Cloudflare Warp

1.1.1.1

181 points by humility 3 years ago · 195 comments (194 loaded)

RussianCow 3 years ago

We use Cloudflare Warp at work. Honestly—and I say this as a Cloudflare fan in general—it doesn’t work well for me. I regularly have connection issues with it enabled. Video calls sometimes cut out for a couple seconds, and Tuple (which I use a lot) really struggles with it. It’s possible it’s my internet connection or something unrelated, but I don’t have any of these issues when Warp is disabled. YMMV and all that, so take this as the anecdote it is. For what it’s worth, some coworkers have similar issues, but others don’t, so maybe it’s region specific. (I live in Oregon.)

  • jshier 3 years ago

    Warp is actually two products: their consumer VPN product, which is typically what's referred to as Warp, and their Zero Trust, which uses the VPN hooks to layer on Enterprise management features. Zero Trust allows companies to route particular IP ranges through various separate connections, unlike Warp which only routes through Cloudflare. It sounds like your company is routing more than internal IP traffic through Zero Trust, which may mean it's going through your company connection. You can check your Split Tunnel preferences in the client to see for sure. I personally use various tools with Warp just fine.

    However, it's also true that Warp / Zero Trust doesn't use the entire Cloudflare network for their termination points, only a subset of datacenters are used. So you may be getting unlucky through saturation or even just routing to the closest CF point that terminates traffic near you. You can check your "Colocation center" that's being used. In my case, despite living near Detroit and CF's datacenter there, I'm routed through Chicago, adding 40ms to any roundtrip time.

    • elithrar 3 years ago

      > In my case, despite living near Detroit and CF's datacenter there, I'm routed through Chicago, adding 40ms to any roundtrip time.

      This shouldn’t be the case: want to email me (silverlock at cloudflare) the output of https://www.cloudflare.com/cdn-cgi/trace and your company’s accountId?

      This is stuff we want to address — whether directly in our control and/or where we need to ensure others are peering with us locally to help their users.

  • thibault-ml 3 years ago

    I believe the issues with your video calls and Tuple are due to a specific issue we've recently identified. What video call software do you use? Also, Tuple has a troubleshooting screen to see packet loss etc. Would you be willing to share the data from that screen with us? If so, you can reach out to me using my HN username at cloudflare.

    • RussianCow 3 years ago

      We use mostly Google Meet and Slack for calls. If/when I next experience issues, I’ll be sure to reach out!

      • thibault-ml 3 years ago

        Interesting, we've used Google Meet quite a lot without issue. But yes do let me know.

        The main bit I'm interested in is definitely Tuple, specifically because it has a diagnostic screen (network insights?). When you have a bad experience, I'd love to know what that screen says

        • RussianCow 3 years ago

          Tuple is what I've had the most amount of trouble with. I even contacted Tuple, thinking it was an issue on their end, but they looked at the logs and said it was most likely a VPN connectivity problem, and suggested I try it without Warp enabled, which so far has been seamless. The issues with Google Meet are pretty intermittent and uncommon—it just tends to cut out at rather inconvenient moments. :) The difficult thing about these types of tools is that the bar for what works "well" is really high; even very infrequent connectivity issues are enough to sour one's opinion of the tool.

  • rkeene2 3 years ago

    I have the same sorts of issues on Android -- I frequently have to kill the 1.1.1.1 app because it no longer passes traffic, but it seems to work fine on other Linux systems that are not Android.

    • ctrlaltesc 3 years ago

      Alas not. We use it on our Linux machines with include mode and it's painful. Common domains fail to resolve at all, and can't even SSH to IP addresses on the local network. Every update seems to fix one edge case and add two more. At this point I'd rather just have a VPN and spend the buzzword budget on something else.

    • thibault-ml 3 years ago

      The Android issue is an issue, but a separate one. It seems to only happen on a few devices (including mine). What device do you use and on what version of Android?

  • organsnyder 3 years ago

    I use it for work as well. I have issues occasionally with it, but overall it's pretty stable. I'm in Michigan.

aamargulies 3 years ago

I have a fun story about using Warp while on vacation (Bahamas). I was finding that my net traffic felt like it was slower/more variable than I'd expect with uneven speedups and slowdowns.

On a whim I installed and turned on Warp and suddenly my internet speed was both palpably faster and more consistent in its speed. I think it possible that one of the side effects of encrypting your traffic may be that it evades ISP traffic shaping.

