Back to all posts
Published on · by Renaud Deraison

Running a VPN inside Bromure — and a plain-language primer on Cloudflare WARP

What a VPN actually does, what it doesn't do, why running one per profile inside Bromure changes the anonymity story, and a tour of how Cloudflare WARP works under the hood.

Anonymity online is not a hacker concern. It is what you want every time you would rather your grocery store, your insurer, your kid's school, and six ad networks not know which articles you read at one in the morning.

Most people reach for a VPN when they are traveling, streaming, or shopping for something they would rather not see retargeted back at them in a pop-up ad next week. Fewer people think about where the VPN runs — on the operating system, on the router, or somewhere more interesting. The answer to that last question turns out to matter a lot. This post walks through what a VPN actually does, what it doesn't do, why running it per-profile inside Bromure changes the math, and — because people keep asking — what exactly Cloudflare WARP is.

Your IP address is a name tag you cannot take off.

Every request your computer makes to every web service contains your IP address. It has to: the response has to come back somewhere. The trouble is that the same IP, from the same home, typically persists for days, weeks, or months, and that is long enough for every analytics pipeline on the internet to treat it as a stable identifier — "the laptop at the kitchen table" — and to stitch together, across entirely unrelated sites, a picture of what the person at that laptop does in their free time.

Youhome connection203.0.113.45News sitevisitor 203.0.113.45Social networkvisitor 203.0.113.45Online shopvisitor 203.0.113.45Medical forumvisitor 203.0.113.45Ad networkvisitor 203.0.113.45Data brokervisitor 203.0.113.45Same number on every line. Congratulations — you are a key in every database.
A single IP address appears on every page you visit, from every site, over weeks and months. That is enough for ad networks and data brokers to build a rich profile — no cookies required, no login required. Your name tag came pre-printed.

Your IP is not the only identifier on the internet; cookies and logged-in accounts are stronger ones. But IP is the one you cannot turn off. You can clear cookies, you can refuse to log in, and the IP still goes out, the same IP, on every request.

That is the problem a VPN addresses.

What a VPN actually does — and what it does not.

A VPN — virtual private network — reroutes your traffic through an intermediate server, so that the websites you visit see the VPN's IP address instead of yours. The traffic between your device and the VPN is encrypted, and the websites you visit see whatever geographic region the VPN chose to exit from.

Youreal IP203.0.113.45ENCRYPTED TUNNELWireGuard / OpenVPN /IKEv2 · all payload opaqueVPN exitrewrites source IP185.220.42.17Websiteseesvisitor 185.220.42.17The VPN provider can see everything the ISP could see. You are trusting the VPN instead of the ISP — not adding trust, moving it.
A VPN rewrites the return address on your internet traffic. Every site sees the VPN's IP instead of yours. The traffic between you and the VPN is encrypted; the traffic between the VPN and the site is not (though nearly all of it is wrapped in TLS at the application layer already).

What a VPN gives you:

Your IP is hidden from websites

Sites see the VPN's IP. Their ad partners see the VPN's IP. Data brokers aggregating visits across the internet end up aggregating around a shared exit, not around your home.

Your traffic is hidden from your ISP and your network

The café, the airport, the hotel, and your ISP all see a single encrypted stream going to the VPN. They cannot see which sites you are visiting. DNS lookups go through the VPN too, so they cannot even see what you were looking up.

You can choose a geographic exit

Most commercial VPNs let you pick a country. If a site is only available in Japan, or if you want to see the shopping prices your counterpart across the ocean is seeing, a VPN is the easy answer.

You do not become anonymous

This is the honest part. A VPN hides your IP, not your identity. If you log into the same accounts you always log into, you are as identified as before — just via a different IP. Browser fingerprinting, cookies, passkeys, and "sign in with Google" don't care about IPs.

Why running a VPN inside Bromure is a better shape.

Most people run a VPN on the operating system. The whole machine is either VPN-on or VPN-off. The problem with that is twofold.

