ANSWERED Wireguard for ipv6

[nicoco 1]

Hi!

Is wireguard supposed to work for IPv6? If yes, what is wrong with my config?

[Interface]
Address = 10.169.139.176/32, fd7d:76ee:e68f:a993:743d:617f:b79:27d7/128
PrivateKey = XXX
MTU = 1320
Table = off

[Peer]
PublicKey = XXX
PresharedKey = XXX
Endpoint = ch.vpn.airdns.org:1637
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 15
 

This works fine for IPv4, I can  curl --interface airvpn ip.network and it returns the airvpn IP. But if try curl -6 I get  curl: (7) Failed to connect to ip.network port 80 after 25 ms: Could not connect to serv
er.

Is this a config issue on my side, or doesn't airvpn work for ipv6 via wireguard? Thanks.

[Tech Jedi Alex 1551]

Please refer to the FAQ. ch.vpn.airdns.org only resolves to v4. Use ch.ipv6.vpn.airdns.org for v6.

[Staff 10537]

On 3/25/2026 at 6:09 PM, Tech Jedi Alex said:

Please refer to the FAQ. ch.vpn.airdns.org only resolves to v4. Use ch.ipv6.vpn.airdns.org for v6.

Hello!

Well, the problem seems different though... the OP should be able to enjoy IPv6 over an IPv4 tunnel with the published configuration file. UPDATE: Table = off in a WireGuard profile disables the automatic routing of traffic through the WireGuard interface, allowing the user to manage routing manually. Therefore it's up to the user to set the proper routes,

@nicoco 
First of all, there is an error in how you use curl. You must not specify the VPN interface: the interface must manage an IPv4 tunnel. IPv6 must be wrapped over it.
If you bind curl to the VPN interface, you bypass the routing table and you prevent the system from picking the correct source IPv6 address. You don't see this problem with curl -4 --interface <VPN interface> probably because there is no ambiguity in selecting IPv4 source address when curl binds to the VPN interface, in spite of the routing table bypass (i.e. lucky case).

Just omit this option and you should be fine (alternative: follow @Tech Jedi Alex solution, you will have an IPv6 tunnel over which you can tunnel IPv4 too and the problem could be "specular" with v4 when you use curl).
Side note: the option --interface is not supported in Windows.

If the problem persists: are you sure that your curl -6 tests are directed toward an IPv6 HTTP supporting service? Try https://ipv6.google.com for a cross-check, and ping6 too. 

If the problem still persists, please make sure that IPv6 support is enabled on your system and your network interfaces.

Kind regards
 

[nicoco 1]

Thanks for your replies.

We're reaching the limits of my networking knowledge, so I hope what I say is not too much nonsense.

> You must not specify the VPN interface: the interface must manage an IPv4 tunnel.

I use wireguard to create a new network interface which is not the default one. This way, I can choose to use this interface in qbittorrent and nicotine+ (both p2p file sharing clients). If I curl without specifying the network interface, it defaults to my enp12s0 interface, and fetching ip.network yields my ISP-given public IPv4 with -4 and my ISP-given public IPv6 with -6.

nicoco@tour ~> curl ip.network -4
82.66.XX.XX
nicoco@tour ~> curl ip.network -6
2a01:e0a:f09:XX:XX:XX:XX:XX

Specifying the interface with the wireguard one works as (I) expected for IPv4

nicoco@tour ~> curl ip.network --interface airvpn -4
185.156.XX.XX
 

But fails for IPv6:

nicoco@tour ~> curl ip.network --interface airvpn -6
curl: (7) Failed to connect to ip.network port 80 after 25 ms: Could not connect to server

Now, I don't really care about curl, the reason I investigated this was that I noticed that a torrent tracker I use reported my ISP-provided IPv6, despite specifying in qbittorrent settings that I want qbittorrent to only use the airvpn interface. I worked around the issue by forcing qbittorrent to use the airvpn interface AND to bind to the airvpn (local) IPv4 (10.169.139.176) only.
 

But ideally, I would love to be able to use both IPv4 and IPv6 in qbittorrent, through airvpn. My idea was that getting curl -6 --interface airvpn ip.network to yield airvpn's public IPv6 was the first step to verify that my setup is working correctly. But maybe this does not work the way I thought it did, and it's more complicated than that? ^^

[Staff 10537]

8 hours ago, nicoco said:

getting curl -6 --interface airvpn ip.network to yield airvpn's public IPv6 was the first step to verify that my setup is working correctly

Hello!

The idea is correct, but you must omit --interface option for the previously explained reasons. However this is a necessary but not sufficient condition to prevent traffic leaks. Binding qBittorrent to the VPN interface is a perfect solution. Our software Network Lock feature is another one. You may apply both settings for additional safety.

Please note that some qBittorrent versions could handle only IPv6 or only IPv4 traffic, but we think that qBittorrent devs resolved this limitation recently.

Kind regards
 

[nicoco 1]

I don't get it. If I omit --interface, then curl does not uses the wireguard tunnel, so my ISP-provided IPv6 is not hidden at all.

nicoco@tour ~> curl ip.network -6
2a01:e0a:f09:XX:XX:XX:XX:XX  # My ISP IPv6

> Binding qBittorrent to the VPN interface is a perfect solution

This is what I do, and while it does hide my ISP-provided IPv4 perfectly, the situation is different for IPv6, where my ISP-provided IPv6 is leaked to the tracker and my peers.

I think there is a confusion in your reply. My setup may be somewhat unusual because I do not want all traffic router through the wireguard interface. I only want certain software to specifically bind on this interface. For eg, web browsing, I'm fine not hiding my IP.