  • yjftsjthsd-h 3 years ago

    It could also be the result of sending traffic over a better route

  • Sylamore 3 years ago

    Back when I used Visible (North American MVNO) for my phone, you could get substantially faster speeds and less latency by enabling Warp because it bypassed their traffic shaping and limited egress points, for example if you viewed Netflix without Warp you were throttled to 480p but with Warp you could easily do 1080p.

    • Acutulus 3 years ago

      I had a similar experience. Higher resolution netflix on my T-Mobile prepaid data line with warp installed.

      Additionally I did the bog standard TTL modification, installed warp and probably one or two other things I can't recall. For whatever reason those changes allowed me to tether unlimited 4G speed data rather than being throttled down to 3G after a few gigs. This was true for T-Mobile, US Mobile's "verizon" tower mvno service as well as US Mobile's "t-mobile" tower mvno service. Can't say I was upset about it.

    • xen2xen1 3 years ago

      I always use a VPN when on the hospital's wifi for the same reason. Everything works so much better.

  • piceas 3 years ago

    Unfortunately this is my experience at home in Germany.

    I don't know if Vodafone shapes their traffic but the effect is the same when their network is having trouble for various reasons.

marginalia_nu 3 years ago

Kinda uneasy about how Cloudflare is positioning themselves to have insight into a huge chunk of the Internet's traffic (very much like Google has).

Even though there's no visible abuse right now, you know, Google's motto also used to be "don't be evil".

  • px43 3 years ago

    Cloudflare recently hijacked the domain of one of their customers (RaidForums), then cloned the RaidForums login page, and ran a phishing campaign at the behest of the FBI for two weeks.

    I understand that you have to comply with law enforcement, but actively attacking the users of one of your customer's websites is super rude.

    • xyzzy_plugh 3 years ago

      This is a pretty wild mischaracterization. "I can't believe they let the FBI tell them what to do" is an incredibly bad take.

      • marginalia_nu 3 years ago

        It is a problem when you centralize the Internet like this though.

        The more of the Internet you've got running through your service, the more appealing a target you are for not only domestic government pressure, but attempts from foreign state actors to compromise the service (through not only hacking, but espionage and blackmail as well).

        It's not great.

        • xyzzy_plugh 3 years ago

          I'm no fan of centralization but if you think that it makes any difference to the FBI, you're mistaken. The tiniest providers are obligated to do the exact same thing. This has nothing to do with domestic pressure.

      • px43 3 years ago

        When the FBI asked Apple to build tools to attack customers, Apple said no. Cloudflare could have just dropped RaidForums as a customer, but they went the extra mile and built tools to facilitate an attack of RF users.

    • Handytinge 3 years ago

      I did a bit of reading on this, and it looks like the main admin was arrested weeks before the phishing campaign went up.

      It seems therefore entirely plausible that the admin handed the keys to the castle to the FBI anyway, or at least gave Cloudflare the okay to go ahead.

      I can't find a shred of evidence that Cloudflare were involved directly in making the phishing page or even complying with the FBI.

    • Snawoot 3 years ago

      Please, where can I read about that? I need it to back my point why putting too much trust into CF is not good.

  • avg_dev 3 years ago

    It’s not new either. https://news.ycombinator.com/item?id=21169798

    We used it at a job I had and it made sense for business continuity reasons. But it is centralizing the internet and they are the gatekeepers. Not a good thing

  • Traubenfuchs 3 years ago

    "Your ISP looks at which websites you're browsing, oh the horror! Instead trust us, as an internet behemoth bigger than any ISP in the world with that data!"

    I also don't really get their argument here?

    • sillystuff 3 years ago

      Your ISP can collect your traffic history AND trivially connect that history to your identity, and sell/provide data to brokers, TLAs, police etc.

      Cloudflare can collect your traffic history, but can only connect that history to your originating IP + timestamp. Their official client may be able to collect more info though. But, warp is just wireguard, so you do not need to run their official client; there are shell/python scripts floating around to get the keys / endpoint IPs setup for Warp to use with std. in-kernel wireguard.

      Further, all the telcos in the US are known to have colluded in illegal NSA spying on Americans. Cloudflare has not been caught at this yet. So, you can look at it as a choice of exposing your browsing history to an entity that may not be lying and actually is not snooping vs. telcos that are known to have lied and definitely have and are likely still snooping.

