Get IPv6 connectivity with wireguard


If your ISP or phone operator doesn't provide you an IPv6, you still can get IPv6 connectivity as long as you have somewhere a server with IPv6 -- let's say a VM at :).

Let's configure IPv6 over ipv4 with wireguard and OpenBSD.


Generate a private IPv6 range

On the server

# cat /etc/pf.conf
pass in on egress proto udp from any to any port 4545 keep state
match out on egress from (wg0:network) to any nat-to (egress)
pass on egress from (wg0:network) to any
pass on wg0
# cat /etc/sysctl.conf
# cat /etc/hostname.wg0
inet6 fd9c:f774:0bfa:acfc::1/64
wgkey [...snip...]
wgport 4545
# peer 1
wgpeer [...snip...] wgaip wgaip fd9c:f774:0bfa:acfc::2/128
# peer 2
wgpeer [...snip...] wgaip wgaip fd9c:f774:0bfa:acfc::3/128
# peer 3
wgpeer [...snip...] wgaip wgaip fd9c:f774:0bfa:acfc::4/128

I removed the key as you can see.

The port is 4545, but use whatever you want :)

It is really important to end ipv6 allowed ip by /128 !

On a client

# cat /etc/hostname.wg0
wgkey [...snip...]
wgpeer [...snip...] \
	wgendpoint <XX.XX.XX.XX> 4545 \
	wgaip \
	wgaip ::0/0 \
	wgpka 25
inet6 fd9c:f774:0bfa:acfc::3/64
wgrtable 1
!route add -inet default
!route add -inet6 default fd9c:f774:0bfa:acfc::1
# cat /etc/hostname.iface
rdomain 1
inet autoconf

Of course, edit endpoint ipv4.

It is important to set wgaip to any IPv4 and IPv6 to encrypt for both.

As you can see, we set the default route to the VPN endpoint IP.


HE is another way to get IPv6 connectivity.

Full WireGuard setup with OpenBSD

Something to say ?

Send your comment by mail.