Since this is a home setup and my /56 might (will) change at some point, I don't want to have to reconfigure my router, server, and clients. Unless there's a way to dynamically reconfigure these devices in such a situation?

-------- Original Message --------
On Sep 16, 2018, 12:47 PM, Toke Høiland-Jørgensen wrote:

> Lane Russell writes:
>
>> Thanks so much for setting me straight. I've gotten IPv6 working over
>> my IPv4 tunnels to ensure that IPv6 traffic can't leak out while I'm
>> using Wireguard. Since my ISP uses SLAAC to hand out /56s, I have a
>> /64 pointed at the local subnet where my VPN server is. From there,
>> the VPN clients use my ULA prefix to talk to the server. The server
>> masquerades these ULA addresses to its global address.
>
> Why are you using masquerading? Kinda defeats the whole point of IPv6,
> doesn't it? :)
>
> You can just pick a public /64 from your subnet and assign that for use
> inside the tunnel, then give your clients addresses from that and use
> normal routing on the wireguard server. You'll have to get the prefix
> routed to your wireguard server, of course; either set that up manually,
> or use something like DHCP prefix delegation, or a routing daemon...
>
> If you don't want to use a whole /64 (but really, there's no reason you
> shouldn't be able to), you can also use /128's inside the tunnel and
> just route those from your gateway to your wireguard server.
>
> -Toke
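
The addressing plan discussed in this thread, as an added example that is not part of either email: if the tunnel /64 and the client /128s are always derived from the delegated /56 by a fixed subnet ID and host ID, a prefix change becomes a recomputation rather than a manual edit. The function names, the subnet ID `0xff`, and the `2001:db8::/32` documentation prefixes are assumptions chosen for illustration.

```python
import ipaddress


def tunnel_subnet(delegated: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Return the subnet_id-th /64 inside the delegated prefix (e.g. a /56)."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    if not 0 <= subnet_id < (1 << (64 - net.prefixlen)):
        raise ValueError("subnet_id does not fit in the delegated prefix")
    base = int(net.network_address) + (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def client_address(subnet: ipaddress.IPv6Network, host_id: int) -> ipaddress.IPv6Interface:
    """Return a /128 for one tunnel client, identified by a stable host_id."""
    if subnet.prefixlen != 64 or not 0 < host_id < (1 << 64):
        raise ValueError("need a /64 and a non-zero 64-bit host_id")
    return ipaddress.IPv6Interface((int(subnet.network_address) + host_id, 128))


def renumber(addr: str, old: str, new: str) -> ipaddress.IPv6Interface:
    """Move addr from the old delegated prefix to the new one, keeping the
    subnet ID and interface ID (all bits below the delegated prefix length)."""
    old_net, new_net = ipaddress.IPv6Network(old), ipaddress.IPv6Network(new)
    if old_net.prefixlen != new_net.prefixlen:
        raise ValueError("old and new prefixes must have the same length")
    iface = ipaddress.IPv6Interface(addr)
    if iface.ip not in old_net:
        raise ValueError("address is not inside the old prefix")
    suffix = int(iface.ip) & int(old_net.hostmask)
    new_ip = int(new_net.network_address) | suffix
    return ipaddress.IPv6Interface((new_ip, iface.network.prefixlen))


if __name__ == "__main__":
    # Constructed sample values: documentation prefixes, not real delegations.
    old_pd, new_pd = "2001:db8:ab00::/56", "2001:db8:cd00::/56"
    tunnel = tunnel_subnet(old_pd, 0xFF)      # /64 reserved for the tunnel
    peer = client_address(tunnel, 2)          # value for a peer's AllowedIPs
    print("tunnel subnet :", tunnel)
    print("peer address  :", peer)
    print("after renumber:", renumber(str(peer), old_pd, new_pd))
```

The gateway still needs a route for the tunnel /64 (or the individual /128s) pointing at the WireGuard server, set up by one of the means named in the quoted reply.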