After many years of asking, my Internet Service Provider (ISP) still doesn’t support IPv6; the same goes for many other ISPs. This is a problem for many reasons. The first is the exhaustion of IPv4 addresses, which has led some ISPs to implement “Carrier-Grade NAT” (CGN), where many customers share the same address. The second is that it is getting more and more expensive for small websites to have their own dedicated IPv4 addresses, including cloud providers instituting a charge for having an address. The obvious solution would be for all ISPs to start supporting IPv6, but sadly, this requires effort on the part of ISPs, and the problem isn’t known to many of their customers, so the easy path for them is to keep the status quo.
What I have done to work around this is to rent a server in a datacentre that has an IPv6 address, and to tunnel my traffic through it using WireGuard. This is a moderately involved solution, and does come with a cost, but by showing websites that IPv6 traffic is increasing, perhaps it’ll show that IPv6 is important to implement.
You can do this with any server that has an IPv6 address, but I’ll be using one from OVH, because they don’t have bandwidth costs, and they have a datacentre located near me, which reduces any additional latency that may be introduced by tunnelling my traffic. Other providers, such as DigitalOcean, Vultr, or Linode, could also work, but watch out for bandwidth costs.
The way I started was to install WireGuard on both my laptop and server. Assuming you are using Debian or Ubuntu, you can run the following on both your laptop and server to install all the software you need:
apt install wireguard
Next, I had to create a public and private key for both my laptop and server. I did this by using the WireGuard tools we just installed.
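umask 077 # files created from here on are readable only by you, so the private key is not world-readable
mkdir ~/.wg
cd ~/.wg
wg genkey | tee privatekey | wg pubkey > publickey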
This will create a private key and a public key in the ~/.wg directory. Now, you’ll need to configure the tunnel on the client and server.
# server config
# /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24 # Private IPv4 subnet for the VPN
Address = fd42:42:42::1/64 # Private IPv6 subnet for the VPN
PrivateKey = <private_key_from_server>
ListenPort = 51820
[Peer] # your laptop
PublicKey = <public_key_from_laptop>
AllowedIPs = 10.0.0.2/32, fd42:42:42::2/128
# ... you can add many other peers to this file, just make sure to increment their allowed IPs
# client config
# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <private_key_from_laptop>
Address = 10.0.0.2/24, fd42:42:42::2/64 # addresses that match "AllowedIPs" from server config
DNS = 1.1.1.1, 2606:4700:4700::1111 # your choice of DNS server, these are Cloudflare's but you could choose your own
[Peer]
PublicKey = <public_key_from_server>
AllowedIPs = 0.0.0.0/0, ::/0 # this says to send all traffic over the tunnel
Endpoint = <server_public_ip>:51820
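On the server, WireGuard uses each peer's AllowedIPs both to pick the peer for outgoing packets and to filter the source addresses that peer may send from, so a repeated or over-wide entry is worth catching before bringing the tunnel up. The following check is an added example, not part of the original post; the function names, the phone and tablet peers, and the sample config are constructed for illustration.

```python
import ipaddress
# Constructed sample: the server config above plus two deliberately wrong peers.
SAMPLE = """\
[Interface]
Address = 10.0.0.1/24
Address = fd42:42:42::1/64
[Peer] # laptop
PublicKey = <public_key_from_laptop>
AllowedIPs = 10.0.0.2/32, fd42:42:42::2/128
[Peer] # phone: IPv4 address not incremented
PublicKey = <public_key_from_phone>
AllowedIPs = 10.0.0.2/32, fd42:42:42::3/128
[Peer] # tablet: whole subnet instead of one host
PublicKey = <public_key_from_tablet>
AllowedIPs = 10.0.0.0/24, fd42:42:42::4/128
"""

def parse(text):
    """Return (interface networks, [[peer label, [allowed networks]], ...])."""
    nets, peers = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop '#' comments
        if line.lower() == "[peer]":
            peers.append([f"peer {len(peers) + 1}", []])
        key, _, value = line.lower().partition("=")
        items = [v.strip() for v in value.split(",") if v.strip()]
        if key.strip() == "address":
            nets += [ipaddress.ip_interface(v).network for v in items]
        elif key.strip() == "allowedips" and peers:
            peers[-1][1] += [ipaddress.ip_network(v, strict=False) for v in items]
    return nets, peers

def lint(text):
    """Return a list of AllowedIPs problems found in a server config."""
    nets, peers = parse(text)
    problems, seen = [], []                      # seen: (network, owning peer)
    for label, allowed in peers:
        for net in allowed:
            inside = any(net.version == n.version and net.subnet_of(n) for n in nets)
            if net.num_addresses != 1 or not inside:
                problems.append(f"{label}: {net} is not a single host inside the VPN subnets")
            for other, owner in seen:
                if owner != label and net.version == other.version and net.overlaps(other):
                    problems.append(f"{label}: {net} overlaps {other} of {owner}")
            seen.append((net, label))
    return problems

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no problems found")
```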
Now, you need to make sure your server can route your IPv6 traffic for you. This is done with some iptables configurations, and other system settings.
# as root run the following commands
# the next three commands enable packet forwarding for IPv4 and IPv6
echo 'net.ipv4.ip_forward = 1' | tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | tee -a /etc/sysctl.conf
sysctl -p # this will immediately apply the configuration additions
# now we need to let iptables route the traffic appropriately
# on my machine, my network interface is eno1, but it may be eth0 or something else for you; you can find this using: ip addr
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -A FORWARD -o wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o <YOUR_NETWORK_INTERFACE> -j MASQUERADE
ip6tables -A FORWARD -i wg0 -j ACCEPT
ip6tables -A FORWARD -o wg0 -j ACCEPT
ip6tables -t nat -A POSTROUTING -o <YOUR_NETWORK_INTERFACE> -j MASQUERADE
# ensure that your server has the wireguard port open
iptables -A INPUT -p udp --dport 51820 -j ACCEPT
ip6tables -A INPUT -p udp --dport 51820 -j ACCEPT
# keep loopback and SSH reachable before the DROP rules below, or new SSH logins to the server are blocked
# (this assumes SSH listens on the default port 22; change it if yours differs)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
# IPv6 relies on ICMPv6 (neighbour discovery), so accept it before the DROP rule
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
# don't allow outside traffic that you didn't initiate to connect back to your machine
# this is to prevent your machine becoming world accessible (the INPUT chain covers traffic addressed to the server itself)
# if you plan on running a public service, such as a webserver on your laptop, you may need
# to adjust these
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -j DROP
Now, both your laptop and server are ready to go. To start WireGuard on your server, run wg-quick up wg0 on your server. To start WireGuard on your laptop, run wg-quick up wg0 on your laptop. You can check that it’s working by running wg show on both your laptop and server.
Editor’s Note: Instead of using WireGuard for this, you could use something like Tailscale and set up and configure an exit node, but this is left as an exercise for the user.