Hi,
I noticed today that connecting to Cloudflare-powered sites via the WARP client shows the wrong IP address when visiting /cdn-cgi/trace on that website.
For example, Cloudflare is seeing my IP as 8.44.63.64 (which is actually Cloudflare’s own IP).
This is causing issues in Cloudflare Access with rules that specify which IP address/country the user must connect from.
fl=29f78
h=www.speedtest.net
ip=8.44.63.64
ts=1661962845.477
visit_scheme=https
uag=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
colo=YYZ
sliver=none
http=http/2
loc=CA
tls=TLSv1.3
sni=plaintext
warp=on
gateway=on
kex=X25519
Might be because of the peering from your local ISP.
I remember I had restricted access to only my country, but somehow I got an IP from the IP range of my ISP which somehow wasn’t going over the regular country, but rather over a neighbouring country; therefore Cloudflare WARP got me an IP from the neighbouring country and I wasn’t able to bypass it because my settings were set to my country.
Tracing my true IP down, I found that I went over another (neighbouring) country, which is a bad thing as I don’t want it. However, that’s because of the peering of my ISP and I cannot do anything except wait for them to get the “peer” or “route server/connection” over the same IX point (data center) where Cloudflare has it.
Until then, in case I get the IP from them, and any other IP range, I am stuck with that ISP unless I move to some other, where the packets and routing would go straight through a Cloudflare peer/point.
I don’t think the issue is the peering.
I think the issue is that the IP address the trace is reporting is the IP of the Cloudflare datacenter, not the IP of the connecting user’s ISP (in my case, Rogers).
In other words, from the trace above,
ip=8.44.63.64
should actually be:
ip=99.x.x.x (my Rogers IP Address).
Something has changed on the Cloudflare backend where they are no longer reporting the user’s IP address when connecting via WARP.
Cloudflare is usually smart enough to know the visitor’s IP address location (irrespective of which Cloudflare PoP you connect to and whether it is in a different country or not). It wasn’t doing this yesterday so something has changed since yesterday.
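Added example (not part of the original posts, and not Cloudflare's code): a small Python check that parses /cdn-cgi/trace output like the one in the first post and explains why an IP/country rule would not match it. The `allowed_cidrs` and `allowed_countries` parameters are hypothetical stand-ins for the conditions of an access rule, and 198.51.100.0/24 is a documentation range used in place of a real ISP range.

```python
import ipaddress

# Constructed sample: the trace from the thread, trimmed to the fields used here.
SAMPLE_TRACE = """\
fl=29f78
h=www.speedtest.net
ip=8.44.63.64
colo=YYZ
loc=CA
warp=on
gateway=on
"""

def parse_trace(text):
    """Parse /cdn-cgi/trace output (one key=value pair per line) into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:  # skip blank or malformed lines
            fields[key.strip()] = value.strip()
    return fields

def check_against_policy(fields, allowed_cidrs, allowed_countries):
    """Return the reasons an IP/country rule would not match this trace.

    allowed_cidrs and allowed_countries are hypothetical inputs that model
    the rule conditions; this is not how Cloudflare evaluates rules.
    """
    reasons = []
    ip = ipaddress.ip_address(fields["ip"])
    if not any(ip in ipaddress.ip_network(c) for c in allowed_cidrs):
        reasons.append(f"ip {ip} is outside the allowed ranges")
    if fields.get("loc") not in allowed_countries:
        reasons.append(f"loc {fields.get('loc')} is not an allowed country")
    if reasons and fields.get("warp") == "on":
        # The thread's symptom: with WARP on, the reported ip was not the ISP's.
        reasons.append("warp=on: reported ip may not be the ISP-assigned address")
    return reasons

if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    # 198.51.100.0/24 is a documentation range standing in for the ISP's range.
    for reason in check_against_policy(trace, ["198.51.100.0/24"], {"CA"}):
        print(reason)
```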