What is the best way to get IPv6 for LAN clients from a WireGuard VPN with a /128 IPv6 address

Hi,

I'm using a WireGuard protocol based VPN (Mullvad) which has both an IPv4 and an IPv6 address. The VPN is the Internet access for my LAN clients. The LAN clients can access the IPv4 internet without any issues thanks to NAT. So what I want to do now is to make IPv6 work for the clients, so they can access IPv6 websites.

The problem is that the WireGuard interface has a single /128 IPv6 address, and as such cannot be used for LAN clients as a prefix. The router can ping IPv6 addresses but the LAN clients cannot.
I would prefer not to use the IP6over4 tunnel services when the WireGuard VPN already has the capability of IPv6.

Could anybody suggest what to do? Is NAT6 the only way to make this work without changing the VPN provider? (Does NAT6 even work with WireGuard?)

"Best way" is to get a Virtual Private Server (VPS) with a /64 or better IPv6 assignment and use that with your own WireGuard instance.

Second best is to get a commercial VPN provider that will do the same.

NAT6 is pretty much of a hack and is frowned upon greatly. NPT6 has some valid, enterprise use, but that is a completely different thing. You might as well use IPv4 and NAT, unless there are really sites you need to access that don't have IPv4 access (I haven't run across any).

Edit: If you can't get meaningful, robust IPv6 connectivity any other way, see https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6

2 Likes

It should work with the proper ip6tables workaround script, as NAT6 support is broken in fw3.

Technically, it is the same ip6tables table for both NAT6 and NPT6.

1 Like
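
Added example, not part of the thread and not the script from the linked wiki page: a small generator for the kind of ip6tables masquerade rule the last reply refers to, restricted to LAN ULA sources and validated so that an interface or prefix value cannot smuggle extra shell into the command. The interface name `wg0` and the ULA prefix `fd12:3456:789a::/48` are constructed assumptions.

```shell
#!/bin/sh
# Build the ip6tables rule that masquerades LAN IPv6 traffic behind the
# single /128 on a WireGuard interface. Dry run unless "apply" is given.
# Assumed values (not from the thread): wg0, fd12:3456:789a::/48.

# Accept only a plain interface name (max 15 chars, no shell metacharacters).
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Accept only a ULA prefix (fc00::/7, written fcxx: or fdxx:) with a length,
# so globally routed source addresses are never rewritten by this rule.
valid_ula() {
    case "$1" in
        *[!0-9A-Fa-f:/]*) return 1 ;;
        [Ff][CcDd][0-9A-Fa-f][0-9A-Fa-f]:*::/[0-9]*) return 0 ;;
    esac
    return 1
}

# Print the command. The rule is checked (-C) before it is appended (-A),
# so re-running after a firewall reload does not stack duplicates.
nat6_rules() {
    iface=$1
    ula=$2
    valid_iface "$iface" || { echo "bad interface: $iface" >&2; return 1; }
    valid_ula "$ula" || { echo "not a ULA prefix: $ula" >&2; return 1; }
    rule="POSTROUTING -s $ula -o $iface -j MASQUERADE"
    echo "ip6tables -t nat -C $rule 2>/dev/null || ip6tables -t nat -A $rule"
}

# usage: nat6.sh <wg-interface> <lan-ula-prefix> [apply]
nat6_main() {
    cmds=$(nat6_rules "$1" "$2") || return 1
    if [ "${3:-}" = "apply" ]; then
        echo "$cmds" | sh
    else
        echo "$cmds"
    fi
}

if [ "$#" -ge 2 ]; then
    nat6_main "$@"
fi
```

LAN clients also need an address from that ULA prefix and an IPv6 default route via the router, otherwise no traffic reaches the rule.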