CloudFlare Warp+ for RT-AC86U (or RT-AX88U)

  • ATTENTION! As of November 1, 2020, you will not be able to reply to threads 6 months after the thread is opened. Threads will not be locked, so posts may still be edited by their authors.


New Around Here
I just set up my RT-AC86U with Warp+ from CloudFlare and thought I'd share how in case anyone else is interested. This is only for RT-AC86U (and RT-AX88U I assume though haven't tested) since it relies on the experimental WireGuard posted by @Odkrys. Here are the setup instructions:
  1. Sign up for Warp+ on an officially supported device like iOS or Android

  2. Install wgcf
    1. Download the latest release (currently 2.14)
    2. Copy it to your router, rename (to wgcf to match the commands below) and move to a folder in your PATH if you like, and don't forget to make it executable (chmod +x wgcf)
  3. Generate the WireGuard config file with wgcf
    1. Register a new device with
      wgcf register
    2. Update the wgcf config with your existing Warp+ license key (found in the account settings in your signed-in app)
      WGCF_LICENSE_KEY="0123456789abcedf" wgcf update
    3. Generate a WireGuard configuration profile
      wgcf generate
  4. Install WireGuard
    1. Follow the instructions in the first post in [Experimental] WireGuard for RT-AC86U/AX88U
  5. Update the wgcf-generated config to match the format WireGuard is expecting
    (wgcf generates a format meant for wg-guick, but that's not available in this version of WireGuard)
    1. The Warp+ config is is now in wgcf-profile.conf, which you should edit according to the instructions in the first post in [Experimental] WireGuard for RT-AC86U/AX88U, but just to reiterate, make sure you comment-out or delete Address (both IPv4 and v6), DNS, and MTU. I also found I had to delete AllowedIPs = ::/0, but maybe that's just because my ISP doesn't support IPv6? Then update /opt/etc/init.d/S50wireguard with the IP and DNS you had to remove from the config. You want client mode.
    2. You can also update the MTU in /opt/etc/wireguard/wg-up to match the one you had to delete from wgcf's config (1280), but I'm not sure if that's required. I did it since I assume that's optimal for Warp+ if it was in the original config.
    3. Copy wgcf-profile.conf to /opt/etc/wireguard/wg0.conf
  6. Start the service
    1. /opt/etc/init.d/S50wireguard start
      There's basically no output, so you just have to hope it works and imagine what might be wrong if it's not working. If you have a problem, disconnect with
      /opt/etc/init.d/S50wireguard stop
  7. Confirm you're connected to Warp+
    1. Check the CloudFlare trace, and if you see warp=plus, you're good! You can either navigate here in a browser or straight from your router with
  8. Enable script to connect automatically
    1. Also mentioned in the first post in [Experimental] WireGuard for RT-AC86U/AX88U, create the nat-start script to connect automatically
Remember you can also set your phone to not connect to Warp when you're on certain Wi-Fi networks, so it's probably best to add your network there so you're not double Warping. I doubt that causes a problem, but it's at least not necessary.



Very Senior Member
I'm not going to try and deny it, but I was a fanboy for this sort of thing not so long ago.
My perspective has changed:
Cloudflare is just as bad as Google/Alphabet and the socials.

Wireguard server on routers that can run it, absolutely...but not a client to an endpoint you don't control.
make that wireguard server/router your DNS with unbound...become your own quad1, 8, etc.

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!