      • marginalia_nu 3 years ago

        > Your ISP can collect your traffic history AND trivially connect that history to your identity, and sell/provide data to brokers, TLAs, police etc.

        That's exaggerating quite a bit. Maybe in 2005 they had that sort of insight, but with HTTPS everywhere things are different. Your ISP can only see which IPs you're connecting to, possibly which hosts you're looking up depending on your setup but DNS-over-TLS and the like will put a wet blanket on that.

        Cloudflare (even without warp) has a much clearer picture of your browsing habits. Not only do they see which webpages you are requesting since they're situated as a MITM between you and a significant chunk of the servers online, they do quite a lot of browser fingerprinting and tracking for bot mitigation that could, theoretically, be used to identify humans as well.

        • sillystuff 3 years ago

          SNI is majority clear-text today, so your ISP can collect the sites you are visiting and not just their IPs even with TLS. Hopefully that changes soon.

          Your point about cloudflare having even more access to your browsing details than the list of sites you have visited that your ISP can collect is a good point. It is kinda crazy how so many companies are OK with a 3rd party terminating TLS for them. And, back on the first point, most sites that do support ESNI today are behind Cloudflare (makes your point even stronger).

          But, still, Cloudflare would have to be snooping on content to correlate identity (at Cloudflare scale, that means they would have to already be targeting you), while your ISP already has it.

          For me personally (stuck with Verizon which is known to snoop and sell data), I prefer "trusting" Cloudflare until they are shown to be a bad actor like Verizon too.

        • Varloom 3 years ago

          Wrong, even with HTTPS & secure DNS, your ISP can see every site you visit in plain text from SNI requests.

    • yjftsjthsd-h 3 years ago

      My ISP has openly stated that they're selling my data for marketing purposes. If CF claims to not be doing that today, then they could at least be temporarily superior.

    • jbirer 3 years ago

      By using Warp you can skip the ISP middleman and give your data straight to FBI, much more efficient

pieno 3 years ago

You have to click on one of the links to find out what this actually does in addition to Cloudflare’s 1^4 DNS server:

> Enter our own WireGuard implementation called BoringTun. The WARP application uses BoringTun to encrypt all the traffic from your device and send it directly to Cloudflare’s edge, ensuring that no one in between is snooping on what you're doing. If the site you are visiting is already a Cloudflare customer, the content is immediately sent down to your device. With WARP+ we use Argo Smart Routing to devise the shortest path through our global network of data centers to reach whomever you are talking to.

[0] https://blog.cloudflare.com/warp-for-desktop/

sejje 3 years ago

> Your Internet service provider can see every site and app you use—even if they’re encrypted. Some providers even sell this data, or use it to target you with ads.

> We believe privacy is a right. We won't sell your data, ever.

"We, the people who make up this company now, but not in the future, PROMISE."

I notice they didn't say "we don't keep the data."

According to the comments, this is just wireguard. I deployed my own on a webhost and I use that, probably to the same effect. I guess I have to trust the webhost not to go snooping in my private logs, but that's a whole lot more targeted and requires a lot more effort.

  • noncoml 3 years ago

    Yup. A bit less catchy than “Don’t be evil” but it’s the same.

    Cloudflare is what Google was 20 years ago.

    The cycle can only break by decentralized protocols.

    • joshmanders 3 years ago

      > The cycle can only break by decentralized protocols.

      I disagree. The cycle can break by breaking up the monopolies so that one company doesn't control everything, and allow free market to expand.

      Competition keeps people from being evil. Evil only happens when there's no reason for them to NOT do evil things.

      Google was fine until they became the top dog and nobody could even compete.

      • legutierr 3 years ago

        Decentralized protocols are the competition you are looking for.

        The only alternative is regulatory intervention, which is unlikely to happen, however much you may want it to happen.

      • dizzant 3 years ago

        > Competition keeps people from being evil. Evil only happens when there's no reason for them to NOT do evil things.

        I don’t agree. People generally don’t steal, but if they have no food, they will resort to theft to survive. Competition can prevent some ill effects of monopolistic tyranny, which I think is what you’re getting at here, but it breeds other evils.

    • dpq 3 years ago

      Which isn't ever going to happen as the benefits of centralization are too great, as it has been empirically observed time and time again.

    • shaky-carrousel 3 years ago

      And in time, Cloudflare will be what Google is now. Better stay away from them, so we don't end locked in, like we did with Google. They will start using their role as the internet proxy as a lever soon, prioritizing the sites they like and slowing down the sites they don't.

