Wireguard IPv4 to IPv6 tunnel

On your IPv6-only VPS, e.g. Mouse Server from Servarica:

root@ipv6_server:/etc/wireguard# cat wg0.conf
[Interface]
Address = 192.168.xx.2
ListenPort = 51820
PrivateKey = <ipv6_server privkey>
PostUp = ip route add default dev %i

[Peer]
PublicKey = <dual_home public key>
AllowedIPs = 192.168.xx.1/32
Endpoint = <dns AAAA record of dual home server>:<dual_home listenport>

On your dual homed VPS, e.g. one of the lowendspirit boxes:

root@dual_home:/etc/wireguard# cat wg0.conf
[Interface]
Address = 192.168.xx.1/24
ListenPort = <dual_home listenport>
PrivateKey = <dual_home privkey>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -i venet0 -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -i venet0 -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE

[Peer]
PublicKey = <ipv6_server public key>
AllowedIPs = 192.168.xx.2/32
Endpoint = <ipv6>:51820

Please change venet0 to eth0 or ensX to match the internet interface of your VPS.
Please also ensure that you have enabled IPv4 forwarding, e.g. in /etc/sysctl.d/99-sysctl.conf:

net.ipv4.ip_forward = 1

For wireguard to work, I had to set AAAA records for IPv6 addresses and use them instead of entering the servers' IPv6 addresses directly.

Hope this post helps :)

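A consistency check for a config pair like the two files above, added here as an example and not part of the post: it parses both wg-quick files, verifies that every iptables -A rule in PostUp has its -D counterpart in PostDown, that the hooks name only one uplink interface, and that each side's tunnel Address is covered by the other side's AllowedIPs. The sample configs are constructed, with 192.168.77.x standing in for 192.168.xx and keys and endpoints omitted.

```python
import ipaddress
import re

def parse_wg_conf(text):
    """Parse a wg-quick INI file into {'Interface': {...}, 'Peer': [{...}, ...]}."""
    conf, section = {"Interface": {}, "Peer": []}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if line.startswith("[Peer]"):
            conf["Peer"].append(section := {})
        elif line.startswith("[Interface]"):
            section = conf["Interface"]
        elif "=" in line:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return conf

def hook_findings(iface):
    """Flag PostUp iptables rules that PostDown never deletes, plus mixed uplink interface names."""
    up = [r.strip() for r in iface.get("PostUp", "").split(";") if r.strip()]
    down = [r.strip() for r in iface.get("PostDown", "").split(";") if r.strip()]
    findings = [f"PostDown lacks: {r.replace(' -A ', ' -D ', 1)}" for r in up if " -A " in r and r.replace(" -A ", " -D ", 1) not in down]
    uplinks = set(re.findall(r"-[io] (?!%i)(\S+)", "; ".join(up + down)))  # every -i/-o name other than %i
    if len(uplinks) > 1:
        findings.append(f"mixed uplink interface names: {sorted(uplinks)}")
    return findings

def peer_findings(local, remote):
    """The remote tunnel Address must fall inside some AllowedIPs entry on the local side."""
    ip = ipaddress.ip_interface(remote["Interface"]["Address"]).ip
    nets = [ipaddress.ip_network(n.strip()) for p in local["Peer"] for n in p["AllowedIPs"].split(",")]
    return [] if any(ip in n for n in nets) else [f"{ip} not covered by AllowedIPs {[str(n) for n in nets]}"]

def check_pair(a_text, b_text):
    a, b = parse_wg_conf(a_text), parse_wg_conf(b_text)
    return hook_findings(a["Interface"]) + hook_findings(b["Interface"]) + peer_findings(a, b) + peer_findings(b, a)

# Constructed samples: the dual-homed side as originally posted (keys/endpoint omitted), then a corrected copy.
POSTED = """[Interface]
Address = 192.168.77.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -i venet0 -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -A FORWARD -i venet0 -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE
[Peer]
AllowedIPs = 192.168.77.2/32"""
FIXED = POSTED.replace("-o eth0", "-o venet0").replace("PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -A", "PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D")
IPV6_SIDE = """[Interface]
Address = 192.168.77.2
PostUp = ip route add default dev %i
[Peer]
AllowedIPs = 192.168.77.1/32"""
```

Running check_pair(POSTED, IPV6_SIDE) reports the two rules PostDown never removes and the eth0/venet0 mismatch; check_pair(FIXED, IPV6_SIDE) returns an empty list.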

Comments

  • Two days ago I successfully connected the Mouse VPS to my LA VPS, but speed performance is horrible: less than 1 Mbps.

    I will try to configure and connect another server to find out the issue.


  • Rick (Hosting Provider, OG, Services Provider):

    For the real cheap bastards who are on LXC/OpenVZ containers: WireGuard works based on a kernel module. In such cases, you'd probably have more luck trying a gre6 tunnel instead, with the same NAT/routing as mentioned above.

    Since we are only looking for outbound connectivity, it's really badass to simply forget about IPv4 and use NAT64. These amazing Dutch guys operate a public and free NAT64 service: https://www.tuxis.nl/blog/public-doh-dot-dns64-nat64-service-20191021/ - easy peasy to configure.

  • WireGuard has a userland implementation, wireguard-go, so those without access to the kernel won't be totally lost.


  • @Rick said:
    free NAT64 service; https://www.tuxis.nl/blog/public-doh-dot-dns64-nat64-service-20191021/ - easy peasy to configure

    Works great for me. GitHub doesn't use IPv6, FFS.

  • @hwt said:
    For wireguard to work, I had to set AAAA records for IPv6 addresses and use them instead of entering the servers' IPv6 addresses directly.

    That's strange. I use IPv6 on all my endpoints and it works well without AAAA records. Did you add the IP in brackets like this:
    Endpoint = [2606:4700:30::681b:86c3]:22334 ?

  • @ume said:

    @hwt said:
    For wireguard to work, I had to set AAAA records for IPv6 addresses and use them instead of entering the servers' IPv6 addresses directly.

    That's strange. I use IPv6 on all my endpoints and it works well without AAAA records. Did you add the IP in brackets like this:
    Endpoint = [2606:4700:30::681b:86c3]:22334 ?

    Hmm.. thanks! I didn't know you could use brackets for IPv6.