[Staff 10537]

3 hours ago, nicoco said:

If I omit --interface, then curl does not uses the wireguard tunnel, so my ISP-provided IPv6 is not hidden at all.

Hello!

In this case there's something wrong in setup. The configuration file is correct:
AllowedIPs = 0.0.0.0/0, ::/0

This line tells WireGuard to tunnel the entire IPv4 and IPv6 address space. Any leak is caused by wrong binding or bad routing table together with absence of "network lock" leaks prevention.

Use the AirVPN Suite to get rid of these problems, but it would be interesting to investigate further, if you don't mind. We could start by examining the routing table, the network interface settings and the firewall rule set during a connection, while the problem is occurring. Tracing IPv6 routes can provide valuable clues too.
 

Quote

Quote

Binding qBittorrent to the VPN interface is a perfect solution

This is what I do, and while it does hide my ISP-provided IPv4 perfectly, the situation is different for IPv6, where my ISP-provided IPv6 is leaked to the tracker and my peers.

This is a symptom hinting at a serious mis-configuration (or some previously un-detected qBittorrent bug, but it's unlikely as something so important would have been immediately noticed). Network Lock would prevent this situation but your case is very interesting and in our opinion deserves further investigation.
 

Quote

I think there is a confusion in your reply. My setup may be somewhat unusual because I do not want all traffic router through the wireguard interface. I only want certain software to specifically bind on this interface. For eg, web browsing, I'm fine not hiding my IP.

In this case your setup is plausibly the source of the problem. Traffic splitting on an application basis requires some care to avoid those very leaks that you are experiencing. Consider running the AirVPN Suite for a safe traffic splitting on an application basis. 

AirVPN Suite resources: https://airvpn.org/forums/topic/79336-airvpn-suite-resources/

Kind regards



 

[nicoco 1]

Apologies about the long delay.

About my config, Table = off is why not all traffic is routed through airvpn despite the "allowed IPs" line.

I'm happy to provide more information to investigate this further if it is interesting but I wouldn't know where to start. I would like to avoid leaking my IP in this forum, but I'm fine providing traces and other things in private messages if that is useful for you.

[dnmaster 0]

I am facing the same issue. Did you find a solution?

[Staff 10537]

8 hours ago, dnmaster said:

I am facing the same issue. Did you find a solution?

Hello!

The cause of the problem (Table = off and improper traffic splitting setup) and its solution can be found in the "best answer" post of the thread. If they don't apply to you, please feel free to open your own thread.

Kind regards
 

[nicoco 1]

@dnmaster My solution was to disable IPv6 in qbittorrent. I did not understand the reply from staff, and I disagree that "there is a problem in how I use curl", having a wireguard interface for airvpn is precisely what I am trying to achieve and it works for IPv4 with the configuration I posted. I have limited knowledge when it comes to networking and my setup "just works" for IPv4, I wish someone explained how I need to "set up routes" or something like that.

[DeepAnger 0]

23 hours ago, nicoco said:

@dnmaster My solution was to disable IPv6 in qbittorrent. I did not understand the reply from staff, and I disagree that "there is a problem in how I use curl", having a wireguard interface for airvpn is precisely what I am trying to achieve and it works for IPv4 with the configuration I posted. I have limited knowledge when it comes to networking and my setup "just works" for IPv4, I wish someone explained how I need to "set up routes" or something like that.

I don't know on what OS you're trying to make this work but on OpenWrt, I've been able to have both IPv4 and Ipv6 going through the WG VPN. To avoid IPv6 leaks, I disabled the wan6 interface so the only IPv6 addresses known in my LAN are private and in theory shouldn't be routed on the Internet. I gave some more details in the following topic:

https://airvpn.org/forums/topic/69197-title-ipv6-not-routing-through-airvpn-on-openwrt-wireguard/?tab=comments#comment-262564

qBittorrent is bound to "All adresses" but the number of IPv6 peers is lower compared to IPv4 (usually less than 10 % with 500 to 1500 peers connected). But this isn't probably an anomaly as discussed in the following topic:

https://airvpn.org/forums/topic/80136-ratio-percentage-of-ipv4-vs-ipv6-peers-in-your-torrents/?tab=comments#comment-262646
  Edited ... by DeepAnger
Fix typing mistake(s)

[dnmaster 0]

@DeepAnger I am not trying to get all traffic to go through the interface, and that is not what the OP wanted to do either.

I want only applications bound to the wireguard interface to communicate through airvpn, and other applications by default to use the main ISP routes. I already had a seperate routing table with the airvpn default route, but I was missing a routing policy rule to make the interface use that rule, i.e. 

ip rule add from all oif wg-airvpn table airvpn

I'm not sure why IPv4 was working without this when IPv6 required it, but now my setup is working as intended.

[DeepAnger 0]

I'm glad (if) I could help. On OpenWrt I use Policy Based Routing for IPv4 only. And the AirVPN WireGuard tunnel for IPv6 because I have no other use for IPv6 yet and I don't use the IPv6 from my Internet provider (I tried before and it worked in relay mode but I received a threatening e-mail from ZOG because they didn't like me sharing all those Linux ISOs). When I got that 1 / 2 Gbps fiber plan, I discovered that it was close to a nightmare : CG-NAT for IPv4 and a /64 for IPv6. It couldn't be worse. But now, thanks to AirVPN, I can have incoming port forwarding with IPv4 and incoming IPv6 without using a public IPv6. I have already been a few times in the Top User Speed and now in Top User Session Traffic and this with a Flint 2 (GL-MT6000) home router. I believe that it couldn't be better.