    • robertlagrant 3 years ago

      This is all running using decentralised protocols.

    • goodpoint 3 years ago

      > Cloudflare is what Google was 20 years ago.

      Cloudflare is already much worse. It's relentlessly centralizing the whole Internet.

  • avg_dev 3 years ago

    I’m confused by the first claim. Is it really true? I thought TLS prevented anyone from inspecting my traffic. Am I completely off base?

    • Crosseye_Jack 3 years ago

      Well with TLS it stops (almost (1)) anyone from seeing which pages you access on a site (with exceptions(2)), but which site you visit is still accessible unless the server supports Encrypted server name indication (ESNI).

      When using standard SNI (SNI is used so you can have multiple domains on the same IP address) your connection to the server is not encrypted until after the hostname of the server you are requesting is sent at which point the server knows which cert to use to encrypt the rest of the traffic. So you can pull the host header out of the pre-encrypted traffic and look at which site the user is connecting to.

      1) When the webserver you are accessing uses services that terminate TLS before the origin server (Cloudflare and CloudFront to name two) then the operators of those TLS terminators might be able to see which pages on that site you visit

      2) You might be able to determine which page someone is accessing via side channels, for example if example.com/naughtypage.html always returns a page of a certain size which is determinable you can presume they connected to example.com/naughtypage.html if the returning data matches that size.

    • rjh29 3 years ago

      They know what IPs you are connecting to and when, which is valuable. If Cloudflare serves the site you are connecting to (which is increasingly more common) they have access to all of the data you are transmitting.

      • avg_dev 3 years ago

        Somehow I thought they meant more. I’m sure my ISP is after all of my data but I’d rather them than CF. Upon rereading their claim I suspect it is just about IPs and hostnames. I can live with that. Also my browser uses DoH.

      • majou 3 years ago

        SNI reveals which domains.

        • rjh29 3 years ago

          ECH (encrypted client hello) is going to become mainstream pretty soon. But if you're doing something dodgy, hostname vs. IP is unlikely to make a difference anyway.

    • runnerup 3 years ago

      Is “DOH”ttps needed to hide requests from ISP’s when using VPN? I’d imagine the DNS protocol also runs over VPN?

      • Crosseye_Jack 3 years ago

        Well using DoH while using a VPN isn’t going to hurt and VPN clients/OS’s have been known to leak DNS queries from time to time.

        So think of it like other forms of protection where 2 is better than 1 just in case that one fails.

  • joshenders 3 years ago

    Is your web host also deployed within 40ms of every eyeball on earth?

    • sejje 3 years ago

      No, but since it's just a VPN for myself, it only has to be close to my eyeballs.

      Well, actually it doesn't, since ping time is not particularly important to me, but in theory.

      My webhost would be a terrible replacement for Cloudflare's main product, which maybe you're talking about, as it needs a worldwide presence. This product is a VPN for your phone.

  • rco8786 3 years ago

    This is a weird criticism. No person can guarantee that some other person in the future will or will not do something.

    • sejje 3 years ago

      Maybe I wasn't clear. My criticism is this: they're logging the data. That leaves the door open to bad actors in the future, whether it's the next CEO, whether it's a government, or whether it's criminals who steal the data.

      Pointing out that the company will revolve is not a criticism.

      I do think it's kinda funny they are trying to oust your ISP and insert themselves, as the keeper of traffic logs. Either way, I guess we're going to choose a big corporation to trust.

      Lastly, I don't think your point stands, when the quote says "we won't sell your data, EVER" (my emphasis)

    • amcvitty 3 years ago

      Weird in general maybe, but I got the point: if they didn’t store the data, then future people couldn’t sell the data

    • evandwight 3 years ago

      The incentives encourage selling the data and there's no reason they can't just change their mind one day.

      It's a weak promise and a valid criticism.

rubyfan 3 years ago

I’ve been a Warp+ user for some time now and I’m mostly happy.

My online privacy is important to me. I use ad blockers too in addition to cloudflare.

A couple of things I’ve noticed along the way…

1. Switching off my wi-fi network and then rejoining later used to be an issue but seems to have resolved some time ago (mobile)
2. It seems on macOS that almost every time I log in I need to update the client.
3. Usually sites can’t resolve my IP and place me hundreds of miles away which is fine by me. However occasionally I run across a site that has a pretty close to home read on my location. It seems sites that leverage cloudflare cdn might see a more accurate location because they are on the same network - I’m not sure how this works technically though.

