We use Cloudflare Warp at work. Honestly—and I say this as a Cloudflare fan in general—it doesn’t work well for me. I regularly have connection issues with it enabled. Video calls sometimes cut out for a couple seconds, and Tuple (which I use a lot) really struggles with it. It’s possible it’s my internet connection or something unrelated, but I don’t have any of these issues when Warp is disabled. YMMV and all that, so take this as the anecdote it is. For what it’s worth, some coworkers have similar issues, but others don’t, so maybe it’s region specific. (I live in Oregon.)
Warp is actually two products: their consumer VPN product, which is typically what's referred to as Warp, and their Zero Trust, which uses the VPN hooks to layer on Enterprise management features. Zero Trust allows companies to route particular IP ranges through various separate connections, unlike Warp which only routes through Cloudflare. It sounds like your company is routing more than internal IP traffic through Zero Trust, which may mean it's going through your company connection. You can check your Split Tunnel preferences in the client to see for sure. I personally use various tools with Warp just fine.
However, it's also true that Warp / Zero Trust doesn't use the entire Cloudflare network for their termination points, only a subset of datacenters are used. So you may be getting unlucky through saturation or even just routing to the closest CF point that terminates traffic near you. You can check your "Colocation center" that's being used. In my case, despite living near Detroit and CF's datacenter there, I'm routed through Chicago, adding 40ms to any roundtrip time.
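One way to do the "which colo am I terminating at" check from the command line, as an added example (not from any commenter): Cloudflare's `/cdn-cgi/trace` endpoint returns one `key=value` per line, including `warp=` and `colo=`; the sample text below is constructed, and the field values are assumptions.

```python
"""Parse Cloudflare's /cdn-cgi/trace output to confirm the Warp tunnel is up
and which colocation center terminates it (added example, not Cloudflare code)."""
import urllib.request

TRACE_URL = "https://www.cloudflare.com/cdn-cgi/trace"

# Constructed sample in the trace format; every value here is made up.
SAMPLE_TRACE = """fl=123abc
h=www.cloudflare.com
ip=203.0.113.45
ts=1700000000.123
visit_scheme=https
uag=curl/8.4.0
colo=ORD
http=http/2
loc=US
tls=TLSv1.3
warp=on
gateway=off
"""


def parse_trace(text: str) -> dict:
    """Turn key=value lines into a dict; blank or malformed lines are skipped.
    Split on the first '=' only so values containing '=' survive."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def warp_status(fields: dict) -> dict:
    """Summarise what a Warp user cares about: is the tunnel active, is it
    Warp+, which colo, and what exit IP / country the edge reports.
    Assumed values for the warp field: 'off', 'on', 'plus'."""
    warp = fields.get("warp", "off")
    return {
        "tunnel_active": warp in ("on", "plus"),
        "plus": warp == "plus",
        "colo": fields.get("colo", "unknown"),
        "exit_ip": fields.get("ip", "unknown"),
        "country": fields.get("loc", "unknown"),
    }


def fetch_trace(url: str = TRACE_URL, timeout: float = 5.0) -> str:
    """Live variant of the check; needs network access."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_trace() for a real check.
    print(warp_status(parse_trace(SAMPLE_TRACE)))
```

Run it twice, once with Warp disabled and once enabled, and compare the `colo` and `exit_ip` values to see where your traffic actually terminates.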
I believe the issues with your video calls and Tuple are due to a specific issue we've recently identified. What video call software do you use?
Also, Tuple has a troubleshooting screen to see packet loss etc. Would you be willing to share the data from that screen with us? If so, you can reach out to me using my HN username at cloudflare.
I have the same sorts of issues on Android -- I frequently have to kill the 1.1.1.1 app because it no longer passes traffic, but it seems to work fine on other Linux systems that are not Android.
I have a fun story about using Warp while on vacation (Bahamas). I was finding that my net traffic felt like it was slower/more variable than I'd expect with uneven speedups and slowdowns.
On a whim I installed and turned on Warp and suddenly my internet speed was both palpably faster and more consistent in its speed. I think it possible that one of the side effects of encrypting your traffic may be that it evades ISP traffic shaping.
Back when I used Visible (North American MVNO) for my phone, you could get substantially faster speeds and less latency by enabling Warp because it bypassed their traffic shaping and limited egress points, for example if you viewed Netflix without Warp you were throttled to 480p but with Warp you could easily do 1080p.
Cloudflare recently hijacked the domain of one of their customers (RaidForums), then cloned the RaidForums login page, and ran a phishing campaign at the behest of the FBI for two weeks.
I understand that you have to comply with law enforcement, but actively attacking the users of one of your customer's websites is super rude.
We used it at a job I had and it made sense for business continuity reasons. But it is centralizing the internet and they are the gatekeepers. Not a good thing
"Your ISP looks at which websites your browsing, oh the horror! Instead trust us, as an internet behemoth bigger than any ISP in the world with that data!"
You have to click on one of the links to find out what this actually does in addition to Cloudflare’s 1^4 DNS server:
> Enter our own WireGuard implementation called BoringTun. The WARP application uses BoringTun to encrypt all the traffic from your device and send it directly to Cloudflare’s edge, ensuring that no one in between is snooping on what you're doing. If the site you are visiting is already a Cloudflare customer, the content is immediately sent down to your device. With WARP+ we use Argo Smart Routing to devise the shortest path through our global network of data centers to reach whomever you are talking to.
> Your Internet service provider can see every site and app you use—even if they’re encrypted. Some providers even sell this data, or use it to target you with ads.
> We believe privacy is a right. We won't sell your data, ever.
"We, the people who make up this company now, but not in the future, PROMISE."
I notice they didn't say "we don't keep the data."
According to the comments, this is just wireguard. I deployed my own on a webhost and I use that, probably to the same effect. I guess I have to trust the webhost not to go snooping in my private logs, but that's a whole lot more targeted and requires a lot more effort.
I’ve been a Warp+ user for some time now and I’m mostly happy.
My online privacy is important to me. I use ad blockers too in addition to cloudflare.
A couple of things I’ve noticed along the way…
1. Switching off my wi-fi network and then rejoining later used to be an issue but seems to have resolved some time ago (mobile)
2. It seems on macOS that almost every time I login I need to update the client.
3. Usually sites can’t resolve my IP and place me hundreds of miles away which is fine by me. However occasionally I run across a site that has a pretty close to home read on my location. It seems sites that leverage cloudflare cdn might see a more accurate location because they are on the same network - I’m not sure how this works technically though.
I’ve never encountered a censorship situation or any website that was inaccessible. I have run into issues where streaming sites want you to turn off VPN but this isn’t consistent. I also run into issues occasionally when jumping on a hotel wi-fi or like a Lowes or Home Depot where they want you to agree to terms and likely want to snoop your traffic.
Biggest pain points with Warp for me lately are that, due to all the abuse by scrapers and such, quite a few sites just throw a 403 when I try to connect to them through Warp, including my bank-- consider yourself lucky that you haven't been affected yet. And, most of the time, if I try to use Google search, I just get,
"Our systems have detected unusual traffic from your computer network. This page checks to see if it's really you sending the requests, and not a robot."
And, then I am encouraged to enable js so google can provide me a series of captchas to solve.
It used to work better than a VPN terminating at my own VPS, but now Warp netblocks appear to have a worse reputation than even a colocrossing/low-end box vps.
Per Cloudflare's FAQ, sites behind cloudflare see your original IP, other sites do not yet: https://developers.cloudflare.com/warp-client/known-issues-a...
Cloudflare Warp is not meant for anonymity. If you're using the free tier (and maybe the plus tier too?), websites behind Cloudflare are able to see your origin IP.
They've recently improved their geolocation capability while preserving privacy. In addition, they add an origin IP header to outgoing HTTP requests to help origins deal with geolocation, but not all origins parse it.
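An origin-side illustration of the point about sites behind Cloudflare seeing the Warp user's real IP "but not all origins parse it", as an added example (not from any commenter or from Cloudflare): the header name `CF-Connecting-IP` is the Cloudflare proxy header I assume the comment refers to, and the trusted proxy CIDRs below are constructed placeholders standing in for Cloudflare's published ranges.

```python
"""Safely read the client IP that a proxy-supplied header carries (added example).
The security point: honour the header only when the TCP peer really is the
proxy, otherwise any direct client can forge it."""
import ipaddress
from typing import Mapping

# Placeholder ranges (RFC 5737 / RFC 3849 documentation space, constructed);
# a real deployment loads Cloudflare's current published list instead.
TRUSTED_PROXY_CIDRS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]

# Header the Cloudflare proxy sets to the connecting client's address
# (assumption: this is the header the comment above means).
CLIENT_IP_HEADER = "cf-connecting-ip"


def is_trusted_proxy(addr: str) -> bool:
    """True if the TCP peer address falls inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXY_CIDRS)


def client_ip(peer_addr: str, headers: Mapping[str, str]) -> str:
    """Address to treat as the client for logging, rate limiting, geolocation.

    Only a trusted proxy's header is believed; a missing or malformed header
    falls back to the peer address rather than failing open."""
    if not is_trusted_proxy(peer_addr):
        return peer_addr
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get(CLIENT_IP_HEADER, "").strip()
    try:
        return str(ipaddress.ip_address(claimed))
    except ValueError:
        return peer_addr


def audit(peer_addr: str, headers: Mapping[str, str]) -> dict:
    """Resolve the client IP and flag a header that was present but ignored:
    either a direct client trying to spoof its address, or a proxy range
    missing from TRUSTED_PROXY_CIDRS. Useful as a detection signal."""
    lowered = {k.lower(): v for k, v in headers.items()}
    resolved = client_ip(peer_addr, headers)
    header_present = CLIENT_IP_HEADER in lowered
    return {
        "peer": peer_addr,
        "client": resolved,
        "header_ignored": header_present and resolved == peer_addr,
    }


if __name__ == "__main__":
    # Constructed requests: one via the proxy, one direct with a forged header.
    print(audit("198.51.100.7", {"CF-Connecting-IP": "203.0.113.9"}))
    print(audit("192.0.2.10", {"CF-Connecting-IP": "203.0.113.9"}))
```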
I love little things like this. It's fun to do something either by accident or with whimsy, thinking about the ridiculousness, and then find out something actually happens!
How would you candidly compare guarantees/expectations of Mullvad VPN vs your Cloudflare Warp VPN with respect to:
- privacy, but also
- performance.
As a side note, what I really value about using a certain popular torrent box VM service for $10/mo is that they provide SSH and OpenVPN. I’ve used that VPN a lot when I worked in GCC countries (Saudi Arabia, UAE, Bahrain) to help me get around national HTTP blocklists. Most every other VPN I tried was blocked, or would get blocked after a certain # of GB sent in a certain timespan. I think the torrent box servers were located in minor data centers which weren’t on their list of “high potential risk” so they bypassed the otherwise pretty thorough blocks.
The server I used was also located in the United States which helped a ton with proper localization and accessing my bank accounts/etc which were otherwise sometimes more difficult to use from other countries.
I use Cloudflare WARP for my home and smartphone and laptop. I really, really like the content policies I can configure. Getting the combo of VPN + DNS content filtering is really nice. I use it for blocking myself from accessing pornography and their security and deceptive website categories have been useful.
The interface for configuring the content policies is really easy to use too.
I also really like the browser isolation feature too - I use it to access links from emails I feel suspicious about.
IMHO, it comes down to the economic structure of peering in the US (as I understand it? And not sure globally?).
Tl;dr: You have negotiating power based on the number of end clients you connect to the network.
And connectivity is an extremely high capital, low margin, and predatory industry.
Consequently, "build useful services, that cause more people to connect through you, that then allows you to favorably peer and lower your costs" is Cloudflare's strategic business model.
So yes, they would very much like the entire Internet to run through them. Or more accurately, terminate to their customers.
Same reason as they offer free TLS termination. Someone is paying for all of that unencrypted and/or de-anonymized traffic across an increasingly large portion of all internet activity.
Can anyone explain how Cloudflare got the 1.1.1.1 domain? I know they are an influential company that controls a large portion of the internet, but I'm still confused. Is it an IP or a name that gets matched to an IP?
"APNIC's research group held the IP addresses 1.1.1.1 and 1.0.0.1. While the addresses were valid, so many people had entered them into various random systems that they were continuously overwhelmed by a flood of garbage traffic. APNIC wanted to study this garbage traffic but any time they'd tried to announce the IPs, the flood would overwhelm any conventional network."
Most of the time the fastest way to any given site is to avoid unnecessary network hops.
Now maybe CF have a more efficient route here or there but really I can’t believe that for most people it’ll be faster.
As for security or privacy I can’t imagine they’re much safer than browsing most HTTPS sites directly. There’s nothing to say they’ll be able to resist a secret US government subpoena for records either.
You'd be surprised at the poor path that the average packet takes. Cloudflare has lots of PoPs that are very close to major cities so it is very conceivable that if that brings you to a higher quality backbone it would result in better performance overall. I don't know about the quality of Cloudflare's backbone but at Google you could definitely get noticeably better performance by quickly getting into the Google backbone and popping back onto the internet near your destination.
The only real advantage I see is that it could be useful in coffee shops and hiding your connections from your computer->isp->cloudflare. The ISP can't see your traffic and headers, other than that the encrypted pipe has been created between you and the cloudflare "vpn".
WARP was built on the philosophy that even people who don’t know what “VPN” stands for should be able to still easily get the protection a VPN offers. For those of us unfortunately very familiar with traditional corporate VPNs, something better was needed. Enter our own WireGuard implementation called BoringTun.
The WARP application uses BoringTun to encrypt all the traffic from your device and send it directly to Cloudflare’s edge, ensuring that no one in between is snooping on what you're doing.
It overlaps a VPN but it is not a traditional "hide-my-ass" one that hides your IP from the destination address, warp will send along your IP info in headers to the destination if it's someone who uses cloudflare services.
Cloudflare is shoving Warp down any open throat they see. It's really annoying. I recently did some sales calls with them and they really want everyone using Warp.
I'm sure that the traffic analysis it unlocks for them is incredibly valuable. But I'll never use this.
(I had this issue, not sure if it's fixed now or I was doing something wrong)
I'm not sure if it's related, but I had some DNS resolution issues when I switched on WARP. I know that 1.1.1.1 is DNS over SSL, some ISPs don't like that? I don't remember which applications had issues (guessing it might be the steam client, I could be wrong)
Also, never noticed a significant gain in network speed or reliability either. I don't use it anymore, but will give it a try again.
So, are they already blocking access to the parts of the Internet that they consider to be too dangerous for people to be allowed to visit? Or how long would it be till they start to?
Double clicking the background apparently toggles the dark mode. Because you know, people love toggling dark mode on and off and web sites must make it so much easier even at the cost of overriding default behaviors.
> We believe privacy is a right. We won't sell your data, ever.
There’s no reason to believe this. This is the same company that publicly stated their principled position relating to the culture of free speech and then flip-flopped not even 3 days later.
It’s not about that issue but rather that this company has lost credibility and should not be trusted with any promises. Keep at arm's length.
Yeah I wondered about this myself. Who checks "terms of service" every week to make sure they haven't changed on every service they use? At least if you use a VPN you know you'd likely hear about it everywhere in tech news, and that VPN knows that it's a death blow.
warp seems to stabilize my connection and 3x the download speed since I have 8% packet loss typically. I'm somewhat of an edge case though since this level of packet loss isn't normal.
Probably. As far as I know, the Apple Relay only works in the browser. So your torrent clients and other apps can still bypass it and directly access their servers. Warp+ is a VPN.
They have no obligation, legally or otherwise, to host content they don't agree with. That isn't censoring. Are you censoring them for telling them what they can or can't do with their servers? You choose who you let in your house and if they say things which demean yourself, family, i.e., associates, then like anyone I'm sure you might tell them you don't want to host them. If you're a store owner you have a right to tell someone to leave if they're denigrating other customers, i.e., their desire, perhaps some might say right, to shop without harassment. I don't know why the obvious keeps having to be explained here.
RussianCow|3 years ago
jshier|3 years ago
thibault-ml|3 years ago
rkeene2|3 years ago
organsnyder|3 years ago
aamargulies|3 years ago
yjftsjthsd-h|3 years ago
Sylamore|3 years ago
piceas|3 years ago
I don't know if Vodafone shapes their traffic but the effect is the same when their network is having trouble for various reasons.
marginalia_nu|3 years ago
Even though there's no visible abuse right now, you know, Google's motto also used to be "don't be evil".
px43|3 years ago
avg_dev|3 years ago
Traubenfuchs|3 years ago
I also don't really get their argument here?
pieno|3 years ago
[0] https://blog.cloudflare.com/warp-for-desktop/
sejje|3 years ago
noncoml|3 years ago
Cloudflare is what Google was 20 years ago.
The cycle can only break by decentralized protocols.
avg_dev|3 years ago
joshenders|3 years ago
rco8786|3 years ago
rubyfan|3 years ago
sillystuff|3 years ago
TechBro8615|3 years ago
jshier|3 years ago
https://blog.cloudflare.com/geoexit-improving-warp-user-expe...
_odey|3 years ago
toastedwedge|3 years ago
eis|3 years ago
This has a surely intentional side effect of incentivizing sites that want to see the real client IP to be behind CloudFlare as well.
Source: https://developers.cloudflare.com/warp-client/known-issues-a...
runnerup|3 years ago
robcohen|3 years ago
xvector|3 years ago
Ixiaus|3 years ago
blumomo|3 years ago
hombre_fatal|3 years ago
ethbr0|3 years ago
lozenge|3 years ago
crazytalk|3 years ago
Related question: given this obviously generates logs, what are CloudFlare doing to protect log data in transit within its own network from similar attacks to the Google-NSA episode? ( https://www.washingtonpost.com/world/national-security/nsa-i... )
rozenmd|3 years ago
datalopers|3 years ago
radicaldreamer|3 years ago
The client software implementations are poor and unreliable. Any possible performance gain will be wiped out by constantly needing to debug issues.
m348e912|3 years ago
mulligan|3 years ago
the saying is overused and mostly misleading, unfortunately.
daqnal|3 years ago
maxboone|3 years ago
https://1.1/
latchkey|3 years ago
https://labs.apnic.net/?p=1127
Interestingly, we are now 4 years into this 5 year experiment.
birdyrooster|3 years ago
ac29|3 years ago
thrdbndndn|3 years ago
Edit: Out of curiosity I searched in some Chinese tech forums. Apparently it works, but it is so slow, not really useful for any serious use.
jarym|3 years ago
kevincox|3 years ago
stjohnswarts|3 years ago
Implicated|3 years ago
Normal_gaussian|3 years ago
vbezhenar|3 years ago
sedatk|3 years ago
stjohnswarts|3 years ago
xyzzy_plugh|3 years ago
120bits|3 years ago
ReptileMan|3 years ago
rhplus|3 years ago
pram|3 years ago
xenospn|3 years ago
smsm42|3 years ago
ugjka|3 years ago
secondcoming|3 years ago
LouisvilleGeek|3 years ago
syntaxing|3 years ago
Varloom|3 years ago
mmastrac|3 years ago
sorenjan|3 years ago
awinter-py|3 years ago
ughghg scroll jank nausea
forget ad blockers I need a css blocker
Ayesh|3 years ago
nemo44x|3 years ago
stjohnswarts|3 years ago
matt_attack|3 years ago
gadders|3 years ago
DefineOutside|3 years ago
valdagger|3 years ago
Ayesh|3 years ago
You can't change the exit node (the server that web sites see), and it is free, unlike most commercial VPN providers.
RedditKon|3 years ago
kiliancs|3 years ago
willk|3 years ago
letsgo39|3 years ago
Ayesh|3 years ago
dustinmoris|3 years ago
0134340|3 years ago
socialismisok|3 years ago
markdown|3 years ago
doliveira|3 years ago