Cloudflare, the managed DNS service provider and DDoS mitigation company, says it is launching a free mobile Virtual Private Network (VPN), the “1.1.1.1 App with Warp” which it hopes to monetise by offering an enhanced “Warp+” service for security and privacy-minded enterprise customers.

The announcement is a big one for the company – which has seen its 1.1.1.1 DNS resolver service grow 700 percent month-on-month – and builds on its 2017 acquisition of mobile software specialist Neumob. With the global VPN market estimated to be worth £80+ billion by 2022, there’s a lot to play for.

The VPN is being built on the emerging WireGuard VPN protocol, which takes a radically different approach to creating a VPN and comprises just 4,000 lines of code – whitepaper here – versus the approximately 600,000 total lines of code for OpenVPN + OpenSSL. (Development of the open source WireGuard has been led by Jason Donenfeld, a security researcher/engineer who heads up Edge Security).

The mobile app will “take advantage of Cloudflare’s global network to improve mobile Internet reliability” the company said, opening a waiting list.

Cloudflare VPN
Cloudflare CEO Matthew Prince

Having initially planned a full launch April 1 “including working through the final hours before the launch” CEO Matthew Prince said in a blog today that the company “just made the call that there are still too many edge cases that we’re not proud of to start rolling it out to users”.

Cloudflare is aiming for general availability by July 2019 instead. (Its Github repo appears to be here…)

WireGuard: Lack of Upstream Engagement a “Bummer”

WireGuard author Jason Donenfeld lamented Cloudflare’s lack of upstream engagement in a note on March 27 to the protocol’s mailing list.

As he wrote: “Cloudflare have been] working on it [their WireGuard implementation] for some time, and we’ve discussed this privately at various points along the way. Each time it came up, I asked them if they’d consider working with the WireGuard project itself, and they’ve repeatedly refused.”

“They have insisted on remaining separate and expressed that they don’t want to work as part upstream. I expressed various concerns about unity of community and compatibility of implementations, as well as vision for simplicity and security, but they were pretty adamant about remaining separate.”

“We May Fork Cloudflare’s Rust Implementation”

“I thought the invitation to put their engineers as the head of a WireGuard subproject was a cool invitation, but alas. That’s a bummer, but that’s how it goes; folks are entitled to do what they wish with software they make. I guess they’ll make products or something and control is important to them; I just hope they don’t fragment or otherwise yank WireGuard in unfortunate directions with their access to vast engineering resources. ”

The frustration, he added, was because the protocol “could really use” a Rust implementation (something Cloudflare has developed) as the project has instead wound up with a “somewhat iffy” Go codebase.

“We may very well wind up forking it into `wireguard-rs`, to create something that matches our standards of security and vision. I think there’s significant value in having a first-party Rust implementation that we can maintain and keep up to date with our ongoing research, Donenfeld added.

“Naturally the door remains open to Cloudflare if they’d like to work with us.”

Cloudflare VPN: Built on WireGuard, Neumob Tech

Cloudflare, meanwhile, said it has had its eye on launching a VPN service for some years.

CEO Prince said: “We realized a few years back that providing a VPN service wouldn’t meaningfully change the costs of the network we’re already running successfully.”

(Cloudflare operates over 1,000 servers around the world via 175 data centres as part of its DNS resolution service; one of the world’s largest and fastest).

He added: “That meant if we could pull off the technology then we could afford to offer this service… We think there’s an exciting opportunity in the enterprise VPN space.”

“While companies require their employees to install and use VPNs, even the next generation of cloud VPNs are pretty terrible. Their client software slows everything down and drains your battery. We think the best way to build the best enterprise VPN is to first build the best consumer VPN and let millions of users kick the tires.”

By using encryption methods from the Noise Protocol Framework, and building on recent Internet protocol advances such as QUIC and HTTP/3, while pushing traffic through its network, the 1.1.1.1 App with Warp (when it lands) will be quick, secure, and not sap your battery, Cloudflare promised.

Existing 1.1.1.1. App not a VPN

The company already offers a 1.1.1.1 app for both Android and iOS, which allows users to bypass the default DNS from their internet service provider, but does not proxy traffic like a VPN does. Rather, it runs a local DNS resolver on the phone that that asks all other apps to send their DNS requests to the address of this resolver. This then encrypts them and sends them to Cloudflare’s 1.1.1.1 DNS resolution service.

(DNS servers are central to modern networking. When you type in a website, like www.cbronline.com, your DNS looks up the IP address tied to that domain so the page can be loaded. Most people stick with the default DNS from their internet service provider, but because ISPs often log DNS queries, alternatives are increasingly popular with the privacy-conscious.)

For extra speed the premium version will also use Cloudflare’s paid network traffic engine Argo, which allows the company to make decisions on how to carry traffic across our network in ways that optimise for a number of factors: latency, throughput, jitter, or in the case of the Bandwidth Alliance, cost to partners to exchange traffic…

A range of other providers are also offering WireGuard-based VPNs, including Sweden’s Mullvad.

See also:  “Bandwidth Alliance” Aims to Tackle Price Gouging