The first problem is resolution. When the VPN is on, every app — your mail client, your Slack, your App Store updates, your Dropbox sync — goes through the VPN. That can break logins ("we noticed a sign-in from Germany"), it can slow everything down, and it leaks VPN use to every other service you talk to.

The second problem is leakage. When the VPN is off, some other app doing something helpful in the background can light up your real IP on a site you thought you were reaching anonymously. A single DNS leak, a single WebRTC leak, and the site correlates you with the real connection.

Bromure takes a different approach: each profile is its own virtual machine, each with its own network configuration. One profile can be on WARP. Another can be direct. A third can be on a paid commercial VPN exiting in Germany. A fourth can be on Tor. None of them see each other. And the host operating system — your real IP, your real connection — has no VPN on it at all, because it does not need one.

One laptop, one real IP — four worldsHOST · no VPN, just internetWorkcorporate appsno VPN(direct)Bankingfinance onlyno VPN(avoid flags)Personalnews, socialCloudflare WARP(hides IP, free)Researchrandom linkspaid VPN · DE exit(specific geography)Internetdirect from host IPCloudflare WARPCF edge IPPaid VPN · GermanyFrankfurt exit IP
On a traditional OS, a VPN is a toggle on the whole machine. In Bromure, every profile is its own network world. The host has its normal internet; each profile can route its traffic however you want it routed — and that choice does not leak out of the profile.

Three quiet consequences fall out of this shape.

No accidental correlation. The work profile and the research profile do not share a source IP. A site you logged into from "Personal" sees the WARP exit; a site you opened in "Research" sees a German commercial exit. They cannot tie the two sessions together from the network.

No leakage between profiles. A DNS leak, a WebRTC leak, a misconfigured app — these are VM-local. A badly-behaved page in one profile cannot discover the host's real IP, because the host's real IP is not inside that profile's network namespace. It is the next wall over.

Sessions end, routes end with them. A disposable session that had WARP running is torn down when you close the window. The next time you open the same profile, nothing about the previous session — cookies, caches, WireGuard keys, IP allocations — is there. The VPN is as ephemeral as the window was.

A primer on Cloudflare WARP.

WARP is Cloudflare's consumer VPN-ish product. It is, confusingly, both a free service that anyone can use and a paid product, and it lives alongside a whole suite of business products that also carry the WARP name (1.1.1.1 for Families, Zero Trust, Gateway). This section talks about the free, personal version, which is the one people ask about.

Your deviceBromure profileWireGuard clientENCRYPTED TUNNELWireGuard (UDP 51820)or MASQUE (QUIC/HTTP3)CLOUDFLARE EDGENearest PoP300+ cities worldwideDNS via 1.1.1.1sees decrypted trafficThe internetsees source IPa Cloudflare IPNo country picker. Exit geography = wherever the nearest Cloudflare PoP is for you.
What WARP actually does under the hood. Your traffic gets encrypted in a WireGuard tunnel (or, on newer clients, a MASQUE/QUIC tunnel), terminated at the nearest Cloudflare edge, and exits from Cloudflare's network. DNS queries run through 1.1.1.1 and are encrypted separately. There is no choice of country; the exit is wherever is closest to you on Cloudflare's network.

A very short history: WARP began as the consumer side of Cloudflare's 1.1.1.1 DNS resolver, launched in 2019. The idea was simple — Cloudflare already had one of the largest edge networks on the planet for serving websites, so terminating a WireGuard tunnel at the same edge was a small additional hop. The original client used Cloudflare's own Rust WireGuard implementation (BoringTun); more recent clients have added MASQUE — a newer VPN-style protocol built on HTTP/3 and QUIC, which is harder to block in many hostile networks.

What WARP gives you:

Free, no account to start

The basic WARP tier is free. No credit card, no email. A device identifier is generated locally; you can upgrade later if you want the paid tier, but the out-of-box experience is "install, connect, done."

Fast, because Cloudflare's edge is everywhere

Traditional VPNs backhaul your traffic to one of a few dozen data centers and exit from there. Cloudflare operates PoPs in over 300 cities. The extra hop your traffic takes is usually tiny, and for many users WARP is measurably faster than no VPN at all because of Cloudflare's transit peering.

