Beware: Cloudflare WARP Does Not Always Hide Your IP

We enjoy using CF WARP and have tested it many times over.

One thing that we’ve learned is that CF WARP does not always hide your native IP.

Here’s a sample list of sites that can still detect your native IP:

https://www.ipaddress.my/
https://iplocation.io/
https://whatismyipaddress.com/
https://www.whatismyip.net

Note: Results will vary depending on three conditions: (1) The browser and/or search engine you’re using (e.g., DuckDuckGo, Google Chrome, Edge, Firefox, Opera, etc.), (2) Your browser mode (Incognito or not), and (3) Whether your local DNS was flushed before activating CF WARP.

The above websites specialize in detecting IPs; however, many other non-specialized websites can also detect your native IP.

So, beware. Navigate responsibly and don’t rely 100% on CF WARP to protect your privacy.

If we missed something, please share.

Cheerio!

According to the Cloudflare Docs website, WARP should hide your IP address. Can someone from Cloudflare verify this?

No. 1.1.1.1 + WARP replaces your original IP address with a Cloudflare IP that consistently and accurately represents your approximate location. This happens regardless of whether the site is on the Cloudflare network or not.

Refer to our blog post for more information on this topic.

Source: FAQ · Cloudflare WARP client docs

Did you visit the above websites to confirm our finding? What did you learn?

I was going to say that the feature to hide IPs was probably not yet released but if the docs say so… It’s probably a bug or the docs were updated a tad too fast.

I will ask somebody from CF to see whether this is expected behavior or not.

@Aviator

https://www.ipaddress.my/
https://iplocation.io/

For me, the above two reveal the IP address.

While these two didn’t. They worked fine. Cloudflare was shown as ISP.
That’s an interesting dig!

This works when warp is set in Private mode.

Not exactly correct. If you are not using HTTP/3 then you will be hidden from sites in the Cloudflare Network too. I believe it’s a bug but not sure if the WARP team was aware of this one.

Before (about a year ago), if you had WARP turned on and visited those sites using HTTP/3, they would all show a private IP (in 172.16.0.0/12).

I just tried visiting the websites you provided and they indeed reveal my real IP address. Sounds like a bug, hopefully Cloudflare will fix it soon! 🤞

We respectfully disagree with you. The finding we reported occurs whether you have HTTP/3 enabled or not. We tested the above with HTTP/3 disabled/enabled and with CF WARP in Private Mode (DNS Protocol: WARP).

Further, many websites are not yet taking advantage of (or are connected to) HTTP/3. For example, the first website listed above (https://www.ipaddress.my/) is not HTTP/3 compliant. You can verify HTTP/3 compliance using this handy-dandy online tool.

To confirm that this isn’t just an issue with the free version of Cloudflare WARP, I have tested if Cloudflare WARP also reveals your IP when you use WARP+ or WARP for Teams.
I can conclude from my tests that the issue exists for those versions of WARP too.

Hello, the problem exists, the real IP is exposed, despite meeting the installation requirements of WARP+, with security certificates installed on each device, DNS, Cloudflare Zero Trust location, etc. The real IP is exposed.

The privacy policy is also unclear (to me) about how the websites visited are not linked to a user (it says pseudoanonymised so are logged).

Do you know why this error occurs? Because these IP-check sites use the Cloudflare CDN. For all sites using the Cloudflare CDN, WARP cannot be hidden.

For me I do not see my original IP address leaking on any of the sites above. I am using WARP version: 2022.9.582.0 (20221011.16).

We’re quite confident that future revisions of Cloudflare WARP will address and solve this topic.

The issue we initially reported (and confirmed) occurred with Cloudflare WARP for Windows Version 2022.8.857.0, dated September 12, 2022. For details, you can view the respective changelog here.

Out of curiosity, we went back to the sites listed above using Cloudflare WARP for Windows Version 2022.9.583.0, dated October 11, 2022 (latest as of today) and, indeed, our native (origin) IPs are no longer exposed.

Before closing this topic, it would be great to let it “brew” for a while so others can share their findings and/or comments.

Thank you!

From the first time - yes, if you refresh the page, you can see the real IP.

This site (whoer.net) always shows the real IP address, but when there were IPs from the 8...* block, it was always hidden.

Which Cloudflare WARP version are you running? And is this only happening on Windows? I cannot reproduce this on macOS or iOS with the latest WARP version.

Win10H2

I suppose it’s a Windows issue then. I’m not seeing this on Android, iOS, macOS and using the wgcf profile with WireGuard client.

I can no longer reproduce this issue, Cloudflare WARP no longer reveals my real IP as of today, with one exception.
On websites using Cloudflare that have IPv6 Compatibility turned off, Cloudflare WARP still reveals my real IP (first time it shows Cloudflare IPv4 address, but after reload it shows my own real IPv4 address).

I’m currently on 2022.9.583.0, those websites failed to detect my real IP, some others were able to read my real IP, but only because it was leaking from WebRTC.
To solve it, I enabled: flags/#enable-webrtc-hide-local-ips-with-mdns
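
To check what the WebRTC path mentioned in the last post discloses from your own browser, the sketch below classifies ICE candidate lines by the address they carry. It is an added example, not part of the thread or of any Cloudflare tooling; the function names, the sample candidates and the two "known" addresses are assumptions made for illustration.

```javascript
// Added example, not from the thread: classify what WebRTC ICE candidates disclose.
// Grammar: candidate:<foundation> <component> <transport> <priority>
//          <address> <port> typ <type> [raddr <addr> rport <port>] ...

function isPrivateV4(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(addr);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254);
}

function classifyCandidate(line, nativeIps = []) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") {
    return { exposure: "unparsed" };
  }
  const address = f[4].toLowerCase();
  let exposure = "public-ip";
  if (address.endsWith(".local")) {
    exposure = "mdns-hidden"; // an mDNS name stands in for the local IP
  } else if (isPrivateV4(address) ||
             (address.includes(":") && /^(fe[89ab]|f[cd])/.test(address))) {
    exposure = "private-ip"; // RFC 1918, loopback, link-local or IPv6 ULA
  }
  const matchesNative = nativeIps.some(ip => ip.toLowerCase() === address);
  return { address, type: f[7], exposure, matchesNative };
}

function auditCandidates(lines, nativeIps = []) {
  const results = lines.map(l => classifyCandidate(l, nativeIps));
  return {
    results,
    leaksNativeIp: results.some(r => r.matchesNative === true),
    rawHostAddresses: results
      .filter(r => r.type === "host" && r.exposure !== "mdns-hidden")
      .map(r => r.address),
  };
}

// Constructed sample using documentation ranges: 203.0.113.7 plays the native
// IP and 198.51.100.20 plays the tunnel exit (both are assumptions).
const SAMPLE = [
  "candidate:1 1 udp 2113937151 1f4712db-ea17-4bcf-a596-105139dfd8bf.local 54400 typ host",
  "candidate:2 1 udp 2122260223 192.168.1.23 51234 typ host generation 0",
  "a=candidate:3 1 udp 1677729535 203.0.113.7 46154 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:4 1 udp 1677729535 198.51.100.20 40000 typ srflx raddr 0.0.0.0 rport 0",
];
console.log(auditCandidates(SAMPLE, ["203.0.113.7"]));
```

In a browser, the input would be the `candidate` strings delivered by the `icecandidate` events of an `RTCPeerConnection`, with `nativeIps` set to the address you see with WARP switched off.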