
Cloudflare WARP Integration

Waveshift offers optional integration with Cloudflare WARP to provide enhanced privacy through traffic normalisation and massive anonymity sets while maintaining the control and flexibility of AWS-based egress points.

Why AWS + Cloudflare?

Waveshift uses a hybrid approach that combines the strengths of both AWS VPNs and Cloudflare WARP.

Benefits of Using AWS as VPN Infrastructure

1. Full Control & Transparency

  • You control the server and software stack
  • Audit and configure everything—no trusting third parties
  • Complete visibility into your infrastructure

2. Avoid Shared Infrastructure

  • Commercial VPNs route thousands of users through the same servers
  • With AWS, your traffic isn't mixed with strangers
  • Reduces chance of being caught in broad surveillance or bans

3. Unknown Exit IP

  • Your AWS EC2 instance has a unique IP
  • Not publicly known as a VPN server
  • Helps avoid detection and blocking by services that blacklist VPN IPs

4. No Logging by Default

  • AWS does not log your EC2 traffic (beyond standard cloud metrics)
  • No metadata logging unless explicitly enabled
  • Contrast to VPN providers that may log usage data

5. Geographic Flexibility

  • Choose from dozens of AWS regions worldwide
  • Change VPN server location anytime
  • Bypass geo-restrictions while staying private

6. Dedicated Bandwidth

  • Not sharing bandwidth with thousands of users
  • Significantly better performance during peak hours
  • Consistent, predictable speeds

7. Trustworthy Jurisdiction

  • Deploy in countries with strong privacy laws
  • Avoid Five Eyes nations if desired
  • Match your deployment to your threat model

Things to Consider

Operational Complexity

  • You need to manage and update servers
  • Waveshift handles this automation for you

No Shared Anonymity Set

  • Using AWS alone, traffic is just you
  • Your instance could be identified
  • Cloudflare integration solves this

Cloudflare WARP Benefits

Security Features

1. Encrypted Traffic

  • Uses WireGuard protocol (modern, fast, secure)
  • Traffic encrypted through Cloudflare's network
  • Protection from compromised Wi-Fi or ISP snooping

2. Zero Trust Integration

  • Integrates with Cloudflare Zero Trust Access
  • Identity-aware routing for organisations
  • Fine-grained access control

3. DNS Protection

  • Includes DNS over HTTPS (DoH) via 1.1.1.1
  • Prevents ISPs from seeing DNS queries
  • Protects against DNS poisoning

4. IP Address Privacy

  • Masks real IP address from websites
  • Anonymizes your public IP
  • Optimized for speed, unlike many traditional VPNs

5. No Logging

  • Cloudflare claims no user-identifiable data logging
  • Published audits of 1.1.1.1 service
  • Privacy-focused posture

6. Mitigates Common Threats

  • Man-in-the-middle (MITM) attack protection
  • DNS poisoning prevention
  • Packet sniffing protection on insecure networks

7. Performance Optimisation

  • Routes traffic over Cloudflare's premium network
  • Dynamic route optimisation for stability
  • Reduces latency-based vulnerabilities

What WARP Does NOT Do

  1. Not a traditional VPN - Can't choose specific exit country
  2. Not full anonymity - Traffic passes through Cloudflare (they see metadata)
  3. Not for torrenting - Not suitable for P2P file sharing
  4. Not for geo-spoofing - Limited geographic control

WARP Use Case

Cloudflare WARP excels at general-purpose security and privacy on unsafe networks, but isn't designed for full anonymity or circumventing regional restrictions.


Anonymity Sets Explained

An anonymity set is the group of people your traffic blends in with. The larger the set, the harder it is to identify you.

Cloudflare WARP Anonymity Set

Cloudflare WARP benefits from a very large anonymity set:

1. Massive User Base

  • Millions of devices globally use WARP and 1.1.1.1
  • Your traffic blends with millions of other users
  • Global distribution across all continents

2. Shared Exit IPs

  • Unlike AWS (unique IP per PoP), WARP uses shared Cloudflare IPs
  • Much harder to isolate or track your specific activity
  • Same IPs serve many users simultaneously

3. Existing Cloudflare Presence

  • Cloudflare proxies 20%+ of internet websites
  • Your traffic enters the same infrastructure as regular users
  • Massive existing network of legitimate traffic

Anonymity Comparison

Service            Anonymity Set           Shared IPs   Infrastructure Control   Anonymity Type
Cloudflare WARP    Very large (millions)   Yes          No                       Passive (crowd-based)
AWS VPN            Very small (just you)   No           Yes                      Active (controlled)
Commercial VPN     Large (millions)        Yes          No                       Passive (crowd-based)
Waveshift Hybrid   Very large (millions)   Yes          High                     Both

How Waveshift Works With Cloudflare

The Hybrid Approach

Waveshift combines both methods to get the best of both worlds:

Step-by-Step Traffic Flow:

  1. Your device → WireGuard encryption → Node
  2. Node → Encrypted tunnel over internet → AWS PoP
  3. AWS PoP → WireGuard encryption → Cloudflare WARP server (near PoP)
  4. Cloudflare WARP → Public internet

What This Achieves

Privacy Protection:

  • Cloudflare sees traffic from AWS, not your real IP
  • Your origin is protected behind AWS infrastructure
  • Cloudflare cannot determine true traffic source

Anonymity Enhancement:

  • Internet sees Cloudflare shared IP (millions of users)
  • Your traffic is normalized into the crowd
  • Extremely difficult to identify or track

Control Maintenance:

  • You choose AWS PoP location
  • You control which Cloudflare region is used
  • Full visibility into your infrastructure

Traffic Normalisation

This is what we call traffic normalisation:

Your Device (Unknown)
    ↓ WireGuard
Node (Your Circuit)
    ↓ WireGuard
AWS PoP (Your IP, but controlled)
    ↓ WARP
Cloudflare (Sees: AWS source)
    ↓ Shared egress IP
Public Internet (Sees: Cloudflare shared IP)

Key Points:

  • ✅ Your real IP is hidden from Cloudflare
  • ✅ Your traffic blends into millions of WARP users
  • ✅ You control the egress region via AWS
  • ✅ Two layers of encryption and anonymisation

Technical Implementation

Cloudflare Integration Sequence

The automated process when building a PoP with Cloudflare:

sequenceDiagram
    participant Client
    participant Proteus
    participant AWS PoP
    participant Cloudflare

    Client->>Proteus: Request WG-CF Config
    Proteus->>AWS PoP: Build WireGuard Instance
    Note right of Proteus: Peer Public keys in User Data
    AWS PoP->>Cloudflare: Register Device (WGCF)
    Note right of AWS PoP: PoP Public key provided to Cloudflare
    Cloudflare-->>AWS PoP: Device Registration Response
    AWS PoP-->>Proteus: Server WG Pub Key
    AWS PoP-->>Proteus: WireGuard Instance Built
    Note right of Proteus: PoP Public Key via SSM Parameter Store
    Proteus-->>Client: WireGuard Peer Configs

    Client->>AWS PoP: Connect via WireGuard
    AWS PoP->>Cloudflare: Forward via WARP
    Note right of Cloudflare: Authenticate & Route Traffic
    Cloudflare-->>Internet: Normalized Traffic

Configuration Details

When you enable Cloudflare integration:

  1. AWS PoP is built in your selected region
  2. PoP registers with nearest Cloudflare WARP endpoint
  3. WireGuard keys exchanged between PoP and Cloudflare
  4. Routing configured to forward all egress through WARP
  5. Peer configs generated for your devices

Your devices connect to: AWS PoP
AWS PoP connects to: Cloudflare WARP
Internet sees: Cloudflare shared IP
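The last step of the build, "Tests connectivity", can be checked by hand from the PoP: Cloudflare's /cdn-cgi/trace endpoint reports `warp=on` and the source address it saw, so a request from the PoP should show WARP on and an address that is not the PoP's own public IP. The following is an added example, not Waveshift's own test code; the trace text and both IP addresses are constructed samples.

```python
import ipaddress

# Constructed sample of a /cdn-cgi/trace response as returned by Cloudflare when
# the request egresses through WARP (field values are made up for this example).
SAMPLE_TRACE = """\
fl=123abc
h=www.cloudflare.com
ip=198.51.100.23
ts=1700000000.123
visit_scheme=https
uag=curl/8.0.1
colo=IAD
http=http/2
loc=US
tls=TLSv1.3
sni=plaintext
warp=on
gateway=off
"""


def parse_trace(text: str) -> dict:
    """Parse the key=value lines of a cdn-cgi/trace response into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def egress_is_normalised(trace_text: str, pop_public_ip: str) -> tuple:
    """Return (ok, problems): ok is True only when the trace shows warp=on and the
    address Cloudflare saw is not the PoP's own public IP (i.e. the PoP did not
    leak straight to the internet past the WARP tunnel)."""
    fields = parse_trace(trace_text)
    problems = []
    if fields.get("warp") != "on":
        problems.append("warp=%s (expected on)" % fields.get("warp", "missing"))
    seen = fields.get("ip")
    try:
        if seen is None or ipaddress.ip_address(seen) == ipaddress.ip_address(pop_public_ip):
            problems.append("egress ip %s is the PoP's own address" % seen)
    except ValueError:
        problems.append("unparseable ip field: %r" % seen)
    return (not problems, problems)


if __name__ == "__main__":
    # On a live PoP, trace_text would come from `curl https://www.cloudflare.com/cdn-cgi/trace`
    ok, problems = egress_is_normalised(SAMPLE_TRACE, "203.0.113.5")  # constructed PoP IP
    print("egress normalised" if ok else "problems: " + "; ".join(problems))
```

Running this periodically from the PoP (and alerting when `ok` turns False) catches the case where the WARP tunnel drops and traffic silently falls back to the bare AWS IP.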


Entropy and Security

Why Entropy Matters

Q: What is entropy in cryptography?

Entropy refers to randomness collected for use in encryption. High-quality entropy is essential for generating secure private keys: the more unpredictable the randomness, the harder the resulting keys are to guess.

Q: Why does entropy matter for WireGuard?

WireGuard uses public-key cryptography (Curve25519). If random number generation lacks sufficient entropy, keys may be predictable or weak—undermining security.

Q: How can machines lack entropy?

Headless servers, embedded systems, or VMs might not have enough user/hardware activity (keyboard, mouse, disk events) to feed the random pool. This is especially problematic early in the boot process.

Waveshift's Solution

Hybrid Entropy Approach:

  1. Public Entropy Sources - Uses Drand (distributed randomness beacon)
  2. Local Entropy Generation - System's own randomness pool
  3. Authenticated Sources - Only verified, signed entropy
  4. Early Boot Protection - Ensures strong keys even on cloud servers

Drand (Distributed Randomness Beacon):

  • URL: https://drand.love
  • Decentralized randomness beacon
  • Threshold cryptography among multiple participants
  • Supported by Cloudflare, EPFL, and other institutions

Trust Model:

  • Not relying on single entropy source
  • Hybrid approach combines public and local randomness
  • Drand provides verifiable, signed random numbers
  • Local entropy adds additional unpredictability

Risk Mitigation:

  • Public entropy sources require trust
  • Waveshift mitigates by using hybrid approach
  • Only authenticated, signed sources accepted
  • Local entropy ensures no single point of failure
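The hybrid approach above, as an added example that is not Waveshift's own code: a drand round is accepted only if its `randomness` field equals SHA-256 of its `signature` (the relation drand publishes), then it is mixed with local randomness through HKDF and clamped into a Curve25519 private key. The beacon round, the HKDF salt and the `waveshift-wg-key-v1` info label are constructed for the example; full BLS verification of the signature is assumed to be done by the drand client that fetched the round.

```python
import hashlib
import hmac
import os

# Constructed sample of one drand beacon round (NOT a real round). In the real
# beacon, `randomness` is SHA-256 of the BLS `signature`; check_drand_round()
# verifies that relation. Full BLS verification of the signature against the
# chain's public key is assumed to be done by the drand client that fetched it.
SAMPLE_SIGNATURE = bytes.fromhex("aa" * 48 + "bb" * 48)  # constructed, 96-byte shape
SAMPLE_ROUND = {
    "round": 1234567,  # constructed round number
    "signature": SAMPLE_SIGNATURE.hex(),
    "randomness": hashlib.sha256(SAMPLE_SIGNATURE).hexdigest(),
}

def check_drand_round(beacon: dict) -> bool:
    """Reject a beacon whose randomness field does not match SHA-256(signature)."""
    expected = hashlib.sha256(bytes.fromhex(beacon["signature"])).digest()
    return hmac.compare_digest(expected, bytes.fromhex(beacon["randomness"]))

def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using only the standard library."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_wireguard_private_key(beacon: dict, local_entropy: bytes) -> bytes:
    """Mix a checked drand round with local randomness into a Curve25519 key.
    The beacon value is public, so the key's secrecy rests entirely on
    local_entropy; mixing in the beacon guards against a stuck or biased local
    pool and can never make the result less random than the local input."""
    if not check_drand_round(beacon):
        raise ValueError("drand round failed consistency check; refusing to use it")
    if len(local_entropy) < 32:
        raise ValueError("need at least 32 bytes of local entropy")
    ikm = local_entropy + bytes.fromhex(beacon["randomness"])
    info = b"waveshift-wg-key-v1:" + str(beacon["round"]).encode()  # hypothetical label
    key = bytearray(hkdf_sha256(b"hybrid-entropy-salt", ikm, info, 32))
    key[0] &= 248   # Curve25519 clamping, the same bit-fiddling `wg genkey` applies
    key[31] &= 127
    key[31] |= 64
    return bytes(key)

if __name__ == "__main__":
    print(derive_wireguard_private_key(SAMPLE_ROUND, os.urandom(32)).hex())
```

On a real PoP, `local_entropy` would be `os.urandom(32)` (which blocks until the kernel pool is initialised on modern Linux) and the beacon would be fetched from a drand endpoint.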

When to Use Cloudflare Integration

Use Cloudflare WARP When:

✅ Maximum anonymity is priority
✅ Blending into crowd is important
✅ Accessing services that may track IPs
✅ Using public/untrusted networks
✅ Want DNS poisoning protection
✅ Need additional layer of security

Skip Cloudflare WARP When:

❌ Maximum performance is critical
❌ Direct AWS IP is acceptable
❌ Cloudflare in trust chain is concern
❌ Specific AWS IP address needed
❌ Lower latency required


Privacy Considerations

What Cloudflare Can See

With Waveshift, Cloudflare sees:

  • Source: AWS data center (not your real IP)
  • Destination: Websites you visit
  • Timing: When connections occur
  • Volume: Amount of data transferred

What Cloudflare CANNOT see:

  • Your real IP address (hidden behind AWS)
  • Your actual location (it sees the AWS region)
  • Any association to you personally

What AWS Can See

AWS knows:

  • Your account owns the PoP
  • The PoP's public IP address
  • Network metrics (bandwidth, connections)

AWS does NOT log:

  • Your actual traffic content
  • Websites you visit
  • Who connects to your PoP

What Your ISP Can See

With Waveshift, your ISP sees:

  • Encrypted WireGuard traffic to the Node's IP
  • Amount of data transferred
  • Timing of connections

Your ISP CANNOT see:

  • Destination websites
  • Traffic content
  • DNS queries


Configuration Options

Enabling Cloudflare

When creating a PoP, simply toggle:

Enable Final Egress through Cloudflare: [ON]

The system automatically:

  • Selects the nearest Cloudflare endpoint to your AWS region
  • Configures WARP registration
  • Sets up routing rules
  • Tests connectivity

Regional Optimisation

Waveshift automatically pairs AWS regions with optimal Cloudflare endpoints:

  • US East → Cloudflare US East
  • EU West → Cloudflare EU West
  • Asia Pacific → Cloudflare Asia Pacific

This minimizes latency while maximizing anonymity.


Performance Impact

Expected Latency

Without Cloudflare:

  • Path: Device → Node → AWS PoP → Internet
  • Typical added latency: +20-50ms

With Cloudflare:

  • Path: Device → Node → AWS PoP → Cloudflare → Internet
  • Typical added latency: +30-70ms

Impact: an additional 10-20ms of latency in exchange for the anonymity benefit.

Bandwidth

  • No bandwidth limit from Cloudflare side
  • Limited by AWS PoP instance type
  • Cloudflare's network is highly optimized
  • Minimal throughput impact

Summary

Cloudflare WARP integration in Waveshift provides:

Massive anonymity set - Millions of users
Traffic normalisation - Blend into the crowd
Origin protection - Cloudflare doesn't see your real IP
Geographic control - You choose AWS region
Two-layer security - AWS + Cloudflare encryption
Shared exit IPs - No unique fingerprint
Automated setup - No manual configuration

Trade-offs:

  • Slightly higher latency
  • Cloudflare in the trust chain
  • Not suitable for torrenting

Best for:

  • Maximum privacy and anonymity
  • Protection on public networks
  • Services that track or ban VPN IPs
  • General secure browsing


See Also