Using WireGuard with Cloudflare Warp (ipv6 working!) and some questions from a layman

After flashing OpenWrt 23.05.2 on my new Belkin RT1800, installing WireGuard and configuring Cloudflare Warp as the VPN, I quickly discovered that ipv6 was not being routed through Cloudflare and my ISP ipv6 address was displayed on the online ipv6 tests, while ipv4 was being properly displayed as Cloudflare. I am not the only one to have this specific problem on this forum with WireGuard and Cloudflare Warp, after much Googling searching for a solution to this.

While perusing many articles and forum posts on here, I decided to try a couple things:

Following this article,

https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6

and also changing MTU from 'default' to 1280 in 'interfaces - wg0 - advanced settings' through luci (ipv6 would not function correctly with Warp until I did this). This MTU change was specified in the wgcf-profile.conf but I did not believe it necessary at the time.

It now all works like a charm! The speed is not the best, only ~90mbps down and ~25mbps up, compared to 130mbps down and 30mbps up that I pay for, but it is fully Cloudflare ipv4 and ipv6 according to https://test-ipv6.com, but an ominous warning of 'no browser ipv4 fallback' according to another test I conducted. I did not see any other solutions on other posts for this specific issue that worked for me, even after hours of testing, so I thought I would share.

I set up the WireGuard interface with this Youtube as a reference guide and this wonderful CLI program for the Cloudflare Warp config details. Everything else is stock vanilla in my overall config, besides packet steering and software offloading enabled (with most likely placebo improvement to anything). My entire network setup is entirely simplistic:

Arris Surfboard Cable Modem -- Belkin RT1800 -- one wired client plus 8 others wireless. I have service through Xfinity. All clients connected to the rt1800 seem to be working properly, iPhone and Android phones included, and I have had no problems today other than the lowered max internet speed and somewhat higher latency, which I expected from a free VPN service.

I started this process to configure WireGuard properly so I can connect remotely to my Jellyfin and Sunshine sever on my main PC (both rely on UDP connections and I refuse to forward ports or use UPNP to access them, the security risk is too real, at least from my limited knowledge of such things). I have not yet configured either remote service until I have researched enough to understand what exactly needs to be done and why, lest I spend hours trying to troubleshoot some problem I inadvertently created from using a random guide on Reddit or somewhere. The first step was getting the Wireguard VPN configured correctly.

I have some questions about the recent changes I made to my configuration.

I have read that setting up NAT6(6?) and/or ipv6 masquerading is no good, for reasons I do not understand but would like to. Also, have I effectively disabled ipv4 on my network to some degree, given the warning on the online test that 'my browser has no ipv4 fallback'? I am very interested in what exactly is different when the WireGuard VPN is up.

I am somewhat new to higher level networking, however I am receiving formal education towards a Computer Science degree (in college). I say this because some of the posts and articles on here can be honestly out of my depth at the moment, even though I am leaps and bounds ahead of most of my peers concerning tech in general.

Can someone please explain what exactly I have done by changing those options in my firewall and network config? Any drawbacks or trouble I should expect? I will be forever appreciative of a layman's explanation.

Any other comments or suggestions are more than welcome. I really just wanted to share how I got it working to hopefully be helpful to another in a similar situation and also receive some answers to the questions I've posed.

Thank you very much.

3 Likes

Thank you for the useful info and for bringing up this subject.

You did everything correctly and everything seems to be working properly. By default, the Warp+ subscription seems to assign only 1 IPv6 to the interface and it doesn't seem to delegate IPv6 to the devices downstream.

The NAT6 workaround that you've mentioned takes that 1 IPv6 and allows the devices downstream to access the Internet through that 1 address (similar as regular NAT).

Whether that can other cause issues, I'm not sure. It might seem more appropriate to just remove the IPv6 part from the Wireguard config and use only the limited IPv4 range.

2 Likes

can you share the tutorial you followed to implement warp on your router i could not succesfully for now

1 Like

Yes please.

Thanks!

1 Like

heeeeeeyyyyyyy can you share the tutorial you followed to implement warp on your router i could not succesfully for now

What issues are you having?

With Warp, you just take they key/configs and setup a Wiregard [VPN] peer as normal.

2 Likes

I was hoping for a guide/how-to type instructions.

Right here in the first post.

There was no tutorial I followed. I read up on how things work and figured it out myself via some experimentation after getting wireguard interface and WARP .conf file for wireguard configuration.

For Ipv6 : https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6 , You're welcome. I can't provide any more support being a newbie myself. I'm familiar with my equipment and their own implementation of OpenWRT but I don't trust myself enough to help you with yours.

You got this, it's all pretty straight forward once you get WGCF conf file and have the Wireguard interface installed on your device.

1 Like

Thanks for the recognition and I thought I'd be helpful by sharing. I appreciate your explanation of what the ipv6 changes did.

No major problems with basic tasks really but you're correct about just leaving ipv6 out, disabling it actually, and using ipv4 only. Cloudflare seems to detect 'unusual activity' with an error message involved and limit some very specific things I do eventually, like connecting to some overseas servers or some CloudFlare hosted websites, until I create a new config with WGCF and pop it into Wireguard.

2 Likes