
fix(warp): prefer IPv4 with v6 fallback and userspace TUN in generated WireGuard outbounds (#5205)

The generated WARP outbound used domainStrategy ForceIP, which may pick
the AAAA record for engage.cloudflareclient.com; on a host with
half-configured IPv6 the handshake then blackholes with nothing in the
logs. ForceIPv4v6 prefers IPv4 and still falls back to IPv6 on
v6-only hosts, matching the official WARP client's behavior.

It also set noKernelTun: false, so with root privileges the real
outbound used kernel TUN — a path that needs CAP_NET_ADMIN plus fwmark
routing and fails silently on many VPS setups — while the panel's
connectivity probe always tests with noKernelTun: true. The status
check and real traffic exercised different data paths and could
disagree. Generate WARP and NordVPN outbounds with the userspace TUN
so both follow the path the probe validates.

Only affects newly added/reset outbounds; existing templates keep
their saved settings.
MHSanaei 15 hours ago
parent commit
09a887f95c

+ 4 - 1
frontend/src/pages/xray/overrides/NordModal.tsx

@@ -209,7 +209,10 @@ export default function NordModal({
         secretKey: nordData?.private_key,
         address: ['10.5.0.2/32'],
         peers: [{ publicKey, endpoint: `${server.station}:51820` }],
-        noKernelTun: false,
+        // Userspace TUN — same reasoning as the WARP outbound (#5205): kernel
+        // TUN fails silently on many VPS setups and diverges from the data
+        // path the panel's connectivity test exercises.
+        noKernelTun: true,
       },
     };
   }
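Review bot: The rationale comment above `noKernelTun: true` duplicates the one in WarpModal.tsx and the two already differ in wording, so they will drift; consider lifting `noKernelTun: true` together with its comment into one shared constant (or a small helper that builds the common WireGuard `settings` fields) that both modals import, so the "same data path as the connectivity test" invariant lives in one place. Also, this hunk keeps `endpoint: \`${server.station}:51820\`` and sets no `domainStrategy` at all, so if `server.station` can ever be a hostname rather than an IP literal, the AAAA-selection pitfall being fixed in WarpModal.tsx still applies to the NordVPN outbound under whatever default strategy the core uses.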

+ 10 - 2
frontend/src/pages/xray/overrides/WarpModal.tsx

@@ -103,9 +103,17 @@ export default function WarpModal({
           secretKey: data?.private_key,
           address: addressesFor(cfg.interface?.addresses || {}),
           reserved: reservedFor(cfg.client_id ?? data?.client_id),
-          domainStrategy: 'ForceIP',
+          // Prefer IPv4 with IPv6 fallback: plain ForceIP may pick the AAAA
+          // record for engage.cloudflareclient.com, and a host with
+          // half-configured IPv6 then blackholes the handshake with no error
+          // logged (#5205).
+          domainStrategy: 'ForceIPv4v6',
           peers: [{ publicKey: peer.public_key, endpoint: peer.endpoint?.host }],
-          noKernelTun: false,
+          // Userspace TUN: kernel TUN needs CAP_NET_ADMIN + fwmark routing and
+          // fails silently on many VPS setups, and it is a different data path
+          // than the panel's connectivity test (which always probes with
+          // noKernelTun=true), so "test ok" and "traffic flows" can disagree.
+          noKernelTun: true,
         },
       };
       setStagedOutbound(outbound);
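Review bot: The comment above `noKernelTun: true` states that the panel's connectivity test always probes with `noKernelTun=true`, but nothing in this hunk ties the probe to the generated outbound, so the two can diverge again the next time either side is edited; consider having the probe reuse the staged `outbound` object (or at least a shared constant for `noKernelTun`) instead of recording the invariant in a comment. Separately, `endpoint: peer.endpoint?.host` still stages the outbound when `peer.endpoint` is undefined, and the `domainStrategy: 'ForceIPv4v6'` change only helps when `host` is a DNS name such as the engage.cloudflareclient.com case the comment cites; a guard that rejects a missing endpoint before `setStagedOutbound(outbound)` would turn that silent failure into a visible one, which is the class of failure this change is trying to eliminate.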