Cloudflare WARP — The Free VPN That Isn't Really a VPN
Table of Contents
- The Origin Story: It Started with 1.1.1.1
- What DNS Resolvers Do
- Why Cloudflare Built 1.1.1.1
- Enter WARP: April 1, 2019
- How WARP Actually Works
- WireGuard: The Protocol Underneath
- What Cloudflare Changed
- The Data Flow
- What WARP Is Not
- The Business Model: Why Is It Free?
- Cloudflare’s Real Business
- The Technical Stack in Detail
- Cloudflare’s Network Architecture
- The 1.1.1.1 App
- DNS-over-HTTPS and DNS-over-TLS
- WARP vs. Traditional VPNs
- Setting It Up
- Mobile (iOS / Android)
- Desktop (macOS / Windows / Linux)
- Verifying It Works
- My Experience
- The Takeaway
I’ve been running Cloudflare WARP on my phone and laptop for a while now. It’s free, it’s fast, and it just works — I flip a switch and my traffic is encrypted through Cloudflare’s network. No account required for the basic tier, no bandwidth caps, no ads. Which naturally made me wonder: what’s the catch? And how does this thing actually work under the hood?
So I went down the rabbit hole. Here’s what I found.
The Origin Story: It Started with 1.1.1.1
To understand WARP, you need to go back to April 1, 2018 — the day Cloudflare launched 1.1.1.1, a free public DNS resolver.
What DNS Resolvers Do
Every time you type a URL into your browser, your device needs to translate that human-readable domain name (like example.com) into an IP address (like 93.184.216.34) that computers can route to. This translation is handled by a DNS resolver — a server that looks up domain names and returns IP addresses.
By default, your DNS resolver is assigned by your ISP (Internet Service Provider). This means your ISP can see every domain you visit — not the full URL or page content, but the domain itself. They know you visited netflix.com at 10pm and webmd.com at 2am. In many countries, ISPs are legally allowed to log and sell this data. Some ISPs inject ads into DNS responses. Some redirect failed lookups to their own search pages filled with advertising.
Why Cloudflare Built 1.1.1.1
Cloudflare’s pitch was simple: a DNS resolver that is:
- Fast — they aimed for the fastest public resolver in the world, and largely achieved it. As of today, 1.1.1.1 consistently benchmarks as one of the top two fastest public resolvers globally (alongside Google’s 8.8.8.8).
- Private — Cloudflare committed to never selling user data, never using DNS query data for ad targeting, and purging all query logs within 24 hours. They hired KPMG to audit this commitment annually.
- Secure — full support for DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), encrypting DNS queries so they can’t be read or tampered with in transit.
The IP address 1.1.1.1 was deliberately chosen for memorability — it’s the DNS equivalent of a vanity phone number. Cloudflare had to negotiate with APNIC (the Asia-Pacific internet registry) to get it, since the 1.0.0.0/8 block had historically been used for research and was plagued by junk traffic from misconfigured devices. The deal: Cloudflare would operate the resolver and share anonymized DNS research data with APNIC.
1.1.1.1 was a hit. Within months, it was handling tens of billions of DNS queries per day. But it had a fundamental limitation: it only encrypted the DNS lookup, not the rest of your traffic. Your ISP couldn’t see which domains you were resolving, but they could still see the IP addresses you connected to afterward — and for many websites, the IP address alone is enough to identify the destination.
Cloudflare needed a way to protect the full connection, not just the DNS query.
Enter WARP: April 1, 2019
Exactly one year after launching 1.1.1.1, Cloudflare announced WARP — a free service that would encrypt all traffic between your device and Cloudflare’s network. Not just DNS queries. Everything.
The announcement was met with immediate skepticism. A free VPN from a major tech company? With no bandwidth limits? The internet had seen this movie before — “free” VPN providers that monetized by logging traffic, injecting ads, or selling user data. The phrase “if you’re not paying for the product, you’re the product” was repeated in every comment thread.
Cloudflare’s response was that WARP isn’t a VPN in the traditional sense, and their business model doesn’t depend on user data. But more on that later.
WARP launched publicly in September 2019 after a waitlist period that accumulated millions of sign-ups. It was initially available only on iOS and Android via the 1.1.1.1 app. Desktop support for macOS, Windows, and Linux followed in 2020.
How WARP Actually Works
WARP is built on WireGuard, a modern VPN protocol that deserves its own section.
WireGuard: The Protocol Underneath
WireGuard was created by Jason Donenfeld and publicly released in 2015. It was designed as a radical simplification of VPN technology. At the time, the two dominant VPN protocols were:
- OpenVPN — open-source, battle-tested, but complex. The codebase is over 100,000 lines of C. Configuration involves managing certificates, choosing cipher suites, and tuning dozens of parameters. It runs in userspace, which adds overhead from context switches between kernel and userspace for every packet.
- IPsec (with IKEv2) — the enterprise standard, built into most operating systems. Extremely capable but notoriously complex to configure correctly. The specification sprawls across dozens of RFCs. Security researchers have repeatedly found implementation bugs stemming from this complexity.
Donenfeld’s thesis was that a VPN protocol should be simple enough to audit in an afternoon. WireGuard’s entire codebase is roughly 4,000 lines of code — small enough that it was merged into the Linux kernel in March 2020 (Linux 5.6). By comparison, OpenVPN’s codebase is 25x larger.
WireGuard achieves this simplicity through opinionated design choices:
| Decision | WireGuard’s Choice |
|---|---|
| Key exchange | Noise Protocol Framework (based on Curve25519) |
| Symmetric encryption | ChaCha20-Poly1305 |
| Hashing | BLAKE2s |
| Key derivation | HKDF |
| Cipher agility | None — there’s exactly one cipher suite, no negotiation |
That last point — no cipher agility — is the most controversial and the most important. Traditional VPN protocols let you choose which encryption algorithms to use, which sounds flexible but creates a massive attack surface. Cipher negotiation is where many real-world VPN vulnerabilities live. WireGuard simply doesn’t negotiate: both sides use the same fixed set of modern cryptographic primitives. If any of them are ever broken, the entire protocol gets a version bump, and everyone moves to the new version. No backwards compatibility, no downgrade attacks.
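The sketch below shows how "no negotiation" looks at the byte level. It is an added example, not code from the original post or from WireGuard/BoringTun: the construction and identifier strings and the 148-byte initiation layout come from the WireGuard protocol specification, while the function names, the sample key, the sample packet and the alternative suite name are constructed for illustration.

```python
import hashlib

# Fixed strings from the WireGuard protocol specification.
CONSTRUCTION = b"Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"
IDENTIFIER = b"WireGuard v1 zx2c4 Jason@zx2c4.com"
# Hypothetical name for a different suite, used only to show the effect of a change.
HYPOTHETICAL_OTHER_SUITE = b"Noise_IKpsk2_25519_AESGCM_SHA256"

def blake2s(data: bytes) -> bytes:
    return hashlib.blake2s(data).digest()  # 32-byte output

def initial_state(responder_static_pub: bytes,
                  construction: bytes = CONSTRUCTION,
                  identifier: bytes = IDENTIFIER) -> tuple[bytes, bytes]:
    """Chaining key C and transcript hash H before the first message is built."""
    c = blake2s(construction)
    h = blake2s(c + identifier)
    h = blake2s(h + responder_static_pub)
    return c, h

# Handshake initiation (message type 1). Every field has a fixed size and
# none of them names a cipher, hash or curve: there is nothing to negotiate.
INITIATION_FIELDS = [
    ("type", 1), ("reserved", 3), ("sender_index", 4),
    ("ephemeral_public", 32),
    ("encrypted_static", 32 + 16),     # 32-byte key + 16-byte Poly1305 tag
    ("encrypted_timestamp", 12 + 16),  # 12-byte TAI64N stamp + 16-byte tag
    ("mac1", 16), ("mac2", 16),
]
INITIATION_LEN = sum(size for _, size in INITIATION_FIELDS)  # 148 bytes

def parse_initiation(packet: bytes) -> dict[str, bytes]:
    """Split a handshake initiation into its fixed-size fields."""
    if len(packet) != INITIATION_LEN:
        raise ValueError(f"expected {INITIATION_LEN} bytes, got {len(packet)}")
    fields, pos = {}, 0
    for name, size in INITIATION_FIELDS:
        fields[name] = packet[pos:pos + size]
        pos += size
    if fields["type"] != b"\x01":
        raise ValueError("not a handshake initiation")
    return fields

# Constructed sample data (not real keys or captured traffic).
RESPONDER_PUB = bytes(range(32))
SAMPLE_INITIATION = b"\x01\x00\x00\x00" + b"\x34\x12\x00\x00" + bytes(140)

if __name__ == "__main__":
    _, h_v1 = initial_state(RESPONDER_PUB)
    _, h_other = initial_state(RESPONDER_PUB, construction=HYPOTHETICAL_OTHER_SUITE)
    # H is authenticated by every AEAD operation in the handshake, so peers
    # that start from different suite names cannot complete it.
    print("v1 H:   ", h_v1.hex())
    print("other H:", h_other.hex())
    print({k: len(v) for k, v in parse_initiation(SAMPLE_INITIATION).items()})
```

Because the suite name is hashed into the starting state rather than carried in a header field, there is no value on the wire that a middlebox could rewrite to force weaker primitives.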
The performance difference is substantial. WireGuard operates in the kernel (on Linux) rather than userspace, eliminating the per-packet context switch overhead that plagues OpenVPN. Benchmarks consistently show WireGuard achieving 2-4x higher throughput than OpenVPN and establishing connections in under 100 milliseconds — fast enough that the VPN can reconnect seamlessly when you switch between WiFi and cellular.
What Cloudflare Changed
Cloudflare didn’t use WireGuard as-is. They built a custom implementation called BoringTun (a play on Google’s BoringSSL, their stripped-down fork of OpenSSL). BoringTun is written in Rust and runs in userspace rather than requiring kernel-level access. This was a deliberate choice:
- Cross-platform deployment — kernel WireGuard only exists on Linux. BoringTun runs identically on macOS, Windows, iOS, and Android without needing kernel extensions or drivers.
- App Store compatibility — Apple and Google’s app stores don’t allow apps that install kernel modules. A userspace implementation can ship as a normal app.
- Memory safety — Rust’s ownership model prevents entire classes of memory bugs (buffer overflows, use-after-free, data races) that have historically been the source of VPN vulnerabilities. For a tool that handles every packet leaving your device, this matters enormously.
BoringTun was open-sourced on GitHub in March 2019, before WARP even launched publicly.
The Data Flow
Here’s what happens when WARP is enabled on your device:
- Your device establishes a WireGuard tunnel to the nearest Cloudflare data center. Cloudflare operates in over 330 cities across 120+ countries, so “nearest” usually means within a few milliseconds of network latency.
- All traffic from your device — not just DNS, not just browser traffic, but everything — is encrypted and sent through this tunnel to Cloudflare’s edge.
- At Cloudflare’s edge, the traffic is decrypted and forwarded to its destination on the public internet. DNS queries go to 1.1.1.1. Web requests go to the origin server. Everything else goes where it’s addressed.
- Responses travel back through the same path: origin server to Cloudflare edge, encrypted through the tunnel, decrypted on your device.
This means your ISP sees only encrypted WireGuard packets flowing between your device and Cloudflare. They can’t see which domains you’re visiting, which pages you’re loading, or what data you’re sending. The traffic looks like a single encrypted stream to a Cloudflare IP address.
What WARP Is Not
This is where the “not really a VPN” distinction matters:
- WARP does not hide your IP address from websites. When your traffic exits Cloudflare’s network, the destination server sees an IP address in the same geographic region as your real one. Unlike a traditional VPN where you can choose to appear in another country, WARP deliberately routes you through the nearest data center. You can’t use it to watch Netflix from another region or bypass geo-restrictions.
- WARP does not anonymize you. Cloudflare knows your real IP address (it has to, to send responses back to you). Traditional privacy-focused VPNs like Mullvad go to extreme lengths to avoid knowing who you are — accepting cash payments, generating random account numbers, running on RAM-only servers. WARP doesn’t pretend to offer this level of anonymity.
- WARP is not designed to circumvent censorship. While it does encrypt your traffic (which can incidentally bypass some forms of network filtering), Cloudflare has stated that WARP is not designed as a censorship circumvention tool. In countries that actively block VPN protocols, WARP’s WireGuard traffic can be identified and blocked just like any other VPN.
What WARP is designed to do:
- Encrypt your traffic on untrusted networks — coffee shop WiFi, hotel networks, airport hotspots. This is genuinely valuable. On an unencrypted network, anyone with a packet sniffer can see your DNS queries and unencrypted HTTP traffic.
- Prevent ISP snooping — your ISP can no longer see which domains you’re visiting or sell that data to advertisers.
- Improve performance in some cases — Cloudflare’s network is often faster than the default path your ISP takes to reach a destination. WARP can route your traffic through Cloudflare’s optimized backbone, reducing latency for connections that would otherwise take a suboptimal path across the public internet.
The Business Model: Why Is It Free?
This is the question everyone asks, and the answer is surprisingly straightforward.
Cloudflare’s Real Business
Cloudflare is a publicly traded company (NYSE: NET) with revenue over $1.5 billion annually. Their business is selling cloud security and performance services to businesses: DDoS protection, CDN, Web Application Firewall, Zero Trust access, Workers (serverless compute), R2 (object storage), and more. Their customer list includes roughly 20% of all websites on the internet.
WARP fits into this business in several ways:
- Network utilization. Cloudflare has already built a massive global network to serve its paying customers. The marginal cost of routing consumer WARP traffic through this network is relatively low — the infrastructure exists regardless. Consumer traffic helps justify network expansion in regions where enterprise demand alone might not warrant a new data center.
- Brand awareness and trust. Every person running WARP on their phone is a potential advocate for Cloudflare. When those people make infrastructure decisions at work — choosing a CDN, a DNS provider, a security vendor — Cloudflare is already a name they trust. This is marketing that scales.
- The paid tier: WARP+. For $4.99/month, WARP+ routes your traffic through Cloudflare’s Argo Smart Routing network, which uses real-time network intelligence to find the fastest path between you and your destination. This is the same technology Cloudflare sells to enterprise customers for optimizing their web properties. Consumer WARP+ subscriptions are a lower-margin but high-volume revenue stream.
- Zero Trust pipeline. Cloudflare’s enterprise product Cloudflare Zero Trust (formerly Cloudflare for Teams) uses the same WARP client to connect employees to corporate networks. An employee who already has WARP on their personal phone is one configuration profile away from being enrolled in their company’s Zero Trust deployment. The consumer app is, in effect, pre-installed enterprise software.
- Network intelligence. The aggregate traffic flowing through WARP gives Cloudflare visibility into internet routing, performance, and security trends. This data (in aggregate, not individually) informs their network engineering decisions, their threat intelligence products, and their Radar platform (a public internet trends dashboard). Cloudflare has been explicit that they don’t sell individual user data and don’t use it for ad targeting.
The math works because WARP’s cost to Cloudflare is marginal (the network already exists), while the strategic benefits — brand trust, enterprise pipeline, paid tier upsells, and network intelligence — are substantial.
The Technical Stack in Detail
Cloudflare’s Network Architecture
Cloudflare’s network is built on an anycast architecture. This means the same IP addresses are advertised from every Cloudflare data center in the world. When your device connects to WARP, BGP routing directs the connection to the physically closest data center.
This is different from how traditional VPN providers work. A typical VPN provider operates a fixed set of servers in specific cities. You choose “connect to London” and your traffic goes to a specific server farm in London, regardless of whether there’s a closer server. If that server is overloaded, your speed drops.
With anycast, there is no server selection. Your traffic automatically goes to the nearest point of presence. If a data center goes offline, BGP reconverges and your traffic is automatically routed to the next-closest one — typically within seconds, often without dropping your connection. This is the same technique Cloudflare uses for its CDN and DDoS protection, so it’s battle-tested at enormous scale.
The 1.1.1.1 App
The user-facing software is the 1.1.1.1 app, available on iOS, Android, macOS, Windows, and Linux. On mobile, it uses the OS’s native VPN API (NetworkExtension on iOS, VpnService on Android) to create a system-wide tunnel. On desktop, it installs a lightweight daemon that manages the WireGuard tunnel.
The app offers three modes:
| Mode | What It Does |
|---|---|
| 1.1.1.1 (DNS only) | Routes only DNS queries through Cloudflare’s encrypted resolver. The rest of your traffic is unaffected. |
| WARP | Routes all traffic through the WireGuard tunnel to Cloudflare. DNS goes to 1.1.1.1, everything else exits through Cloudflare’s network near your location. |
| WARP+ | Same as WARP, but uses Argo Smart Routing for optimized paths. Paid tier. |
Switching between modes is instant — the tunnel is established or torn down in milliseconds, which is one of WireGuard’s key advantages over older protocols.
DNS-over-HTTPS and DNS-over-TLS
Even in DNS-only mode (without the full WARP tunnel), the 1.1.1.1 app encrypts your DNS queries using either:
- DNS-over-HTTPS (DoH) — DNS queries are wrapped in HTTPS requests to https://cloudflare-dns.com/dns-query. This looks like normal HTTPS traffic on port 443, making it difficult for network operators to selectively block DNS encryption while allowing other HTTPS traffic.
- DNS-over-TLS (DoT) — DNS queries are encrypted with TLS and sent to port 853. This is more transparent (network operators can see it’s encrypted DNS) but slightly more efficient than DoH since it doesn’t have HTTP overhead.
Both prevent your DNS queries from being read or tampered with in transit. Traditional DNS (port 53, unencrypted) sends domain lookups in plaintext — anyone on the network path can read them.
WARP vs. Traditional VPNs
If you’re already paying for a VPN service, you might wonder how WARP compares. The honest answer is that they serve different purposes.
| Feature | WARP (Free) | Traditional VPN (e.g., Mullvad, ProtonVPN) |
|---|---|---|
| Price | Free (WARP+: $4.99/mo) | $5-12/month |
| IP masking | No — exits near your location | Yes — choose exit country |
| Geo-unblocking | No | Yes (server selection) |
| Anonymity | Limited — Cloudflare knows your IP | Stronger — cash payments, no logs (varies by provider) |
| Speed | Excellent — anycast, minimal latency | Varies — depends on server load and distance |
| Protocol | WireGuard (BoringTun) | WireGuard, OpenVPN, or proprietary |
| Censorship bypass | Not designed for it | Some are designed for it (obfuscated protocols) |
| ISP snooping protection | Yes | Yes |
| Public WiFi protection | Yes | Yes |
| Kill switch | Yes (on desktop) | Yes |
| Multi-device | Unlimited | Typically 5-10 devices |
If your primary concern is privacy from your ISP and security on public networks, WARP does the job for free. If you need to appear in another country, avoid being tracked by IP address, or bypass censorship, a traditional VPN is the right tool.
I use WARP because my threat model is simple: I don’t want my ISP logging my DNS queries, and I don’t want coffee shop WiFi to be a security risk. WARP handles both without me thinking about it.
Setting It Up
Mobile (iOS / Android)
- Install the 1.1.1.1 app from the App Store or Google Play.
- Open the app. Tap the toggle. That’s it.
No account creation, no email address, no payment information. The app generates a WireGuard key pair on-device, registers the public key with Cloudflare, and establishes the tunnel. The entire setup takes under 10 seconds.
Desktop (macOS / Windows / Linux)
- Download the 1.1.1.1 client from Cloudflare’s website.
- Install and run it. A small icon appears in the menu bar / system tray.
- Click the icon and toggle WARP on.
On macOS, the app installs a system extension to create the VPN tunnel. On Linux, it’s a CLI tool (warp-cli) with a daemon (warp-svc):
```bash
# Linux setup
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
# Add repo and install...
sudo apt install cloudflare-warp
# Register and connect
warp-cli registration new
warp-cli connect
# Check status
warp-cli status
```
Verifying It Works
Once WARP is connected, you can verify it’s working by visiting https://1.1.1.1/help in a browser. The page shows your connection status, whether you’re using WARP, which Cloudflare data center you’re connected to, and whether DNS-over-HTTPS is active.
You can also check your DNS resolver from the command line:
```bash
# Should return 1.1.1.1 or 1.0.0.1
nslookup -type=txt whoami.cloudflare.com
```
My Experience
I’ve been using WARP on both my phone and laptop for months. A few observations:
Speed is a non-issue. On a decent internet connection, I genuinely cannot tell that WARP is running. Latency overhead is negligible — usually 1-3ms. This is a direct benefit of Cloudflare’s anycast network: the nearest data center is almost always within a few milliseconds. Some traditional VPN providers add 20-50ms of latency, which is noticeable in video calls and gaming.
Battery impact on mobile is minimal. WireGuard’s efficiency shows here. Unlike OpenVPN-based apps that can visibly drain your battery, WARP runs all day on my phone without a noticeable difference. The protocol’s ability to go silent when there’s no traffic (WireGuard doesn’t send keepalive packets unless configured to) means it essentially sleeps when your phone is idle.
It just reconnects. Moving between WiFi and cellular, waking from sleep, going through a tunnel with no signal — WARP re-establishes the connection almost instantly. This is WireGuard’s “roaming” in action: the protocol is stateless enough that the tunnel survives IP address changes without a full re-handshake.
No configuration needed. I set it up once on each device and haven’t touched it since. There’s no server to choose, no protocol to select, no settings to tune. The app has a grand total of one switch.
The Takeaway
WARP occupies an interesting niche. It’s not trying to be Mullvad or ProtonVPN. It’s not for journalists in authoritarian regimes or whistleblowers needing anonymity. It’s for everyone else — people who want their internet traffic encrypted by default without paying for a VPN subscription, without configuring anything, and without a noticeable performance penalty.
The fact that it’s built on WireGuard (via a Rust implementation), runs on Cloudflare’s anycast network, and is genuinely free with no bandwidth caps makes it a remarkably good deal. The trade-off — that Cloudflare can see your traffic at their edge, and you can’t mask your geographic location — is one I’m comfortable with.
For my use case — encrypting traffic on untrusted networks and keeping my ISP out of my DNS queries — it’s exactly the right tool. I flip the switch and forget about it.