CentralPivot 3 Posted ...

With IPv6 allowing practically infinite IPs it should be possible to assign a dedicated IPv6 address to each connection, allowing incoming connections to any port to be forwarded. This would be a great way to circumvent the port forwarding restrictions on IPv4 that exist because multiple clients have to share the same exit IP, and I think would make for a nice optional feature.

larry.munday and Antti Simola reacted to this
Tech Jedi Alex 1518 Posted ...

But then, why even use a VPN for privacy reasons? IPv6 was specifically configured to be NATed to have a similar pseudonymic way of operation as with IPv4.

Also, this would mean that port forwarding will only work with v6, but half the ISPs in the world don't even rollout v6, and most VPN users simply disable v6 upon connecting. There'd be backlash with such a decision.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page.
CentralPivot 3 Posted ...

11 hours ago, Tech Jedi Alex said:
> But then, why even use a VPN for privacy reasons? IPv6 was specifically configured to be NATed to have a similar pseudonymic way of operation as with IPv4.

Privacy is not the only reason to use a VPN. Also, while it would be possible to assert that traffic going to a specific IP is tunneled to the same end user, going through a VPN means you still don't know who that end person is or where they're located based on their IP. And since we're talking about incoming traffic, this kind of analysis is already possible by also looking at the destination port of the incoming connection.

11 hours ago, Tech Jedi Alex said:
> Also, this would mean that port forwarding will only work with v6, but half the ISPs in the world don't even rollout v6, and most VPN users simply disable v6 upon connecting. There'd be backlash with such a decision.

This wouldn't affect IPv4 port forwarding. All IPv4 connections would still use a shared IPv4 exit address. It wouldn't even affect port forwarding for IPv6 users that don't enable this feature. This would just be an option to get a dedicated exit IP that would forward all traffic statelessly. Traffic going to the shared exit IPs would go through the same port forwarding translations it already does.

larry.munday reacted to this
larry.munday 1 Posted ...

I’m with @CentralPivot on this Topic. Would be lovely for FileSharing etc. and I don’t see any Downsides @Tech Jedi Alex suggests applying.

Using a shared IPv6 obviously needs to be the Default. But @CentralPivot seems to suggest for it to work in a similar Way as Port Forwarding does now: Activate it and get a completely forwarded v6 for In&Out instead of a Port on a v4. (Having a (semi) fixed v6 helps with getting a positive Rating in BitTorrent Swarms.) Maybe a fresh IPv6 on Reconnects as an Option?

For my Use Cases Peers without v6 are completely irrelevant to be honest, but v4 Port Forwarding doesn’t need to stop working for that Feature to exist?

In the other Direction there are quite a few ISPs in the World that only do v4 via Gateways for their Users, because getting IPv4-Addresses for their Customers is impossible. IPv6 has been a "Draft" since 1998 and a Standard since late 2017…

CentralPivot reacted to this
Tech Jedi Alex 1518 Posted ...

On 12/6/2025 at 10:45 AM, CentralPivot said:
> This would just be an option to get a dedicated exit IP that would forward all traffic statelessly. Traffic going to the shared exit IPs would go through the same port forwarding translations it already does.

Granted, but then.. if you cannot expand the port forwarding/sharing capabilities, since you'll still be limited to the 64000 ports you can forward with v4 so as to not overcomplicate the port forwarding feature in the client area, what is the technical advantage of going through the pain of implementing all this? Just so you can have a unique v6? For what? You're still blocked by public trackers, WAFs and blacklists because the server (more like its address range) is hosted by a notorious VPN server hoster (M247 for example). You also don't gain throughput because it's still the same server with the same CPU and client count, load and latency.

15 hours ago, larry.munday said:
> (Having a (semi) fixed v6 helps with getting a positive Rating in BitTorrent Swarms.)

First I've heard of swarms rating their peers. I know that torrent clients can be configured to prefer the allocation of upload slots to peers by certain criteria, but the swarm doesn't care about your IP address or how "fixed" it is. They care about your peer ID. If you're in, you're a peer, be it new or seeding since two years ago. If you're seeding for longer, you'll be found quicker, of course, since your peer ID is known in the swarm, but whether your IP is fixed or dynamic, doesn't matter at all. You restart the torrent client, you get a random peer ID, even if your address is the same.

Did you maybe mean positive ratings on torrent trackers/indexers? If so, I believe mapping your traffic stats to accounts is done by passkeys in the tracker announcement URL. Which also doesn't care about how "fixed" your address is. Though, I cannot rule out that certain private trackers/indexers also check the address; after all, the tracker software would know it inevitably. In this case, maybe the privacy-focused AirVPN is not the best fit for people with such a use case?

15 hours ago, larry.munday said:
> Maybe a fresh IPv6 on Reconnects as an Option?

If I as such a spammer will notice that I get a new public address on each reconnect, I would abuse the heck out of this mechanism. I mean.. I wouldn't even need a botnet anymore, I can just cycle my IP with this and attack from literally TRILLIONS of IPs. For, what, 7€ a month? Even less with longer subs? Plus sales? Is it Christmas already? (Even if it is right now.)

And if there is no such randomizing mechanism the user can control, you force yourself to use the same UGA on the same server (unless you regenerate the conf, maybe), defeating the purpose of AirVPN.

All valid points with v6, of course, and I also always advocate for not devaluing v6 just because "v4 works" (instead of disabling v6 upon problems, fix those problems). If you know of a provider with a good implementation of v6 UGA assignments that preserve privacy of every user, I'd be happy to look into it more closely (please do so via private messaging). Who knows, maybe there is a practical solution for this I don't see yet? But here and now I see that v6 works brilliantly in NAT mode and preserves users' privacy the best way it can. Configuring a VPN connection by generator or ad-hoc is simple, too, and demand is negligible as of now.

Also mind my signature:

> NOT AN AIRVPN TEAM MEMBER

I speak for myself.
CentralPivot 3 Posted ...

4 hours ago, Tech Jedi Alex said:
> Granted, but then.. if you cannot expand the port forwarding/sharing capabilities, since you'll still be limited to the 64000 ports you can forward with v4 so as to not overcomplicate the port forwarding feature in the client area, what is the technical advantage of going through the pain of implementing all this? Just so you can have a unique v6? For what? You're still blocked by public trackers, WAFs and blacklists because the server (more like its address range) is hosted by a notorious VPN server hoster (M247 for example). You also don't gain throughput because it's still the same server with the same CPU and client count, load and latency.

This wouldn't really interact with the existing port forwarding system at all. The point is to not have to forward any ports at all, all traffic to your public IP would automatically be forwarded to you, circumventing the entire port forwarding mechanism. The advantage is that you don't have a limitation on the number of forwarded ports anymore or restrictions on which exact ports are available. You'd have access to the entire range of 65535 ports.

This is useful for several scenarios, for example if you have multiple clients that need port forwarding you run out very fast. It's also useful for punching through restricted networks or heavily NATed/CG-NATed networks and get a publicly addressable IP. Useful if I want to e.g. share a file with someone on IRC but we're both behind CG-NAT, or if I want to spin up a http server to show off a demo but the cafe I'm at blocks incoming port 80.

As for the server infrastructure, stateless address translation is less resource intensive than stateful NAT, so the more popular of a feature this is the less the routing overhead on the servers will be.

4 hours ago, Tech Jedi Alex said:
> If I as such a spammer will notice that I get a new public address on each reconnect, I would abuse the heck out of this mechanism. I mean.. I wouldn't even need a botnet anymore, I can just cycle my IP with this and attack from literally TRILLIONS of IPs.

There's plenty of ways for spammers and other evildoers to do that for free already, they wouldn't need an AirVPN subscription to get trillions of ipv6 addresses. Which is why with ipv6 nobody blocks on a per-address level, but prefixes.
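
The last exchange in the thread turns on per-address versus per-prefix blocking for IPv6. The following is an added example, not part of any post above: it counts abuse events keyed on the full address and keyed on the enclosing /64, over a constructed log. The function names, the threshold and the /64 bucket size are assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of abuse-event source addresses (documentation ranges
# 2001:db8::/32 and 192.0.2.0/24); these are not values from the thread.
SAMPLE_SOURCES = [
    "2001:db8:aa:1::1001", "2001:db8:aa:1::2002", "2001:db8:aa:1:dead:beef:0:3",
    "2001:db8:aa:1:ffff::4", "2001:db8:aa:1::5",   # one client cycling inside a /64
    "2001:db8:bb:7::10", "2001:db8:bb:7::10",      # one host, two events
    "2001:db8:cc:9::1",                            # single event
    "192.0.2.44", "192.0.2.44", "192.0.2.44", "192.0.2.44",
    "not-an-address",                              # malformed log field
]

def bucket(source, v6_prefixlen=64):
    """Map a source address to the network a limiter should key on."""
    try:
        addr = ipaddress.ip_address(source.strip())
    except ValueError:
        return None                                # skip malformed entries
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                    # ::ffff:a.b.c.d is really IPv4
    plen = v6_prefixlen if addr.version == 6 else 32
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

def offenders(sources, threshold=4, v6_prefixlen=64):
    """Return {network: event_count} for buckets at or above the threshold."""
    buckets = (bucket(s, v6_prefixlen) for s in sources)
    counts = Counter(b for b in buckets if b is not None)
    return {net: n for net, n in counts.items() if n >= threshold}

def per_address_offenders(sources, threshold=4):
    """Same count keyed on full addresses (/128), for comparison."""
    return offenders(sources, threshold, v6_prefixlen=128)

if __name__ == "__main__":
    print("per address:", per_address_offenders(SAMPLE_SOURCES))
    print("per /64    :", offenders(SAMPLE_SOURCES))
```

Keyed on full addresses, the cycling client never reaches the threshold; keyed on the /64 it does. The same bucketing means that dedicated addresses handed out from one shared prefix would be counted, and blocked, together.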