You don’t have an IPv6 connection but the server you need to connect has only an IPv6 address because of the IPv4 address exhaustion and some providers are now requiring you to pay to have an IPv4 address.
Note that this will only provide an IPv6 connectivity, not a public IPv6 address that you can connect to from the outside since Cloudflare WARP only provides a single NATed IPv6.
Generate Cloudflare WARP account
- Download wgcf.
- Register new account.
- Generate WireGuard profile.
Now you will have wgcf-profile.conf like this:
Setup MikroTik Cloudflare WARP WireGuard
- Add new WireGuard interface with private key from wgcf-profile.conf.
/interface wireguard add mtu=1420 name=Cloudflare-WARP private-key="your_private_key"
- Add WireGuard peer to connect to Cloudflare WARP with endpoint address and port, and public key from wgcf-profile.conf. It is better to set allowed address to
::/0so that only global unicast will get routed.
/interface wireguard peers add allowed-address=2000::/3 endpoint-address=engage.cloudflareclient.com endpoint-port=2408 interface=Cloudflare-WARP public-key="bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="
- Add Cloudflare WARP’s IPv6 address to the WireGuard interface.
/ipv6 address add address=2606:4700:110:8ced:11b5:d064:abc:ee89/128 interface=Cloudflare-WARP
- Set the Neighbor Discovery to the correct interface. By default, Neighbor Discovery is enabled for all interfaces, but it’s better to run it just at LAN. Take note of the MTU, since the default MTU of WireGuard is 1420, set the MTU of ND to 1420 so that the packets don’t fragment.
/ipv6 nd set [ find default=yes ] interface=bridge mtu=1420
- Add IPv6 ULA in your LAN interface.
/ipv6 address add address=fd00:1234:5678:9abc::/64 advertise=yes interface=bridge
- Enable NAT66. Yes, I know NAT is bad, awful when we are talking about IPv6, but since Cloudflare WARP only provides a single IPv6 address, it’s necessary to use NAT in IPv6. The
out-interfaceshould be the WireGuard interface. The
to-addressshould be set to the IPv6 address of the WireGuard interface.
/ipv6 firewall nat add action=src-nat chain=srcnat out-interface=Cloudflare-WARP to-address=2606:4700:110:8b7b:2edb:5201:dddd:19fd/128
- Add IPv6 route that goes to the Cloudflare WARP WireGuard interface.
/ipv6 route add dst-address=2000::/3 gateway=Cloudflare-WARP
- Try to ping an IPv6 server or use test-ipv6.com.
If you get “Your browser has a real working IPV6 address but is avoiding using it.” on test-ipv6.com, this is normal as IPv4 has higher metric than IPv6 ULA. To prefer IPv6, either change the metric on your device or use an unallocated address like
ace:cab:deca:deed::/64or use documentation prefix
Now you can access IPv6 only servers now via Cloudflare WARP.