Configure WireGuard for Roaming Between IPv4, IPv6

Toke Høiland-Jørgensen toke at
Sun Sep 16 19:47:08 CEST 2018

Lane Russell <lanerussell at> writes:

> Thanks so much for setting me straight. I've gotten IPv6 working over
> my IPv4 tunnels to ensure that IPv6 traffic can't leak out while I'm
> using Wireguard. Since my ISP uses SLAAC to hand out /56s, I have a
> /64 pointed at the local subnet where my VPN server is. From there,
> the VPN clients use my ULA prefix to talk to the server. The server
> masquerades these ULA addresses to its global address.

Why are you using masquerading? Kinda defeats the whole point of IPv6,
doesn't it? :)

You can just pick a public /64 from your subnet and assign that for use
inside the tunnel, then give your clients addresses from that and use
normal routing on the wireguard server. You'll have to get the prefix
routed to your wireguard server, of course; either set that up manually,
or use something like DHCP prefix delegation, or a routing daemon...

If you don't want to use a whole /64 (but really, there's no reason you
shouldn't be able to), you can also use /128's inside the tunnel and
just route those from your gateway to your wireguard server.


More information about the WireGuard mailing list