You don’t have an IPv6 connection but the server you need to connect has only an IPv6 address because of the IPv4 address exhaustion and some providers are now requiring you to pay to have an IPv4 address.
Note that this will only provide an IPv6 connectivity, not a public IPv6 address that you can connect to from the outside since Cloudflare WARP only provides a single NATed IPv6.
Generate Cloudflare WARP account
- Download wgcf.
- Register new account.
- Generate WireGuard profile.
Now you will have wgcf-profile.conf like this:
Setup MikroTik Cloudflare WARP WireGuard
- Add new WireGuard interface with private key from wgcf-profile.conf.
/interface wireguard add mtu=1420 name=Cloudflare-WARP private-key="your_private_key"
- Add Cloudflare WARP’s IPv6 address to the WireGuard interface.
/ipv6 address add address=2606:4700:110:8ced:11b5:d064:abc:ee89/128 interface=Cloudflare-WARP
- Add WireGuard peer to connect to Cloudflare WARP with Endpoint address and port, and public key from wgcf-profile.conf. It is better to set allowed address to
::/0so that only global unicast will get routed.
/interface wireguard peers add allowed-address=2000::/3 endpoint-address=engage.cloudflareclient.com endpoint-port=2408 interface=Cloudflare-WARP public-key="bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="
- Set the Neighbor Discovery to the correct interface. By default, Neighbor Discovery is enabled for all interfaces, but it’s better to run it just at LAN. Take note of the MTU, since the default MTU of WireGuard is 1420, it is better to set the MTU of ND to 1410 so that the packets don’t fragment.
/ipv6 nd set [ find default=yes ] interface=bridge mtu=1410
- Add IPv6 ULA in your LAN interface.
/ipv6 address add address=fd00:1234:5678:9000::/64 advertise=yes interface=bridge
- Enable NAT66 on IPv6. Yes, I know NAT is bad, really bad when we are talking about IPv6, but since Cloudflare WARP only provides a single IPv6 address, it’s necessary to use NAT in IPv6. The out-interface should be the WireGuard interface.
/ipv6 firewall nat add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=Cloudflare-WARP
- Add IPv6 route that goes to the Cloudflare WARP WireGuard interface.
/ipv6 route add dst-address=2000::/3 gateway=Cloudflare-WARP
- Try to ping an IPv6 server or use test-ipv6.com.
If you get “Your browser has a real working IPV6 address but is avoiding using it.” on test-ipv6.com, this is normal as IPv4 has higher metric than IPv6 ULA. To prefer IPv6 ULA, either change the metric or use an unallocated address like
Now you can access IPv6 only servers now via Cloudflare WARP.