][1], but find a way to provide support (think AWS Marketplace).
3. Make the privacy-centric commitment legally binding as part of the EULA/ToS (is this sufficient?).
4. Run a client-side-only VPN (like Intra, Blokada, NetGuard). The idea is you're still able to analyse traffic and add blacklists client-side, without having to pay for or run a VPN server.
Sounds a bit like what Google / Alphabet / Jigsaw are already doing with Outline, but I still think there’s major opportunity there for a transparent and decentralized one-click service. Especially when you add in #4.
For some reason, Outline is still mega-targeted at journalists and activists when it could be so much more — it’s been an absolute joy to use so far, and being powered by Shadowsocks certainly doesn’t hurt.
Thanks. Yes, you're right. Not just Jigsaw (who are excellent, and I've been recommending their DNS app, intra, on news.yc for as long as I can remember), there are multiple other companies in this space (SecureMix, TheGuardianApp, KeepSafe, CopperheadOS, Proton mail/VPN, AdGuard), but not everyone is quite doing what I have in mind related to fighting trackers and censorship with a focus on 'one click and you're done' kind of simplicity (?)
I hope to get something ready to show you guys here on news.yc in maybe 3 to 6 months from now.
True. That's the part where we might need to think hard: A business plan. We haven't thought that far yet, tbh.
Our intention is to: Put the control of the mobile device back in the hands of the consumer and empower them with simple but powerful tools. Think keybase, Stripe, or pre-2014 WhatsApp in terms of UX.
Mobile VPN is key part of that vision, including building other apps around it.
A lot of things triggered this:
1. The PRISM/Carrier IQ snafu from 7 years back.
2. The uptick in government censorship prevalent in multiple nations (India, Turkey, Pakistan, Russia, etc).
3. The rise of the app economy and the relentless tracking behaviour that entails, esp. from Facebook.
4. Not very many firms developing products like Duo Security did, but for the end consumer. There's a few I could find, like SecureMix (GlassWire developer), Objective-See (LuLu firewall), Jigsaw (primarily for journalists?), Purism, and KeepSafe.
Another way would be using some trusted computing technology [1] to do that. This would be a good use case for some kind of remote attestation. (Shameless plug: I did my Ph.D. thesis on this, so if you want to discuss this point, cloudflareatvernizzisdotit ;-) )
CF's reputation is terrible[1]. They are trying to MITM the entire internet, and frustrate attempts to access some of the most important information online (including but not limited to evidence of the holocaust, sexual health information and climate change). They are practically a threat to humanity itself at this point - you shouldn't trust them worth anything.
The cynicism is fair and I can see where it comes from, but Cloudflare's CTO, jgrahamc, has replied elsewhere in this thread [0] on why Tor is a difficult scenario for Cloudflare to handle. They did promise to make life easier for Tor users, but the abuse over Tor is apparently relentless, according to them.
Yep, agree. Though, I thought it was an important factor for us when we are bootstrapping to consider if we are heading straight into a monopoly that we can't defeat.
Have you already started on this concept? Myself and our team are working on some of the ideas you listed for an upcoming app (https://itunes.apple.com/us/app/guardian-firewall/id13637963...). It would be great to chat further, if you have interest in working on this concept (e-mail is will.strafach@guardianapp.com).
Designing a reasonably secure and reliable mobile VPN has been a very difficult challenge to get right. If you look at existing mobile VPNs through a tool such as Charles Proxy or Burp, you will see that none of them really appear to be designed very well. There are many unsolved technical problems with managing and scaling such services, likely avoided by existing providers due to how easy the issues are to mask. That said, Cloudflare's cautious approach with Warp gives me some confidence that they really are trying to do this right.
Nice. GuardianApp is very close to what I had in mind. Great landing page, btw!
> Have you already started on this concept?
Initial stages where we have looked at OSS projects to fork for a quick prototype, with our focus being exclusively on Android, and not just limited to VPN.
> Designing a reasonably secure and reliable mobile VPN has been a very difficult challenge to get right.
Thanks for the heads-up. From a usability point of view, I've seen my share of VPNs mess up and sinkhole all traffic. On one occasion, an app simply refused to get past its loading screen unless I turned off the VPN.
> It would be great to chat further, if you have interest in working on this concept.
I don't think what we're offering instantly takes over the entire VPN market. VPNs mean different things to different people and I'd imagine you can find a valuable market that provides things that we don't.
I find amusing that ‘defragmented with no clear winner’ is what I want in most cases as a customer and what most startups see as an ‘opportunity for disruption’ (read “opportunity to dominate the market”).
While I am not a big fan of VPNs in general, I have to admit that Wireguard performs exceptionally well. I tested it a week ago and the added latency is pretty much just the network latency, and the bandwidth loss is minimal (so small I couldn't even measure it reliably). What I found most interesting was that there were some use cases where the network with Wireguard performed even better than without it (probably related to congestion control).
> So basically Cloudflare created an app with Cloudflare branding and set up a Wireguard server for everyone.
Not just one -- servers in 175 (and growing) locations spread around the world, and the app will always use the closest one to you. That's arguably a lot more important than what protocol it uses, and is not something you could easily DIY.
Color me curious. Where is that? And by what definition of near? There isn't even an AWS AZ near you? A t2.micro is literally free and is bigger than the one I'm running mine on (which I'm paying for, so maybe I should swap... though, I don't think AWS has AZs closer than my current $1/mo host).
Maybe it works better. But I used mine hosted in the US while I was traveling abroad in the UAE. Worked fine. I often saw better service with it turned on.
It wouldn't be that difficult to write a script that checks GeoIP and launches a VPS in the region closest to your current device's public address. You could even create an iOS Shortcut to allow you to do it from your iPhone.
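The region-selection step of the script described in this comment, as an added example that is not the commenter's code: given the coordinates a GeoIP lookup returns for the device's public address and a table of provider regions, it ranks the regions by great-circle distance. The region names and coordinates are constructed for this example and are not any real provider's list; launching the VPS itself is left to the provider's own CLI, since that part is provider-specific. One caveat worth handling: GeoIP lookups for mobile addresses behind CGNAT are often coarse or missing, so the lookup wrapper returns None instead of guessing.

```python
import math

# Constructed table of hypothetical provider regions -> (latitude, longitude).
# These names and coordinates are assumptions for the example, not a real provider's regions.
REGIONS = {
    "us-east": (39.0, -77.5),
    "us-west": (45.6, -122.7),
    "eu-central": (50.1, 8.7),
    "ap-southeast": (1.3, 103.8),
    "me-south": (25.2, 55.3),
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def rank_regions(client_lat, client_lon, regions=REGIONS):
    """Return [(region, distance_km), ...] sorted nearest first.

    Returning the whole ranking lets a caller measure RTT to the top few
    candidates, since geographic distance is only a proxy for network latency.
    """
    ranked = [(name, haversine_km(client_lat, client_lon, lat, lon))
              for name, (lat, lon) in regions.items()]
    return sorted(ranked, key=lambda item: item[1])


def nearest_region(client_lat, client_lon, regions=REGIONS):
    """Name of the single nearest region."""
    return rank_regions(client_lat, client_lon, regions)[0][0]


def pick_region_for_lookup(lookup, regions=REGIONS):
    """Choose a region from a GeoIP lookup result.

    `lookup` is a dict in the shape many GeoIP services return, e.g.
    {"ip": "...", "latitude": ..., "longitude": ...}. If the coordinates are
    absent (common for mobile/CGNAT addresses) return None rather than
    silently launching in an arbitrary region.
    """
    lat, lon = lookup.get("latitude"), lookup.get("longitude")
    if lat is None or lon is None:
        return None
    return nearest_region(float(lat), float(lon), regions)


if __name__ == "__main__":
    # Constructed lookup result for a device in the UAE (coordinates are approximate).
    sample_lookup = {"ip": "203.0.113.7", "latitude": 24.5, "longitude": 54.4}
    print("nearest region:", pick_region_for_lookup(sample_lookup))
    for name, km in rank_regions(24.5, 54.4):
        print(f"{name:14s} {km:8.0f} km")
```

The ranking, not just the winner, is what a real script should feed into a launch decision: pick the two or three nearest regions, measure a few round trips to each, and only then spin up the instance.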
I mean, I guess. But not often. If you are flying around the world, then sure, this is probably better. But if you're like the vast majority of people, then you will be in the same city most of the year.
Even if you change residences, you'll typically be in the same state. Even if you change states, you can just set it up again in, what, super conservatively, under an hour (you've already done it once so fewer missteps).
I consider myself fairly competent, and I couldn't understand the WireGuard documentation enough to set up my own install without resorting to Algo [0]. There's real value in wrapping a system like WireGuard into a product, because it democratizes technology rather than making it available only to those knowledgeable enough to understand how to set it up. I think Warp is great in that regard.
Mostly convenience, since it's a "getting started" guide. I'd prefer a better way than the config file to specify devices, but unfortunately there isn't one right now. Maybe I should write a WireGuard config manager tool.
You have to store them somewhere with appropriate access rights anyway. Since the config is mainly a private key and an IP address, it makes sense to not complicate the setup with another file to manage.
> I couldn’t understand the wireguard documentation enough to setup my own install without resorting to algo
Not sure what you mean. Algo has no relationship to WireGuard; it's basically a customized StrongSwan setup under the hood, which utilizes IKEv2 (not WireGuard) as the transport.
Algo does not have a relationship to Wireguard, but Trail of Bits does. We made a substantial donation to them prior to including Wireguard support in Algo. You can find us on their donation page here: https://www.wireguard.com/donations/
I am still trying to figure out how to set up a Wireguard server on Kubernetes/GKE for personal use. The Outline and OpenVPN clients have some problems; that's why I want to try Wireguard.
Is that even possible? I thought Wireguard was essentially a kernel module... Which is basically the only thing you can't dockerize, as the kernel is shared between all containers?
> What I found most interesting, was that there were some use-cases when the network with Wireguard performed even better than without it (probably related to congestion control).
It could be the different routing.
Your ISP's routing might be sub-optimal to certain destinations. After all, it chooses routes based (at least in part) on cost, not performance.
There are commercial products that do this sort of tunneling (among other things) to lower routing latencies.
Possible but I am not exactly sure what caused the difference. I used fast.com for testing and when I increased the number of parallel connections the performance degradation was lower when using Wireguard. I assumed that it is related to congestion control as Wireguard uses UDP AFAIK and otherwise I would use TCP on the bottleneck part of the connection.
The ISP might be doing it knowing you're connecting to Netflix.
But if you do a VPN, they don't know those specific packets are going to Netflix, so they can't shape the packets.
They certainly can shape any traffic you cause to transit their network. What you mean is they can't selectively shape that traffic. But then why would they want to do that?
If they can degrade your traffic from 1080p to 720p without a customer complaining, then they don't need to expand their network to support more users which increases their profit margins.
This is precisely my setup, and I couldn't be happier. I have a lot of internal infrastructure including pi-hole, confluence and a number of self-hosted services. WireGuard lets me go anywhere on my laptop and its like I never left home, and I just keep two configurations for when I want to forward only internal IP addresses, or all my traffic.
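Two points in this thread concern the WireGuard config file: the earlier remark that it is mainly a private key plus an IP address and must be stored with appropriate access rights, and this comment's two configurations, one forwarding only internal addresses and one forwarding all traffic. The following added example (not the commenters' code and not part of WireGuard itself) parses a `.conf`, checks that keys are 32-byte base64 values and that addresses and `AllowedIPs` are valid, classifies a peer as split-tunnel or full-tunnel from its `AllowedIPs`, and checks that the file is not group- or world-readable. The key material in the sample configs is a constructed placeholder (32 bytes of 0x01), not a real key.

```python
import base64
import ipaddress
import os
import stat
import tempfile

# Constructed placeholder key: 32 bytes of 0x01, base64-encoded. Not a real WireGuard key.
PLACEHOLDER_KEY = base64.b64encode(b"\x01" * 32).decode()


def make_conf(allowed_ips, private_key=PLACEHOLDER_KEY, public_key=PLACEHOLDER_KEY):
    """Build a constructed client config; only AllowedIPs differs between the two setups."""
    return (
        "[Interface]\n"
        f"PrivateKey = {private_key}\n"
        "Address = 10.8.0.2/24\n"
        "DNS = 10.8.0.1  # pi-hole on the home network (constructed value)\n"
        "\n"
        "[Peer]\n"
        f"PublicKey = {public_key}\n"
        f"AllowedIPs = {allowed_ips}\n"
        "Endpoint = vpn.example.invalid:51820\n"
        "PersistentKeepalive = 25\n"
    )


SPLIT_CONF = make_conf("10.8.0.0/24, 192.168.1.0/24")   # internal ranges only
FULL_CONF = make_conf("0.0.0.0/0, ::/0")                  # everything through the tunnel
BAD_CONF = "[Interface]\nPrivateKey = not-a-key\nAddress = 10.8.0.2/24\n[Peer]\nPublicKey = " + PLACEHOLDER_KEY + "\n"


def parse_wg_config(text):
    """Parse WireGuard INI into {'Interface': {...}, 'Peer': [{...}, ...]}.
    Hand-rolled because [Peer] may repeat, which configparser does not allow."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment; base64 never contains it
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            if name == "Interface":
                current = interface
            elif name == "Peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {name}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))  # keys end in '='; split once
        current[key] = value
    return {"Interface": interface, "Peer": peers}


def is_wg_key(value):
    """WireGuard keys are Curve25519 keys: exactly 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:          # binascii.Error is a ValueError subclass
        return False


def tunnel_mode(peer):
    """'full' if any AllowedIPs entry is a default route, 'split' otherwise, 'none' if absent."""
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in peer.get("AllowedIPs", "").split(",") if s.strip()]
    if not nets:
        return "none"
    return "full" if any(n.prefixlen == 0 for n in nets) else "split"


def lint_config(text):
    """Return a list of human-readable problems; an empty list means the config passed."""
    cfg, problems = parse_wg_config(text), []
    iface = cfg["Interface"]
    if not is_wg_key(iface.get("PrivateKey", "")):
        problems.append("Interface.PrivateKey is not a 32-byte base64 key")
    try:
        for addr in iface.get("Address", "").split(","):
            ipaddress.ip_interface(addr.strip())
    except ValueError:
        problems.append("Interface.Address is missing or not a valid address/prefix")
    if not cfg["Peer"]:
        problems.append("no [Peer] section")
    for i, peer in enumerate(cfg["Peer"]):
        if not is_wg_key(peer.get("PublicKey", "")):
            problems.append(f"Peer {i}: PublicKey is not a 32-byte base64 key")
        try:
            if tunnel_mode(peer) == "none":
                problems.append(f"Peer {i}: AllowedIPs missing (peer would route nothing)")
        except ValueError:
            problems.append(f"Peer {i}: AllowedIPs contains an invalid network")
    return problems


def write_private_conf(path, text):
    """Create the file owner-read/write only; chmod after open because umask can only remove bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)


def file_is_private(path):
    """True when no group/other permission bits are set: what a file holding a private key needs."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo_private_file():
    """Write a config with safe permissions, then loosen them; returns (before, after) privacy checks."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wg0.conf")
        write_private_conf(path, SPLIT_CONF)
        before = file_is_private(path)
        os.chmod(path, 0o644)
        return before, file_is_private(path)


if __name__ == "__main__":
    for label, conf in (("split", SPLIT_CONF), ("full", FULL_CONF), ("bad", BAD_CONF)):
        peers = parse_wg_config(conf)["Peer"]
        print(label, tunnel_mode(peers[0]), lint_config(conf) or "ok")
    print("private-file check (0600, then 0644):", demo_private_file())
```

Keeping the two setups as two files that differ only in `AllowedIPs` is exactly what the comment describes; the lint makes the intended mode explicit before the file is loaded, and the permission check catches the common mistake of a world-readable file whose `PrivateKey` line is the whole secret.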
Yep. A 3€ Hetzner server with Wireguard and pi-hole. Running several private services on my server that are just available in my private network. Like an extension to my phone that's always on and working perfectly.
The only thing I was never able to get working was the IPv6 support. Oh well...
It seems to me that in practice, Cloudflare's mission is not actually to build a better Internet, but to offer an alternative, proprietary network (one could call it the CloudflareNet), and convince content providers and consumers to use that network. Because I don't want any single company to have too much power, I'll stick with the standard Internet, which is not owned by any single company.
However, I realize that the problems with mobile Internet performance and reliability are real. So when HTTP/3 is stable, I'll do what I can to help it spread.
I disagree with this statement. We haven't pushed incompatible standards or any other nonsense. We've literally pushed out the latest standards and enabled more encryption (see Universal SSL making SSL free years before Let's Encrypt; see enabling IPv6; enabling HTTP/2; etc. etc.).
You've built a product (warp) based on Wireguard and refused to work with the upstream project - so saying that you're pushing standards is far more nuanced than you make it seem - at best.
Forking an upstream project to implement decisions without upstream’s consent is a tried and true open source software process, implemented by thousands of projects over the years. Claiming that they don’t support standards, solely because they don’t support another implementation of those standards, is incorrect and inflammatory.
> Forking an upstream project to implement decisions without upstream’s consent is a tried and true open source software process, implemented by thousands of projects over the years. Claiming that they don’t support standards, solely because they don’t support another implementation of those standards, is incorrect and inflammatory.
If upstream is doing something you don't like and refusing to work with you, sure.
When upstream actively petitions you to not fork, asks you politely to work together, and you refuse to work with them, that is far, far from a "tried and true open source software process". That creates a fissure in the community and it generally ends up poorly for everyone involved.
My comment is far from inflammatory, it's a statement of fact, and something cloudflare has refused to acknowledge or respond to. Which just further drives the point home that they aren't acting in good faith.
While the fissure you describe as a guaranteed outcome is certainly likely in many such scenarios, you're missing the point:
Implementing a standard without regard for the beliefs of other implementors is an action that supports a standard. Refusing to work with others does not implicitly harm a standard.
You assert that refusing to cooperate with another implementor is guaranteed to harm a standard. It is not guaranteed at all.
DJB has not destroyed DNS. BoringSSL has not destroyed TLS. A thousand reimplementations of standards in Rust have not destroyed a thousand standards.
You clearly believe that Cloudflare is acting in bad faith, and are constructing a worldview out of assumptions that you declare instead are facts. While I respect your right to hold those views, I do not respect your declaration of future outcomes as fact.
I was unable to parse this reply in the context of "do forks harm standards?" as we're discussing in this thread. What standard came to harm as a result of LibreOffice forking from OpenOffice?
Can/has anyone from CloudFlare commented? This refusal to work with WireGuard has left a bitter taste in my mouth from a company that I otherwise like.
We communicated with Jason throughout the process and have a ton of respect for him and the entire WireGuard community. In the short term, we need the flexibility to quickly update BoringTun's code base to support the project we built it for. That's harder when you need to coordinate with people outside Cloudflare and when we need to move as fast as we plan to. However, we really believe in Open Source and want the WireGuard community to thrive. We licensed the code very openly (3-paragraph BSD) and WireGuard may choose to fork it. If they do, we'll support it and plan to contribute any improvements in our own fork back. Over the long term, I think we're very open to merging this back into the upstream project.
I mean no offense, but the response comes off as corporate approved PR. "We need to move fast" when you haven't actually even tried engaging with the parent project and have no idea whether or not it would prohibit "moving fast" is disingenuous IMO.
Presumably there’s still overhead involved in being part of the WireGuard organization, no? If there wasn’t, then the only difference between being in it and not is branding.
More importantly, without having already tried it, it’s hard to predict how much overhead there will be.
Since CloudFlare had a (self-imposed) deadline, working fast had to take priority over optics. After all, the project can always be folded into the WireGuard organization later.
Fair point. I especially appreciate that even Workers is based on a W3C standard, when it could have been a proprietary API.
However, Cloudflare has also adopted and promoted at least one standard that adds complexity for dubious benefit, specifically DNSSEC, which tptacek has repeatedly criticized (e.g. [1]).
Moreover, Cloudflare is encouraging both providers and consumers to bypass the public Internet as much as possible in favor of Cloudflare's network and proprietary protocol(s). For providers, this is done through Argo and especially Argo Tunnel. And now for consumers, Warp is replacing the standard TCP with a proprietary protocol built on UDP.
Now that Cloudflare has proprietary replacements for the standard Internet on both sides, it can start taking advantage of network effects to make its proprietary network attractive to still more providers and consumers. As Cloudflare's power grows, it becomes harder to escape any future abuses of that power, as well as honest mistakes on Cloudflare's part.
I realize the standard Internet sucks in some ways, and Cloudflare is doing something about that. But I think the right answer is to improve the standards-based Internet, not offer a proprietary replacement. I suppose that's not compatible with running a VC-backed business, though.
DNSSEC is a standard. We literally adopted and promoted a standard. That is not about your original comment about us trying to take over the Internet or something. And we work hard on the standards-based Internet pushing HTTP/2, IPv6, QUIC, TLS 1.3, ...
Exactly what is this supposed to mean? It's a "standard"? So what? Lots of bad things have been standardized. You have to justify the work on the merits; you can't simply appeal to IETF standardization as intrinsically good. TLS Heartbeat was a standard, and it was not intrinsically good.
This thread was about Cloudflare becoming some proprietary network with its own protocols and doing evil stuff. I was pointing out that when OP said we'd implemented and promoted DNSSEC (and named you) that we were not implementing something we'd invented but a standard.
I don't think Cloud Flare is implementing a lot of scary proprietary stuff outside the IETF process, but the influence that it has on the IETF process is a legitimate question to ask.
I get where you are coming from but I think there's a significant headwind to us doing something weirdly proprietary. If we were to create some two-tier Internet then our clients (who have web/API servers) would start having part of their audience/consumers get poorer performance or security or something. So we'd be sticking a finger in the eye of the people who pay us.
Nothing wrong with some cynicism. And I totally understand the concern, but one thing people always miss with Cloudflare is... follow the money. We get paid by people with web servers and API servers. We have to do things that keep them happy.
> one thing people always miss with Cloudflare is... follow the money
I think that applies almost anywhere. One could say "don't trust Google or Facebook with personal data" merely based on the fact that almost all of their money comes from advertising.
FWIW, tptacek's argument in that thread seems to be premised on certificate pinning being widely deployed[1], which it's not, and it seems at this point like it never will be[2].
No. I like pinning (which is widespread outside of browser applications) and certainly it's better than DNSSEC, but my argument holds together just fine without it.
It hardly matters at this point, though. DNSSEC is a dead letter. It's over. Stick a fork in it. It'll be around indefinitely for performative nerds to performatively noodle with --- lots of dead IETF protocols are! --- but Cloud Flare is likely to be the largest company ever to use it (and they're the exception that proves the rule, since they sell DNSSEC services).
I too dislike amp, but I don't see this as cloudflare's fault. If anything they're offering a competitor to google who we typically criticize for creating and abusing amp.
I agree. And considering many of Google's competitors, like Microsoft, have had to support AMP as well, I recognize that AMP support is an unfortunate necessity in dealing in a world where it exists.
Hence the ;) face, it's meant as a friendly jab, not a critical accusation. jgrahamc is awesome.
Sure. What makes anyone use cloudflarenet if you're using different standards? You start by owning the market (which you're moving towards, and in a very good position to do), and then start making changes. All speculation, of course, but I agree with the gp that this is a very real possibility.
The problem is, this can still totally remind people of EEE (Embrace, extend, extinguish [1]). And it appears to be not incompatible with it. And even if EEE is not your current strategy [2], the trouble is, it may become so in future, even against your best wishes today. COOs/CEOs change, as well as kings do. Today's Benevolent Dictator may get ousted by some sneaky hostile takeover in future, or even just take an unplanned sabbatical in Tibet for reinvigorating their mojo. And may get replaced with a less enlightened one. That's kinda why e.g. people from countries with a history of communist or other authoritarian/totalitarian rule are sometimes wary of creeping surveillance tech even when their country is fully democratic now. A switch to a new authoritarian regime can sometimes happen surprisingly easily even in an apparent democracy. Many countries in the world seem to have given policy mandate to populist-ish chiefs recently; who knows how this will work out further down the line. That's why people fear centralisation of control and of power over infrastructure.
> If they cannot then it is not the internet. It's more akin to a 'web' only service.
CGNAT means that the same is true of "mobile" connections in general, so it's not like Warp is changing anything for the worse here. Though the Tor network does allow you to host a .onion-linked service over such a connection, but that - while quite handy - seems more like a special case to me.
Those "cloudflare loading" screens that come up when visiting some low-traffic sites. It's probably more common for people using privacy blockers and browser containers to block tracking. I see it at least a few times per day and I get captchas on almost any site that uses them (regardless of being behind cloudflare).
... or individual browsers taking small steps to preserve their privacy.
I obviously don't know how many Cloudflared sites I visit that don't pop up the nag. And Cloudflare's nag is certainly nicer than Google's more pervasive help-us-build-a-T-800 or Akamai's "just get lost". But that mode seemingly activates on light browsing just because it's coming from a slightly-less-trackable VPS address (non-shared), and that is a problem.
I'd just like to mention that this service saved me once. I have a small low-end box and one of the sites I hosted (that belonged to a YouTube personality) was DDoSed for a while; it kept taking the server down. A combination of crafty server configuration and enabling the "Under Attack" mode helped me deal with it.
I don't have the numbers, but from what I've heard the amount of legitimate traffic from Tor is rather small compared to the heaps of bots and abuse.
Yes, there's the argument that Tor provides protection for those in oppressive states, but given the pros/cons of blocking Tor altogether, I can at least understand the reasoning.
I'd be interested to see your evidence for such a statement and better understand what exactly makes you think Cloudflare's mission is to build a proprietary network?
Pretty much most if not all of Cloudflare's services and work suggest the complete opposite to me.
Like other commenters, Cloudflare for me is probably one of the only companies I truly trust. I'm not saying that because I'm a big user of their services; in fact, 1.1.1.1 is the only service I actively use.
To any Cloudflare leadership or staff who are still watching this subthread, I'm sorry I publicly questioned your motives and integrity the way I did. I should have been skeptical without saying that I think your mission is something other than what you say it is. I wouldn't want some random person on the Internet to publicly say, or at least imply, that I'm a liar. So I shouldn't have done that to you. If I could give up the upvotes I got for that comment (and keep the downvotes), I would.
Mind you, I'm still skeptical. I probably won't use Warp on my phone, or Cloudflare on my personal site. But I should have been more careful about how I expressed that skepticism in public. None of us want a world where we all assume the worst in each other without strong evidence. So again, I'm sorry.
This pearl clutching is getting out of control. The existence of Cloudflare is totally orthogonal to your ability to self-host content on the internet. They don't have any power, except over their customers and those customers' customers. If you don't want to use them, then don't. No one is stopping you.
I would almost argue the contrary: Cloudflare makes self-hosting more possible, when you're going up against the large cloud hosting empires like Amazon and Google and Microsoft. You may not be hosting on one of those, but you can slap a little Cloudflare in front of yours to give your own server similar levels of robustness... and you can always turn it back off if they ever become a problem, since you aren't using proprietary APIs and services to power your server.
If anything, I've kinda been hoping Cloudflare would realize self-hosting and decentralization is what they should be supporting and pushing, as it's when using their CDN makes the most sense. And obviously, Amazon and Google and Microsoft all have their own CDN capabilities, so the less people using their cloud services, the better for Cloudflare.
VPNs are "trust me" security, and Cloudflare certainly has a better reputation than many VPN services, so, in that regard, Cloudflare's entry is welcome, but...
I've been using Tor as a privacy-friendly VPN, so Cloudflare getting into this business will make it feel a bit different, every time I see an error Web page that says Cloudflare is blocking a Tor exit node from viewing a page that Cloudflare hosts.
Perhaps Cloudflare could figure out how to block competitor Tor less (even if there's abuse coming in through Tor)? That might be difficult, but an excellent show of good faith.
An interesting trick - if Cloudflare allows it - would be Device -> Tor -> This -> Internet. Tor provides anonymity, this provides protection against exit nodes maliciously modifying traffic (you can find a number of examples of this just by searching).
Routing VPNs through Tor is a great way to avoid site discrimination against Tor users. But there are two key problems. One is that you degrade Tor anonymity, because Tor can't switch circuits (normally at ~10 minute interval). And also because you typically must pay for VPN services.
The other problem is that Tor only routes TCP traffic. So when you use TCP-based VPNs routed through Tor, and are using HTTPS or some other TCP flavor, you get the TCP-in-TCP horrors. There's too much error correction.
So yes, Cloudflare would need to allow Warp via Tor. Or maybe even better, Warp via Tor via Warp. And also it would need to protect Tor anonymity.
But still, if it were done right, that's not necessarily true. I mean, I can have two accounts with some VPN service. I connect to server1.vpn.com using one account. Then I connect to the Tor network via that VPN tunnel. And then I connect to server2.vpn.com via Tor, using the other account. Even better, I connect to server2.onion, using the other account.
Even then, Cloudflare could easily do traffic correlation. But as it is now, the NSA can easily do traffic correlation. So hey.
> Perhaps Cloudflare could figure out how to block competitor Tor less (even if there's abuse coming in through Tor)? That might be difficult, but an excellent show of good faith.
>TCP, the foundational protocol of the Internet, was never designed for a mobile environment.
Amusingly, this is actually not true. TCP was originally developed to run on an inter-network over two networks: the ARPANET which has the reliability characteristics of a "traditional" network, and an extremely mobile network with lots of packet loss: ship-to-ship packet radio.
TCP today seems very poorly suited for the mobile environment, but it was in fact originally designed for mobile.
In fact, I'd argue that it is a good fit even today. What wasn't designed for mobile is the Http protocol. HTTP2 solves most of the problems with mobile without changing out TCP. QUIC provides a few benefits, but by and large not many.
My interpretation of “not designed for mobile” is mobile devices, not mobile network. In particular, TCP is not designed for a scenario where the device keeps leaving old networks and joining new ones, or where a device routinely has 2 network interfaces where one has better performance than the other but which one is better changes frequently.
Ships, as mobile devices, frequently entered and left packet radio range with each other, or might have multiple other ships in range and have to select which ship to send their packets to.
I may be wrong, but isn't Multipath TCP pretty darn new and rarely used? At least on iOS you have to explicitly opt into it, either using the new Network framework for raw networking or a special configuration for URLSession, and it also requires an entitlement to even do (no idea why). AFAIK the only Multipath TCP that my iPhone regularly actually uses is Siri.
Which is to say, it still feels largely experimental.
I'd wager that the Super Secret Plan is geared towards further centralizing the Internet. Preferably on Cloudflare's infrastructure.
This is one part of a tug-of-war that's going on in recent years between Internet network operators and cloud providers, with the cloud providers slowly but surely winning.
For better or worse, we are moving away from a distributed Internet composed of many autonomous networks into a future in which the only job of the ISPs is to connect homes and offices to the local POPs (Points Of Presence) of the large cloud providers.
Why do you need connectivity to other networks when you can get Google (w/ YouTube & GCE) and Facebook from a local POP? Add to that all the sites and services that reside on Amazon, Azure, Cloudflare, Akamai, and maybe a few more large clouds/CDNs, and you don't need a public Internet anymore. Imagine the security and performance benefits of that!
I don’t think this would fly for a number of reasons, but CloudFlare isn’t exactly a world leader or even a household name. They’re a newcomer in this space and for once they’re actually open with their community (us). If CloudFlare is the villain, then are CenturyLink & Comcast the heroes? By my estimation, we’re more likely to see any kind of doomsday scenario like that executed by cable companies and telcos — which already have a natural monopoly in most localities. I don’t see CloudFlare as having anywhere close to that reach.
These are companies that respond to market pressures. Routing around the network operators (both figuratively and literally) makes a lot of sense for large cloud providers. Especially so if there are no network neutrality rules in place to enforce free access to consumers (as opposed to consumer ISPs demanding payment for pushing content to their subscribers).
Also, the content from Google, Facebook and a couple other cloud providers is what consumers actually want. I've seen internal numbers from a European mobile provider that show that >80% of consumer traffic is to/from either Facebook or Youtube. So are the consumers villains?
> Also, the content from Google, Facebook and a couple other cloud providers is what consumers actually want.
What content from Google and Facebook? If you are referring to YouTube and Instagram - that's one part of the total internet content consumed. Hard to totally ignore the news sites, blogs and streaming services.
Is it still 80% if you filter out passive (streaming) and non-human (heartbeats, tracking, analytics) traffic?
If you measured that by doing a count() and group by on the domains of a traffic log, it would be easy to draw a conclusion that doesn't meaningfully reflect real user activity.
There is a big difference between the traffic numbers of YouTube and surfing the net. I may have a documentary open in the background while I read dozens of other websites.
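To make the point of the last few comments concrete, here is an added example (not from the thread, and not real operator data) that runs the naive count()/GROUP BY over a constructed flow log and then recomputes the "share of traffic" by bytes vs. requests, with and without passive (stream) and non-human (beacon) rows. The kind labels are an analyst's assumption, stated per row.

```python
"""Share of traffic attributed to a few big sites, computed several ways.

Constructed sample, not real operator data. Each line: client domain bytes kind
where kind is an analyst-assigned label: 'stream' (passive video playback),
'page' (a person actively loading a site), 'beacon' (tracking/heartbeat).
"""
from collections import Counter
from fractions import Fraction

SAMPLE_LOG = """\
c1 youtube.com        60000000 stream
c1 nytimes.com         2000000 page
c1 blog.example        1000000 page
c1 facebook.com        3000000 page
c1 graph.facebook.com    10000 beacon
c1 analytics.example     10000 beacon
c2 youtube.com       120000000 stream
c2 wikipedia.org       2000000 page
c2 news.example        3000000 page
c2 graph.facebook.com    10000 beacon
c2 graph.facebook.com    10000 beacon
c2 facebook.com        4000000 page
"""

# Organisations whose share we are asking about (constructed grouping).
BIG_ORGS = ("youtube.com", "facebook.com")


def parse_log(text):
    """Turn the whitespace-separated sample into a list of dict records."""
    records = []
    for line in text.strip().splitlines():
        client, domain, nbytes, kind = line.split()
        records.append({"client": client, "domain": domain,
                        "bytes": int(nbytes), "kind": kind})
    return records


def belongs_to(domain, orgs):
    """Match an org's domain and its subdomains (graph.facebook.com -> facebook.com)."""
    return any(domain == o or domain.endswith("." + o) for o in orgs)


def group_by_domain(records, weight="requests"):
    """The naive SELECT domain, count(*) ... GROUP BY domain view.

    weight='bytes' sums volume per domain instead of counting rows.
    """
    counts = Counter()
    for r in records:
        counts[r["domain"]] += r["bytes"] if weight == "bytes" else 1
    return counts


def share(records, orgs, weight="bytes", exclude_kinds=()):
    """Fraction of traffic (by bytes or by requests) attributable to orgs,
    after dropping rows whose kind is in exclude_kinds."""
    kept = [r for r in records if r["kind"] not in exclude_kinds]
    weigh = (lambda r: r["bytes"]) if weight == "bytes" else (lambda r: 1)
    total = sum(weigh(r) for r in kept)
    big = sum(weigh(r) for r in kept if belongs_to(r["domain"], orgs))
    return Fraction(big, total) if total else Fraction(0)


def report(records, orgs):
    """Four answers to 'what share of traffic goes to these sites?'."""
    passive = ("stream", "beacon")
    return {
        "bytes_all": share(records, orgs, "bytes"),
        "requests_all": share(records, orgs, "requests"),
        "bytes_active": share(records, orgs, "bytes", exclude_kinds=passive),
        "requests_active": share(records, orgs, "requests", exclude_kinds=passive),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("naive GROUP BY (rows):", group_by_domain(recs).most_common(3))
    for name, frac in report(recs, BIG_ORGS).items():
        print(f"{name:16s} {float(frac):6.1%}")
```

On this sample the same two organisations account for roughly 96% of bytes but under half of the page loads a person actually initiated, which is the gap the thread is pointing at.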
CloudFlare is definitely large enough to raise concerns about centralization of the Internet. You don't have to be a household name for that (e.g. Akamai isn't either). Their site says that their infrastructure "powers nearly 10% of all Internet requests".
They aren't a villain, they're an illustration of market forces currently favoring centralization. Like CenturyLink and Comcast, for that matter.
That’s a very harsh dismissal and I don’t think it holds up well because it ignores the difficulty of switching. You can switch CDNs quickly, without needing any user actions, whereas it’s considerably more work to switch cloud providers and even harder to get users to switch their usage.
Here's the issue that everything fights when talking about Centralization vs Decentralization.
Centralization is far easier to manage. A single entity has the ability to control all routes and all the pieces of the network. The structure can become faster; mesh networks are notoriously slow. By using a VPN + Argo, Cloudflare has control over how your data is routed, and can make sure it skips slow network segments, is peered well, etc.
Decentralization doesn't require trust if implemented correctly. This is its biggest selling point IMO. If implemented correctly (which is hard to do) it can have better uptime, as we aren't relying on any single entity. But, with mesh networks as an example, a specific route could be slower than the others, and there's often not much you can do about it. Decentralization, if not implemented correctly, is a nightmare on so many levels. There's nobody to appeal to if an issue occurs. If trust isn't implemented correctly (current state of ISPs) then we have multiple parties who can spy on/modify your communications.
Or put another way - decentralization may be able to offer greater resilience and reachability - but it will never result in better performance or stability.
Contemplating this makes me happy that HN (among other sites I frequent) doesn't use one of these big providers (though it used to use Cloudflare). May it always stay that way.
This is still better than only having competition at the ISP level since it's easy to switch VPN's. Building a network like Cloudflare is no easy task, but neither is building a mobile network or installing fiber.
While not in itself neutral, it seems like it should help to preserve the competition that network neutrality is supposed to enable, since it's easy for small organizations to hook up with Cloudflare and they do encryption where they can.
I'm reminded of Galbraith's theory of countervailing power, which seems like a more realistic approach than always thinking in terms of centralization versus decentralization:
I just signed up. Cloudflare is on the short list of Internet companies that I trust (with the usual small bit of doubt and skepticism!). With just a few reservations, I also trust G Suite, Firefox, and a few hosting companies I do business with.
I have been supporting FSF, ACLU, etc. for years, but the practical considerations that prompted me to be a bit more trusting are Cloud Search in GSuite, Cloudflare offering HTTPS to help get the web more secure, and a deep appreciation for having Firefox available (containers are so easy to use and make me feel more secure in my use of the web).
I have to mostly agree... Cloudflare has actively participated with a lot of communities to bring better CDN options to open-source projects who otherwise would be overloaded. I'm not sure how much I actually trust GSuite, ironically preferring Office365 to it as there are huge, gaping holes in its usefulness, specifically group email tethered to a horribly broken secondary interface (groups) and the fact that the product as a whole has languished a lot.
I'm in a position where I do appreciate Google's software, Chrome/V8 and resulting node and electron as downstream projects. However, my trust of Google is waning in light of their incredibly divisive culture all around and a lot of their practices, cover ups and just poor form in the sun-setting of "don't be evil."
I don’t disagree about Google. I really just use their paid services (GSuite, Music/no ad YouTube, purchase books and movies). I mostly switched to DuckDuckGo years ago, and I run all Google properties through a single Firefox container.
I trust Cloudflare to do their best, generally respect privacy, and not act maliciously.
I don't trust Cloudflare to not make mistakes (like Cloudbleed). I don't trust myself to not make mistakes. I don't think there is anyone I trust not to make mistakes. It's just not a reasonable criterion.
Companies are made of people and people inevitably screw up. Cloudbleed made Cloudflare more trustworthy in my eyes simply because of how they handled their (very large, very unfortunate) mistake.
There's a lot of dissing of competition (they drain your battery, "all suck", slow down your internet) without a single datapoint.
Personally I find the performance of PIA fine. I just ran a test through fast.com and got 42 Mbps on 4G through PIA mobile VPN in NYC. (Weirdly, when I turn off the VPN and test I'm only getting around 2 Mbps.) Latency is a bit higher than direct, but not enough for me to agree with their blanket statement that all VPNs suck.
Using the speed test app I get 65 direct and 58 using the NYC setting in PIA. Ping is 31 ms for PIA vs 28 direct.
I look forward to testing with Warp once it's released, but I don't see how it could be much better than the status quo. PIA has lots of servers all over the place; Cloudflare might have a bigger network but the delta should be negligible.
I am a bit surprised that fast would get throttled though.
> I am a bit surprised that fast would get throttled though.
Fast.com runs its tests against the actual servers that stream Netflix to you. It uses the same selection algorithms as actual Netflix. The whole point of it was so that you use Fast.com and then call your ISP and say you did a speed test and aren't getting anything close to the speed that they advertised.
On the back end they can't tell the difference between a Fast.com speed test and actually playing Netflix, and that was the point. So if they are going to throttle one they have to throttle both.
It's been pretty common and a big part of why Netflix created the service iirc. ISPs have been throttling Netflix as a negotiating tactic when creating peering agreements for upstream traffic or deploying more content servers. The whole process has been really horrible imho. Some mobile providers do it to force lower quality streams, that in fairness are probably more appropriate for small/mobile devices. 1080p-4K are probably overkill on a 5-6" device.
The question is, on a 5" screen will you really notice the difference between a 1080p stream and a 720p stream for video? Especially considering the 720p may be higher bits per pixel than the 1080p stream. I'd rather have a 720p stream at 3/4 the bitrate of a 1080p stream, which is often the case as there are multiple levels for a given resolution.
Then again, I don't always notice even on a larger screen from a better 720p stream and a poorer (relatively) 1080p stream. I often notice the difference from 1080p to 4K though, which is a slightly bigger bump on a much larger screen.
Netflix will never even try to show you 4K on a mobile device. The ISPs know this. They just want to throttle Netflix so that you'll prefer the ISPs streaming service to Netflix.
Anything that uses the Android built-in IPsec VPN is going to be fine unless the app really goes out of its way to be crappy. This uses WireGuard in userspace so is likely actually a battery drain. Less than OpenVPN at least.
While it might use more power, I've been using WireGuard on my phone for 6 months or so now and the performance is way better than IPsec, especially on spotty connections such as mobile!
I wonder how the increase in performance might offset the difference in battery drain between both protocols. If WireGuard uses a bit more battery to achieve a task quicker, the extra idle time achieved might offset any increase in power usage.
Where do you get the idea this is DNS over VPN only?
> Any unencrypted connections are encrypted automatically and by default.
> Unfortunately, a lot of the Internet is still unencrypted. For that, Warp automatically adds encryption from your device to the edge of Cloudflare’s network
It reads to me like all your traffic goes through your service, not just DNS.
Just as an aside, I thought that was an exceptionally well-written product announcement, or press release, or whatever you'd call it. It was long, but I didn't mind reading the whole thing. It answered all the basic questions about why I should use it, how they plan to make money, and with enough technical detail that I understood essentially how it works. It was very much the opposite of the marketing material you get from most big corporations. I'm saving the page as a PDF as a good example if and when I need to write a product announcement.
I had the same reaction. As I was reading the article, I started asking myself "Hold on, what's in it for you? You're still a private company. How are you going to make money?". I then reached the "Ok, Sure, But You’re Still a Profit-Seeking Company" section. It's as if the article was reading my mind.
Every free product comes with a catch. When this catch is not clearly explained by the company, I always feel it's because the reason is too "shady" to acknowledge publicly (like Gmail and Facebook gathering data for advertisers). I'm probably naive to believe the reason here is vastly different, but the tone and style of this article puts Cloudflare closer to Apple than to Google privacy-wise in my eyes.
The choice to omit any sort of sign-in or account feature for the app is also a very stark difference. Even most apps with the stated goal of improving your privacy require some sort of account.
While it's true that if Cloudflare was evil, they could fairly likely identify you from metadata, that's a lot more complex and a lot more error-prone than having you sign in.
I am curious though if this will extend to their premium Warp+ offering, as presumably they need to identify a paying customer. Perhaps if they're entirely built off of IAP on whatever platforms their clients are on, they can avoid this problem entirely?
We'll have to take payment for the paid feature, obviously, but plan to use the Apple and Google payment systems for that. I'm not an expert on the nitty gritty of that, but I don't think that gives us access to any of your personal details. We've always thought of personally identifiable information as a toxic asset and something we try to minimize collecting whenever we can.
One of the first (and most important) lessons I learned from @eastdakota when starting at Cloudflare ~4 years ago was how to write a product announcement.
Nobody does it quite like him, though @jgrahamc is great too, and I try to encourage my team to follow the lead here as much as possible.
Thank you. That's very nice of you to say. It was a team effort because we were working until the last minute to figure out exactly what we were going to be able to announce today. Glad it came across as clear.
Overall I'd agree, though they nearly lost me at the start:
> on “April Fools” a handful of elite tech companies decide to waste the time of literally billions of people with juvenile jokes that only they find funny.
I think a lot of the backlash the tech industry is facing is due to its unwillingness to grow up. So, yes, perhaps I'm a humbug in tech circles, but it's only because I've been outside of the Silicon Valley bubble and listened to how the tech industry is perceived. It's not good. And the April Fools foolishness is a very stark illustration of that.
> I think a lot of the backlash the tech industry is facing is due to its unwillingness to grow up.
I'd say the backlash is due to unaccountability, privacy erosion, and income inequality.
April Fools gimmicks are barely a blip on the radar compared to the above. At best they provide a target to focus the above ire on, but that's confusing the issue.
I've been fortunate enough to earn degrees in English (BA), Computer Science (minor), Law (JD), and Business (MBA). The one that serves me the most regularly in my role as CEO of Cloudflare is my English degree. Learning to communicate is so critical to success in your field, regardless of the field.
She did freelance work while getting her degree (mostly friends/family small business promos, article, press-releases) and received a ton of positive feedback that she was able to use.
An aside from the comment, but I don't appreciate the derisive tone of their first paragraph:
> a handful of elite tech companies decide to waste the time of literally billions of people with juvenile jokes that only they find funny.
I sort of agree, but it's not nice, and not necessary. It also isn't particularly classy to then go on to say "and we're so much better, because we do useful things".
(I do happen to find Cloudflare, as a company, so much better, and awesome things like 1.1.1.1 and warp make me really want to push my employer to use Cloudflare for all the things).
Absolutely, that part left a bitter taste in my mouth reading the rest of the article. Feels like they released this on April 1st just so they could make this claim, strange move.
While this might improve user experience for some, I don't see the greater value in a VPN solution like this.
It's the fast path to replacing the decentralized internet with a few proprietary CDNs. I'm much more excited about those projects that actually try to fix the raised issues:
Unencrypted connections -> TLS / Letsencrypt
TCP sucks on mobile/roaming devices -> QUIC & HTTP/3
Cloudflare pushed out free TLS years before Let's Encrypt and we are actively working on and supporting QUIC and HTTP/3. But QUIC/HTTP/3 aren't here today, not everyone is using HTTPS and there are other worries in coffee shops etc. hence a VPN service makes sense.
There is a bit of a difference between LetsEncrypt and Cloudflare TLS termination though... one is TLS for everyone, the other is TLS for Cloudflare customers (paying or not). For instance can an Iranian website use Cloudflare TLS? I would wager not. (ironic as they probably need secure transport the most).
I'm not saying Cloudflare isn't doing good things for the Internet but it's a bit disingenuous to equate the 2 efforts.
Cloudflare could have done LetsEncrypt, but as a CDN that would make no business sense - which is why we need LetsEncrypt, so they can continue to do the things that don't make good business sense for Cloudflare.
CF is at the mercy of the CAs (DigiCert/Comodo), and at least based on LetsEncrypt's stance [0], they should be OK to issue .ir certificates as long as the customer is not a Gov't entity. The only issue is that these CAs are just playing it safe by not issuing any .ir domains, making CF also unable to issue .ir.
I believe CF is working on LetsEncrypt certificates, at least based on letsencrypt.org being included in the 'automatic' CAA records[1].
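Since the two comments above turn on which CAs a domain's CAA records permit, here is an added example (not from the thread, and not Cloudflare's or Let's Encrypt's code) of the CAA check a CA performs before issuing, following the RFC 8659 rules: climb from the name toward the root to find the relevant RRset, let issuewild override issue for wildcard names, honour the critical flag on unknown properties, and treat `issue ";"` as "no CA may issue". The zone data is a constructed stand-in for DNS answers so that it runs offline; a real check would query DNS, preferably DNSSEC-validated.

```python
"""CAA issuance check (RFC 8659 logic) over constructed zone data.

Added example. ZONE is a constructed stand-in for DNS answers:
name -> list of (flags, tag, value). It is not real DNS data.
"""

ZONE = {
    # Two CAs may issue ordinary certs; no CA may issue wildcards;
    # violations are reported to the iodef address.
    "example.net": [
        (0, "issue", "digicert.com"),
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),
        (0, "iodef", "mailto:security@example.net"),
    ],
    # Parameters after ';' narrow how the CA may validate, not who may issue.
    "api.example.net": [(0, "issue", "letsencrypt.org; validationmethods=dns-01")],
    # An empty issuer means nobody may issue for this name.
    "locked.example.net": [(0, "issue", ";")],
    # Critical flag (bit 7) on a property this CA does not understand.
    "legacy.example.net": [(128, "futureprop", "x")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80


def relevant_caa(name, zone):
    """Return (owner, rrset) of the first non-empty CAA RRset found while
    climbing from name to the root, or (None, []) if there is none."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def issuer_of(value):
    """The CA identifier is the text before any ';' parameter list; an empty
    identifier ("" or ";") means no CA is authorised."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(fqdn, ca_domain, zone):
    """Would a CA identified by ca_domain be permitted to issue for fqdn?"""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    _owner, rrset = relevant_caa(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted

    # An unrecognised property marked critical forbids issuance outright.
    for flags, tag, _value in rrset:
        if tag.lower() not in KNOWN_TAGS and flags & CRITICAL:
            return False

    issue = [v for _f, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _f, t, v in rrset if t.lower() == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # CAA present but says nothing about issuance
    return any(issuer_of(v) == ca_domain.lower() for v in applicable)


if __name__ == "__main__":
    for fqdn, ca in [("www.example.net", "letsencrypt.org"),
                     ("www.example.net", "comodoca.com"),
                     ("*.example.net", "letsencrypt.org"),
                     ("api.example.net", "letsencrypt.org"),
                     ("locked.example.net", "digicert.com"),
                     ("legacy.example.net", "digicert.com"),
                     ("nocaa.example", "letsencrypt.org")]:
        print(f"{fqdn:22s} {ca:16s} -> {issuance_allowed(fqdn, ca, ZONE)}")
```

Note that CAA only lets the domain owner restrict issuance; a CA's own policy (such as declining .ir names, as discussed above) can still refuse a certificate that CAA would permit.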
Should Cloudflare go evil in some way then I would guess other services would pick up the ball and would keep delivering the same level of service as this one.
Cloudflare, are there plans for ad blocking? Currently using AdGuard DNS and it works well. Router-level ad-blocking would be an attractive premium option.
I think he's asking because you can't easily combine DNS services. If you're using a service to block ads via dns then you aren't using 1.1.1.1. If you want to use 1.1.1.1 then you need to either host your own forwarding dns server or forego ad blocking.
That is not something which has factored into the conversation on our (Cloudflare's) end. The bigger issue is even as we make technical improvements, we very much don't want to create a separate Internet. The minute we begin adding, removing, or changing content when it comes through Warp those questions begin to be asked.
You also don't want to be in the business of determining which ads are "good" and which are "bad" and being tastemakers in any way, so probably a smart choice to stay out of the ad game.
A good add-on though might be a way for people to run their own service on a Cloudflare worker that gets hit with each request to 1^4, which would allow them to run their own ad blocker.
Same concern here. I use the open source dns66 app with cloudflare dns so I get the best of ad blocking/content filtering and fast connections. I love the idea of improving my privacy and theoretically performance for the connections I want to make, but not at the expense of that functionality.
I currently use DNS66 for ad blocking on android without root. Is there a way to do something similar while using this app?
Alternatively, I have an Xperia XA1 running a June 5, 2017 security patch. It's been my intent for a long time now to figure out how to get root without unlocking the bootloader the Sony-approved way (which makes the camera less functional). Anyone have any pointers on easy to exploit privilege escalations that should exist on my phone?
Are you Android 9 or later? If so, set up private DNS to dns.adguard.com [0]
Otherwise, you are out of luck. You cannot run the 1.1.1.1 app and run another VPN app like blockada, netguard, no-root-firewall side by side on Android (at least not supported till the latest release, Android 10).
Could also approach from usb/wifi/bluetooth/etc instead of local userspace.
The problem specifically is that unlocking the bootloader the official way deletes drm keys stored in a "TA" partition, and that makes the camera less functional. It would be sufficient to find a vulnerability that let me back up the DRM keys - but that seems unlikely without gaining root access and I'd have more confidence that I backed up the right thing with root access.
Despite criticisms, I've been using the Brave browser on Android, which is pretty much Chrome with integrated Adblock Plus. Though there is some level of irksome override with some advertisers, it's been about the best overall experience for me. May actually switch my desktop browser at home when I build my new computer.
For browser I already use Firefox, so I could easily add uBlock Origin (or, I suppose, Adblock Plus). Having a DNS-level ad blocker is just a nice-to-have for anything not browser based that decides ads are a good idea.
In all honesty it's pretty rare that I use anything not browser based that might have ads, but on principle I'd like to keep it around.
Currently I use PIA VPN when browsing. When I go to Cloudflare sites, I often get captchas because, in the past, I imagine someone was using PIA to abuse a Cloudflare site.
So what happens when people start using Warp to hide their IP so they can hack, scan, scrape, upload malware, etc? Is Cloudflare going to show captchas to Warp users and slow down their experience? What is the plan to mitigate abuse on a free VPN that doesn't log?
This is basically answered in a different thread [0]. They said they're passing on the original IP of the person using Warp, so it won't work in the same way as something like PIA in that way.
That is why Cloudflare wants you to use their VPN rather than an anonymized one. If they can track you, they can have more data about whether to block you.
Nope. We want you to use our VPN because we think it'll make your mobile Internet experience better (faster and more secure). That turns into an upsell opportunity to us and makes our core service (which people pay us for) more valuable.
Damn. Cloudflare's super nice customer-centric stance on this product is killing me. I quit my FAANG job just this past month to build something similar.
So if I end up at a Cloudflare customer over a Cloudflare VPN you will never tie the two records together? That is actually encouraging if you'd publicly commit to that.
Yes! We're working on desktop clients as well but they'll be available a bit later than the mobile launches, as the most performance benefit is available when you're on a cell network.
I wonder, when accessing a Cloudflare website, if they'll be presenting the website owner with the original origin IP, or passing along the 1.1.1.1 endpoint IP address when staying within their network.
This is correct. It's significantly harder to inject the origin IP into a TCP stream. We have ways [1] of doing it, but it requires some coordination on both sides.
Have you considered enabling this out of band? For example as a network administrator I could verify a CIDR block and receive a real time stream of 5-tuples (err, 7-tuples with the proxy?) destined to my network.
Are Cloudflare going to be able to decrypt the TLS sessions running over their VPN between me and end-sites, so they can insert this additional HTTP header?
When most of those sites are hosted by Cloudflare, they already decrypt the TLS session at their load balancers before forwarding the request to the remote endpoint.
"Let's acknowledge that many corners of the consumer VPN industry are really awful so it's a reasonable question whether we have some ulterior motive. That many VPN companies pretend to keep your data private and then sell it to help target you with advertising is, in a word, disgusting. That is not Cloudflare's business model and it never will be."
Therefore Warp will be open-source and its distribution will be free from the control of commercial third parties via "app stores".
Those who do not wish to use an "app store" may compile Warp themselves or download binaries from their preferred repository for sideloading, e.g., F-Droid.
I'd imagine they'd test the performance with say 100 users, then another 900 to make it a round 1000, then if they see the 1000 users only use 1% CPU, they could just go up to 10000 to see if it uses 10% CPU or just 5%...
And after they figure out how many servers/how much bandwidth they need, they could just bring in e.g. 100K users online at once.
They also probably want to roll out in batches to reduce the impact of bugs, not just to measure resource usage. But absolutely agree that once they get comfortable bringing in 100k at once is perfectly possible.
This is awesome! I love CloudFlare's services and I'd trust them to provide a really secure, fast VPN (free to boot!)
1. Is there a public endpoint for boringtun/noise? For playing with
2. Any chance the client (desktop) will be open source? Would love to help if possible.
3. Any interest in a WebRTC (and webRequestBlocking) based chrome extension/client?
That would probably not need anything special installed on desktops and would be awesome
Are there significant differences from stock WireGuard? Can I benefit from your work on my own server?
Also I wonder how you work with censors? For example Russia censors the internet and requires that all VPN services cooperate and censor the internet for Russian customers as well (probably they will ban services that won't comply). Will you cooperate or will you accept that Russian users won't be able to reach your service? I guess that some other countries use or will use similar techniques. For example I'm from Kazakhstan, there are many banned websites and they seem to ban popular VPN and proxy services as well (I'm using my own server with OpenVPN, but obviously I'm just a small fish to bother).
The benefit to Cloudflare is they will have more entry/exit nodes on their network(s). Running your own will go through your own server in/out, and even then, when travelling, may only add more latency. Many on here are and have been doing just that all the same.
Can the service be used with another Wireguard client (hopefully bundled into Linux distros in the future) without installing Cloudflare’s client software?
Asked differently, do you plan on explicitly disallowing/banning it if people unofficially ran the reference implementation against Warp?
It would be nice to know the policy there. For those of us that do know what a VPN is, and are okay not having access to support, getting things to work without a desktop app would be nice.
I think my answer was pretty clear. We do not currently plan to allow stock WireGuard clients to use Warp. I say, currently, because things can always change.
It's important to appreciate that we have literally millions of users for the 1.1.1.1 App and we are rolling out a free VPN for them. That is a huge support and network burden that we have to deal with to make that experience work well. Yes, we use WireGuard under the hood (and have open sourced our Rust code), but the additional cost of supporting people connecting from their WireGuard clients means that we don't want to support that _today_. Please bear with us while we get through a massive roll out.
We're really happy to work with WireGuard. We communicated with Jason throughout the process and have a ton of respect for him and the entire WireGuard community. In the short term, we need the flexibility to quickly update our code base to support the project we built it for. That's harder when you need to coordinate with people outside Cloudflare and when we need to move as fast as we plan to. However, we really believe in open source and want the WireGuard community to thrive. We licensed the code very openly (3-clause BSD) and WireGuard may choose to fork it. If they do, we'll support it and plan to contribute any improvements in our own fork back. Over the long term, we're very open to merging this back into the upstream project.
From what I understand, Jason was willing to make you guys head of a sub-project. I'm failing to see how this would hinder your development, considering you've probably got your own build and deployment systems anyway. The way you've done it feels like a 'chuck the code over the fence' style of interaction, which again - I can't see any rationale, from a project perspective (imho).
Thank you for clarifying. There is a big difference between supporting something, and stopping it from happening.
It's Cloudflare's service, and of course entirely Cloudflare's decision how it is permitted to be used. I just hope that, in the future, it will be allowed (but not necessarily supported) to use stock clients rather than desktop apps (which many of us Linux people would dislike). :)
I don't think anyone on Linux setting up and tweaking WireGuard to integrate with CloudFlare's free network expects to be able to call up support and be like "hey, I need help debugging my custom client." :-) As far as network burden, you're just concerned that we'll be using too much traffic?
Could you elaborate why? Is it because you may not be able to field support requests and complaints from users who may have clients with issues or may have misconfigured it? Or are there other reasons too?
Would you ever make the code of the 1.1.1.1 app with Warp open source?
Exactly that: there would be a large support cost to making it work and so we'd need to think carefully about it. It's not a technical issue at all.
On the open source thing: maybe? It's hard to say. In general, we like to open source libraries and stand alone applications. And we think pretty carefully about the cost of supporting an open source community as well. Which is, I think, a thing people overlook.
Is it just me or does it sound wrong to call WireGuard, the kernel module, third-party software in this context? That's literally the reference implementation.
It is wrong. Warp is the third-party implementation.
It would be amazing if it could be made to work from standard WireGuard, but I suppose there's a chance that if desktop versions arrive, you'll be able to extract the keys.
The only thing stopping that would be if Cloudflare broke the protocol.
We can argue about the terminology but from the perspective of the company other WireGuard clients (including the official ones) are 'third-party' in the sense that we don't control them. That makes supporting users of those clients more expensive for us (e.g. we currently have a mobile app for Warp, someone calls our support asking for help with a Linux client...)
Not supporting a configuration is much different than actively prohibiting it.
It's okay to just say, "Hey, we are running a free VPN. We're making some privacy guarantees and are trying to log as little as possible. That exposes us to being abused, which means that we have to put some limits in-place on the client."
I know this is the last thing you are worried about right now, but could you at some point look into Tasker integration? It's really easy to provide a Tasker interface. I would love to be able to control when 1.1.1.1 connects.
That makes sense — I had seen it on my phone under that name and was then surprised when I pulled the link up to share it, although since I'm at 160,606 on the wait-list that hurry was probably unnecessary ;-)
How does that work with WireGuard though? The Neumob thing was pitched at us as some black box “magic” you integrate into your own app, which we turned down since the library source isn’t available. Is it running on the mobile VPN app or is it running between the VPN server and whatever the exit POP is?
My work still can't reach 1.1.1.1, but can reach 1.0.0.1; it seems 1.1.1.1 was used by our ISP TWTelecom for a stub network. We opened a ticket with TW, and they just keep kicking the ticket as won't fix. But 1.0.0.1 seems to work fine.
Almost thought this was an April Fools' joke (the app icon also makes it look like one). While it's good to have an option for non-technical people who need to protect their network traffic and privacy, I'd stick to my own DIY WireGuard (now that we've got working clients for iOS, Android, macOS, etc.; it also performs exceptionally well compared to IPsec in performance and simplicity), with a strongSwan-based IPsec VPN as backup whenever network traffic encryption over an untrusted network is required.
NOTE: I doubt this will survive longer than 3 days in mainland China (inside the GFW).
“2. We will never sell your browsing data or use it in any way to target you with advertising data;”
Does this mean they have the right to sell browsing data for other purposes than “to target you with advertising data”?
Even without any personal data, the data generated when using their DNS-service, such as statistics on domain names, can be of great value for e.g. Hedge Funds and SEO-companies wanting to know how big a domain name is based on DNS-request statistics.
My question is therefore: Do they have the right to sell non-personal DNS-request statistics to third parties?
In paragraph 2 Cloudflare says "We do not receive your phone number, device ID, IP address or any other information that could identify you when you install or use the Mobile Application."
But in paragraph 4 it says "These Service Providers may only process personal information pursuant to our instructions".
So which is it - do they collect personal info or not?
Would really be nice to see this on F-Droid or available as an apk somewhere. There are still a few of us (dozens!) that are holding onto the fantasy that Android isn't just a Google service.
How is Cloudflare handling IP allocation here? I might be misunderstanding how WireGuard works, but it doesn't look like there is an official method for dynamic IP assignment.
Maybe they are using one tunnel interface per customer, then always assign the same address to everybody and use policy routing to handle this (EDIT: just realized they might not be using the network stack at all for this and may do something similar in their userspace implementation). This would not solve key exchange though. But maybe it is possible to accept any key (if the public key is transmitted this should be easy). Otherwise connecting probably requires requesting an IP address for your key prior to connecting via WireGuard, to allow the endpoint to set up the required configuration.
This is really something WireGuard apparently did not quite expect to be needed. It is also hard to do dynamic routing with WireGuard, which could possibly allow fully meshed networks directly on top of WireGuard, but I have not tried really hard yet. It would also be very useful to me to be able to have a CA so I do not have to update configuration everywhere. Last but not least, it's not possible to bridge the WireGuard interface at all. I have an experimental setup where I would like to use WireGuard as the sole network interface for a virtual machine, somewhat like advertised for containers, where it works beautifully. However, it's not possible because it's not an Ethernet interface in Linux. Instead I have set up a VLAN on my switch and route traffic through WireGuard using my gateway. I would much rather terminate the tunnels at the hypervisor, but don't want to route traffic there.
I think all of this boils down to the usage of their cryptographic routing and the trickery around it to make it work as intended. I would probably abandon WireGuard if a fork allowed my use cases, as I am otherwise a really happy user.
He is most likely talking about the IP address inside the tunnel, which in the case of WireGuard is intertwined with the exchange of cryptographic keys. You cannot use a DHCP server as only unicast traffic is possible.
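The thread above is about why the tunnel address in WireGuard is bound to the peer's key rather than handed out by DHCP. The toy model below is an added example (not Cloudflare's or WireGuard's code) of that "cryptokey routing" behaviour: a peer's AllowedIPs decide both where an outbound packet goes and whether an inbound packet is accepted, and a fresh key has to be given an address out of band before any handshake. The key labels and the 10.64.0.0/24 pool are constructed.

```python
"""Toy model of WireGuard cryptokey routing (added example, not project code).

Models one interface: each peer (identified by its public key) owns a set of
AllowedIPs.  Keys and the address pool below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Network = ipaddress.IPv4Network
Address = ipaddress.IPv4Address


@dataclass
class Peer:
    public_key: str                      # a base64 key in a real config
    allowed_ips: List[Network] = field(default_factory=list)


class CryptokeyRouter:
    """One WireGuard-style interface with a pool of /32 tunnel addresses."""

    def __init__(self, pool: str) -> None:
        self.pool = ipaddress.ip_network(pool)
        self.peers: Dict[str, Peer] = {}

    def assign_address(self, public_key: str) -> Address:
        """Bind the next free /32 in the pool to a public key.

        WireGuard has no DHCP-like step inside the tunnel: the endpoint must
        learn the key and choose the address out of band (an API call or a
        pushed config) before the first handshake.  On a single interface an
        AllowedIP can belong to only one peer, so the pool must hand out
        distinct addresses (which is why the thread suggests one interface
        per customer if everyone were to get the same address).
        """
        if public_key in self.peers:
            return self.peers[public_key].allowed_ips[0].network_address
        used = {n.network_address
                for p in self.peers.values() for n in p.allowed_ips}
        for host in self.pool.hosts():
            if host not in used:
                net = ipaddress.ip_network(f"{host}/32")
                self.peers[public_key] = Peer(public_key, [net])
                return host
        raise RuntimeError("address pool exhausted")

    def accept_inbound(self, public_key: str, src: str) -> bool:
        """After decryption, drop the packet unless its inner source address
        lies inside the AllowedIPs of the key that authenticated it.  This is
        what ties the IP to the key and stops one peer spoofing another."""
        peer = self.peers.get(public_key)
        if peer is None:
            return False
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in peer.allowed_ips)

    def route_outbound(self, dst: str) -> Optional[str]:
        """Pick the peer whose AllowedIPs contain dst (longest prefix wins);
        None means the packet has no peer and is dropped."""
        addr = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for peer in self.peers.values():
            for net in peer.allowed_ips:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = peer.public_key, net.prefixlen
        return best


def demo() -> dict:
    """Provision two constructed peers and exercise both directions."""
    r = CryptokeyRouter("10.64.0.0/24")
    a = r.assign_address("PEER_A_PUBKEY")        # constructed key labels
    b = r.assign_address("PEER_B_PUBKEY")
    return {
        "a": str(a),
        "b": str(b),
        "a_ok": r.accept_inbound("PEER_A_PUBKEY", str(a)),
        "a_spoofing_b": r.accept_inbound("PEER_A_PUBKEY", str(b)),
        "unknown_key": r.accept_inbound("PEER_X_PUBKEY", str(a)),
        "route_to_b": r.route_outbound(str(b)),
        "route_off_pool": r.route_outbound("192.0.2.1"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```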
Can't wait to see a Desktop version that works on Linux and maybe as an extension on Firefox/Chrome, for those who just want to use this for the browser and not other software. I've used 1.1.1.1 since day one and love it. Much faster than Google/OpenDNS for me. I actually use it on my router.
Maybe next you can do a better security for our WiFi? But this might require releasing a better hardware not just software.
Update: It got sorted out for me and I got my waitlist number after trying again. Now the top banner just shows me my waitlist number.
Happened to me as well, and that’s why I came looking for the canonical post on this topic to see what’s happening. I switched networks and tried, but got no waitlist number. There’s just a message saying I’m on the waitlist and the button to join the waitlist is still visible and enabled.
Now that I see people from Cloudflare have responded, I’ll just wait and see.
Sorry about that, there's an issue we're currently dealing with which hits people who had a specific version of the old 1.1.1.1 app and just updated. It should be fixed shortly.
At least everyone should agree that using VPNs is mostly an awful experience on all devices, but many times more on mobile phones. I tried out 3-4 clients (Android) with different services/protocols and couldn't keep using it because of the resource usage, it literally halved the battery time and made the (new flagship) phone hot all the time. There has to be a better way.
> 1. We don't write user-identifiable log data to disk;
> 2. We will never sell your browsing data or use it in any way to target you with advertising data;
Is it just me or are these terms super-specific? They can easily be circumvented to achieve real logging, especially at Cloudflare's scale. While I trust Cloudflare as a company, I feel like they're being a bit disingenuous here.
Wow, so encouraging thousands of people to run all their mobile traffic through something doesn’t make it mission critical? How do you know what their missions are? (I don’t imagine CloudFlare would feel that way...at least I hope not.)
> 1. We don't write user-identifiable log data to disk;
That's great... but you do log user-identifiable info? How I read that is "we log things that can identify you but just keep it in memory for X amount of time".
Myself and other privacy-minded folks would like to know more details there, especially as this is a freemium service.
The short answer is we really don't want to have data. We store bits of it for aggregate analysis and debugging, but the goal is to not be able to map traffic to individual people as quickly as possible.
True. But that doesn't preclude you from offering the same amount of privacy. I suppose they want to catch abusers or find some other way of monetizing it, but that has nothing to do with the demographic they're chasing.
This is a wonderful announcement. I'm a bit torn since on the one hand I love Cloudflare and use them extensively for my domains/servers/websites but for personal secure browsing I've been using Mullvad + WireGuard Android (with 1.1.1.1 in the config file) for a long time and it's worked flawlessly.
I like both companies so maybe I'll just keep supporting Mullvad and recommend 1.1.1.1 to friends and family once Warp is in general availability (those "people who don't know what a VPN is").
Warp+ looks to be a solid business use case which I think fits well with Argo and their other offerings. Either way, it's good to have another proper VPN option outside of (self)hosted WireGuard.
Many thanks for democratizing this service, as is always the case with Cloudflare.
The claim that ordinary IPSec-based VPN clients (which typically use the OS kernel's IPSec facilities) "drain your battery" more than any other VPN implementation seems specious to me. Does CloudFlare have any data to support this claim?
From where does the user's traffic originate? Is it the closest location on that map to where they started? Is it always the same country? (I'm guessing not, as there are a lot of countries? ;P But maybe that's true for larger countries?)
I've been having tons of issues with 1.1.1.1 on my iPhone especially when jumping on and off wifi to 4G. I realise they would need to reconnect and so on, but it seems absurdly slow, so I stopped using it. I'll give warp a try though
There are a lot of claims about how mobile internet sucks and this makes it not suck. But then it’s revealed it’s a WireGuard-based VPN. What I don’t understand is how my internet will be so much faster than any other use of WireGuard?
1. When you use WireGuard as a VPN your device is connecting to wherever you happen to have hosted your server. Cloudflare's PoPs are located in 165 different Internet exchanges and ISPs, giving a pretty good chance that one is close to you wherever you are in the world.
2. We (Cloudflare) have tech through our Mobile SDK product which can optimize the actual way the Internet TCP traffic is mapped into UDP.
3. We also have Argo, a technology for optimizing the routing of packets through the Internet which will be released as Warp+.
Last time I used 1.1.1.1 DNS I sometimes had problems when visiting bbc.co.uk. It seemed to be trying to look up the domain on cloudflare's service for some reason. Was I the only one to have this problem? Would it be fixed now?
Sites should load just fine without EDNS -- even "geo-specific" ones. They will just route you as if you came from your local Cloudflare PoP rather than your home IP; usually not a big difference since Cloudflare is in so many locations.
I'm not having any trouble with bbc.co.uk on 1.1.1.1, maybe it was a temporary hiccup.
(Disclosure: I work for Cloudflare but not on this product.)
Ouch. Do you know which PoP (point of presence) you're hitting? To find out, look at the last three letters in the CF-Ray header on any response from a Cloudflare site, e.g.
curl -v cloudflare.com 2>&1 | grep -i CF-Ray
The letters should correspond to an airport code nearby the CF server you landed on. Let me know what it says.
OK, so it seems like Cloudflare in general is not serving your ISP very well for some reason. :( Hopefully our network team will be able to look into it.
It was intermittent. Sometimes it worked, sometimes it didn't. The error message given suggested it was trying and failing to find a cloudflare hosted site (which to my knowledge the BBC isn't). Unfortunately I can't remember exactly what the error said.
I'll try it again for awhile and see if I have any issues now.
Not ideal for performance too, sites/APIs with regional endpoints could then be slower. Understand the privacy impact, could CloudFlare client “anonymize” edns subnet by region-ing the request based on large cloud regions? (rather than actual client subnet)
Very interesting. I've got environments where I have no control over how DNS is assigned, so I've wanted to set my phone to point to 1.1.1.1 but that also means I must have a static IP (it's DHCP or static, I can't only change DNS), but when I use static I run into a significant battery drain.[1] Using an app to work around that is a bit of a heavy hammer, but I'm gonna give it a shot.
Will it be possible to whitelist network devices and/or SSIDs?
Use case: I want to be able to say, "only use VPN when on WiFi networks (not cellular), and if so, only activate on public WiFi networks (not my home WiFi)."
It’s currently possible to whitelist SSIDs, and disable for cellular, for the 1.1.1.1 DNS VPN profile on iOS, so I’m assuming it will work the same way for Warp.
It's good, but there are still many great Mobile VPN services like PIA, PureVPN and ExpressVPN. Also, they are compatible with routers, so you can easily use them there instead of using the VPN on mobile directly.
"Hokey as it sounds, the primary reason we built Warp is that our mission is to help build a better Internet — and the mobile Internet wasn’t as fast or secure as it could be and VPNs all suck. Time and time again we've watched people sit around and talk about how the Internet could be better if someone would just act. We're in a position to act, and we've acted."
By doing the least work possible: creating a proxy. They haven't actually fixed the internet at all, they just made a new middle box.
I further correct my post: what or who will be behind cf?
It's naive at its best.
"Freedom of surveillance for free"
And you just slurp it.
Think.
Again.
Think.
I stepped thru getting some Ubuntu systems using 1.1.1.1 for DNS but retaining DHCP otherwise. Looks like this is tricky to do but some new features came in with a netplan package update that allows this to be done easily in 19.04:
Is there any notable potential for people to use this for abuse? You guys tend to put up captchas for inbound Tor traffic, I assume for similar reasons.
Tor is different. We don't put up CAPTCHAs by default for Tor. We totally changed how we handle Tor years ago. But, because Tor provides anonymity, there is _a lot_ of abuse through it. A lot.
Tone note: I'm posting technically, not value-judging.
I would say "anonymity" is a fairly strong term for what's being offered here. It's going to hide your source IP, and if you don't mind CF seeing your unencrypted content (and the fact it's unencrypted kinda means that from a technical perspective, you already don't care), it may improve the amount of the connection to unencrypted content that is encrypted (and thereby block the "coffee shop" attack fairly well), but that's all. They're not going to actively strip the bajillions of other active tracking techniques being used nowadays. Your phone will still track location. Facebook will still track you on your phone every bit as much as they did before. etc.
This is part of a complicated set of measures you may be able to take to attain anonymity, but not even remotely the full package.
Again, this is a technical posting to ensure that people understand what this is and is not. This is not a criticism of the service for not being something it isn't or anything like that.
Less technically and more value-judgy (though still not much), note the title: "Introducing Warp: Fixing Mobile Internet Performance and Security" Performance was highlighted first, security second. This seems to me to be a reasonable and accurate reflection of the nature of the service.
Note that the blog post does not say "anonymity" or any similar word. We aren't trying to hide you completely from everyone (use Tor for that). We are securing and accelerating the connection between your device and Cloudflare. This is meant to deal with the reliability, performance and security challenges of using mobile Internet around the world. And we have strong privacy guarantees.
Yes, I got that. But, because CF offerings are very popular, you're going to end up with a lot of people coming from a relatively small number of IP addresses, right?
It's worth thinking about...we had this situation before with AOL. That is, a pretty large number of people in diverse geographic areas, all coming from a small number of IP addresses.
People do use that "relative" anonymity for lots of things, not all of them good. Also, it may create some issues for things like geolocation, regional content restrictions, credit card fraud detection, SMTP blacklisting, rate limiting, and so forth. Because your offering is free, and CF is well known, I'm guessing it will grow fast. Not suggesting anything change about it, just that it may create something that site owners need to react to.
If you don't trust them with a binary, you shouldn't trust them just because they posted source code somewhere. If they don't have the bandwidth to manage this as an open source project this is the right call.
There are plenty of companies who have released their source code but don't support it in the same way a typical community driven project like other open source projects do.
This is especially true for certain privacy and security focused applications. For example, Signal release their code, have quite a lot of users, and don't report an unmanageable overhead due to having released their source code.
It's not just a matter of trusting their intentions, it's a matter of knowing that their code matches their intentions. I trust OpenSSL (mostly, these days) and I always trusted the intentions of the developers, but if their code was not open it would not be half as secure today.
Because that doesn't really work. We put the code out there and people start working on it. You think we're going to be able to _not_ look at what people are doing?
One thing about using VPNs on the phone is that a lot of mobile/public networks only allow port 80, which prevents the VPN from connecting. If CF makes a version of wireguard that can do port 80, that would be great.
As far as their bottom line, I guess this helps them sell services by having a documented number of people suckling the internet straight from the CF teat?
> That many VPN companies pretend to keep your data private and then sell it to help target you with advertising is, in a word, disgusting. That is not Cloudflare’s business model and it never will be.
When I read something like that I feel protected and cared about. Now, can someone explain to me why this should be in any form different from the WhatsApp case?
The Department of Homeland Security offered to buy the data from Project Honeypot (run by Matthew Prince and Lee Holloway), and they sold it to them for $20,000. Michele Zatlyn (a classmate of Prince) said "if they'll pay for it, other people will pay for it."
"And so the idea for Cloudflare was born, with Ms Zatlyn as its third co-founder." [with Prince and Holloway]
And let's not forget who Cloudflare's customers are today: companies that pay us to make their web servers and API servers faster, more reliable and more secure.
Well, one of the big differences is the fact that you don't have to provide any information to use 1.1.1.1 or Warp, just download the app. That means that at worst, the only personally-identifiable information they get is your IP and usage patterns.
If CloudFlare is bought by Comcast and they start doing Bad Guy Things™, then your exposed surface area is rather low.
Cloudflare is one of the companies I trust and use. But in every company's life cycle, there will be a time when some other company (Google, Facebook and other usual evils) comes forward to buy this company out; will they hold off? Or will they go public? What happens next is a story for another time!
Always continually evaluate your assumptions of who you trust, and always ensure you aren't up a creek if you have to switch providers because of an acquisition. That's why products built on open standards are great: They mean there are already alternatives readily available if you need to switch.
I started using 1.1.1.1 last April from the start. Later I decided I want a firewall on my Android phone as well and installed NetGuard. Unfortunately both apps can not run at the same time, because they are both "VPN".
Really hope there are plans for a firewall built into 1.1.1.1 in the future.
I'm scratching my head at this one.. I installed it, it claims that VPN is on, there's the little key in the status line as when e.g. OpenVPN is running, but pointing a browser at whatismyip.org still shows the same old IP address. So, no VPN after all?
Replying to myself - I hadn't got that you have to apply for a spot in the waiting list, through the app. So it just does DNS through 1.1.1.1, still. Fair enough, although my routers generally do that by themselves already.
However, I wish the 1.1.1.1 app didn't show that key in the status line as long as it isn't a VPN application.
I've downloaded 1.1.1.1 fresh from Google Play just now, but I don't see any "get in line" option. Buried somewhere, or Google still staggering out the latest version of the app?
I did the same and it was at the top of the screen with the big button to enable DNS. It was not labeled "Warp" or "VPN" (in keeping with the "A VPN for People Who Don’t Know What V.P.N. Stands For" theme I suppose).
This is so awesome from the general safety, convenience (super simple to use!) and speed perspective. I would gladly pay to have the option to be able to choose which datacenter I connect to.
Given the size of the queue to join (request via their 1.1.1.1 app), I'd say get it, get a slot, and by the time that comes up any issues or concerns would have been well debated.
It's a whole different thing. If you install the 1.1.1.1 app, it's sending all your DNS lookups from your phone directly to 1.1.1.1. It doesn't care what's happening at the router level - which is kind of the point, I think.
Even moreso once this Warp VPN functionality is live.
I guess the big question I have is why Cloudflare is a more trustable exit point than my mobile carrier is. They're both large corporations with similar privacy policies.
So, the price plan and extras from Business, Professional and Enterprise CDN is enough to cover all the cost of running the network + free tier CDN + Domain Registration Operation + DNS + Free tier VPN?
There is a reason why I am using Apple. Their interest is in me using iPhone or Apple devices with a very decent profit margin, and hopefully upselling me into convenience services like iCloud and in the future Apple Card. It is a simple and easy to understand business model. Even iWork, Maps, and all other services are deducted from each Apple device sold and now accounted into Services.
It would make sense if in reply you could summarize an answer to the question and also say 'more at OK Sure," [1] For example maybe I as a user want to know but don't feel like getting stuck reading more or distracted.
They don't make money, they just want to gain market leverage. This will make their network more interesting because of crowd effect. Akin to fb letting people create profiles/chat, google giving free search results/emails/file hosting, etc. Just finished reading a book about this, see [1] for a review.
Yes, cross subsidisation assumes you have one market segment or product where you have heavy leverage / control and margin to subsidise another. For example, Intel could afford the billions of R&D on 4G modems and losses on mobile SoCs when they have 90% of the server market and mobile PC market. None of the CDN price plans I mentioned in the original comment work on those margins, and they have little lock-in ecosystem.
Facebook's business model is simple: ads. And its business model only works once you reach a certain level of users and usage.
Yes I read it, I am just not convinced it is financially feasible, or sustainable. Freemium models work in gaming when 1% of players are paying in the millions, a factor of hundreds of thousands more than the lowest-paying member. And I don't understand why their model would work.
Honestly, Jason is hopefully going to be thrilled WireGuard is going to be deployed at an absolutely massive scale; not even OpenVPN has been offered as a 'free VPN' like this.
I'm really hoping it works out, and Cloudflare can continue to contribute their expertise working with WG. At the end of the day, this benefits everyone since OpenVPN whilst it's reliable in my experience, is just too burdensome.
I also am intrigued by the price, and features that will differ between free/pro. I suspect many VPN services over the next few years will feel the effects of this (is that why they're all rushing to add 3 year plans?)
We'll keep our open source Rust WireGuard code up to date with our internal version. We hope to work with the WireGuard project later once the dust has settled.
Warp+ will use Argo (our "Waze" of the Internet) to improve routing. It significantly improves reliability and performance. Pricing for Warp+ will vary by region/country to ensure it's appropriately affordable everywhere.
Cloudflare already has an app on mobile devices - but so far it only served your DNS queries. Now the app behaves as a VPN for all your mobile traffic - all data is routed within Cloudflare's network from the moment it leaves your device, which is faster than going through the public internet.
I think it is important to notice that the traffic is first routed to Cloudflare over the public internet, so technically it is not the moment it leaves your device when it starts to get routed inside Cloudflare's network, and in most cases it is back on the public internet again soon after. Being faster crucially relies on having nearby access to their network from your device and from their network to the destination. Otherwise you ultimately just add some additional hops in between, making it likely to be slower in terms of latency instead. I also would not expect much of a difference performance-wise if you access services already using Cloudflare, as the endpoint's network is likely the same there. However, this is only relevant for your argument of it supposedly being faster. Of course the packets leaving your device are encapsulated and unreadable to third-party observers. After being decapsulated it's not about routing your VPN traffic anymore but the packets inside, which is probably what you were referring to on its own.
How does this play with various arbitrary geoip blocks that various video on demand sites deploy ? Cloudflare being a large enough player has enough clout to affect some of these regressive practices (which I consider to be a violation of net-neutrality; a form of ip discrimination if you will). Yet, I feel that it will have the opposite effect, in that cloudflare will get whitelisted somehow much to the disadvantage of other vpn providers.
No matter how much they try to sell it as a goodwill gesture towards mobile users, I will not buy it. There are good examples where a company starts off with good intent but later turns into a typical selfish corporation. Let's face it, every single corporation has to continuously grow, as demanded by the market, which means at some point they will break their promises to implement new means of making money.
TLDR Cloudflare released a privacy-focused DNS resolver at 1.1.1.1, then an app for iOS and Android that set up VPN profiles to use those DNS resolvers.
Now the apps will be upgraded with Warp, an option to set up a full data VPN over WireGuard, terminating at any worldwide PoP.
This should give you super low latency to your VPN server, and also open up the possibility of local caching smarts on the device.
Basic service is free, premium service coming that’ll put you on the CF backbone for all your traffic, should take you off the public internet and speed things up.
This is very vague about where the endpoints will be.
Will Cloudflare push all of the users in a given country to an exit point in their country? Can they realistically do that? Will it guarantee that, or will it vary with load? Will they detect VPNs coming into the service, or will it be a good way of laundering the VPN? Will it do anything at all as an anti censorship service?
TL;DR, I'd expect an awful lot of sites that currently block VPNs entirely (and that practice is increasing) to keep doing it here.
They've glossed over a few details that I'm curious about:
1. What will the exit IPs be? Will I get to stay within my region and access region-specific content, or can I bypass censors, both government (porn, "glory of Islam", etc.) and private (Netflix region-specific content, GDPR non-compliant websites that accidentally block my region)?
2. Can I select my own exit region?
3. How do they handle abuse? Can I spam and get their IP blacklisted? (I'm curious, not actually nefarious)
1. It will exit close to you, unless you have Warp+ in which case we might route it to a different PoP closer to your destination if that makes it faster. It is not designed to bypass censors.
2. No
3. Exactly what an actually nefarious person WOULD say!
No matter what words they use, the model is a dangerous one and we should be just as wary of it coming from cloudflare as we would if it were coming from google.
US startups are not exactly trustworthy by default, and VC backing seems to often force them to abuse any power and control they have over users for the VCs' benefit. And security and privacy these days more often than not are just a cover to do something bad, from simple anti-competitive practices to outright evil causes that help kill people.
Another free service, now with a CF app on your device.
Service    | Scope                  | User Data
DNS        | 1.1.1.1 users          | Browsing history
CDN/Proxy  | CF protected websites  | SSL-decrypted user forms, passwords, emails
Warp VPN   | Warp users             | Device data, browsing history, app traffic
Most sensitive is raw, SSL-decrypted web traffic, and users using two or more services at the same time. CF promise they don't use data, but legalese has loopholes; for example, do they store/use aggregated (not raw) data?
Would Warp have an option to use native (iOS/Android) VPN clients, instead of installing their app? Like, providing warp.mobileconfig configuration profile?
I'm using native iOS/MacOS IKEv2 client with selected few VPN providers, and pretty happy with not having 3rd party app on my mobiles/desktops.
OK. TFA says "We built Warp around WireGuard". That kills native client support.
Are there any Linux phones? I thought everybody was either on iOS or some flavor of Android (....plus some WindowsPhone holdouts, I suppose). Android is vaguely based on the Linux kernel, but nobody would really count that.
Well, there are at least two coming out this year. I can understand them wanting to handle the 99% of use cases first, but as I understand it they won't allow normal WireGuard clients to connect, which is sad but entirely their call.
If they're going for the no-logs gimmick I'll probably just preemptively block their ASNs and save myself a lot of trouble.
Did the same with Nord and a dozen other vpn-of-the-week services. no-logs means no-accountability which means malicious traffic which means you don't get to talk to our stuff.
It's good to have another VPN from a player with huge network infrastructure like Cloudflare, but the article seems to digress frequently.
>TCP, the foundational protocol of the Internet, was never designed for a mobile environment.
Packet loss due to this is mentioned, but I don't see its relevance to the new VPN service, especially when the next section talks about Warp using UDP.
> We’ve built Warp around a UDP-based protocol
Other VPN providers do offer an option of choosing TCP/UDP as per usage i.e. better reliability vs faster speed.
I'm glad that it uses Wireguard, but it's likely other major VPN providers are working on a Wireguard version for their clients & so in the end it would come down to speed/price/privacy which hopefully cloudflare can compete with.
> Other VPN providers do offer an option of choosing TCP/UDP as per usage i.e. better reliability vs faster speed.
I don't think TCP-based VPNs are offered for increased reliability. They might be offered so you can run your VPN traffic in restricted scenarios, e.g. I run a VPN-ish service that uses TCP/443 by default and all connections are only outbound, so you can still use your VPN in restrictive scenarios.
Outside that, encapsulating TCP inside TCP is nothing short of a headache as you have two congestion control algorithms kicking in and one doesn't know about the other.
I wonder how well this works when using wifi and accessing a corporate intranet. I discovered https://myhrportal didn't work when I pinned my DNS to 8.8.8.8.
I didn't think it would work. From my own experiences...
One day when away from the office, I pinned my wifi DNS settings to 8.8.8.8 just to try it out & compare it to the DNS I normally use at home, but then I forgot to undo it. When I got back to the office, the office Intranet was unsurprisingly inaccessible, and I removed the pinned DNS settings. I knew how to solve the problem, but less savvy folks trying out the Cloudflare product might not, which could create some confusion for IT helpdesks.
Cloudflare is concerned with the user experience of people who don't know what a VPN is, and that's why I mentioned it. Normally I would have just tried it & reported the edge case if it exists, but the app isn't usable yet, so I posed the question instead. Judging by the downvotes, I should have mentioned that in my comment above :)