Encrypted DNS

By default, DNS queries inside the tunnel go to 1.1.1.1 over DoH or DoT. Your ISP, your office network, and the coffee-shop router cannot see what domains you are looking up — which, on unencrypted networks, would otherwise be plaintext.

Privacy claims you can actually read

Cloudflare has repeatedly published privacy audits of WARP (by third-party auditors — KPMG most recently) stating that IP addresses and browsing history are not logged or used for advertising. The policy is not bulletproof, but it is better than most free VPNs and meaningfully auditable.

What WARP is not.

It is easy to overestimate what WARP does. A few things to keep in mind before you treat it as a full privacy solution.

Not a geographic VPN

You cannot pick "exit from Japan" in free WARP. The exit PoP is determined by where you are. For geo-unlocking, you still need a commercial VPN with a country picker, or WARP+ variants that offer region control.

Trust moves from ISP to Cloudflare

Your traffic is only encrypted up to the Cloudflare edge. After that, Cloudflare routes it out to the public internet. Cloudflare can see every domain you connect to, every DNS lookup, every unencrypted byte (though most of it is wrapped in TLS). You are trading your ISP's visibility for Cloudflare's — which is a real step up if you do not trust your ISP, but it is a single well-known trust anchor.

Does not stop fingerprinting

A VPN hides your IP. It does not change your user-agent string, your list of installed fonts, your screen resolution, your WebGL/canvas fingerprint, your TLS signature. A well-equipped tracker correlates you across IPs anyway. Hiding the IP raises the bar; it does not flatten the field.

Some networks block WARP outright

Corporate networks, some airports, and certain countries detect and block the standard WARP endpoints. MASQUE helps with this, but is not magic. If WARP refuses to connect on a given network, that is usually not a bug — it is the network saying no.

Using WARP inside a Bromure profile.

The mechanical part is small. WARP's configuration can be exported as a WireGuard config file from the 1.1.1.1 app — the same kind of file any WireGuard client understands. You point a Bromure profile at that file, and everything the profile does travels through Cloudflare.

Because the configuration is per profile, you can keep the WARP profile for day-to-day reading and browsing, while your banking and work profiles stay on the direct connection. Your host OS, in the meantime, is not running a VPN at all — it does not need to, because nothing on the host is trying to anonymize its traffic. The anonymity lives exactly where you want to use it.

A short matrix for when to reach for what:

Use WARP when…

You want to hide your IP from most of the web, you are on a network you do not fully trust, you want encrypted DNS, and you would rather not pay or sign up for anything. Good default for the profile you use for random reading, research, and casual shopping.

Use a paid commercial VPN when…

You need a specific country exit, you need a provider that publishes a stronger privacy policy or is under a different jurisdiction than Cloudflare, or you are doing something that might get a shared IP rate-limited. Slower than WARP in most cases, but more control.

Use Tor when…

You need genuine anonymity against a serious adversary — a journalist sourcing a story, an activist in a hostile country, a researcher looking at an adversary's own infrastructure. Much slower than either WARP or a VPN; works for far fewer sites; but the threat model it resists is different.

Use no VPN when…

You are logging into your bank or your doctor or your government services. These sites are built to be suspicious of unusual IPs, and a VPN often triggers extra friction or outright blocks. Keeping a clean "real IP" profile for those sessions is not paranoia; it is convenience.

Closing.

You do not need a threat model that involves nation-states to want control over your IP. You just need to not want to be tagged on every page you read, every search you run, and every product you looked at once and then immediately regretted. A VPN is the most common tool for that; WARP is a good free default for anybody who wants the basics without a subscription. And Bromure, by putting every profile in its own network world, lets you mix those tools at the resolution they should have had all along: not per computer, not per app, but per world.

Install Bromure. Make a profile called "reading." Point it at WARP. See what the rest of the web looks like when it doesn't recognize you anymore.