From: Toke Høiland-Jørgensen <toke@toke.dk>
To: Lane Russell, David Cowden
Cc: wireguard@lists.zx2c4.com
Subject: Re: Configure WireGuard for Roaming Between IPv4, IPv6
Date: Sun, 16 Sep 2018 19:47:08 +0200
Message-ID: <87pnxd8hcz.fsf@toke.dk>
List-Id: Development discussion of WireGuard

Lane Russell writes:

> Thanks so much for setting me straight. I've gotten IPv6 working over
> my IPv4 tunnels to ensure that IPv6 traffic can't leak out while I'm
> using Wireguard. Since my ISP uses SLAAC to hand out /56s, I have a
> /64 pointed at the local subnet where my VPN server is. From there,
> the VPN clients use my ULA prefix to talk to the server. The server
> masquerades these ULA addresses to its global address.

Why are you using masquerading? Kinda defeats the whole point of IPv6,
doesn't it? :)

You can just pick a public /64 from your subnet and assign that for use
inside the tunnel, then give your clients addresses from that and use
normal routing on the wireguard server. You'll have to get the prefix
routed to your wireguard server, of course; either set that up manually,
or use something like DHCP prefix delegation, or a routing daemon...

If you don't want to use a whole /64 (but really, there's no reason you
shouldn't be able to), you can also use /128's inside the tunnel and just
route those from your gateway to your wireguard server.

-Toke
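A worked configuration for the routed (no masquerade) setup Toke describes, added here as an example and not part of the thread. It assumes a constructed documentation prefix 2001:db8:1::/48 at the site, 2001:db8:1:f00::/64 picked as the tunnel /64, and 2001:db8:1:1::2 as the WireGuard server's LAN address; it prints the configs and commands rather than applying them, and the keys and endpoint are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. All prefixes are constructed
# (RFC 3849 documentation space); keys and endpoint are placeholders.
TUNNEL_PREFIX="2001:db8:1:f00::/64"    # public /64 carved out of the site's /48
SERVER_TUNNEL_ADDR="2001:db8:1:f00::1"
CLIENT_TUNNEL_ADDR="2001:db8:1:f00::10"
SERVER_LAN_ADDR="2001:db8:1:1::2"      # where the gateway must route the /64

# Server wg0.conf: public addresses inside the tunnel, no NAT rules at all.
server_conf() {
  cat <<EOF
[Interface]
Address = ${SERVER_TUNNEL_ADDR}/64
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = ${CLIENT_TUNNEL_ADDR}/128
EOF
}

# Client wg0.conf: a global address from the tunnel /64, and ::/0 in
# AllowedIPs so no IPv6 traffic can bypass the tunnel (the leak the
# original poster wanted to avoid).
client_conf() {
  cat <<EOF
[Interface]
Address = ${CLIENT_TUNNEL_ADDR}/64
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>

[Peer]
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
Endpoint = <SERVER_IPV4_PLACEHOLDER>:51820
AllowedIPs = ::/0, 0.0.0.0/0
EOF
}

# On the LAN gateway: hand the tunnel /64 to the WireGuard server.
gateway_cmds() {
  echo "ip -6 route add ${TUNNEL_PREFIX} via ${SERVER_LAN_ADDR}"
}

# On the WireGuard server: forward between wg0 and the LAN, nothing else.
server_cmds() {
  echo "sysctl -w net.ipv6.conf.all.forwarding=1"
}

server_conf; client_conf; gateway_cmds; server_cmds
```

For the /128 alternative Toke mentions, keep the configs as they are and replace the gateway route with one `ip -6 route add <client /128> via <server>` per client.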