I’ve never encountered a censorship situation or any website that was inaccessible. I have run into issues where streaming sites want you to turn off VPN but this isn’t consistent. I also run into issues occasionally when jumping on a hotel wi-fi or like a Lowes or Home Depot where they want you to agree to terms and likely want to snoop your traffic.

  • sillystuff 3 years ago

    Biggest pain points with Warp for me are lately, due to all the abuse by scrapers and such, quite a few sites just throw a 403 when I try to connect to them through Warp including my bank-- consider yourself lucky that you haven't been affected yet. And, most of the time, if I try to use Google search, I just get,

    "Our systems have detected unusual traffic from your computer network. This page checks to see if it's really you sending the requests, and not a robot."

    And, then I am encouraged to enable js so google can provide me a series of captchas to solve.

    It used to work better than a VPN terminating at my own VPS, but now Warp netblocks appear to have a worse reputation than even a colocrossing/low-end box vps.

    Per Cloudflare's FAQ, sites behind cloudflare see your original IP, other sites do not yet:

    https://developers.cloudflare.com/warp-client/known-issues-a...

    • Varloom 3 years ago

      Are you using free or paid Warp? Paid Warp hides your original IP (unlike the free) and generally the IPs have good reputation (no CAPTCHA).

    • jshier 3 years ago

      I've seen this too but not in a while. I'm hoping they can combine their bot detection token attestation feature with Warp to guarantee my real traffic is separated from bot traffic before it leaves their network.

  • TechBro8615 3 years ago

    Cloudflare Warp is not meant for anonymity. If you're using the free tier (and maybe the plus tier too?), websites behind Cloudflare are able to see your origin IP.

  • jshier 3 years ago

    They've recently improved their geolocation capability while preserving privacy. In addition, they add an origin IP header to outgoing HTTP requests to help origins deal with geolocation, but not all origins parse it.

    https://blog.cloudflare.com/geoexit-improving-warp-user-expe...

_odey 3 years ago

Side note: double clicking on the background of this page changes between dark/light mode.

  • toastedwedge 3 years ago

    I love little things like this. It's fun to do something either by accident or with whimsy, thinking about the ridiculousness, and then find out something actually happens!

eis 3 years ago

Warning: Warp exposes your IP to any site that is on CloudFlare. Do not mistake it for a general VPN. It does not protect you from trackers.

This has a surely intentional side effect of incentivizing sites that want to see the real client IP to be behind CloudFlare as well.

Source: https://developers.cloudflare.com/warp-client/known-issues-a...

runnerup 3 years ago

‘eastdakota:

How would you candidly compare guarantees/expectations of Mullvad VPN vs your Cloudflare Warp VPN with respect to:

- privacy, but also

- performance.

As a side note, I really value using a certain popular torrent box VM service for $10/mo is that they provide SSH and OpenVPN. I’ve used that VPN a lot when I worked in GCC countries (Saudi Arabia, UAE, Bahrain) to help me get around national HTTP blocklists. Most every other VPN I tried was blocked, or would get blocked after a certain # of GB sent in a certain timespan. I think the torrent box servers were located in minor data centers which weren’t on their list of “high potential risk” so they bypassed the otherwise pretty thorough blocks.

The server I used was also located in the United States which helped a ton with proper localization and accessing my bank accounts/etc which were otherwise sometimes more difficult to use from other countries.

  • robcohen 3 years ago

    Why use openVPN anymore when you can easily use Wireguard instead?

    • ranger_danger 3 years ago

      Requires UDP, not all providers allow that, especially hotspots and places such as hotels that try to block gaming/video and such.

    • runnerup 3 years ago

      Potentially just ignorance, I’m aware of wireguard and I use their client for my MacBooks but I haven’t taken time to investigate any of the differences, pros, or cons. Will do that now, thank you for prompting me!

    • e12e 3 years ago

      Not sure what you mean - mullvad supports using wireguard?

      • matt74827289 3 years ago

        Not sure what you mean - he never implied that mullvad didn't support wireguard. He was asking why the original commenter used OpenVPN over wireguard.

  • xvector 3 years ago

    Warp makes no substantive privacy claims.

