Turbocharge your internet connection (WARP, IPv6, OpenWrt)
Cloudflare is known for being the next Google and providing us with high-quality services, many of which can be used for free without any compromises. Fortunately, unlike Google, it is not so eager to kill its services.
Its services range from domain management and SSL certificates for your website, through secure and fast DNS, to turbocharging your internet connection with WARP (or WARP+ for those who want more).
Cloudflare WARP
WARP is a sort of VPN server designed to speed up your internet. However, it is not a true VPN like TunnelBear or others. It does not allow you to hide your original IP address or the country you are browsing from. WARP focuses on directing traffic in such a way that it is fast and secure.
WARP, in conjunction with DNS (Name Server) 1.1.1.1, encrypts traffic not only through DNS, but also between you (your device) and Cloudflare’s servers. This ensures that only you (and Cloudflare) know what you’re visiting online, not your ISP or the country’s intelligence services that actively eavesdrop on your traffic, especially unencrypted traffic.
The resolver itself (1.1.1.1) caused quite a stir and “sped up” the internet. Once it was combined with encryption of our DNS queries (the so-called secure DNS, DNS over HTTPS), WARP added its own layer by additionally encrypting the traffic leaving our device.
WARP is available as an official app for various devices.
Cloudflare WARP & WireGuard
At a time when Cloudflare desktop apps weren’t available yet (they are now), I dug into this topic, trying to get a Cloudflare tunnel up and running using the appropriate WireGuard app configuration.
Yes, you read that correctly: Cloudflare uses a protocol based on WireGuard.
In recent weeks, most major VPN providers have noticed the positive side of this solution and are adding it to their network (like NordVPN with their NordLynx).
In my post I described how to add a WireGuard-based VPN server to an OpenWrt router.
Since Cloudflare WARP uses WireGuard for communication, you can also use our router as a VPN client.
Why? I’ll explain.
Well, WARP is not only about encryption and speed; it also brings IPv6 support. If your ISP (like mine) does not offer connectivity over IPv6, connecting to WARP gives us that option.
Occasionally, the official Cloudflare app for macOS causes issues with IPv6 network access. Setting up a Cloudflare connection through WireGuard (using wgcf) rather than the official app helps fix this.
I recently described how to add an IPv6 tunnel to our internet connection in order to reach the world via IPv6. However, this type of solution has a few drawbacks if your ISP (in my case Virgin Media in the UK) decides to introduce unwritten filtering and slowing down of traffic coming from these types of connections. The setup I described is ideal in principle, but for me personally useless, so I am constantly looking for another solution.
When Cloudflare (1.1.1.1) desktop apps weren’t available yet, I decided to use WireGuard and add WARP to my computer. Of course, I did it with wgcf — Unofficial, cross-platform CLI for Cloudflare WARP.
This got me thinking.
Cloudflare WARP, WireGuard & IPv6
The IPv6 tunnel (6in4) I created according to my previous post is not useful on my current connection (its speed is limited to 10% of my full connection speed), while IPv6 connectivity via WARP has no such problem. Since WARP uses WireGuard on the server side, I thought: why not use my router as a WireGuard client to it?
Having the client and server on one device is somewhat strange, but entirely possible.
I use the WireGuard server to connect to my local network when I’m away from home. I would use the WireGuard client to add encryption to my internet traffic and IPv6 support using Cloudflare WARP.
Of course, connecting to WARP on the router side is one thing, but adding WARP support to devices on the local network is another, especially when it comes to IPv6 (which is not so obvious).
Adding WARP to the router is done by adding a new interface and configuring it. It is not extremely difficult and will allow us to use the Internet over IPv4 via a Cloudflare connection. More on that in a moment.
Another issue is with IPv6. Cloudflare does not assign us a range of IPv6 addresses to use, but only a single address (with a /128 mask), which is then routed further with appropriate rules.
Once we have IPv6 available on the router, we can also use it to route traffic over this protocol using available rules and masquerading.
So let’s see how to do it.
Cloudflare WARP and a router with OpenWrt
First, we need to generate the Cloudflare WARP configuration file and then add it to our router.
wgcf - the app
To do this, we log in to our OpenWrt router via SSH terminal and download the wgcf app.
Going to Releases on GitHub, from the Assets section we need to download and save the version compatible with our hardware.
In some browsers, the Assets list is displayed in a truncated form. To see all available files for various hardware platforms, we must additionally click the button below the list, Show all XX assets.
In the OpenWrt administration panel of the router (default 192.168.1.1), the status page shown right after logging in tells us, in the Architecture field, which processor we have.
In my case it’s ARMv7, so I need to download the file wgcf_2.2.22_linux_armv7.
At the time of updating this post, the latest version was version 2.2.22.
Using curl:
curl -L https://github.com/ViRb3/wgcf/releases/download/v2.2.22/wgcf_2.2.22_linux_armv7 > wgcf
or using wget
wget https://github.com/ViRb3/wgcf/releases/download/v2.2.22/wgcf_2.2.22_linux_armv7 -O wgcf
After downloading it, we add execution rights and run it without parameters to see if it works.
chmod +x wgcf
./wgcf
When everything works as it should, we can proceed to the next step, which is generating the necessary configuration files.
wgcf - configuration file for WireGuard
Once we have wgcf on our router, we need to register with Cloudflare WARP:
wgcf register
After accepting the Terms of Service we will receive the file wgcf-account.toml.
Using this file (the app will use it itself) we will generate our configuration file:
wgcf generate
If everything went well, we will get the wgcf-profile.toml file. This file contains the WireGuard configuration, which we will use to set up the connection on our router.
You can use the configuration file generated in this way on any device where you can install the WireGuard app. As I mentioned earlier, in the case of the official Cloudflare WARP app for macOS, this method allows us to access the IPv6 network when the official app fails.
Setting interface
If you don’t already have WireGuard installed on your router, do the following from an SSH terminal:
opkg update
opkg install luci-app-wireguard luci-proto-wireguard kmod-wireguard wireguard-tools
reboot
Do not proceed unless you have restarted the router with the reboot command (the third command in the above block).
After installing and restarting our router, we are ready for the next step.
We go to Network > Interfaces in our router administration panel via a web browser.
By clicking the Add new interface… button, we enter the name (Name), select the WireGuard VPN protocol (Protocol) and confirm with the Create interface button.
After creating the interface, additional options will appear. Scroll to the bottom and click the Load configuration… button.
In the terminal we print the whole contents of the file wgcf-profile.toml (tail would only show its last ten lines and cut off the beginning of the [Interface] section):
cat wgcf-profile.toml
We select and copy the content to the clipboard, paste it into the import field and finish by clicking the Import settings button. Before you do that, read below.
From what I’ve noticed, IP addresses are imported incorrectly during import. After importing the settings, we should have both IPv4 and IPv6 addresses in General Settings > IP Addresses as well as in the Peers configuration, where in Allowed IPs we should see both 0.0.0.0/0 and ::/0.
Reading the wgcf-profile.toml file, in the [Interface] section we have two Address = lines and in the [Peer] section two AllowedIPs = lines, which causes only the last address (the second one) of each pair to be added.
Before pressing Import settings we need to make one line from two lines and separate the addresses with a comma (,).
For example, the address line in the [Interface] section should look like this:
Address = 172.16.0.2/32, 2606:4700:110:8998:1b86:d65a:d153:1234/128
The allowed IP addresses line in the [Peer] section should look like this:
AllowedIPs = 0.0.0.0/0, ::/0
I don’t know if this is a bug in wgcf or in the OpenWrt package. I’ve reported this bug to the creator and we’ll see what happens.
The WireGuard app for macOS imports the information correctly without requiring you to modify anything.
Before we save the settings, let’s go to the Firewall Settings tab and add our connection to the wan group.
In the Advanced Settings tab of our new interface, in order to optimize speed we also need to change the default MTU (Maximum transmission unit) setting, Use MTU on tunnel interface, to 1280 (from the default 1420).
The MTU is usually set to the MTU of our network connection minus 20. If our internet connection uses MTU 1500, then we set it to 1480. We can check our MTU for individual interfaces with the ifconfig command from the terminal. However, the author of the wgcf script recommends setting the MTU to 1280 as the maximum value.
Additionally, go to the Peers tab and click on the only configuration available there, the Edit button.
Tick the Route Allowed IPs check box and enter the value 25 for Persistent Keep Alive.
A small note. Once we save and apply the changes to the Route Allowed IPs option, we will momentarily lose our internet connection, after which all our traffic will be routed through the Cloudflare connection.
As I noticed, enabling Route Allowed IPs caused my WireGuard-based VPN server on the router, as well as my Cloudflare Zero Trust tunnel, to stop working (they were no longer reachable from the Internet). This happened because the new interface took over both IPv4 and IPv6 routing. Editing the peer and removing the IPv4 route (0.0.0.0/0) from the Route Allowed IPs section lets you limit the use of the Cloudflare network to IPv6 traffic only. This way, when our Internet connection has no IPv6, we gain it throughout the network, but more on that in a moment.
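As an added example (not from the original post or from the wgcf project), the following Python script folds the duplicated Address and AllowedIPs lines of wgcf-profile.toml into the single comma-separated lines the LuCI importer expects, and can optionally keep only ::/0 in AllowedIPs for the IPv6-only routing just described. The sample profile, its keys and the IPv6 address are constructed placeholders.

```python
import ipaddress

# Constructed sample in the shape wgcf writes; keys and the IPv6 address are
# placeholders, not real values from a WARP registration.
SAMPLE_PROFILE = """\
[Interface]
PrivateKey = <PRIVATE_KEY_PLACEHOLDER>
Address = 172.16.0.2/32
Address = 2606:4700:110:8998:1b86:d65a:d153:1234/128
DNS = 1.1.1.1
MTU = 1280

[Peer]
PublicKey = <PEER_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = engage.cloudflareclient.com:2408
"""
# Keys WireGuard allows to repeat but which the LuCI importer only reads once.
MERGE_KEYS = {"Address", "AllowedIPs"}


def merge_profile(text, ipv6_only=False):
    """Join each repeated key into one ', '-separated line at its first position."""
    lines, values, section = text.splitlines(), {}, None
    for line in lines:  # pass 1: collect every value of a repeatable key per section
        s = line.strip()
        if s.startswith("["):
            section = s
        elif "=" in s:
            key, value = (p.strip() for p in s.split("=", 1))
            if key in MERGE_KEYS:
                values.setdefault((section, key), []).append(value)
    out, seen, section = [], set(), None
    for line in lines:  # pass 2: emit each merged key once, skip its later duplicates
        s = line.strip()
        key = s.split("=", 1)[0].strip() if "=" in s else None
        if s.startswith("["):
            section = s
        elif key in MERGE_KEYS:
            if (section, key) in seen:
                continue
            seen.add((section, key))
            vals = values[(section, key)]
            if ipv6_only and key == "AllowedIPs":  # route only IPv6 via WARP, keep IPv4 on wan
                vals = [v for v in vals if ipaddress.ip_network(v, strict=False).version == 6]
            out.append(f"{key} = {', '.join(vals)}")
            continue
        out.append(line)
    return "\n".join(out) + "\n"
```

Run it over the real file with `python3 merge.py < wgcf-profile.toml`-style wrapping of your choice; the returned text is what goes into the LuCI Load configuration… field.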
Now we can save everything by clicking Save.
The next step is to click Save & Apply to apply the changes.
Check the interface
If we did everything correctly, our interface should start generating traffic, visible in the RX and TX values.
If these values remain at zero, the connection is not working.
To make sure the connection is working, we can use wgcf on the router:
./wgcf trace
Among the data spat out by the above command, note the line warp= which should return the value warp=on.
IPv6 Support
If our service provider does not offer IPv6 access and the wan6 interface, although enabled, has no IP address of its own, then by adding the Cloudflare WARP tunnel using the above method we have also added IPv6 support to our router.
To check this, simply execute the ping command.
ping ipv6.google.com
or
ping -6 openwrt.org
IPv6 traffic is routed through the Cloudflare interface. If we removed the 0.0.0.0/0 address from Route Allowed IPs, then IPv4 traffic is sent through our main internet connection, wan. If both addresses are present in Route Allowed IPs, then everything is sent through the Cloudflare WARP network.
Using Cloudflare connection in a local network (LAN)
Our router now has access to Cloudflare WARP. It gets ping replies from addresses (domains) over IPv4 as well as IPv6 (using ping or ping6).
All that remains for us is to add the ability to support WARP on LAN devices.
Cloudflare assigns us an IPv6 address with a /128 mask, which means we only get one exit address to the Internet. Unlike my previous post, Adding an IPv6 tunnel to a router with OpenWrt, where the IPv6 tunnel lets you assign external IPv6 addresses to devices in the LAN, here, for users in the LAN to get IPv6 access, we need to use masquerading and NAT66.
This works similarly to the single IPv4 address we get from our service provider: every user will be visible on the Internet under the same IP address, both IPv4 and IPv6.
To do this, we need to make some changes to our system.
Enabling IPv6 Masquerading
In the Firewall section of our OpenWrt router’s control panel, click the Edit button in the Zones section next to the wan zone.
Go to Advanced Settings, tick the IPv6 Masquerading option and click the Save button, then confirm and apply the changes with the Save & Apply button.
Enabling IPv6 masquerading alone is not enough for clients in the LAN to communicate over this protocol. Before enabling masquerading, ping6 to ipv6.google.com returned an error, while with masquerading enabled there is simply no reply at all. We therefore need to make one more change.
Enabling IPv6 communication in LAN
Go to Network > Interfaces and click the Edit button next to the lan network.
Go to the DHCP Server tab and then to IPv6 RA Settings.
Here we change:
- Default router to forced (from automatic).
- RA Flags: check both (M) and (O) (the default is only (O)).
We click the Save button, then confirm and make changes with the Save & Apply button.
Once the settings are saved, clients in the local network automatically receive IPv6 addresses, and communication over IPv6 is enabled through our router using IPv6 masquerading.
We can check this by executing the following command on a computer in the network:
ping6 ipv6.google.com
Or by going to ipv6.google.com, which should load without problems.
If you are having trouble interpreting domains and their IPv6 addresses, make sure that you have added both IPv4 and IPv6 DNS name servers in Network > DHCP and DNS, Forwards tab, and in Interface > lan, Advanced Settings > Use custom DNS servers section.
1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001
In this way, we gained IPv6 support in our network without any major problems.
The use of masquerading and NAT66 is not recommended, as it contradicts the design philosophy of IPv6 addressing, but when we only have a single IPv6 address with a /128 mask, it is more or less the only solution.
And that would be all.
If you don’t want to bother with configuring your router for Cloudflare WARP, you can use the available applications by going to 1.1.1.1 and clicking the appropriate link. You can also configure WireGuard to support Cloudflare WARP using wgcf, as described above.
Best regards.