Cloudflare adds VPN features to privacy app

As promised in April, Cloudflare has finally launched Warp, a consumer mobile privacy app that looks a lot like a VPN without actually being one.

That sounds confusing so let’s start by describing the service itself, which can be accessed via a free Android and iOS app called Warp, and a $4.99 per month subscription app called Warp+.

The first, Warp, is a development of the service and mobile apps launched in 2018 as an alternative DNS resolver that headlined on the theme of privacy – i.e. we don’t log the sites you visit.

More recently, the app added support for the emerging encrypted DNS standards, DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), which hide the domains people visit from ISPs and anyone else listening in (Mozilla recently integrated this service into Firefox).

Now has become ‘ with Warp’ by adding the ability to encrypt all traffic from the mobile device and not just DNS queries, hence the similarity to a full VPN.

What does the Warp+ subscription add to this? Despite being limited to one device, the user gets unlimited bandwidth and 30% better performance thanks, Cloudflare says, to Warp+ traffic being routed over its global network in an optimised way.

Note that if you signed up for the Warp waiting list via the app, you also get the chance to try Warp+ free of charge with an initial 10GB of data.

If Warp isn’t a VPN, what is it?

Traditional VPNs route a user’s network traffic to a trusted, internet-connected server, via an encrypted ‘tunnel’. The security benefit of a VPN is that it lets a user send traffic via a provider they trust (the VPN company) while hiding it from others they don’t trust (ISPs, Wi-Fi snoopers and bad actors, which can’t).

The privacy benefit of a VPN is that a user’s traffic appears to originate from the trusted server rather than their own device. The server may be in a different country to the user and some commercial VPNs allow users to choose which country they appear to be browsing from.

This is why VPNs have become a popular way to dodge geographic restrictions placed on streaming content such as Netflix or the BBC.

Warp is different

Warp creates a VPN-like encrypted tunnel between the user and Cloudflare using an open-source protocol called WireGuard, which encapsulates TCP inside UDP.

Once connected, Warp behaves more like an optimised global routing network based on what Cloudflare calls ‘Argo Smart Routing’.

To make this fast, the traffic always enters Cloudflare at the nearest server to the user and exits from the network at a point closest to where the website is hosted.

However, the site is careful not to claim it can spoof or hide IP addresses as a VPN would. Websites visited see the real IP address of the user, which they wouldn’t with a true VPN.

In addition, Warp also excludes traffic to certain “over-the-top content provider websites, as determined by Cloudflare in its sole discretion,” from its network, which presumably refers to services such as Netflix, Hulu or Amazon.

In summary: if you don’t want your ISP to monitor which websites you visit, or want an extra layer of security when using public Wi-Fi, Warp is a simple way to ensure that for most sites – even if HTTPS and browsers such as Firefox and Opera already do much the same job.

What you don’t get is complete anonymity. Some apps can still see what you’re doing, as can websites and Cloudflare itself.

Anything else?

Warp might stop some apps from working (Google’s Play store and mobile data connections to name two), but it does allow apps to be excluded on an individual basis.

Similarly, Cloudflare is still working to get captive portals working when Warp is turned on. Some will work, some won’t.

In these cases, you can temporarily turn the app off.

As for using Warp with a laptop or PC, because Warp uses WireGuard, in principle there should be a way to make it work with these platforms with some fiddling.

Who can you trust? with Warp follows hot on the heels of Firefox’s collaboration with Cloudflare on its experimental Firefox Private Network – a similar sort of VPN-that-isn’t-a-VPN for your desktop web browser.

In at least one important respect, both of these things don’t do something you might expect a VPN to do: with Warp doesn’t hide your IP address and Firefox Private Network doesn’t encrypt all of your network traffic. That’s got some people worried that naive consumers who use them end up with less privacy or security than they’re expecting.

On the other hand, both are aimed at incrementally improving the security of people who aren’t already using a VPN and both position themselves as being like a VPN, rather than a VPN proper.

The common factor in both is CloudFlare. Through these and other projects, the company is now shepherd to a vast amount of our internet traffic, which requires that we place a great deal of trust in it.

Of course choosing not to trust your traffic to CloudFlare just means trusting it to somebody else: another VPN provider, your ISP or your mobile provider, for example.

Interestingly, because Warp+ is purchased through the Google Play store, the user doesn’t hand any personal data to Cloudflare itself.