Ixiaus 3 years ago

I use Cloudflare WARP for my home and smartphone and laptop. I really, really like the content policies I can configure. Getting the combo of VPN + DNS content filtering is really nice. I use it for blocking myself from accessing pornography and their security and deceptive website categories have been useful.

The interface for configuring the content policies is really easy to use too.

I also really like the browser isolation feature too - I use it to access links from emails I feel suspicious about.

blumomo 3 years ago

Where is Cloudflare heading to? Do they want to „own“ the entire internet traffic?

  • hombre_fatal 3 years ago

    Perhaps centralization is the fate of an internet where it costs $5 to boot a website off of it.

    • curious_cat_163 3 years ago

      Well. I hear you. But, is it really centralization if we are adding one more ‘super node’ as we seem to be doing in this case?

      I am all for even more big companies having even bigger networks. As long as they cannot stop new players from emerging and getting bigger, these centralization vs distributed trade offs are largely academic.

  • ethbr0 3 years ago

    IMHO, it comes down to the economic structure of peering in the US (as I understand it? And not sure globally?).

    Tl;dr: You have negotiating power based on the number of end clients you connect to the network.

    And connectivity is an extremely high capital, low margin, and predatory industry.

    Consequently, "build useful services, that cause more people to connect through you, that then allows you to favorably peer and lower your costs" is Cloudflare's strategic business model.

    So yes, they would very much like the entire Internet to run through them. Or more accurately, terminate to their customers.

lozenge 3 years ago

Why do they want to add all our traffic to their backbone?

  • crazytalk 3 years ago

    Much easier to get a global view of Internet behaviour when there are only one or two DCs worth of ClickHouse clusters needing tapped

    Related question: given this obviously generates logs, what are CloudFlare doing to protect log data in transit within its own network from similar attacks to the Google-NSA episode? ( https://www.washingtonpost.com/world/national-security/nsa-i... )

    • robocat 3 years ago

      What was to stop the NSA funding, creating, acquiring, or controlling CloudFlare so as to be useful for MITM surveillance?

      • stjohnswarts 3 years ago

        I suspect the 5 eye countries don't have to pay a dime and have complete access to traffic and records on it. Hence everyone pushing encryption to at least make it a bit harder for them.

  • rozenmd 3 years ago

    Hint: bot detection is one of Cloudflare's products

  • datalopers 3 years ago

    Same reason as they offer free TLS termination. Someone is paying for all of that unencrypted and/or de-anonymized traffic across an increasingly large portion of all internet activity.

    • TechBro8615 3 years ago

      Any source for that disparaging claim?

      • datalopers 3 years ago

        PRISM and FISA/FAA. 15 years ago every telecom and internet company was providing backdoor access to communications. What makes you think that somehow that has changed? US laws sure haven't and the technology has only improved.

        • TechBro8615 3 years ago

          I don’t think it’s changed, but the claim was that people (“someone”) are paying Cloudflare for access to these logs.

radicaldreamer 3 years ago

Cloudflare Warp is an extremely unreliable and frustrating end user experience that’s not worth the trouble for the vast majority of people.

The client software implementations are poor and unreliable. Any possible performance gain will be wiped out by constantly needing to debug issues.

m348e912 3 years ago

What's that saying? "'If you're not paying for the product, you are the product'?" It comes to mind here.

  • mulligan 3 years ago

    you can literally pay for the product (e.g., an ISP service) and still have meta data you generate bundled and sold.

    the saying is overused and mostly misleading, unfortunately.

    • stjohnswarts 3 years ago

      I believe it's simply a statement that you can't take the converse of. If something is free, then the company providing it must get some benefit from it. You can't flip that around in very many cases.

daqnal 3 years ago

Can anyone explain how Cloudflare got the 1.1.1.1 domain? I know they are an influential company that controls a large portion of the internet, but I'm still confused. Is it an IP or a name that gets matched to an IP?

  • maxboone 3 years ago

    It's an IP, just like 1.0.0.1 (1.1): https://blog.cloudflare.com/announcing-1111/

    https://1.1/

    "APNIC's research group held the IP addresses 1.1.1.1 and 1.0.0.1. While the addresses were valid, so many people had entered them into various random systems that they were continuously overwhelmed by a flood of garbage traffic. APNIC wanted to study this garbage traffic but any time they'd tried to announce the IPs, the flood would overwhelm any conventional network."

