Sean Posted October 24, 2019 CID Share Posted October 24, 2019 Over the past few years, the Irish Three mobile network has prioritised certain types of traffic on its network. This includes the likes of Google services (e.g. YouTube), CloudFlare, some Microsoft services and certain hosts. In the past, this included traffic over certain port #s such as port 8080 that Ookla's Speedtest traffic runs over. This also made it possible to exploit the traffic prioritisaton by making a VPN connection over port 8080, however, they (and Vodafone Ireland) stopped traffic shaping by port # shortly after I posted about it. With Cloudflare recently launching a privacy App 1.1.1.1 for Android, it made me wonder if I could exploit Cloudflare's traffic prioritisation with its WARP+ service. I purchased the Unlimited subscription to try, but quickly ran into a problem. While the service worked over Wi-Fi, I could not browse the web over Three's mobile data and Apps had no connectivity. After doing some diagnostics, I found that WARP+'s DNS queries were not getting through, but TCP connectivity was working. This is surprising giving than the 1.1.1.1 App is supposed to securely encrypt DNS queries back to Cloudflare. Since connectivity by IP address was working, this gave me an idea - Enable DNS over HTTPS on Firefox for Android: Enter the address: about:config Change network.trr.bootstrapAddress to 104.16.248.249 Change network.trr.mode to 3 This gave me Internet connectivity in the Firefox App until I disconnected WARP+. I had to change network.trr.mode to 2 for Firefox to work once I disconnected WARP+. While the other Apps still had no connectivity with WARP+ enabled, I was mainly interested in running speed tests. In Ballybofey with a good 4G+ signal on Three, I ran TestMy on every server with a linear 50MB block size with WARP+ disconnected. I then enabled WARP+ and reran the tests. Here are the download speeds in Mbps: While Cloudflare's 1.1.1.1 made a substantial difference, I believe this is mainly down to Three's traffic shaping of Cloudflare traffic. It's interesting to see that even Sydney at the opposite side of the globe to me got nearly a 10x speed boost. The Los Angeles TestMy server appears to be on a server that Three prioritises as repeat tests consistently deliver around 70Mbps when even Ookla's speed test with local servers couldn't achieve anything higher than the 30s. From testing Three's masts in different areas, it appears that most (if not all) Three's 3G masts and certain 4G masts are not affected by traffic shaping. For example, in Donegal town I get much better speed with a direct connection than over 1.1.1.1 WARP+. London,GB - Direct connection vs 1.1.1.1 WARP+: Frankfurt, DE - Direct connection vs 1.1.1.1 WARP+: Sydney, AU - Direct connection vs 1.1.1.1 WARP+: I didn't have enough time to test all the servers, but it's clear that WARP+ was actually slowing down my connection in this location. Based on the London speed test, it's quite possible Three don't apply traffic shaping to masts fed directly into the fibre network. Whenever Cloudflare releases this service for the desktop, I will carry out some testing over a tethered / Hotspot connection as Android bypasses any VPN connection when tethering is enabled. Jardee and CA3LE 2 Quote Link to comment Share on other sites More sharing options...
Jardee Posted January 15, 2020 CID Share Posted January 15, 2020 (edited) I had the same problem when using WARP trial 10Gb. and gave up on it. Does this mean that the Warp traffic is not encrypted or.... And that it should work if tethered to a phone using 3? thx + Edited January 15, 2020 by Jardee typo and double paste Quote Link to comment Share on other sites More sharing options...
Sean Posted January 15, 2020 Author CID Share Posted January 15, 2020 Going by Cloudflare's WARP+ article, when WARP+ is enabled, all the traffic is encrypted. However, it appears that in whatever way it handles DNS traffic, it is unable to transfer it over the Three network. The WARP+ traffic however appears to transfer fine. When tethering (Hotspot) is enabled on Android, it does not tether traffic over the VPN connection, even with other VPN services. You will need to use a third party App to tether the WARP+ connection. One example is the App VPN Hotspot, however, I have not tried this yet. As DNS does not work over WARP+ with the Three network, it's very likely tethered traffic will have the same issue, where only applications that support DNS over HTTPS work. Quote Link to comment Share on other sites More sharing options...
Jardee Posted January 16, 2020 CID Share Posted January 16, 2020 Thx for that Sean, I found it difficult to find any clear info using search engines, as once the abvr. "VPN" Is used, the results are all adverts or honeypot reviews. I previously found a similar situation to you, I retested today to confirm. and found - pic CF1 However after I installed the latest version of the app, My attempts seemed to show that the cloudflare DNS is now in use, - Pic CF2 I lost access to the WARP+ function of the CF apk - I mistakenly reset it when looking at the logs!, so couldn't test further. Also if a VPN is active on the Hotspot Provider it seems unable to provide an I.P. to the Hotspot Client, but if I momentarily disconnect the Provider VPN an IP is assigned to the client. A VPN will then operate successfully on the client, I used the Nord Apk. If I understood your answer properly this is the way to do it? I'm probably wrong as I'm figuring it out as I go. A huge Thank U for the Editor site - I am amazed at your generousity Sean 1 Quote Link to comment Share on other sites More sharing options...
Sean Posted January 16, 2020 Author CID Share Posted January 16, 2020 That's interesting that the Cloudflare DNS worked for you over 4G. I tried connecting WARP+ on my end over Three mobile data, but the DNS queries still do not work. What I meant about the VPN is WARP+ itself rather than a third party. However, the issue is that WARP+ is currently not available for the desktop, so depends on an App being able to tether the WARP+ connection established on the mobile. With Android's built-in tethering, it bypasses WARP+. Jardee 1 Quote Link to comment Share on other sites More sharing options...
Sean Posted March 4, 2020 Author CID Share Posted March 4, 2020 It appears that the Cloudflare 1.1.1.1 App now works on the Three network as I no longer need to use DNS over HTTPS to get online while connected. In fact, it appears that WARP+ now blocks DNS over HTTPS while it is connected. For example, if Firefox has network.trr.mode set to 2 or 3, there is no connectivity while WARP+ is connected. Unfortunately, it looks like either Three has tweaked its traffic shaping or Cloudflare's WARP+ servers are facing congestion. Traffic is now only intermittently prioritised while the WARP+ is connected. For example, at the moment, here is a 50MB test with TestMy London directly and over WARP+: TestMy Australia and over WARP+ It's quite erratic also, so could give 10Mbps on one test and hit as high as 50Mbps on the next test. I did manage to find an App that could share WARP+ to my laptop over a tethered Wi-Fi connection, however the WARP+ trick is of limited use now. It was nice while it lasted. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.