Real IP leaked by WARP when accessing websites on Cloudflare CDN via HTTP/3

Real external IP will be leaked by WARP when accessing websites on Cloudflare CDN via HTTP/3

I noticed that some websites got my real external IPv4 address, even though I’m using WARP.
So I checked my IP address via
https://cloudflare.com/cdn-cgi/trace
It seemed it was warped well.
But when I refreshed the page, it turned to show my real external IP address.

After checking my network, I found that my real external IP address was leaked when I’m accessing via HTTP/3.
I tried to access my site on the Cloudflare CDN, and I got the same result from the logs:

the WARP IP when accessing via HTTP/1 or HTTP/2,
while
my real external IP when accessing via HTTP/3.

I also tried to access other sites which are not hosted on Cloudflare via HTTP/3; they always got the WARP IP.


Are you able to consistently reproduce this? I’m not able to currently.

Can you share any more information about your setup? Warp version, OS version, browser version, etc? Can you share your cdn-cgi/trace output, with IP omitted as needed?


I compiled a curl with quiche so it is able to process HTTP/3 requests:

curl --http3 -4 -v https://cloudflare.com/cdn-cgi/trace
*   Trying 104.16.132.229:443...
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
*  subjectAltName: host "cloudflare.com" matched cert's "cloudflare.com"
* Connected to cloudflare.com (104.16.132.229) port 443 (#0)
* using HTTP/3
* Using HTTP/3 Stream ID: 0 (easy handle 0x49fd30)
> GET /cdn-cgi/trace HTTP/3
> Host: cloudflare.com
> User-Agent: curl/8.1.0-DEV
> Accept: */*
> 
< HTTP/3 200 
< date: Sat, 29 Apr 2023 23:50:39 GMT
< content-type: text/plain
< access-control-allow-origin: *
< server: cloudflare
< cf-ray: 7b********dd-NRT
< x-frame-options: DENY
< x-content-type-options: nosniff
< expires: Thu, 01 Jan 1970 00:00:01 GMT
< cache-control: no-cache
< 
fl=22f376
h=cloudflare.com
ip=******(my external ip)
ts=1682812239.656
visit_scheme=https
uag=curl/8.1.0-DEV
colo=NRT
sliver=none
http=http/3
loc=JP
tls=TLSv1.3
sni=plaintext
warp=on
gateway=off
rbi=off
kex=X25519
* Connection #0 to host cloudflare.com left intact

while a request via HTTP/1.1:

curl --http1.1 -4 -v https://cloudflare.com/cdn-cgi/trace
*   Trying 104.16.133.229:443...
* Connected to cloudflare.com (104.16.133.229) port 443 (#0)
* ALPN: offers http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare.com
*  start date: Apr  7 00:00:00 2023 GMT
*  expire date: Jul  6 23:59:59 2023 GMT
*  subjectAltName: host "cloudflare.com" matched cert's "cloudflare.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* using HTTP/1.1
> GET /cdn-cgi/trace HTTP/1.1
> Host: cloudflare.com
> User-Agent: curl/8.1.0-DEV
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 200 OK
< Date: Sat, 29 Apr 2023 23:50:47 GMT
< Content-Type: text/plain
< Transfer-Encoding: chunked
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Server: cloudflare
< CF-RAY: 7b****************dd-NRT
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Expires: Thu, 01 Jan 1970 00:00:01 GMT
< Cache-Control: no-cache
< 
fl=22f376
h=cloudflare.com
ip=104.28.211.105
ts=1682812247.948
visit_scheme=https
uag=curl/8.1.0-DEV
colo=NRT
sliver=none
http=http/1.1
loc=JP
tls=TLSv1.3
sni=plaintext
warp=on
gateway=off
rbi=off
kex=X25519
* Connection #0 to host cloudflare.com left intact

It’s still reproducible now. Would this be fixed, or may I block UDP 443?

I have the same issue; for example, if I check on https://www.privateinternetaccess.com/what-is-my-ip it’s going to show my real IP address.

Can you provide the output of https://cloudflare.com/cdn-cgi/trace (with IP omitted as necessary) so we can get an idea of which colo you’re hitting?

I’ve pinged some folks internally, but I’m personally struggling to reproduce this with the tools I have. I couldn’t reproduce with curl + quiche when hitting LHR for example.

It seems that it has been fixed today.
When accessing via HTTP/3, the server gets the IP address “104.28.157.25”,
while it’s “104.28.211.105” via HTTP/1.1 or HTTP/2.

Thank you very much
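
An added example, not part of the original thread: a small shell check that parses `cdn-cgi/trace` output and flags a leak only when the `ip=` field equals your known real address, since the posts above show that HTTP/3 and HTTP/1.1 can legitimately use different WARP egress addresses. The function names and `REAL_IP` (203.0.113.7, a documentation-range placeholder) are assumptions, and the sample bodies are constructed from the fields shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. REAL_IP is a constructed placeholder
# (documentation range); learn your own with WARP disconnected.
REAL_IP=203.0.113.7

# Print the value of key $1 from a key=value trace body on stdin.
trace_field() {
    awk -F= -v k="$1" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# classify_trace REAL_IP BODY -> prints "<http> <verdict>"; returns 1 on leak.
classify_trace() {
    ip=$(printf '%s\n' "$2" | trace_field ip)
    proto=$(printf '%s\n' "$2" | trace_field http)
    warp=$(printf '%s\n' "$2" | trace_field warp)
    if [ -z "$ip" ] || [ -z "$proto" ]; then
        echo "unknown malformed"; return 2
    fi
    if [ "$ip" = "$1" ]; then
        echo "$proto LEAK"; return 1      # server saw the real address
    fi
    if [ "$warp" != "on" ]; then
        echo "$proto no-warp"; return 3   # different IP, but not via WARP
    fi
    echo "$proto ok"                      # WARP egress; may differ per protocol
}

# Constructed samples shaped like the outputs in the thread (fields trimmed).
H3_LEAK='h=cloudflare.com
ip=203.0.113.7
http=http/3
warp=on'
H1_OK='h=cloudflare.com
ip=104.28.211.105
http=http/1.1
warp=on'
H3_FIXED='h=cloudflare.com
ip=104.28.157.25
http=http/3
warp=on'

for body in "$H3_LEAK" "$H1_OK" "$H3_FIXED"; do
    classify_trace "$REAL_IP" "$body" || :
done

# Live use (needs an HTTP/3-capable curl build, as in the thread):
#   classify_trace "$REAL_IP" "$(curl --http3 -4 -s https://cloudflare.com/cdn-cgi/trace)"
```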

This problem occurs intermittently; usually the solution is to reconnect to WARP.

https://whoer.net/ - this simple site always shows true data.