  • latchkey 3 years ago

    https://blog.cloudflare.com/dns-resolver-1-1-1-1/

    https://labs.apnic.net/?p=1127

    Interestingly, we are now 4 years into this 5 year experiment.

    • Handytinge 3 years ago

      > Upon the expiration of the initial period, or at any time thereafter, APNIC shall consider a request by Cloudflare for a permanent allocation of these IPv4 addresses to Cloudflare. APNIC undertakes to refer any such request to the regional Address Policy Special Interest Group as a matter of a change to the current research use designation of these IPv4 addresses, and APNIC shall be bound to the outcomes of this policy group.

      Looks like Cloudflare are about to make a sizable "donation" to APNIC.

  • birdyrooster 3 years ago

    So long as the ip or host name is in the TLS certificate CN or SAN, it doesn’t matter.

  • ac29 3 years ago

    It's an IP address.

thrdbndndn 3 years ago

Does it work in countries like China to bypass their Great Firewall?

Edit: Out of curiosity I searched in some Chinese tech forums. Apparently it works, but it is so slow, not really useful for any serious use.

jarym 3 years ago

Most of the time the fastest way to any given site is to avoid unnecessary network hops.

Now maybe CF have a more efficient route here or there but really I can’t believe that for most people it’ll be faster.

As for security or privacy I can’t imagine they’re much safer than browsing most HTTPS sites directly. There’s nothing to say they’ll be able to resist a secret US government subpoena for records either.

  • kevincox 3 years ago

    You'd be surprised at the poor path that the average packet takes. Cloudflare has lots of PoPs that are very close to major cities so it is very conceivable that if that brings you to a higher quality backbone it would result in better performance overall. I don't know about the quality of Cloudflare's backbone but at Google you could definitely get noticeably better performance by quickly getting into the Google backbone and popping back onto the internet near your destination.

    • crazytalk 3 years ago

      Do they even maintain something resembling a backbone? A lot of these CDNs just use public transit for outwards traffic

      • jshier 3 years ago

        Yes, they maintain prioritized links between their datacenters, many of which are fully private. However, the Warp free plan simply bounces to the nearest CF datacenter which participates in Warp (not all of their centers do) and then back into the public internet, though it's through their massive pipe. Warp+ uses their Argo routing through their private backbone to get you as close to the origin as possible within the Warp network.

  • stjohnswarts 3 years ago

    The only real advantage I see is that it could be useful in coffee shops and hiding your connections from your computer->ISP->Cloudflare. The ISP can't see your traffic and headers other than that the encrypted pipe has been created between you and Cloudflare "VPN".

Implicated 3 years ago

So... it's a VPN?

  • Normal_gaussian 3 years ago

    Yes, VPN via WireGuard. Quote from their blog (https://blog.cloudflare.com/warp-for-desktop/):

    WARP was built on the philosophy that even people who don’t know what “VPN” stands for should be able to still easily get the protection a VPN offers. For those of us unfortunately very familiar with traditional corporate VPNs, something better was needed. Enter our own WireGuard implementation called BoringTun.

    The WARP application uses BoringTun to encrypt all the traffic from your device and send it directly to Cloudflare’s edge, ensuring that no one in between is snooping on what you're doing.

  • vbezhenar 3 years ago

    WireGuard VPN. But they disclose your real IP to websites served by Cloudflare, so it’s kind of unusual. I use it to circumvent my country's censorship.

    • btown 3 years ago

      From https://developers.cloudflare.com/warp-client/known-issues-a... :

      > In a number of cases, if the origin site you are communicating with cannot determine who you are and where you are from, it cannot serve locale-relevant content to you (that is, anything related to a customized user experience, such as language or regional configurations). Sites inside Cloudflare’s network are able to see this information. If a site is showing you your IP address, chances are they are in our network. Most sites outside our network, however, are unable to see this information and instead see the nearest egress server to their server. We are working to see if in the future we can find a way to more easily share this information with a limited number of sites outside Cloudflare’s network, where it is relevant to both parties.

      Given that Cloudflare has recently announced that a site’s operators promoting doxxing is an acceptable use of that same Cloudflare network (their backtracking on grounds of imminent threats to human life in one situation does not make this any less their policy), I cannot in good conscience promote Warp to anyone.

  • sedatk 3 years ago

    It's a DNS service with an optional VPN feature.

