Cloudflare WARP showing private 172.16.0.0/12 and now 240.0.0.0/4 addresses in X-Forwarded-For? (and private fd* IPv6)

So I posted this on Reddit, but it was automatically deleted as spam >:(

I’ve started using WARP VPN for a bit again and was confused to find whatismyipaddress.com (which is on CF) etc. show me a private 172.16* address, or an fd* private IPv6 address. But not always: it seems that for the first request after a while, the site gets my real address as normal, but then requests after that get the mysterious private IPs.

Well, they were 172.16 until now, when I got a 240 one, which is not even for private networks but “reserved for future use”. Here you can see two zones; for the first one I turned off IPv6.

Now I turned WARP off and on again, and now each IPv4 request’s X-Forwarded-For is my real address but the IPv6 is private. So it’s kind of inconsistent and confusing.

I found this thread that suggests it happens with HTTP/3 connections, which I would have replied to instead, but it is closed: “Using HTTP/3 w/ Warp on Cloudflare Websites Shows Private IP”

That would make sense for some of the inconsistency. But it is really intriguing. Did Cloudflare make a mistake, or are they planning to make Cloudflare WARP a fully anonymous VPN?

Hi! Author of the thread you linked. The issue is still prevalent almost a year after I made that post! Those sites show your initial IP at first because your browser most likely connected with HTTP/2, saw the HTTP/3 headers, and on refresh used HTTP/3 instead.

This issue is extremely aggravating, causing CAPTCHAs to show up on not only Cloudflare’s dashboard every time I log in, but on various other sites simply because Cloudflare is telling the host that I’m connecting with an IP that should not be on the public internet. Note that this issue only occurs with sites that are on Cloudflare’s network.

Maybe better luck this time?

Edit: you can see if you are connecting with HTTP/3 by visiting the /cdn-cgi/trace page after the domain, i.e. https://cloudflare.com/cdn-cgi/trace

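An added example, not part of either post above: a small Python check that parses the key=value body of a /cdn-cgi/trace response and reports which non-public range, if any, the `ip` field falls in, alongside the `http` and `warp` fields. The two sample bodies are constructed, and the 10.0.0.0/8 and 192.168.0.0/16 entries go beyond the ranges named in the thread.

```python
import ipaddress

# Ranges mentioned in the thread, plus the remaining RFC 1918 blocks (added here).
NON_PUBLIC = {
    "rfc1918-private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "reserved-future-use": ["240.0.0.0/4"],
    "ipv6-unique-local": ["fc00::/7"],  # fd* addresses live in this block
}

def parse_trace(body):
    """Parse the key=value lines of a /cdn-cgi/trace response into a dict."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:  # skip blank or malformed lines
            fields[key] = value
    return fields

def classify_ip(text):
    """Return the label of the non-public range containing the address, else None."""
    addr = ipaddress.ip_address(text.strip())
    for label, cidrs in NON_PUBLIC.items():
        # Membership is always False across IP versions, so mixing v4/v6 is safe.
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return label
    return None

def summarize(body):
    """Report HTTP version, WARP state and the range of the address Cloudflare saw."""
    t = parse_trace(body)
    ip = t.get("ip")
    return {"http": t.get("http"), "warp": t.get("warp"),
            "ip": ip, "range": classify_ip(ip) if ip else None}

# Constructed sample responses (not captured from a real session).
SAMPLE_H2 = "ip=203.0.113.7\nhttp=http/2\nwarp=on\n"
SAMPLE_H3 = "ip=172.16.0.2\nhttp=http/3\nwarp=on\n"

if __name__ == "__main__":
    for body in (SAMPLE_H2, SAMPLE_H3):
        print(summarize(body))
```

The same `classify_ip` check can be applied on an origin server to the address it receives in X-Forwarded-For, to count how often requests arrive carrying one of these ranges.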