Using WireGuard with Cloudflare Warp (IPv6 working!) and some questions from a layman

After flashing OpenWrt 23.05.2 on my new Belkin RT1800, installing WireGuard and configuring Cloudflare Warp as the VPN, I quickly discovered that IPv6 was not being routed through Cloudflare and my ISP IPv6 address was displayed on the online IPv6 tests, while IPv4 was being properly displayed as Cloudflare. I am not the only one to have this specific problem on this forum with WireGuard and Cloudflare Warp, after much Googling in search of a solution to this.

While perusing many articles and forum posts on here, I decided to try a couple things:

Following this article,

https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6

and also changing MTU from 'default' to 1280 in 'interfaces - wg0 - advanced settings' through LuCI (IPv6 would not function correctly with Warp until I did this). This MTU change was specified in the wgcf-profile.conf but I did not believe it necessary at the time.

It now all works like a charm! The speed is not the best, only ~90mbps down and ~25mbps up, compared to 130mbps down and 30mbps up that I pay for, but it is fully Cloudflare IPv4 and IPv6 according to https://test-ipv6.com, though with an ominous warning of 'no browser ipv4 fallback' according to another test I conducted. I did not see any other solutions on other posts for this specific issue that worked for me, even after hours of testing, so I thought I would share.

I set up the WireGuard interface with this YouTube video as a reference guide and this wonderful CLI program for the Cloudflare Warp config details. Everything else is stock vanilla in my overall config, besides packet steering and software offloading enabled (with most likely placebo improvement to anything). My entire network setup is entirely simplistic:

Arris Surfboard Cable Modem -- Belkin RT1800 -- one wired client plus 8 others wireless. I have service through Xfinity. All clients connected to the RT1800 seem to be working properly, iPhone and Android phones included, and I have had no problems today other than the lowered max internet speed and somewhat higher latency, which I expected from a free VPN service.

I started this process to configure WireGuard properly so I can connect remotely to my Jellyfin and Sunshine server on my main PC (both rely on UDP connections and I refuse to forward ports or use UPnP to access them, the security risk is too real, at least from my limited knowledge of such things). I have not yet configured either remote service until I have researched enough to understand what exactly needs to be done and why, lest I spend hours trying to troubleshoot some problem I inadvertently created from using a random guide on Reddit or somewhere. The first step was getting the WireGuard VPN configured correctly.

I have some questions about the recent changes I made to my configuration.

I have read that setting up NAT6(6?) and/or IPv6 masquerading is no good, for reasons I do not understand but would like to. Also, have I effectively disabled IPv4 on my network to some degree, given the warning on the online test that 'my browser has no ipv4 fallback'? I am very interested in what exactly is different when the WireGuard VPN is up.

I am somewhat new to higher level networking, however I am receiving formal education towards a Computer Science degree (in college). I say this because some of the posts and articles on here can be honestly out of my depth at the moment, even though I am leaps and bounds ahead of most of my peers concerning tech in general.

Can someone please explain what exactly I have done by changing those options in my firewall and network config? Any drawbacks or trouble I should expect? I will be forever appreciative of a layman's explanation.

Any other comments or suggestions are more than welcome. I really just wanted to share how I got it working to hopefully be helpful to another in a similar situation and also receive some answers to the questions I've posed.

Thank you very much.

2 Likes

Thank you for the useful info and for bringing up this subject.

You did everything correctly and everything seems to be working properly. By default, the Warp+ subscription seems to assign only 1 IPv6 to the interface and it doesn't seem to delegate IPv6 to the devices downstream.

The NAT6 workaround that you've mentioned takes that 1 IPv6 and allows the devices downstream to access the Internet through that 1 address (similar to regular NAT).

Whether that can cause other issues, I'm not sure. It might seem more appropriate to just remove the IPv6 part from the WireGuard config and use only the limited IPv4 range.

2 Likes
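The two fixes discussed in this thread (MTU 1280 from the wgcf profile, and NAT6 because only one IPv6 address is assigned) can be checked directly against a wg-quick style profile. The following is an added example, not code from the thread or from the CLI tool mentioned; the profile contents, the finding names and the `router_mtu` parameter are constructed for illustration, and the missing `::/0` check generalizes beyond the poster's case.

```python
import ipaddress

# Constructed sample in wg-quick format; keys, addresses and endpoint are placeholders.
SAMPLE_PROFILE = """\
[Interface]
PrivateKey = <placeholder>
Address = 172.16.0.2/32
Address = 2001:db8:110::2/128
MTU = 1280

[Peer]
PublicKey = <placeholder>
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = vpn.example.net:51820
"""

def parse_profile(text):
    """Return {section: {key: [values]}}; keys may repeat or hold comma lists."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            current.setdefault(key.lower(), []).extend(
                v.strip() for v in value.split(",") if v.strip())
    return sections

def audit(text, router_mtu=None):
    """Compare a profile with the MTU set on the router's wg interface (None = default)."""
    prof = parse_profile(text)
    iface, peer = prof.get("interface", {}), prof.get("peer", {})
    findings = []
    v6 = [a for a in map(ipaddress.ip_interface, iface.get("address", [])) if a.version == 6]
    routes = [ipaddress.ip_network(n, strict=False) for n in peer.get("allowedips", [])]
    if v6 and not any(r.version == 6 and r.prefixlen == 0 for r in routes):
        findings.append("ipv6-not-routed-through-tunnel")   # IPv6 would leave via the ISP
    if v6 and all(a.network.prefixlen == 128 for a in v6):
        findings.append("single-ipv6-address-lan-needs-nat6")  # nothing to delegate to the LAN
    mtu = iface.get("mtu")
    if mtu and router_mtu != int(mtu[0]):
        findings.append(f"set-interface-mtu-to-{mtu[0]}")
    return findings
```

Calling `audit(SAMPLE_PROFILE)` with the router MTU left at default reports both the single-address finding and the MTU mismatch; passing `router_mtu=1280` leaves only the former.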