  • stjohnswarts 3 years ago

    It overlaps a VPN but it is not a traditional "hide-my-ass" one that hides your IP from the destination address; Warp will send along your IP info in headers to the destination if it's someone who uses Cloudflare services.

xyzzy_plugh 3 years ago

Cloudflare is shoving Warp down any open throat they see. It's really annoying. I recently did some sales calls with them and they really want everyone using Warp.

I'm sure that the traffic analysis it unlocks for them is incredibly valuable. But I'll never use this.

120bits 3 years ago

(I had this issue, not sure if it's fixed now or I was doing something wrong)

I'm not sure if it's related, but I had some DNS resolution issues when I switched on WARP. I know that 1.1.1.1 is DNS over SSL, some ISPs don't like that? I don't remember which applications had issues (guessing it might be the Steam client, I could be wrong).

Also, never noticed a significant gain in network speed or reliability either. I don't use it anymore, but will give it a try again.

ReptileMan 3 years ago

And what is Warp? DNS? Wireguard with a fancy name and a paintjob? How does it work? Not clear at all from the description ...

rhplus 3 years ago

Perhaps we should just start calling it "the handful of nets" rather than "the internet"?

pram 3 years ago

How does this compare to Private Relay? I’ve noticed most of the traffic goes through CF (where I live anyway)

smsm42 3 years ago

So, are they already blocking access to the parts of the Internet that they consider to be too dangerous for people to be allowed to visit? Or how long would it be till they start to?

ugjka 3 years ago

I have 20-100Mbps LTE and Warp made it worse, so no, thanks

LouisvilleGeek 3 years ago

Would be nice if we could override the DNS. Currently use a pihole that already uses 1.1.1.1 and losing the adblocker is a deal breaker.

syntaxing 3 years ago

Pardon my ignorance in this subject but is this more than an encrypted DNS? Are there any security issues using this?

  • Varloom 3 years ago

    Encrypted DNS doesn't encrypt SNI, your ISP can see all domains you visit in plain text.

mmastrac 3 years ago

The fun thing about 1.1.1.1 is that it's one of a tiny number of IP-address certs on the internet at large.

sorenjan 3 years ago

Can this be used in a container to do scraping of websites that might block your IP if you're not careful?

awinter-py 3 years ago

why tf does the whole screen change color when I try to highlight text?!

ughghg scroll jank nausea

forget ad blockers I need a css blocker

  • Ayesh 3 years ago

    Double clicking the background apparently toggles the dark mode. Because you know, people love toggling dark mode on and off and web sites must make it so much easier even at the cost of overriding default behaviors.

nemo44x 3 years ago

> We believe privacy is a right. We won't sell your data, ever.

There’s no reason to believe this. This is the same company that publicly stated their principled position relating to the culture of free speech and then flip-flopped not even 3 days later.

It’s not about that issue but rather that this company has lost credibility and should not be trusted with any promises. Keep at arm's length.

  • stjohnswarts 3 years ago

    Yeah I wondered about this myself. Who checks "terms of service" every week to make sure they haven't changed on every service they use? At least if you use a VPN you know you'd likely hear about it everywhere in tech news, and that VPN knows that it's a death blow.

  • matt_attack 3 years ago

    Indeed. I just remembered I was using their DNS service and disabled it because clearly they can't be trusted.

gadders 3 years ago

Not sure we should give Cloudflare even more ways to censor the internet.

DefineOutside 3 years ago

Warp seems to stabilize my connection and 3x the download speed since I have 8% packet loss typically. I'm somewhat of an edge case though since this level of packet loss isn't normal.

valdagger 3 years ago

I don't quite understand this. Is this just a normal VPN?

  • Ayesh 3 years ago

    Yes. Except that it uses WireGuard (more efficient and a modern protocol), and sites using Cloudflare can still see your IP.

    You can't change the exit node (the server that web sites see), and it is free, unlike most commercial VPN providers.

RedditKon 3 years ago

Is Warp just a VPN, or is that different?

kiliancs 3 years ago

The Play store page says "1.1.1.1: Faster & Safer Intern". Well, that is a new feature indeed!

willk 3 years ago

CNN

letsgo39 3 years ago

If you use Apple relay service is this still relevant?

  • Ayesh 3 years ago

    Probably. As far as I know, the Apple Relay only works in the browser. So your torrent clients and other apps can still bypass it and directly access their servers. Warp+ is a VPN.

dustinmoris 3 years ago

Can’t wait for Warpbleed to happen.
