When using an IPv6-only machine, various inconveniences often arise. If you have a machine with a dual-stack network (IPv4+IPv6), you can use WireGuard to enable an IPv6-only VPS to access IPv4 via the dual-stack VPS’s IPv4 outbound connection.
Example Setup Using Debian 12
In this example, Device A has a dual-stack network, while Device B has an IPv6-only network. Both devices need to have WireGuard installed:
apt install wireguard-tools
Concept
The idea is to use WireGuard to create a local network connecting multiple devices via IPv6. Each device is assigned an internal IPv4 address. Device A is configured with NAT for the internal network, allowing Device B to access the internet through Device A’s gateway.
Implementation Steps
1. WireGuard Configuration Directory
WireGuard configuration files are located in /etc/wireguard. By default, this directory is empty. Navigate to it:
cd /etc/wireguard
2. Generating Key Pairs (Required on Both Devices)
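- Generate a private key and save it to priv_key:
wg genkey > priv_key
- Generate a public key from the private key:
wg pubkey < priv_key > pub_key
- Now, both devices have their key pairs. You can view them with:
cat priv_key # View private key
cat pub_key # View public key
Only the public key is copied to the other device. Keep priv_key readable by root only, because anyone who can read it can impersonate that device on the tunnel.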
3. Configuring wg0.conf
We allocate a /24 internal subnet: Device A is 10.0.0.1/24, and Device B is 10.0.0.2.
3.1 Configuration for Device A (Dual-Stack VPS)
[Interface]
PrivateKey = <Replace with A's private key>
Address = 10.0.0.1/24
ListenPort = 12345
PostUp = echo "1" > /proc/sys/net/ipv4/ip_forward
PostUp = iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
[Peer]
PublicKey = <Replace with B's public key>
AllowedIPs = 10.0.0.2/32
3.2 Configuration for Device B (IPv6-Only VPS)
[Interface]
PrivateKey = <Replace with B's private key>
Address = 10.0.0.2/32
[Peer]
PublicKey = <Replace with A's public key>
AllowedIPs = 0.0.0.0/0
Endpoint = [A's IPv6 address]:12345
4. Starting WireGuard
systemctl start wg-quick@wg0
5. Enabling WireGuard on Boot
systemctl enable wg-quick@wg0
Enabling Internal IPv4 for Multiple IPv6-Only Machines
If you have an additional IPv6-only machine (e.g., Device C), configure the WireGuard network as follows:
Configuration for Device A (Updated for Additional Peer)
[Interface]
PrivateKey = <Replace with A's private key>
Address = 10.0.0.1/24
ListenPort = 12345
PostUp = echo "1" > /proc/sys/net/ipv4/ip_forward
PostUp = iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
[Peer]
PublicKey = <Replace with B's public key>
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = <Replace with C's public key>
AllowedIPs = 10.0.0.3/32
Configuration for Device B
[Interface]
PrivateKey = <Replace with B's private key>
Address = 10.0.0.2/32
[Peer]
PublicKey = <Replace with A's public key>
AllowedIPs = 0.0.0.0/0
Endpoint = [A's IPv6 address]:12345
Configuration for Device C
[Interface]
PrivateKey = <Replace with C's private key>
Address = 10.0.0.3/32
[Peer]
PublicKey = <Replace with A's public key>
AllowedIPs = 0.0.0.0/0
Endpoint = [A's IPv6 address]:12345
This configuration allows multiple IPv6-only machines to obtain an internal IPv4 address via the dual-stack VPS (Device A).
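On Device A, each peer's AllowedIPs is both the route used for replies and the filter on which source addresses that peer may send from, so a wrong entry in either hub configuration above breaks return traffic or lets one peer use another's address. The following lint for a hub-side wg0.conf is an added example, not part of the original post; the function names and the sample config are constructed here, and it assumes the hub-and-spoke layout of this guide, where every peer gets a single address inside the tunnel subnet.

```python
import ipaddress

# Constructed Device A config; peer 1 repeats the hub's address by mistake.
SAMPLE_HUB_CONF = """\
[Interface]
Address = 10.0.0.1/24
[Peer]
PublicKey = <B's public key>
AllowedIPs = 10.0.0.1/32
[Peer]
PublicKey = <C's public key>
AllowedIPs = 10.0.0.3/32
"""

def parse_sections(text):
    """Return [(section_name, {key: [values]})] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1].setdefault(key.lower(), []).append(value)
    return sections

def lint_hub(text):
    """Return (peer_number, network, problem) tuples for hub-side AllowedIPs."""
    sections = parse_sections(text)
    iface = next(body for name, body in sections if name == "interface")
    # Assumption: the first Address entry is the tunnel address.
    hub = ipaddress.ip_interface(iface["address"][0].split(",")[0].strip())
    findings, seen = [], {}
    peers = [body for name, body in sections if name == "peer"]
    for index, peer in enumerate(peers, start=1):
        values = ",".join(peer.get("allowedips", [])).split(",")
        for entry in (v.strip() for v in values if v.strip()):
            net = ipaddress.ip_network(entry, strict=False)
            if net.version != hub.version:
                continue  # only the tunnel's address family is checked
            if hub.ip in net:
                findings.append((index, str(net), "covers the hub's own address"))
            elif not net.subnet_of(hub.network):
                findings.append((index, str(net), "outside the tunnel subnet"))
            for other, owner in seen.items():
                if owner != index and net.overlaps(other):
                    findings.append((index, str(net), f"overlaps peer {owner}"))
            seen[net] = index
    return findings
```

Run lint_hub on the contents of /etc/wireguard/wg0.conf on Device A before starting the interface. An empty list means every peer has its own non-overlapping address inside the tunnel subnet.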
