Considering ditching my non-profit super-private open-source military-grade VPN subscription for a greedy BIG-TECH's corporate proprietary Cloudflare WARP

My VPN is always-on.
Like many people I do believe that using a VPN from some decent provider could really benefit one’s privacy. Blending in with other users of that VPN, combined with different low-effort anti-fingerprinting tools, leads to me peacefully watching Google Ads that are not even remotely interesting to me when I turn off my adblocker from time to time.

I don’t believe it can realistically protect from something more sophisticated and motivated, no matter what VPN companies promise.

It also helps me to ~~be anonymous~~ feel pseudonymous with many services I use.

Until it doesn’t.

I’m talking about downtimes.

No VPN provider wrote on their site something like “Ultimate privacy - most of the time!” or “Not 100% protection but we apologize when something doesn’t work”.

Yes, I have kill-switches. The point is: sometimes I just can’t afford to be without any internet access for 3+ hours, as happened after the recent Proton “incident”. It’s not the first time. And not the last, for sure.

And if I just turn off the kill-switch and start using the internet like most normal people who have nothing to hide, it will ruin my perception of pseudonymity. Why bother hiding my real IP for some time if someday it will be logged and tied to my accounts anyway?

At this point I see two options:

  1. Stop using VPNs completely

  2. Find a more robust and admittedly less private service, which still offers some anti-tracking capabilities for the price of small performance penalties and betrayal of my ideals

Since I’ve learned that Google One VPN is already dead, the only contender is Cloudflare WARP.

It is free (as in beer) and requires you to believe it doesn’t keep activity logs (like with any other VPN provider). It was even audited - the gold standard for VPN marketing.

Of course I know there’s no free beer, but it seems like they actually have valid reasons for offering free services, even if we’re not counting promotion of their paid WARP+ subscription.

If the community believes in Apple’s and Google’s privacy policies, I don’t see why I should question Cloudflare’s.
And they actually have their own infrastructure, so at least it is possible for them to keep their promises, unlike almost all VPN providers, who don’t actually have full control over their servers.

Turns out there’s an open-source tool to extract WireGuard configs from WARP, so it can be used with any regular WireGuard client. Paired with a good firewall configuration this will probably eliminate possible leaks from WARP.

Cloudflare says it can even make internet connections faster, which I find hard to believe, but it would be faster than any regular VPN for sure. And their user-base is really big. Maybe I would even stop getting this “humanity verification” everywhere, since it’s Cloudflare’s.

Before resorting to my first option I’m tempted to use WARP’s wg.conf on my router, with occasional additional on-device usage of VPN/Tor when I feel that I need UNPARALLELED SECURITY AND PROTECTION.

But even before trying this I decided to seek community assistance and evaluation of such an idea. I hope that my threat model is clear - mass surveillance, not targeted.

Cloudflare WARP is mighty fast and reliable; the only major downside is you can’t choose where the servers are, it just picks the closest ones for speed and to avoid breakage. So keep that in mind, but otherwise not a bad option.

It looks like Google still offers their VPN; it’s just called VPN by Google now. It’s not just blind trust either: they use blind signatures to authenticate, so it does have a technical edge over other VPNs.

Apple’s Private Relay is even better because they use two separate relays owned by separate parties, and also use blind signatures to authenticate with both relays (although it doesn’t cover all traffic on the device, which is annoying). So I don’t think it’s accurate to say you just have to trust Google and Apple’s privacy policies; they have technical reasons as well.
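The "blind signatures" the reply above credits for VPN by Google and Private Relay are what let a server authorize a client without being able to link the token it later sees back to the account it issued it to. The following is an added illustration written for this thread, not code from Google, Apple or Cloudflare: a textbook RSA blind signature (Chaum's construction) on a toy key built from two Mersenne primes. The key size and the hash-to-integer reduction are simplifications for readability and are far too weak for real use; the real services use standardized, production-grade variants of the same principle.

```python
import hashlib
import math
import secrets

# Toy RSA key built from two Mersenne primes (2^31-1 and 2^61-1). Assumption for
# this example only: far too small for real use, chosen so the arithmetic is
# cheap and every step is checkable.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the issuer


def hash_to_int(msg: bytes) -> int:
    """Map the token bytes to an integer below N (hash-then-sign, reduced mod N)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def blind(msg: bytes, r=None):
    """Client side: hide the token behind a random blinding factor r coprime to N.
    r may be supplied (for reproducible tests); otherwise it is drawn at random."""
    m = hash_to_int(msg)
    if r is None:
        while True:
            r = secrets.randbelow(N - 2) + 2
            if math.gcd(r, N) == 1:
                break
    blinded = (pow(r, E, N) * m) % N
    return blinded, r


def sign_blinded(blinded: int) -> int:
    """Issuer side: an ordinary RSA signature over a value it cannot relate to the
    token. This is the step that would be tied to the user's account login."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Client side: remove r, leaving a valid signature on the unblinded token.
    (m * r^e)^d = m^d * r, so multiplying by r^-1 yields m^d."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(msg: bytes, sig: int) -> bool:
    """Anyone holding the public key (N, E) can check the token; the relay does this."""
    return pow(sig, E, N) == hash_to_int(msg)


def issue_then_redeem(token: bytes, issuer_log: list) -> bool:
    """One issuance and one redemption. The issuer's log only ever receives the
    blinded value, so it cannot match the token presented at redemption time
    back to the account that requested it. Returns True when the token verifies
    and its unblinded form is absent from the issuer's records."""
    blinded, r = blind(token)
    issuer_log.append(blinded)
    sig = unblind(sign_blinded(blinded), r)
    return verify(token, sig) and hash_to_int(token) not in issuer_log


if __name__ == "__main__":
    log = []
    print("token verifies and is unlinkable:", issue_then_redeem(b"session token", log))
```

The point to take from the unblinding identity is that the account-linked step (signing) and the traffic-linked step (verification at the relay) never see the same value, which is a stronger property than a promise in a privacy policy; it still rests on the client implementation actually doing the blinding, which is the part that has to be trusted or audited.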

Believes in != trusts. We can believe their privacy policies are accurate, and they accurately show that they are terrible for your privacy.

You should.

Google Cloud going down took down half their business just a few months ago.

1 Like

WARP isn’t your traditional VPN service. It is very useful for maintaining higher speeds and protecting your web traffic on public Wi-Fi networks.

However, if you need to do something like accessing geo-locked content, or p2p downloads, you are better off with a traditional VPN provider that allows you to change servers. There are a lot of other considerations besides “security”, like speed/reliability as you mentioned and usability.

1 Like

Yeah, this is no good for censorship circumvention, but I can use additional tools if I will need to.

Well, I mean it seems like the consensus here that iPhone is a decently private option. And we have to trust that Google-made hardware, firmware and big chunks of software can be private too.
And while absolutely anyone can verify millions of lines of open-source code themselves, usually we just have to trust someone’s words and reputation. And while Cloudflare is not a privacy-centric company, it’s not making money from privacy violations either.
But maybe I just don’t know enough about them.

Personally, I don’t believe in anyone’s policies, I’m just saying that theirs is not bad compared to others’.

I know, but I’m planning to use it like a traditional one, just with “choose the best server automatically” option that can’t be disabled.

I’m sure that TLS can handle this alone anyway.

If I need it I can still use a regular VPN on top of WARP. If Cloudflare doesn’t block such connections.

I hope that someone here has already tried such a setup and will share their experience. I’m curious about their WireGuard key rotation, how often it should be recreated and replaced. If I have to do it manually too often it’s not practical at all.

If it has regular outages too I will reconsider paying for Proton or will have to learn to use the internet like no one is watching.

I wouldn’t necessarily call them ‘privacy-centric’, but they are definitely more privacy aware than they get credit for (imo).

It’s just that the significant contributions Cloudflare makes to privacy are typically more at the systemic or at the standards level, which are areas that most tech hobbyist and casual privacy communities don’t focus on.

Examples would be privacy enhancing initiatives and standards like:

I personally perceive Cloudflare as having a good-faith interest in improving baseline online privacy at the systemic level and supporting (and sometimes spearheading) privacy enhancing standards, and–like you–it gives me some confidence that Cloudflare’s core business model is not in conflict with user privacy for the most part. For a lot of threat models, I think Cloudflare is closer to an ally than a threat–though it’s not completely black & white, I see risks as well.

6 Likes

Would love to see independent articles, blogs or communities that do focus on these things. These are potentially the biggest privacy wins if implemented judiciously.

1 Like

The remote VPN server will route the traffic… making it harder to track you or your precise location. Think of it this way — imagine you’re wearing a snowman costume in a crowd of snowmen.

It feels like a snowman teaching you how to get warm.

Why not? You just have to blindly trust they actually did this. Open-sourcing some client libraries and some 3rd party audit from 2021 don’t guarantee anything.
And it’s for 9-10gen Pixels only and probably won’t work on GOS. WARP looks way better anyway.

Absolutely no way to be sure these claims are actually true. Just like with Cloudflare - we have to believe their words about how they implement things.

Not profiting from user-profiling is good enough for me. It’s even strange, because they surely are able to do this and no one would be surprised if they did.
But even Google tried avoiding “being evil” at first.

Well, Cloudflare philosophy aside, I would be happy to hear about someone’s first-hand experience with daily-driving WARP, especially about usage without their clients and about downtime or other hiccups.

1 Like

At least for iCloud Private Relay, it has been reverse-engineered before, which is a standard practice for security audit.

Reading the source code, compiling, and passing tests isn’t sufficient to show us a program’s final behavior. The only way to know what a program does when you run it is to…run it.

I like Cloudflare WARP because it’s good at bypassing VPN blocks on corporate/public Wi-Fi networks, which for me is the main use case for a VPN. ProtonVPN, Mullvad and IVPN didn’t work for me on public Wi-Fi, so they were basically useless for me.

I’d rather trust Cloudflare on a public/corporate network than the provider themselves.

1 Like

Maybe it would be possible to chain two VPNs - Cloudflare as the entry and Mullvad/Proton/IVPN as the exit - to get the best of both worlds.

This is possible.

But I can’t make it work with a Cloudflare IP as Endpoint instead of “engage.cloudflareclient.com:2408”, which works fine.
WG connects successfully, but no internet.
I want to use an IP address so I can use firewall rules as a kill-switch.

And I still can’t find any info on how often WireGuard keys should be renewed.

When did this happen? Did their VPN servers go down? First time I’ve heard about this.

military-grade VPN

There is no such thing. They just use the same encryption as the military (as does everyone else). But this term is basically nonsense.

There is no link between privacy and reliability in this case. Cloudflare is bigger so this might play in your favor, but it could also fail.

This happens more often than I can tolerate. And they don’t write about every “incident” on their status page, sometimes it’s just “planned maintenance” or no mention at all.

I know. It was a bit of sarcasm. Because while I deem Proton as a superior VPN provider privacy-wise, I still don’t believe they are able to provide the level of protection their marketing words imply.

Anyway, I’m still struggling with a firewall kill-switch configuration that allows connections only to engage.cloudflareclient.com and nothing else. I’m talking about Linux; the Android kill-switch is easy to implement.

Help from someone possessing such knowledge would be very much appreciated.
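One way to get a Linux kill-switch that only lets the WireGuard handshake out, which addresses both the earlier problem (an IP in the wg.conf Endpoint breaking the tunnel while the hostname works) and the request just above: leave the hostname in wg.conf, resolve it once before the firewall goes up, and pin only the resolved addresses in nftables. The script below is an added example written for this thread, not the thread's own configuration or anything published by Cloudflare or the WireGuard project. Assumptions, also marked in the code: nftables is the firewall, the tunnel interface is wg0 and the uplink is eth0 (change both to match), the sample wg.conf is constructed with placeholder keys, and the addresses behind engage.cloudflareclient.com stay the same for the session (re-run the script when they change). The script only prints the ruleset; applying it needs root and `nft -f`.

```python
import ipaddress
import re
import socket

# Constructed sample in WireGuard's INI-style config format. Keys are placeholders;
# the Endpoint is the hostname quoted in the thread.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client private key redacted>
Address = 172.16.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <peer public key redacted>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = engage.cloudflareclient.com:2408
"""


def parse_endpoint(conf_text: str):
    """Return (host, port) from the first Endpoint line of a wg.conf.
    Handles both hostname:port and a bracketed literal IPv6 endpoint."""
    match = re.search(r"^\s*Endpoint\s*=\s*(\S+)\s*$", conf_text, re.MULTILINE)
    if match is None:
        raise ValueError("no Endpoint line in config")
    host, _, port = match.group(1).rpartition(":")
    return host.strip("[]"), int(port)


def resolve_endpoint(host: str):
    """Resolve the endpoint hostname with the system resolver. Must run BEFORE the
    ruleset is loaded: once it is active, DNS outside the tunnel is dropped."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def build_ruleset(endpoint_ips, port: int, wg_if: str = "wg0", uplink_if: str = "eth0") -> str:
    """Emit an nftables ruleset (as text) that drops everything except loopback,
    traffic inside the WireGuard interface, and the UDP handshake to the pinned
    endpoint addresses on the uplink. Interface names are assumptions.
    LAN access, DHCP renewals and NTP are deliberately NOT allowed; add explicit
    rules for anything else you need rather than loosening the policy."""
    v4 = [ip for ip in endpoint_ips if ipaddress.ip_address(ip).version == 4]
    v6 = [ip for ip in endpoint_ips if ipaddress.ip_address(ip).version == 6]
    lines = [
        "table inet wg_killswitch {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        f'    oifname "{wg_if}" accept',  # inner packets, before encapsulation
    ]
    if v4:
        lines.append(f'    oifname "{uplink_if}" ip daddr {{ {", ".join(v4)} }} udp dport {port} accept')
    if v6:
        lines.append(f'    oifname "{uplink_if}" ip6 daddr {{ {", ".join(v6)} }} udp dport {port} accept')
    lines += [
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        f'    iifname "{wg_if}" accept',
        "    ct state established,related accept",  # replies to the accepted handshake
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    host, port = parse_endpoint(SAMPLE_CONF)
    ips = resolve_endpoint(host)  # needs a working resolver at this point
    print(build_ruleset(ips, port))  # pipe into `nft -f -` as root to apply
```

To check the switch actually closes, bring the tunnel down while the ruleset is loaded and confirm that nothing but the pinned UDP destination is reachable (a DNS lookup or a plain HTTPS request from the host should fail). Because the rules key on the resolved addresses rather than the hostname, a change in what engage.cloudflareclient.com resolves to shows up as a dead tunnel rather than a leak, which is the safe failure mode for this threat model.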

I basically use it all the time and never had any issue, so that’s a surprise to me. Their Linux app is bad, and I sometimes need to cancel the connection to a server by another server, to then choose my original server again. But this is more likely client-side.

If you frequently encounter downtime, maybe your ISP/Country is doing censorship?

AFAIK they don’t say they have military grade encryption.