Cloudflare 1.1.1.1 + WARP

No, it’s still a VPN. You can pay to use their faster virtual private backbone network, but it’s not designed to hide your IP to pass geo-restrictions etc.

They have a release post now

1 Like

What WARP Is Not

From a technical perspective, WARP is a VPN. But it is designed for a very different audience than a traditional VPN. WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit. If you’re looking for that kind of high-security protection then a traditional VPN or a service like Tor are likely better choices for you.

WARP, instead, is built for the average consumer. It’s built to ensure that your data is secured while it’s in transit. So the networks between you and the applications you’re using can’t spy on you. It will help protect you from people sniffing your data while you’re at a local coffee shop. It will also help ensure that your ISP isn’t hoovering up data on your browsing patterns to sell to advertisers.

WARP isn’t designed for the ultra-techie who wants to specify exactly what server their traffic will be routed through. There’s basically only one button in the WARP interface: ON or OFF. It’s simple on purpose. It’s designed for my mom and dad who ask me every holiday dinner what they can do to be a bit safer online. I’m excited this year to have something easy for them to do: install the 1.1.1.1 App, enable WARP, and rest a bit easier.

1 Like

It is based on Neumob.
https://www.streamingmediablog.com/2017/09/addressing-the-gap-in-tcp-based-acceleration.html

I guess I can go fire up the app finally and play with it on Android.

How can it be a VPN, while not obscuring your IP address?

If the “return address” on your IP packets is your actual WAN IP address, the server you’re connecting to will just talk around the VPN, and you would definitely break NAT if you are behind a router.

The only way this makes any sense to me is if either:

  1. this is not actually a VPN in any way/shape/form
  2. the connection is from Cloudflare’s IP address, but includes an additional header to let people track you; akin to Verizon’s UIDH in effect

This is a VPN and at the same time is not a VPN in the usual sense.

It is a VPN because it creates a tunnel and transfers encrypted traffic from point A to point B. But due to the specifics of the construction, it does not mask the user’s original IP address.

This is not a VPN. Nowadays, people have got used to the fact that the term VPN means anonymization, IP masking and traffic encryption. On the one hand this is true, but on the other it does not quite have to specify a VPN exactly.

Can 1.1.1.1 + WARP be called a VPN? It can be described as such, which is what Cloudflare is doing in public. But to fully understand what “WARP” really is, you need to get acquainted with the Neumob protocol, which is wrapped in WireGuard and all matched to the CDN network.

In an extreme simplification, TCP traffic is transferred to UDP and passed through the tunnel to the CDN. But this is not a classic exit point like a typical VPN.

Neumob, a mobile app acceleration company with offices in Silicon Valley and the UK, focuses its SDK-based solution on apps. Neumob solves the TCP problem by using UDP under the hood for its own protocol, or what they call the Neumob Protocol. UDP doesn’t suffer from HOLB, as it inherently does not require in-order data delivery. Neumob’s focus has been to create a mobile-first protocol, designed for the mobile apps in which 85-90% of all smartphone activity occurs, rather than taking a legacy protocol designed in the 1990s and then retrofitting it to work for the mobile world.

The company’s protocol accelerates everything within a mobile app, including all of those great (but heavy) 3rd-party calls like videos, images, ad network SDKs and analytics tools that make an app what it is. It doesn’t cache for one domain only, and it doesn’t meekly tune TCP. Instead, the company says they chose to develop its own robust UDP-based protocol, 3-POP WAN acceleration architecture and software-defined content routing that dynamically does one thing exceptionally well: speed up the performance of mobile apps, no matter whether its users are in the same city or halfway around the world.

Neumob says one of the differentiating features of their protocol is their network profiles approach. More than half of the connections the company serves are wireless: 4G, 3G (WCDMA, HSDPA, EVDO_A), 2G (EDGE, CDMA) and so on. Even in the same LTE network, any given mobile carrier will have different coverage and latencies, and all of these networks have different characteristics. The company says they have the ability to detect if the network connection is on, and tune connection parameters accordingly. With their SDK, the protocol is able to detect the mobile network carrier, the network technology (WiFi, LTE, HSPA etc) and the country in which the device is connecting, then apply different protocol parameters to maximize mobile app speed and error reduction. It’s a pretty simple approach, to a complex problem.

Historically, web-based CDNs have used edge servers in order to cache static objects efficiently. This is good for small web sites with a low amount of calls, but when the total size of typical libraries grew bigger, CDNs introduced another concept of placing a second level of cache in a few aggregation points (called parent cache, shield cache, super cache, super POP etc.), near the origin, in order to improve the cache hit rate in the edge server while reducing access to the origin. This approach was also useful for accelerating dynamic objects (not cacheable and in need of origin access every time). These days, most CDNs support accelerating dynamic content in their own way, but this 2-POP approach is pretty common. Having an edge POP and another POP near the origin, and using various middle-mile acceleration techniques between the edge POP and the POP near the origin, is the foundational architecture that allows CDNs to accelerate dynamic content.

Neumob has expanded this idea to the actual device in the user’s hand. The company says CDNs take what is basically a server-side only approach, with no information about the device itself, and simply assumes it’s “a good client”. This assumes it has a good DNS resolver configuration, so that it can find a nearby edge POP using DNS (or relying on anycast to find a nearby edge POP), and that it knows how to connect using an up-to-date protocol.

Neumob’s approach, by contrast, hosts a small and intelligent proxy right in the device itself by virtue of its embedded SDK within the app being used. Traffic from the app travels through Neumob’s small edge server in the device. This enables the protocol to get unique information about the client, while providing Neumob with the ability to optimize the last mile from the edge of the internet to the device itself, something they say was not possible in the traditional CDN approach.

For example, Neumob can identify that the device is connecting to a Wi-Fi network or to LTE via a specific mobile carrier, without guessing, which enables Neumob to apply the most appropriate protocol parameters. Neumob is able to fall back properly when anything bad or unexpected happens during content transmission, which reduces errors, collects more detailed metrics about the request, alerts about unusual errors, and more. This is effectively having an intelligent agent on the device that’s constantly reporting on network connections.

So how does all of this reduce errors within mobile apps? Neumob says it’s important to underscore how effective the UDP-driven protocol is in reducing errors within apps. These errors include timeouts, when an app’s responses effectively freeze, and force the user to refresh or navigate elsewhere, since images or other content can’t be delivered. Errors can also include blank spaces with missing images; third-party-hosted content that never arrives; and even advertisements that are never seen by the user (and therefore can’t be monetized) because of failed delivery.

Neumob says typical mobile app error rates range from 3% on faster networks such as LTE, to over 12% on 2G & 3G networks, and in countries such as India and China. By not being inherently limited by HOLB (“Head of Line Blocking”), the Neumob protocol already provides apps with a leg up in reducing these frustrating errors. It also uses innovative loss detection & recovery mechanisms, while providing fine-grained control with the aforementioned 3rd POP implemented right inside the SDK.

The traditional PC-focused Internet and TCP/IP protocol were never designed to support the fast delivery of mobile apps. Both introduce a number of delays throughout the mobile app delivery process, making fast mobile app performance (and low error rates) on end-user devices an elusive goal for most developers. Neumob is looking to address these challenges, and because it has been specifically and exclusively engineered for mobile apps, it by necessity incorporates a variety of improvements and network-driven leaps forward. The company says they are able to achieve mobile app speed gains of 30-300%, and reduction of in-app errors by up to 90%.

The SDK revolution, in which app developers can add small bits of code to their apps that contain everything from robust analytics to advertising solutions, is where that next stage of performance and speed innovation lies. The right SDK can effectively transform the last, mobile mile from a latency-filled bottleneck into a lightning-fast conduit for images, files, high-bandwidth videos and more.

It’s a tricky problem for mobile-first infrastructure providers to solve, but therein lies the kernel of the solution: reimagining how we interact with the internet in this newly-dominant era of mobile, and of mobile apps, versus the way we did things in the now-fading PC internet and mobile web era.

Cloudflare bought Neumob in November 2017.

1 Like
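As an added illustration (not from the thread or the Neumob article it quotes), this Python simulation shows the head-of-line blocking the article refers to: one lost packet in a single ordered stream (TCP-like) delays every packet sent after it until the retransmission lands, while with independent streams multiplexed over UDP only the stream that lost the packet waits. The packet schedule, the lost sequence number and the RTT are constructed sample values, and "retransmitted one RTT after the original send" is a deliberate simplification of real loss recovery.

```python
"""Head-of-line blocking: single ordered stream vs. independent streams.

Added example; not code from the thread, from Neumob or from Cloudflare.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    seq: int          # position in send order
    stream: int       # which independent object/stream it belongs to
    send_time: float  # constructed, in arbitrary time units


def arrival_times(packets, lost_seqs, rtt):
    """Time each packet reaches the receiver.

    Simplification: a lost packet is detected and retransmitted, so it
    arrives one RTT after its original send time.
    """
    return {p.seq: p.send_time + (rtt if p.seq in lost_seqs else 0.0)
            for p in packets}


def deliver(packets, arrival, in_order):
    """Time the application can actually consume each packet.

    in_order=True : one ordered byte stream; a packet is usable only once
                    every earlier packet is usable (TCP behaviour).
    in_order=False: ordering is enforced only within each stream, so a gap
                    in one stream does not hold back the others.
    """
    delivered = {}
    last = {}  # ordering domain -> delivery time of its previous packet
    for p in sorted(packets, key=lambda q: q.seq):
        key = "all" if in_order else p.stream
        ready = max(arrival[p.seq], last.get(key, 0.0))
        delivered[p.seq] = ready
        last[key] = ready
    return delivered


def stalled(packets, arrival, delivered):
    """Sequence numbers that arrived but sat unusable because of an earlier gap."""
    return sorted(p.seq for p in packets if delivered[p.seq] > arrival[p.seq])


# Constructed sample: six packets alternating between two streams,
# one unit apart, with packet 1 lost and an RTT of 10 units.
SAMPLE = [Packet(seq=i, stream=i % 2, send_time=float(i)) for i in range(6)]
LOST = {1}
RTT = 10.0


def compare(packets=SAMPLE, lost=LOST, rtt=RTT):
    """Which packets stall under each delivery model for the same loss."""
    arrival = arrival_times(packets, lost, rtt)
    tcp_like = deliver(packets, arrival, in_order=True)
    per_stream = deliver(packets, arrival, in_order=False)
    return {
        "single_ordered_stream": stalled(packets, arrival, tcp_like),
        "independent_streams": stalled(packets, arrival, per_stream),
    }


if __name__ == "__main__":
    for model, seqs in compare().items():
        print(f"{model}: stalled packets {seqs}")
```

With the sample schedule, losing packet 1 stalls packets 2 through 5 in the single ordered stream, but only packets 3 and 5 (the rest of stream 1) when each stream is ordered independently; packets 2 and 4 on stream 0 are consumed as soon as they arrive.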

I don’t understand the point of this fucking thing.

There’s no need to “ensure that your data is secured while it’s in transit. So the networks between you and the applications you’re using can’t spy on you”.

It’s 2019. Every site uses HTTPS. These mythical coffeeshop snoops could technically sniff your destination IP, but over half the internet is on some CDN or Cloudflare itself anyway so you wouldn’t get much there either.

If it doesn’t obfuscate your source IP, it offers no privacy advantages. If it doesn’t allow you to get around your work firewall or watch Netflix, it offers no functionality advantages either.

So again, what is the point of this fucking thing?

I have been thinking about this…

Walled garden only they could data mine? We know what they “state” is not often what it turns out to be.

The main goal is probably faster delivery of web resources for mobile users from the CDN network.
Traffic encryption is rather a side effect.
Apparently, the way it is built on also has less impact on the smartphone in the context of battery life and cpu load.

Apparently they have a plan for this solution since they have invested time and money in it.
It can also, if successful, increase the attractiveness of their CDN networks to customers. And it can give them better statistics for analyzing which network resource is attractive for a mobile user. In a way like their DNS.

They define it as a solution for non-technical people. Fast and simple. Which is to give a level of security without going into technical aspects but at the same time probably do not want to take on the problems that arise from anonymization and thus refer them to abuse cases.

WARP is not just a product, it’s a testbed for all of the Internet-improving technology we have spent years developing. One dream was to use our Argo routing technology to allow all of your Internet traffic to use faster, less-congested, routes through the Internet. When used by Cloudflare customers for the past several years Argo has improved the speed of their websites by an average of over 30%. Through some hard work of the team we are making that technology available to you as WARP Plus.

The WARP Plus technology is not without cost for us. Routing your traffic over our network often costs us more than if we release it directly to the Internet. To cover those costs we charge a monthly fee — $4.99/month or less — for WARP Plus. The fee depends on the region that you’re in and is intended to approximate what a Big Mac would cost in the same region.

Basic WARP is free. Our first priority is not to make money off of WARP, however; we want to grow it to secure every single phone. To help make that happen, we wanted to give you an incentive to share WARP with your friends. You can earn 1GB of free WARP Plus for every person you share WARP with. And everyone you refer also gets 1GB of WARP Plus for free as well. There is no limit on how much WARP Plus data you can earn by sharing.

Once we got WARP to a stable place, this was my first question. My initial inclination was to go to one of the many Speed Test sites and see the results. And the results were… weird. Sometimes much faster, sometimes much slower. Overall, they didn’t make a lot of sense. The reason why is that these sites are designed to measure the speed of your ISP. WARP is different, so these test sites don’t give particularly accurate readings.

The better test is to visit common sites around the Internet and see how they load, in real conditions, on WARP versus off. We’ve built a tool that does this. Generally, in our tests, WARP is around the same speed as non-WARP connections when you’re on a high performance network. As network conditions get worse, WARP will often improve performance more. But your experience will depend on the particular conditions of your network.

We plan, in the next few weeks, to expose the test tool within the 1.1.1.1 App so you can see how your device loads a set of popular sites without WARP, with WARP, and with WARP Plus. And, again, if you’re seeing particularly poor performance, please report it to us. Our goal is to provide security without slowing you down or burning excess battery. We can already do that for many networks and devices and we won’t rest until we can do it for everyone.

The baseline Warp service can’t be faster. It adds a hop. They claim the paid Warp+ routes across their special network, but I am deeply dubious that will actually offer better performance. They really admit as much when they say “you can’t trust speedtests”, which is, of course, complete BS.

It has less impact on battery and CPU load than OpenVPN, certainly, that’s a WireGuard benefit. I use WG myself every day. It does however have more impact than running no VPN (or whatever the hell Warp is) at all.

And it doesn’t add any security because everything is HTTPS, so again, I just don’t see the point.

My understanding is that Cloudflare caches like half the internet on their network, including here, and this is partially how they’re getting some of their improvements. As they said though, this doesn’t necessarily give you faster speeds.

1 Like

They only claim the paid Warp+ service is faster. Even assuming it is, then what is the point of Warp non-plus? If it isn’t faster, why does it exist?

From a bit of research, here’s how Warp actually works.

It is a real WG VPN into Cloudflare’s network. They go out of their way to deliberately forward your IP address only to websites that run Cloudflare, which is something like 10% of the Internet.

The Warp VPN route immediately exits the Cloudflare network at whatever local POP you connect to, while the Warp+ VPN routes to your destination using “Argo”, which is kind of their replacement for BGP.

So getting back to “the point of the fucking thing”, if your mobile service provider runs packet shaping to force 480p video or whatever, since it is a real VPN, this should help with that. If your work firewall blocks access to bigboobies.com, it will help with that too.

Just don’t expect it to offer meaningful privacy or security, because it doesn’t.

That said, if people start using the free service to watch HD video I would fully expect CF to bypass the VPN on major players like YouTube and Netflix. Very easy for them to do that.

On a side note, looks to be very easy to get Warp running on other platforms. It POSTs your public key to https://api.cloudflareclient.com and then basically just connects normally.

1 Like

IP address leakage

That Bleeping Computer article really clears things up, he links to a HackerNews post from Zack Bloom:

We haven’t figured out how to expose them yet for sites not using Cloudflare. We do have some experience solving this problem for Spectrum [1] we’re hoping to lean on. The most important thing to us is users don’t expect us to keep their IP private, as that is not the intent of WARP.

with a link to this blog post:

Neumob

As an aside, that Neumob system sounds rather disconcerting. If I understand correctly, it is using locally running code on the users device to report back network statistics to the Cloudflare, and also uses a proprietary protocol in place of TCP.

Summary of WARP/WARP+

  • For most websites, WARP and WARP+ act like normal VPNs though Cloudflare is hard at work (see mmproxy post) trying to find ways to leak your IP address to the sites you visit.

  • For websites designed to use Cloudflare, WARP and WARP+ are already able to give out your IP address.

  • The difference between WARP and WARP+ is whether the internet connection to the final server is made from the PoP (Cloudflare’s servers) closest to you, or closest to your destination. If the latter, Cloudflare’s private network will use its Argo routing system.

WARP

device  →  PoP near user  →  server
        |                 |
  tunneled internet    internet

WARP+

device  →  PoP near user  →  PoP near server  →  server
        |                 |                   |
 tunneled internet    CF private net       internet

1 Like

That’s what I just said, isn’t it?

1 Like

Oh, somewhat I guess; I have had this sitting as a draft for several hours and coming back to it, wanted to finish it. I do think it still works as a quick reference or TLDR of sorts.

Ahh OK, that explains it.

So an attempt is being made to build their own garden. That is what I get from that. Not overly fond of some of their business practices in the past year or so. Appeasement to certain entities is certainly not in the best interest of the consumer.

I really can not comment much on the technical side.