Since the post mentions IPv6, I thought I'd put out a BIG footgun that the WireGuard app to this date hasn't solved.

Imagine a situation with 464XLAT, e.g. on T-Mobile in the USA. You only have an IPv6 address. When you want to communicate to a server that only has an IPv4 endpoint you go over a proxy owned by T-Mobile. The traffic leaving your device is always IPv6, unlike say CGNAT, where there is IPv4 traffic between your device and the NAT gateway.

Problem with the default WireGuard app on iOS is that when it is set up to connect to a DNS name which offers both A and AAAA they default to the A one, which means on T-Mobile the connection goes over this proxy and constantly breaks, as the proxy connection times out after a while. So things like Push notifications stop working.

The fix is to create a separate config with the IPv6 address and connect to that one. No more middle-man, and push notifications keep on working, even when you disable KeepAlive.