Routing IPv6 over Wireguard Tunnel

Something I’ve wanted to do for a while now is share the /48 I get from Hurricane Electric’s Tunnel Broker service over my Wireguard network to servers that don’t have usable IPv6. Strictly speaking they do, but the data center will only route a single /48 to me. They were more than happy to set up RA on my VLAN, but that means everything has to live on one flat /48. Since I am also using RFC 1918 space, there is a second problem: my /48 is only present on the “public” side, which terminates at a network firewall. Because I have no say in the data center’s routing, I can’t extend that network to the “private” side.

HE will happily give you a /48 for free, but there is a catch: they only route it to the one tunnel endpoint you registered. Since the entire /48 lands on that router, though, you can split it into /56s or /64s (a /48 holds 256 /56s or 65,536 /64s) and route those wherever you want, including to networks that have no native IPv6.

So why do I want to do this? First, I’m not sitting on a pile of IPv4 addresses, so I rely HEAVILY on a centralized reverse proxy. That’s about as fun as it sounds. The other reason is that IPv6 restores the whole point of the Internet: end-to-end communication between hosts. There are a few “gotchas” here. The first is that I’m still relying on IPv4: the HE tunnel is 6in4 over IPv4, and my Wireguard tunnels ride over IPv4 too, so if IPv4 goes down, all of my IPv6 goes with it.

Is this solution perfect? Hell no. But, you play the cards you’re dealt. I just gotta get a router to the data center so I can handle the routing of my own IPv6.

Side note: I currently use OPNsense.

Configure Wireguard

First, reconfigure Wireguard. Pick a /64 out of your /48 to use for the tunnel itself. Why a /64? Read this post. I used the aaaa:bbbb:cccc:dddd::1 address for my “primary” router’s tunnel address and aaaa:bbbb:cccc:dddd::2 for my remote router’s tunnel address. I left the existing IPv4 addresses in place.

For the peer, I added ::/0 as allowed for the tunnel. AllowedIPs is Wireguard’s cryptokey routing table: it decides which destinations are sent to a peer and which source addresses are accepted from it. On the remote side ::/0 is unavoidable, because replies to its hosts come back from arbitrary Internet addresses through the primary. On the primary side the remote LAN prefix plus the remote tunnel address would be enough; with ::/0 there, the remote peer could send packets with any IPv6 source, so the firewall rules have to do that filtering.

Likewise, I did the same for the second side, just replacing the “1” with a “2” in my IPv6 address. Also, take note, I’m using a global IPv6 prefix for my tunnel. Remember, with IPv6, you plan in networks rather than individual addresses, so spending a whole /64 on a two-node transit link is fine.

Update Firewall Rules

Like with IPv4, you need to adjust firewall rules for IPv6.

I leave my Wireguard tunnel rules wide open. That is because I do firewalling at the device and my Tunnel Broker interface. More on that in a bit.

Create IPv6 Gateways

Now you need to create gateways and routes on both sides. On the primary side, create an IPv6 gateway on the Wireguard interface pointing at the remote router’s tunnel address, then add a static route that sends the remote site’s LAN prefix to that gateway. On the remote side, create an IPv6 gateway pointing at the primary router’s tunnel address and make it the default IPv6 gateway; no static routes are needed there, because ALL IPv6 traffic is sent over Wireguard to the primary, IPv6-enabled location.

Hopefully the screenshot helps clear things up. If not, here’s a summary:

Primary Firewall:
- Add an IPv6 gateway on the Wireguard interface using the remote side’s tunnel IPv6 address.
- Add a static route for the remote side’s LAN IPv6 prefix via that IPv6 tunnel gateway.

Remote Side Firewall:
- Add an IPv6 gateway using the primary side’s Wireguard tunnel IPv6 address and make it the default IPv6 gateway.
- DO NOT ADD ANY IPV6 ROUTES.
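The addressing and routing plan from the Wireguard and gateway sections above, worked through in Python as an added example (this is not the post’s own configuration or anything from OPNsense). It assumes the documentation prefix 2001:db8:abcd::/48 stands in for your HE /48, that subnet 0 stays on the primary LAN, and that each remote site gets two consecutive /64s, one for the tunnel and one for its LAN. It also checks that everything lies inside the /48 and does not overlap, emits the static routes for both firewalls, and shows the narrower AllowedIPs the primary side can use instead of ::/0. Key material is a placeholder.

```python
"""Addressing and routing plan for sharing an HE /48 over a WireGuard tunnel.
Added example; not the post's own configuration.  Assumptions: the /48 is the
documentation prefix 2001:db8:abcd::/48, subnet 0 is the primary LAN, and each
remote site gets two consecutive /64s (transit, then LAN)."""
import ipaddress
from dataclasses import dataclass

IPv6Net = ipaddress.IPv6Network
HE_PREFIX = IPv6Net("2001:db8:abcd::/48")   # constructed stand-in for your /48
PRIMARY_LAN = IPv6Net("2001:db8:abcd::/64")  # subnet 0 stays on the primary LAN


def nth_subnet(prefix: IPv6Net, n: int, new_prefix: int = 64) -> IPv6Net:
    """Return the n-th /new_prefix inside prefix without materialising all 65536 /64s."""
    count = 2 ** (new_prefix - prefix.prefixlen)
    if not 0 <= n < count:
        raise ValueError(f"a /{prefix.prefixlen} only holds {count} /{new_prefix}s")
    base = int(prefix.network_address) + (n << (128 - new_prefix))
    return IPv6Net((base, new_prefix))


@dataclass(frozen=True)
class Site:
    name: str
    transit: IPv6Net   # /64 used on the WireGuard tunnel itself
    lan: IPv6Net       # /64 announced by router advertisements on the remote LAN

    @property
    def primary_tunnel_addr(self) -> ipaddress.IPv6Address:
        return self.transit[1]   # ...::1, the primary router's tunnel address

    @property
    def remote_tunnel_addr(self) -> ipaddress.IPv6Address:
        return self.transit[2]   # ...::2, the remote router's tunnel address


def validate(site: Site, prefix: IPv6Net = HE_PREFIX) -> None:
    """HE only routes the /48 to you, so every /64 must sit inside it, and the
    three /64s must not overlap or the static routes become ambiguous."""
    for net in (site.transit, site.lan):
        if not net.subnet_of(prefix):
            raise ValueError(f"{net} is outside {prefix}; HE will not route it to you")
    nets = [PRIMARY_LAN, site.transit, site.lan]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")


def plan_site(name: str, index: int, prefix: IPv6Net = HE_PREFIX) -> Site:
    """Site k (k >= 1) gets /64 number 2k-1 for transit and 2k for its LAN."""
    if index < 1:
        raise ValueError("site index 0 is the primary LAN")
    site = Site(name, nth_subnet(prefix, 2 * index - 1), nth_subnet(prefix, 2 * index))
    validate(site, prefix)
    return site


def allowed_ips(site: Site, side: str) -> list[str]:
    """AllowedIPs is both a route selector and a source filter.  The remote side
    must accept ::/0 because replies arrive from anywhere on the Internet.  The
    primary only ever receives packets sourced from the remote LAN or the remote
    tunnel address, so it can be narrowed (the post uses ::/0 on both sides and
    relies on firewall rules instead)."""
    if side == "primary":      # peer = remote router
        return [str(site.lan), f"{site.remote_tunnel_addr}/128"]
    if side == "remote":       # peer = primary router
        return ["::/0"]
    raise ValueError(side)


def static_routes(site: Site, side: str) -> list[tuple[str, str]]:
    """(destination, gateway) pairs to configure on each firewall."""
    if side == "primary":
        return [(str(site.lan), str(site.remote_tunnel_addr))]
    if side == "remote":
        return [("::/0", str(site.primary_tunnel_addr))]   # IPv6 default route only
    raise ValueError(side)


def render_wg(site: Site, side: str, listen_port: int = 51820) -> str:
    """wg-quick style fragment for one side; keys and endpoint are placeholders."""
    own = site.primary_tunnel_addr if side == "primary" else site.remote_tunnel_addr
    lines = [
        "[Interface]",
        f"Address = {own}/64",
        f"ListenPort = {listen_port}",
        "PrivateKey = <this side's private key>",
        "",
        "[Peer]",
        "PublicKey = <other side's public key>",
        f"AllowedIPs = {', '.join(allowed_ips(site, side))}",
    ]
    if side == "remote":   # the remote dials the primary's public IPv4
        lines.append(f"Endpoint = <primary public IPv4>:{listen_port}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    colo = plan_site("colo", 1)
    for which in ("primary", "remote"):
        print(f"# --- {which} ---")
        print(render_wg(colo, which))
        print("static routes:", static_routes(colo, which))
```

Running it prints both config fragments and the route each firewall needs; feed the printed values into the OPNsense Wireguard instance, gateway and static-route forms. If you keep ::/0 on the primary side as the post does, the source filtering that AllowedIPs would otherwise give you has to come from the Wireguard interface’s firewall rules.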

Setup Router Advertisements

IPv6 really shines by letting clients configure themselves. The way to do this is to configure Router Advertisements on the remote router’s LAN interface, advertising the /64 you routed to that site (SLAAC only works with a /64). In OPNsense this lives under Services > Router Advertisements, and it’s really simple:

Now all your devices should start assigning their own IPv6 addresses out of that /64!
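To make concrete what the Router Advertisement form is producing, here is an added example (mine, not the post’s or OPNsense’s code) that builds the ICMPv6 Router Advertisement a remote router would send for its LAN /64, decodes it the way a host does, including the option-length checks RFC 4861 requires, and derives the modified EUI-64 address a host would pick from it. The prefix 2001:db8:abcd:2::/64 and the MAC 00:11:22:33:44:55 are constructed inputs; the packet is built in memory and never sent.

```python
"""Router Advertisement (RFC 4861) build/parse plus the SLAAC address a host
derives from it.  Added example; not from the post or OPNsense.  The prefix
2001:db8:abcd:2::/64 and the MAC 00:11:22:33:44:55 are constructed inputs."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERT = 134   # ICMPv6 type for RA; code is always 0
OPT_PREFIX_INFO = 3          # Prefix Information option (RFC 4861 section 4.6.2)


def build_ra(prefix: str, router_lifetime: int = 1800, managed: bool = False,
             other: bool = False, valid: int = 2592000, preferred: int = 604800) -> bytes:
    """ICMPv6 payload of an RA carrying one on-link, autonomous prefix.
    The checksum stays 0: it covers an IPv6 pseudo-header, so the sending
    stack fills it in.  router_lifetime=0 would withdraw the router as default."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC only works with a /64")
    flags = (0x80 if managed else 0) | (0x40 if other else 0)   # M and O bits
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0,
                         64,                   # Cur Hop Limit advertised to hosts
                         flags, router_lifetime,
                         0, 0)                 # Reachable Time, Retrans Timer unspecified
    pflags = 0x80 | 0x40                       # L (on-link) and A (autonomous) bits
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4,   # length in 8-octet units
                         net.prefixlen, pflags, valid, preferred, 0)
    return header + option + net.network_address.packed


def parse_ra(pkt: bytes) -> dict:
    """Decode an RA as a host would.  RFC 4861 requires discarding a packet
    with a zero-length option; we also reject options that overrun the packet."""
    if len(pkt) < 16:
        raise ValueError("RA shorter than its 16-byte header")
    typ, code, _csum, hop, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", pkt[:16])
    if typ != ICMPV6_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off < len(pkt):
        if len(pkt) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")
        size = olen * 8
        if off + size > len(pkt):
            raise ValueError("option runs past end of packet")
        if otype == OPT_PREFIX_INFO and size == 32:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", pkt[off + 2:off + 16])
            addr = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            net = ipaddress.IPv6Network((addr, plen), strict=False)
            ra["prefixes"].append({"prefix": str(net), "onlink": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        off += size            # unknown option types are skipped, as the RFC requires
    return ra


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64 interface identifier (RFC 4291): insert ff:fe and flip
    the universal/local bit.  Modern hosts usually prefer RFC 7217 stable or
    RFC 4941 temporary identifiers, so never write firewall rules that assume
    the EUI-64 form; filter on the /64 instead."""
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02, m[1], m[2], 0xFF, 0xFE, m[3], m[4], m[5]])
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


if __name__ == "__main__":
    ra = parse_ra(build_ra("2001:db8:abcd:2::/64"))
    print(ra)
    print(slaac_address("2001:db8:abcd:2::/64", "00:11:22:33:44:55"))
```

The fields map one to one onto the OPNsense form: the advertised prefix, the router lifetime (how long hosts keep you as default gateway), and the M/O flags that decide whether hosts also ask DHCPv6. Because any node on the LAN can emit an RA, a rogue advertisement will redirect every host on that segment; the RA itself carries no authentication.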

Routing External Traffic

IPv6 is of little use if nobody can reach it, at least if you host public services such as web servers. (If you’re just looking to add IPv6 to a network that lacks it, you can stop now and skip this section, but do read the IPv6 & Security section below!) On my primary firewall, the rules on the Tunnel Broker interface are where inbound IPv6 from the Internet gets filtered; this is how I add a layer of security in front of my IPv6 devices. Here’s what I have set up:

For testing purposes I am allowing ALL IPv6 to the prefix on the remote side, which is the top rule. Once everything is tested, I’ll go back and start tweaking my firewall rules similar to what you see.

If you did everything correctly, you should now be able to access devices with IPv6!

IPv6 & Security

Remember, now that IPv6 restores end-to-end reachability, every host with a global address is exposed to the whole Internet the moment the routes are in place, so you absolutely must run firewalls on everything. Depending on what you’re doing, adjust your rules. As a fail-safe, I also configure my Linux servers’ firewall with matching rules. firewalld will be your best friend (if you run Enterprise Linux distros). Learn it, live it, love it. On Windows hosts, learn the Windows firewall.

Remember: NAT was never for security. It was there to conserve limited IPv4 addresses. The implicit “nothing inbound” that NAT gave you is gone with IPv6, so when you introduce IPv6 to your networks you need to think about security explicitly: a stateful default-deny rule at the edge plus host firewalls has to replace it.

Conclusion

Hopefully this helps anyone in a similar situation. Don’t be afraid of IPv6! Embrace it and love it!
