CF trace web service shows wrong location

I test a VPN (other than WARP) now whose exit is currently set to the Netherlands (Amsterdam).

https://www.cloudflare.com/cdn-cgi/trace

detects the colo correctly, but the location is incorrect. I checked in RIPE db and the IP belongs to the Netherlands (AMS).

h=www.cloudflare.com
visit_scheme=https
colo=AMS
http=http/2
loc=FR
tls=TLSv1.3
sni=plaintext
warp=off
gateway=off

Why does location show wrong country? Especially if colo s detected correctly.

Cloudflare uses MaxMind’s GeoIP database to determine the “location” of an IP address. You can use their demo to check the “location” that Cloudflare will see: https://www.maxmind.com/en/locate-my-ip-address

I’d also like to mention that, at least in this context, “colo” is just another word for “data center” or “point of presence”. The colo you’re routed to is often the nearest colo in terms of distance, and may be in the same country/city as your “IP address location”. But in reality, the colo you’re routed to is determined by several factors such as latency, load, and whether there’s any maintenance/issues, and technically has nothing to do with your location.

If you’re interested in learning more about anycast routing then you can do so here:
https://www.cloudflare.com/learning/cdn/glossary/anycast-network/
https://blog.cloudflare.com/a-brief-anycast-primer/

I checked and found that
https://www.maxmind.com/en/locate-my-ip-address
and

show different data for this IP. MaxMins says it s in France but RIPE says it s in the Netherlands.

I dont think this VPN provider uses anycast, but unicast, since you can choose which city to connect to. Anycast routing may breach my decision. I can also choose US, etc which are far from my country. I m not in France, neither in the Netherlands.

Now we know why Cloudflare says France :slightly_smiling_face:
I’d usually trust MaxMind to be more accurate since, as far as I know, RIPE just shows the location of the AS (organization) the IP address was delegated to - not where it’s actually being used.

Ahh, sorry for being unclear. I was talking about Cloudflare’s IP addresses being anycasted. That’s how they’re able to route traffic to any colo, like I mentioned above.

So my current VPN provider is simply swindling me when I choose Amsterdam (NL) and my connection to the Internet in fact is from France… :slight_smile:
Right.
Since this is not CF WARP and does unicast routing, it s still unclear how colo and loc fields in returned data come together. I understand that CF’s webservice grabs the IP from request header and matches location against MaxMind’s db, but where does it get the colo information from?

Probably not. IPs don’t actually have a location so “IP location” usually refers to either:

  1. The location of the AS (organization) that owns the IP address (RIPE)
  2. The approximate location of the client(s) who use “use” the IP address (MaxMind)

The colo is just the data center you’re connected to. For example, I’m from Denmark so I’m usually routed to the CPH (Copenhagen) colo, but I’ve sometimes been routed to AMS (Amsterdam) or FRA (Frankfurt). That’s the beauty of anycast routing: a single IP address can be advertised from multiple locations.

Thanks for clarification. Now I just want to know where CF service

https://www.cloudflare.com/cdn-cgi/trace

gets colo data from. Is it somewhere in the request header?

The server handling the request knows which data center it is physically located in.

Sorry for asking too much, but how does CF server know that? As far as I know such info are not delivered in requests. IP matching to MaxMind db is a clear thing, but where the dc physical location comes from?
I m not using CF WARP VPN, but another one

You’re right, requests don’t contain the location of the server.

The server was told where it’s located when it was set up.

Can we know the IP address of VPN for investigate? We can check it with other provider such as IP2Location and perform a traceroute to confirm if it is located in France or other location.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.