Unable to get IPv6 Traffic via WireGuard

Started by johnshill, May 11, 2026, 03:41:56 AM

May 11, 2026, 03:41:56 AM Last Edit: May 11, 2026, 03:45:36 AM by johnshill
I have dual stack working correctly (I think) on my home network using DHCPv6 on WAN and "Identity association" on each of my three subnets with Router Advertisements set to "Assisted" mode. My ISP is Hyperoptic and I have /56 on the WAN for prefix delegation size and each of the subnets is using /64.

whatismyipaddress.com detects both IPv6 and IPv4 and test-ipv6.run passes with 10/10 on all my clients, however, any client connected via WireGuard fails.

I configured all the IPv6 settings per the WireGuard Road Warrior Setup guide to no avail, including:
- ULA for the tunnel address, fddd::1/64, and tried both fddd::2/64 and fddd::2/128 for the peer/client in every combination.
- Assigned an interface to WireGuard.
- Created an outbound NAT rule for IPv6 with Translation / target set to "Interface address"
- Created an inbound firewall rule on WAN for IPv4+IPv6
- Created a firewall rule on WireGuard letting it access all subnets and the internet.
- Created normalization rules with Max mss 1360

My config is as follows:

[Interface]
PrivateKey = <redacted>
Address = 10.10.50.2/32,fddd::2/128
DNS = 10.10.50.1, fddd::1 <this is probably wrong>

[Peer]
PublicKey = <redacted>
Endpoint = ddns.myowndomain.com:51820
AllowedIPs = 0.0.0.0/0,::/0

I simply cannot get "What Is My IP Address" to detect an IPv6 when connected from my phone to my home network via VPN and would kindly appreciate some help.

Your end systems won't use a ULA if IPv4 is also available. The "happy eyeballs" algorithm prioritizes:

- IPv6 GUA if present
- IPv4 if present
- IPv6 ULA if present

So dual stack hosts never use ULA if the destination is reachable via IPv4, too.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
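
The preference order in the reply above lines up with the default policy table of RFC 6724 (default address selection). The following is an added example, not part of the thread: it models only rules 5 (matching label) and 6 (precedence) of destination address selection, the destination addresses are constructed from documentation ranges, and the client addresses mirror the tunnel addresses from the first post.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
POLICY = [(ipaddress.ip_network(p), prec, label) for p, prec, label in [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12)]]

def as_v6(addr):
    """IPv4 addresses are looked up in the table as IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address((0xFFFF << 32) | int(ip))
    return ip

def classify(addr):
    """Longest-prefix match in the policy table -> (precedence, label)."""
    ip = as_v6(addr)
    _, prec, label = max((e for e in POLICY if ip in e[0]),
                         key=lambda e: e[0].prefixlen)
    return prec, label

def order_destinations(sources, destinations):
    """Sort destinations by rule 5 (label match), then rule 6 (precedence)."""
    ranked = []
    for dst in destinations:
        family = ipaddress.ip_address(dst).version
        # Simplification: the source is the first local address of the same
        # family; full source address selection is not modelled here.
        src = next((s for s in sources
                    if ipaddress.ip_address(s).version == family), None)
        if src is None:
            continue  # no usable source for this family
        prec, dst_label = classify(dst)
        ranked.append((classify(src)[1] == dst_label, prec, dst))
    ranked.sort(key=lambda r: r[:2], reverse=True)
    return [dst for _, _, dst in ranked]

# Constructed destination (documentation ranges); client addresses mirror
# the tunnel addresses from the first post.
SITE = ["2001:db8:1::80", "203.0.113.80"]          # dual-stack destination
ULA_CLIENT = ["10.10.50.2", "fddd::2"]             # tunnel with a ULA
GUA_CLIENT = ["10.10.50.2", "2001:db8:0:3::2"]     # tunnel with a routed /64

if __name__ == "__main__":
    print(order_destinations(ULA_CLIENT, SITE))
    print(order_destinations(GUA_CLIENT, SITE))
```

With the ULA source the label of the source (13) does not match the label of the global destination (1), so the IPv4 destination sorts first; with a global source both labels match and the higher IPv6 precedence wins.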

Thank you, I gave it another try by manually carving out another /64 from my /56 and assigning it to the WG interface.

My subnets in Overview > Interfaces followed this pattern: xxxx:xxxx:xxxx:xx00:yyyy:yyyy:yyyy:yyyb/64, xxxx:xxxx:xxxx:xx01:yyyy:yyyy:yyyy:yyyc/64, xxxx:xxxx:xxxx:xx02:yyyy:yyyy:yyyy:yyyd/64.

Thus, I codified xxxx:xxxx:xxxx:xx03:10:10:50:1/64 on the interface, and my config looks as follows:
[Interface]
PrivateKey = <redacted>
Address = 10.10.50.2/32,xxxx:xxxx:xxxx:xx03::1/128
DNS = 10.10.50.1,xxxx:xxxx:xxxx:xx03:10:10:50:1

[Peer]
PublicKey = <redacted>
Endpoint = ddns.mydomain.com:51820
AllowedIPs = 0.0.0.0/0,::/0

Internet is fine, but still no IPv6 sadly...

Hi Johnshill, I ran into a few issues getting IPv6 working with my WireGuard as well. I'm going to go over some of my settings, maybe they will help you get yours set up. I'm going to go over a lot of the basics, so apologies if some of this seems redundant.

My ISP is Xfinity.

Interfaces > WAN
Generic configuration
IPv6 Configuration Type: DHCPv6
DHCPv6 client configuration
Prefix delegation size: 60
Request prefix only: unchecked
Request DNS configuration: Checked
Send prefix hint: Checked

Interfaces > WireGuardVPN
IPv4 Configuration Type: None
IPv6 Configuration Type: None

Interfaces > Overview
Go to the WAN row
Make note of the IPv4 Address (ignore the / and the numbers after it)
Next, select the Magnifying Glass icon at the end of the WAN Row
Scroll down to "Dynamic IPv6 prefix received", Mine is set as: 2601:xxxx:xxxx:xxxx::/60 (Redacted for privacy)
Notice the /60 prefix.  This means that I can use the following for my IPv6 address:
2601:xxxx:xxxx:xxx[0-f]::/60

I'm using 2601:xxxx:xxxx:xxxa::/64 for my LAN
I'm using 2601:xxxx:xxxx:xxxb::/64 for my VPN
The /64 means that the last digit of the prefix is locked for the specific network

VPN > WireGuard > Instances tab
Enabled: checked
Name: WG-VPN
Public Key: click Gear to generate Public and Private Key pair
Listen Port: set port (example: 51820)
Tunnel Address (this is where you set the IPv4 and IPv6 addresses for your VPN): 192.168.101.1/24 2601:xxxx:xxxx:xxxb::fffa/64
NOTICE the /64 and the b on the prefix, I also set the last 4 hex digits (hextet?)

Use the Peer Generator to create your peers.  It's an amazing tool:

Instance: WG-VPN
Endpoint: External IPv4 Address and port (Listen Port set earlier). Example: 17.16.15.14:51820
Name: Client Name. Example: MyPhone
Public Key: Auto Gen
Private Key: Auto Gen
Address: 192.168.101.2/32,2601:xxxx:xxxx:xxxb::fffb/128
DETAILS for Address: IPv4 address generated, Example: 192.168.101.2/32 IPv6 address prefix with full /128 address. You still need to specify the last hextet of the IP.  Prefill Example: 2601:xxxx:xxxx:xxxb::/128.  You need to add the last 4 of the ip: fffa or something, so it reads as follows: 2601:xxxx:xxxx:xxxb::fffa/128

Allowed IPs: 0.0.0.0/0,::/0
DETAILS for Allowed IPs: 0.0.0.0/0 is the IPv4 note to allow all IPv4 traffic through the VPN, ::/0 is the IPv6 version.

DNS Servers: 192.168.101.1,2601:xxxx:xxxx:xxxb::fffa
DETAILS for DNS Servers: It's your VPN Tunnel addresses.

When setting up the Clients, use the QR code. Test with your phone. It basically starts with a blank rule and copies everything from the config section.


Store and generate next: Checked
Enable WireGuard: Checked

ONLY WHEN THE QR CODE IS SAVED ON YOUR PHONE SHOULD YOU HIT APPLY. YOU CAN'T TEST OR USE THE VPN UNTIL YOU APPLY THE CHANGES! YOU CAN'T VIEW THE PRIVATE KEYS ONCE THE APPLY IS PRESSED, SO ORDER OF OPERATIONS IS IMPORTANT!

1. Enter info
2. Scan QR Code, Save to Device
3. Click Apply
4. Test VPN connections

Let us know what matches, what changes you didn't use, and what questions you have.
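
A way to check the addressing described in the post above before scanning the QR code, as an added example that is not part of the thread or of OPNsense: it lists the unused /64 networks in a delegated prefix and checks a client config's IPv6 address against the instance's Tunnel Address. The function names and the 2001:db8::/32 sample values are assumptions made for illustration.

```python
import ipaddress

def free_subnets(delegated, used):
    """/64 networks inside the delegated prefix that no interface uses yet."""
    taken = {ipaddress.ip_network(u) for u in used}
    return [n for n in ipaddress.ip_network(delegated).subnets(new_prefix=64)
            if n not in taken]

def parse_conf(text):
    """Parse wg-quick style text into {section: {key: [values]}}."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[key.strip()] = [v.strip() for v in value.split(",")]
    return conf

def check_client(text, tunnel_address):
    """Findings for the IPv6 side of a client config, given the instance's
    Tunnel Address (for example '2001:db8:0:ab::fffa/64')."""
    server = ipaddress.ip_interface(tunnel_address)
    conf, findings = parse_conf(text), []
    addrs = conf.get("Interface", {}).get("Address", [])
    v6 = [ipaddress.ip_interface(a) for a in addrs if ":" in a]
    if not v6:
        findings.append("client has no IPv6 address")
    for a in v6:
        if a.ip not in server.network:
            findings.append(f"{a.ip} is outside tunnel network {server.network}")
        elif a.ip == server.ip:
            findings.append(f"{a.ip} duplicates the instance tunnel address")
    allowed = conf.get("Peer", {}).get("AllowedIPs", [])
    if "::/0" not in allowed:
        findings.append("AllowedIPs lacks ::/0, so general IPv6 traffic is not routed into the tunnel")
    return findings

# Constructed sample (documentation prefix 2001:db8::/32, not from the thread).
SAMPLE = """[Interface]
PrivateKey = <redacted>
Address = 192.168.101.2/32,2001:db8:0:ab::fffa/128
[Peer]
PublicKey = <redacted>
AllowedIPs = 0.0.0.0/0
"""
if __name__ == "__main__":
    print(free_subnets("2001:db8:0:a0::/60", ["2001:db8:0:aa::/64"])[:2])
    print(check_client(SAMPLE, "2001:db8:0:ab::fffa/64"))
```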