Last active November 20, 2023 23:43
Save MartinBrugnara/cb0cd5b53a55861d92ecba77c80ba729 to your computer and use it in GitHub Desktop.
DigitalOcean, assign public ipv6 to wireguard clients
# /etc/sysctl.d/wireguard.conf
#/etc/wireguard/wg0.conf (DO virtual machine)
# The server interface does not actually need an ipv6.
# The 2 following must be repeated for each used address [0, 1]
PostUp=ip -6 neigh add proxy 2a03:b0c0:2:f0::2c:2002 dev eth0
PostDown=ip -6 neigh del proxy 2a03:b0c0:2:f0::2c:2002 dev eth0
# This must be one of the ips assigned by DO,
# usually they assign a /124 thus only
# the last 4 bits can vary for a total of 16 addresses.
# Example for a vm with ip -> 2a03:b0c0:2:f0::2c:2001
AllowedIps =, 2a03:b0c0:2:f0::2c:2002/128
#/etc/wireguard/wg0.conf (client)
Address =, 2a03:b0c0:2:f0::2c:2002/64
# ...
AllowedIPs =, ::/0
# Refs and Resources
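
The gist notes that the PostUp/PostDown pair must be repeated for every address in use. The following is an added example, not part of the gist or of any commenter's script: it derives those lines and the matching per-peer /128 entries from the VM's address and prefix length. The function names are hypothetical, `eth0` is taken from the gist, and handing out addresses in ascending order while skipping the first address of the range and the VM's own is an assumption. Only the IPv6 part of `AllowedIPs` is produced.

```python
import ipaddress
import re
from itertools import islice

# Linux interface names are at most 15 bytes; keep to a conservative charset
# because wg-quick hands PostUp/PostDown lines to a shell as root.
IFNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")


def client_addresses(server_cidr, count):
    """Return `count` client addresses from the server's range, in order."""
    # Raises ValueError for anything that is not an IPv6 address/prefix.
    iface = ipaddress.IPv6Interface(server_cidr)
    net = iface.network
    # Not handed out: the subnet-router anycast address (first address in the
    # range, RFC 4291) and the address the VM itself uses.
    reserved = {net.network_address, iface.ip}
    free = (a for a in net if a not in reserved)  # lazy, so a /64 is fine too
    picked = list(islice(free, count))
    if len(picked) < count:
        raise ValueError(f"{net} has only {len(picked)} free addresses, {count} requested")
    return picked


def server_fragment(server_cidr, count, uplink="eth0"):
    """Build the [Interface] hook lines and the per-peer IPv6 AllowedIPs entries."""
    if not IFNAME_RE.fullmatch(uplink):
        raise ValueError(f"refusing interface name {uplink!r}")
    hooks, peers = [], []
    for addr in client_addresses(server_cidr, count):
        # Addresses are re-rendered by ipaddress, never echoed from user input.
        hooks.append(f"PostUp=ip -6 neigh add proxy {addr} dev {uplink}")
        hooks.append(f"PostDown=ip -6 neigh del proxy {addr} dev {uplink}")
        peers.append(f"AllowedIPs = {addr}/128")  # one /128 per peer
    return hooks, peers


if __name__ == "__main__":
    # Constructed input: the gist's example VM address with the /124 it describes.
    hooks, peers = server_fragment("2a03:b0c0:2:f0::2c:2001/124", 3)
    print("\n".join(hooks + peers))
```

Keeping each peer at a /128 means a client can only source traffic from the one address that is proxied for it.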
@luciaDary46 all that does is NAT66 IPv6. It does not configure NDP-Proxying nor ensure each client gets a proper IPv6 address instead of NAT66.

Nyr commented Dec 9, 2021

@daryll-swer it is not possible to automate provisioning of a "proper" IPv6 address for each client when almost all of the cloud and dedi providers do not provide a routed IPv6 subnet, and most IPv6 implementations are broken somehow. That is why I do NAT for IPv6 (which was already the case for IPv4 anyway).

(which was already the case for IPv4 anyway).

Agreed. But I don't see why you are promoting NAT for IPv6! @Nyr

Anyways, you can automate it via your scripting with dynamic variables, ask the user to input the non routed subnet/prefix range available and you can automatically inject those for NDP Proxy and mapping of each client in a serial/chronological order. That's basically what I do manually on DigitalOcean with their broken /124.

Nyr commented Dec 9, 2021

@daryll-swer I am not promoting anything, just doing what I can to provide working IPv6 connectivity.

There are a lot of providers giving a single /128 address per server, your proposal would not work in many places and is less user-friendly. There are also many providers which require to route each /128 manually from their control panel, this is actually how SolusVM works (SolusVM is the industry standard for VPS providers).

daryll-swer commented Dec 9, 2021

Oh boy, I would strongly recommend avoiding such crappy providers! Defeats the purpose of IPv6!

Not ALL cloud providers are bad with IPv6, this is an example that provides routed /64s to the customer's host: