Implement Cloudflare WARP Native IPv4/IPv6 Dual-Stack Networking to Linux Cloud Servers

Actually I did this for ChatGPT :-)

1. Background

Cloudflare WARP is a WireGuard-based traffic security and acceleration service from Cloudflare: by connecting to Cloudflare's edge nodes you get privacy protection and path optimization. However, because WireGuard carries its data over UDP, network operators in mainland China apply QoS to it and many node IPs are blocked, so it is almost unusable there. Regions with unrestricted networks have no such limitation. In addition, tools written by overseas developers can generate a standard WireGuard configuration file, which lets us deploy WARP on a VPS and obtain the following functions:

1.1 Differences between IPv6 and IPv4

WARP's entry and exit nodes are dual-stack (IPv4/IPv6), so a single-stack VPS can connect to the WARP network to gain connectivity for the address family it lacks:

  • An IPv6 Only VPS gains access to the IPv4 network, is no longer limited by NAT64/DNS64, and can use any DNS resolver it likes, which is very useful when running proxies.
  • An IPv4 Only VPS gains access to the IPv6 network; for example, it can serve as an SSH jump host for an IPv6 Only VPS. In addition, the quality of WARP's IPv6 network is better than that of HE IPv6 Tunnel Broker, or even of the VPS's own IPv6, with few detours.

1.2 Advantages of using WARP

The egress IP that WARP uses for external access is treated by many websites as a real user (a so-called native or residential IP), which can lift IP-based blocking on some websites:

  • Unblock Netflix non-original (non-self-produced) series
  • Reduce the frequent human-verification (CAPTCHA) prompts on Google search
  • Fix Google Scholar 403 access restrictions that prevent the site from opening
  • Fix Google's IP geolocation drifting to a specific country, which prevents using YouTube Premium

TIPS: Note that WARP does not provide an independent public IP address. It reaches the external network through NAT, that is, it can only be used for outbound access and cannot be used to reach the VPS from outside. Think of it as joining a large intranet provided by Cloudflare. If what you need is a public IPv6 address that can reach the VPS, use HE IPv6 Tunnel Broker instead.

2. Install WireGuard

Since WARP is based on WireGuard, we first need to install WireGuard.
If you are too lazy to install manually, you can also use a one-click script to install:

bash <(curl -fsSL git.io/warp.sh) wg

Or, if you prefer to do it yourself, follow the official installation guide.

3. Generate a WireGuard configuration file using wgcf

ViRb3/wgcf is an unofficial CLI tool for Cloudflare WARP that simulates a WARP client registration account and generates a generic WireGuard configuration file.

  • Install wgcf
curl -fsSL git.io/wgcf.sh | sudo bash
  • Register WARP account (wgcf-account.toml file will be generated to save account information)
wgcf register
  • Generate a WireGuard configuration file (wgcf-profile.conf)
wgcf generate

Remember to back up the two generated files, especially wgcf-profile.conf: if the tool stops working in the future, you will still need them after reinstalling the system.

4. Edit the WireGuard configuration file

[Interface]
PrivateKey = wAMstRaku9brVlhbNq8KH7qjTC5tD/M3Noc5IVC0xGI=
Address = 172.16.0.2/32
Address = 2606:4934:120:997e:3f5a:5889:1ac2:b441/128
DNS = 1.1.1.1
MTU = 1280
[Peer]
PublicKey = bmXOD+F1DxEMD9dyiK2H5/1SAtzg0JuVo51h5wPpgyo=
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = engage.cloudflareclient.com:2408

Resolve the node domain name engage.cloudflareclient.com from the configuration file to an IP address. There are generally two results:

162.159.192.1
2606:4700:d0::a29f:c001
$ nslookup engage.cloudflareclient.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	engage.cloudflareclient.com
Address: 162.159.192.1
Name:	engage.cloudflareclient.com
Address: 2606:4700:d0::a29f:c001

The reason is that in the following steps the WARP node endpoint must be chosen as IPv4 or IPv6 according to the address family the VPS actually has.

5. Network Support

5.1 IPv4 Only server adds WARP IPv6 network support

Replace engage.cloudflareclient.com with 162.159.192.1 in the configuration file and remove AllowedIPs = 0.0.0.0/0, so that the [Peer] section becomes:

[Peer]
PublicKey = bmXOD+F1DxEMD9dyiK2H5/1SAtzg0JuVo51h5wPpgyo=
AllowedIPs = ::/0
Endpoint = 162.159.192.1:2408

Principle: AllowedIPs = ::/0 makes WireGuard take over all IPv6 traffic, so IPv6 traffic reaches the external IPv6 network through the WARP IPv4 node, NAT-ed by Cloudflare.

In addition, the default DNS in the configuration file is 1.1.1.1. In my tests its latency is very low, but the resolution results are not ideal because it lacks ECS (EDNS Client Subnet). Since wg-quick replaces the system DNS settings (/etc/resolv.conf), change it to suit your situation, or delete the DNS line entirely. The following configuration is for reference:

DNS = 8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844

5.2 IPv6 Only server adds WARP IPv4 network support

Replace engage.cloudflareclient.com with [2606:4700:d0::a29f:c001] in the configuration file and remove AllowedIPs = ::/0, so that the [Peer] section becomes:

[Peer]
PublicKey = bmXOD+F1DxEMD9dyiK2H5/1SAtzg0JuVo51h5wPpgyo=
AllowedIPs = 0.0.0.0/0
Endpoint = [2606:4700:d0::a29f:c001]:2408

Principle: AllowedIPs = 0.0.0.0/0 makes WireGuard take over all IPv4 traffic, so IPv4 traffic reaches the external IPv4 network through the WARP IPv6 node, NAT-ed by Cloudflare.

In addition, the default DNS in the configuration file is 1.1.1.1. Since it is an IPv4 address, queries to it are sent through the WARP tunnel. Because wg-quick replaces the system DNS settings (/etc/resolv.conf), and to keep DNS working when the WARP node fails, list IPv6 resolvers first, or delete the DNS line entirely. The following configuration is for reference:

DNS = 2001:4860:4860::8888,2001:4860:4860::8844,8.8.8.8,8.8.4.4

5.3 Dual-Stack WARP Global Network Replacement

Dual-stack WARP global replacement means that both IPv4 and IPv6 traffic egress through the WARP network. The WireGuard configuration file generated by default already does this. However, the default file contains no routing rule for traffic addressed to the VPS's own IP, so as soon as you bring the tunnel up on a VPS you are logged into directly, the connection drops. The file therefore still needs to be modified: routing rules are added to the [Interface] section (between [Interface] and [Peer]). The following is an example:

[Interface]
PrivateKey = wAMstRaku9brVlhbNq8KH7qjTC5tD/M3Noc5IVC0xGI=
Address = 172.16.0.2/32
Address = 2606:4934:120:997e:3f5a:5889:1ac2:b441/128
DNS = 8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844
MTU = 1280
# Keep traffic sourced from the VPS's own addresses on the main routing table,
# so inbound connections (e.g. SSH) still get their replies outside the tunnel
PostUp = ip -4 rule add from <replace IPv4 addr> lookup main
PostDown = ip -4 rule delete from <replace IPv4 addr> lookup main
PostUp = ip -6 rule add from <replace IPv6 addr> lookup main
PostDown = ip -6 rule delete from <replace IPv6 addr> lookup main
[Peer]
PublicKey = bmXOD+F1DxEMD9dyiK2H5/1SAtzg0JuVo51h5wPpgyo=
# both address families go through WARP
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = 162.159.192.1:2408

The IP address in these rules is the VPS's public IP address. If the provider uses a VPC with internal addressing, use the internal IP instead: large providers such as AWS, Azure, Google Cloud and Oracle Cloud all do this, and the internal address is usually shown on the web console. If you are not sure which kind of network you have, run ip a | grep <public IP address>; if the public IP is not shown on any interface, the VPS is behind a VPC NAT and you need the internal IP.
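As an added example (not code from this post or from wgcf), the following Python applies the edits from sections 5.1 to 5.3 to a wgcf profile: it pins the Endpoint to one of the resolved WARP addresses above, drops the AllowedIPs entry for the family the host already has natively, and in dual-stack mode inserts the lookup-main rules. The sample profile, the private-key placeholder and the VPS addresses are constructed.

```python
"""Rewrite a wgcf-generated profile for the host's address family (constructed
example, not part of wgcf).  Implements sections 5.1-5.3: pin Endpoint to a
resolved WARP address, keep only the AllowedIPs family the host lacks, and in
dual-stack mode add the policy-routing rules that keep the VPS reachable."""

# Resolved engage.cloudflareclient.com addresses from the nslookup output above.
WARP_V4, WARP_V6, PORT = "162.159.192.1", "2606:4700:d0::a29f:c001", 2408

# Constructed stand-in for wgcf-profile.conf (key and addresses are placeholders).
SAMPLE_PROFILE = """[Interface]
PrivateKey = REPLACE_WITH_WGCF_PRIVATE_KEY
Address = 172.16.0.2/32
Address = 2606:4700:110:8abc::1/128
DNS = 1.1.1.1
MTU = 1280
[Peer]
PublicKey = bmXOD+F1DxEMD9dyiK2H5/1SAtzg0JuVo51h5wPpgyo=
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = engage.cloudflareclient.com:2408
"""

def rewrite_profile(conf, host_has, own_ips=()):
    """host_has: {"v4"} for an IPv4 Only VPS, {"v6"} for IPv6 Only,
    {"v4", "v6"} for dual-stack.  own_ips: the VPS's own public (or VPC
    intranet) addresses that must keep using the main routing table."""
    if host_has == {"v4", "v6"} and not own_ips:
        # Routing 0.0.0.0/0 and ::/0 into the tunnel without these rules
        # cuts off inbound SSH to the VPS (the lockout section 5.3 warns about).
        raise ValueError("dual-stack mode needs own_ips for the lookup-main rules")
    rules = []
    for ip in own_ips:
        fam = "-6" if ":" in ip else "-4"
        rules.append(f"PostUp = ip {fam} rule add from {ip} lookup main")
        rules.append(f"PostDown = ip {fam} rule delete from {ip} lookup main")
    # Reach the WARP peer over the family the host natively has.
    endpoint = f"{WARP_V4}:{PORT}" if "v4" in host_has else f"[{WARP_V6}]:{PORT}"
    out = []
    for line in conf.splitlines():
        key, _, val = (s.strip() for s in line.partition("="))
        if key == "AllowedIPs" and val == "0.0.0.0/0" and host_has == {"v4"}:
            continue  # host already has native IPv4; only IPv6 goes via WARP
        if key == "AllowedIPs" and val == "::/0" and host_has == {"v6"}:
            continue  # host already has native IPv6; only IPv4 goes via WARP
        if key == "Endpoint":
            line = f"Endpoint = {endpoint}"
        if line.strip() == "[Peer]":
            out.extend(rules)  # PostUp/PostDown belong to [Interface], i.e. before [Peer]
        out.append(line)
    return "\n".join(out) + "\n"
```

Write the returned text to /etc/wireguard/wgcf.conf; the private key line is copied through untouched, so run it on your real wgcf-profile.conf.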

6. Enable WireGuard network interface

  • Copy the WireGuard configuration file to /etc/wireguard/ and name it wgcf.conf.
sudo cp wgcf-profile.conf /etc/wireguard/wgcf.conf
  • Bring the interface up (wgcf in the command is the file name prefix of the configuration file wgcf.conf).
sudo wg-quick up wgcf
$ sudo wg-quick up wgcf
[#] ip link add wgcf type wireguard
[#] wg setconf wgcf /dev/fd/63
[#] ip -4 address add 172.16.0.2/32 dev wgcf
[#] ip -6 address add 2606:4934:120:997e:3f5a:5889:1ac2:b441/128 dev wgcf
[#] ip link set mtu 1280 up dev wgcf
[#] resolvconf -a wgcf -m 0 -x
[#] wg set wgcf fwmark 51820
[#] ip -6 route add ::/0 dev wgcf table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
[#] ip -4 rule add from 10.0.0.2 lookup main
  • Run the ip a command; the network interface named wgcf is now visible:
20: wgcf: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 172.16.0.2/32 scope global wgcf
       valid_lft forever preferred_lft forever
    inet6 2606:4934:120:997e:3f5a:5889:1ac2:b441/128 scope global
       valid_lft forever preferred_lft forever
  • After testing, bring the interface down again, because wg-quick up is only a temporary setup.
sudo wg-quick down wgcf
  • Enable the WireGuard interface permanently via systemd
# start the service now
sudo systemctl start wg-quick@wgcf
# start the service automatically at boot
sudo systemctl enable wg-quick@wgcf

7. IPv4 and IPv6 network priority settings

When both the visited website and the server are dual-stack, IPv6 has a higher priority than IPv4 by default, so applications use IPv6 addresses first.
In theory this should give:

  • The IPv4 Only server preferentially reaches the external network through the newly added WARP IPv6 network.
  • The IPv6 Only server preferentially reaches the external network through its original IPv6 network.

However, WARP is a bit special, which may be related to WireGuard's routing rules, so the actual behaviour may be:

  • The IPv4 Only server preferentially reaches the external network through its original IPv4 network.
  • The IPv6 Only server preferentially reaches the external network through its original IPv6 network.

If you are not satisfied with this, you can manually set the priority of IPv4 and IPv6 according to your needs.

7.1 Prefer IPv4

Edit the /etc/gai.conf file and add the following line of configuration at the end:

precedence ::ffff:0:0/96  100

7.2 Prefer IPv6

Edit the /etc/gai.conf file and add the following line of configuration at the end:

label 2002::/16   2

8. Cloudflare WARP Internet Speed Test

Use the CLI tool provided by speedtest.net to measure the maximum throughput available to external networks through WARP.

  • Install Ookla Speedtest CLI
curl -fsSL git.io/speedtest-cli.sh | sudo bash
  • Run the speedtest command to measure speed:
   Speedtest by Ookla

     Server: fdcservers.net - Tokyo (id = 28910)
        ISP: Cloudflare
    Latency:     1.65 ms   (0.04 ms jitter)
   Download:   460.39 Mbps (data used: 647.3 MB)
     Upload:   451.40 Mbps (data used: 550.3 MB)
Packet Loss: Not available.
 Result URL: https://www.speedtest.net/result/c/xxxxx012-cd29-4632-8dd2-xxxxx9e2333c

9. Lastly

Cloudflare has always provided excellent network services to us for free, and I hope everyone treats it well and do not abuse it.


Copyright statement: Unless otherwise stated, all articles on this blog adopt the CC BY-NC-SA 4.0 license agreement. For non-commercial reprints and citations, please indicate the author: Henry, and original article URL. For commercial reprints, please contact the author for authorization.