“We want to grow it to secure every single phone”
Cloudflare first announced that it was building its very own virtual private network (VPN) on April 1, 2019, saying it had planned a launch that month, but the product needed some ongoing finessing. It’s one of the latest in a string of new products for the newly public company (which says it is “developing products… including compute, storage, 5G, and IoT”), and the Cloudflare WARP VPN finally landed September 25.
The sheer appetite for a rather unusual (read on) mobile VPN took the company by surprise: CEO Matthew Prince says there were two million people on the waiting list (“the demand embarrassed us”), and director of product Zack Bloom admits Cloudflare ran into a “long list of platform-specific bugs” as it developed the VPN.
It’s not a classic VPN as most would know it (no IP address-masking or server-geography choosing), and some confusion reigns about what it does, and why users might choose it. Computer Business Review did a quick explainer.
Four things you should know about the Cloudflare WARP VPN.
1: It Won’t Hide your IP Address
The classic notion of a VPN is that it creates a secure, encrypted tunnel between a user’s device and the servers of the VPN provider. Typically, users can choose which geography servers they connect to, in order to get around geoblocking rules, as well as hiding their IP address.
The Cloudflare WARP VPN doesn’t do this. It does not hide users’ IP addresses from the websites they visit. Nor does it allow them to circumvent geo-restricted content. What it does do is encrypt user data while it’s in transit.
Why? As CEO Prince puts it: “… so the networks between you and the applications you’re using can’t spy on you. It will help protect you from people sniffing your data while you’re at a local coffee shop. It will also help ensure that your ISP isn’t hoovering up data on your browsing patterns to sell to advertisers.”
For enterprise users keen to boost broader user security, this may prove attractive, if a VPN isn’t already required by default on BYO devices.
2: It’s Built on WireGuard
As we reported in April, WARP is unique in that it’s been built on the pared-back codebase of the emergent Wireguard protocol, which in its barest bones iteration comprises just 4,000 lines of code – whitepaper here – versus the approximately 600,000 total lines of code for OpenVPN + OpenSSL.
Cloudflare adapted that project (to the initial faint disgruntlement of developer Jason Donenfeld, who wanted to see the company’s engineers develop WARP as an open source Wireguard sub-project) and built it out using the Rust language; instead of using what Donenfeld earlier described as an admittedly “somewhat iffy” Go codebase.
Prince says: “[Wireguard’s] original code-base is less than 1 percent the size of a popular IPsec implementation, making it easy for us to understand and secure. We chose Rust as the language most likely to give us the performance and safety we needed and implemented WireGuard while optimizing the code heavily to run quickly on the platforms we were targeting.”
It has now open sourced WARP, so the Rust codebase is there for all-and-sundry to poke about in…
3: It’s Free (but Buggy… )
Cloudflare has a blunt ambition: “We want to grow it to secure every single phone”.
As an adoption play, it’s offering the quasi-VPN for free (no bandwidth caps), with a paid-for version coming in at circa $4.99/month that uses its private network backbone, Argo, for greater speed.
Zack Bloom admits it’s still buggy: “There are an unimaginable number of device and connection combinations, and each connection doesn’t just exist at one moment in time, they are always changing, entering and leaving broken states almost faster than we can track. Even now, getting WARP to work on every device and connection on Earth is not a solved problem, we still get daily bug reports which we work to triage and resolve.”
4: This Is What Your Traffic Looks Like.
A WARP request communicates over the WireGuard protocol to a server running in one of Cloudflare’s 194 data centers.
The use of Wireguard means it does this using UDP not TCP, using a session key negotiated with public-key encryption for security; or rather, a complete TCP packet inside a UDP packet.
As Bloom explains: “Inside the payload encrypted by WireGuard we have a complete TCP header which contains all the information necessary to ensure reliable delivery. We then wrap it with WireGuard’s encryption and use UDP to send it over the Internet. Should it be dropped TCP will do its job just as if a network link lost the message and resend it.
Once decrypted, Cloudflare can examine the destination IP address to see if it is an HTTP request destined for a Cloudflare-powered site, or a request destined elsewhere.
“If it’s destined for us it enters our standard HTTP serving path; often we can reply to the request directly from our cache in the very same data center. If it’s not destined for a Cloudflare-powered site we instead forward the packet to a proxy process which runs on each machine”, Bloom explains.
All in All…
To users who like Cloudflare (and don’t like their ISP and its penchant for selling user data to advertising firms, or furnishing it to HMG), it may prove attractive.
Cloudflare promises to never write user-identifiable log data to disk; never sell browsing data “or use it in any way to target you with advertising data”; and users don’t need to provide an personal information to sign up.
To internet users averse to nation-state level snooping, it’s scant protection; to those averse to nation-state snooping conducted by ISPs as a government proxy under domestic legislation, or the shallower end of the dragnet surveillance economy, it may prove more enticing.
Getting it on every phone? Cloudflare can hope…