Enable peers to connect to the IPv6 WAN through Wireguard's IPv4 connectivity

Hello there!

I'm revisiting a topic from a few months ago, though with a bit of a broader scope to see if I'm able to get an answer.

I have a dual stack connection to the Internet from my ISP, with both a type B NAT for my v4 and a /64 prefix for my v6, both of which I use with a domain, Cloudflare and its DDNS script to update both A and AAAA records and point them to my router's address upon boot.

This in turn is then used to connect several devices like laptops and phones over Wireguard over IPv4 in a road warrior configuration, giving them access to the v4 Internet and my home's LAN through my router, but in spite of having already assigned them a v6 address within each peer's configuration, they are only able to connect to the router's Wireguard instance over v4 as expected, given that most mobile networks have not yet deployed v6 connectivity to regular phones as far as I'm aware.

However, I was wondering if there would be a way to deploy a 6in4 tunnel within my network such that when devices connect to the router over Wireguard in IPv4-only networks they'd get assigned a public IPv6 address alongside their respective LAN prefix, allowing them to access the Internet in a dual stack configuration while away from home and allowing them to interact with IPv6-only websites and services.

I have already installed 6in4 on my router, but aside from that I'm honestly lost as to what the next steps would be, or even if the way I'm thinking about solving the problem is wrong in any shape or measure.

What should I do?

V4 and/or v6 can be sent inside any Wireguard tunnel regardless of the type of addressing that the encrypted packets use on the outside.

As your ISP only grants you a single /64, you will need to use IPv6 relay DHCP so all the clients are under the same /64 prefix issued by the ISP.

I see.

At the moment I have configured my LAN interface in hybrid mode, and I'm successfully able to ping a peer using its local v6 address, but even after restarting the Wireguard interface with its delegation prefix filter set to wan_6, it seems I'm unable to get the Wireguard interface a public v6 address. Should I set the LAN interface as the designated master, or am I going about it in the wrong direction?