authorPaul Buetow <paul@buetow.org>2026-01-15 19:31:07 +0200
committerPaul Buetow <paul@buetow.org>2026-01-15 19:31:07 +0200
commitc87af70ba1fc2d79cbcb3284bd274c9cd3bd78dd (patch)
tree3814848e88774827d7caa7c72f3889dac4fda709
parenta6984e1a9c59f19444bbc9013c59604e48cbf371 (diff)
Add dual-stack IPv6 support to WireGuard mesh network
Enable IPv6 support across all 10 mesh network hosts using ULA addressing (fd42:beef:cafe:2::/64). Modified generator to output dual-stack configurations: - Updated address() method to generate multiple Address directives for IPv6 - Modified peers() AllowedIPs to include both IPv4/32 and IPv6/128 addresses - Maintained backward compatibility for hosts without ipv6 field in YAML - Roaming clients still route all traffic (0.0.0.0/0, ::/0) through VPN All hosts now have IPv6 addresses assigned in YAML configuration. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
-rw-r--r--wireguardmeshgenerator.rb27
-rw-r--r--wireguardmeshgenerator.yaml10
2 files changed, 32 insertions, 5 deletions
diff --git a/wireguardmeshgenerator.rb b/wireguardmeshgenerator.rb
index 365b2b9..b12f0b9 100644
--- a/wireguardmeshgenerator.rb
+++ b/wireguardmeshgenerator.rb
@@ -139,11 +139,20 @@ WireguardConfig = Struct.new(:myself, :hosts) do
# Generates the address configuration for the current host.
# For OpenBSD, it returns a placeholder comment. Otherwise, it returns the
- # IP address as that option isn't supported on OpenBSD.
+ # IP address (and optionally IPv6) as that option isn't supported on OpenBSD.
+ # Supports dual-stack: if ipv6 field is present, outputs both IPv4 and IPv6 addresses.
def address
return '# No Address = ... for OpenBSD here' if hosts[myself]['os'] == 'OpenBSD'
- "Address = #{hosts[myself]['wg0']['ip']}"
+ ipv4 = hosts[myself]['wg0']['ip']
+ ipv6 = hosts[myself]['wg0']['ipv6']
+
+ # WireGuard supports multiple Address directives for dual-stack
+ if ipv6
+ "Address = #{ipv4}\nAddress = #{ipv6}/64"
+ else
+ "Address = #{ipv4}"
+ end
end
# Generates DNS configuration for roaming clients.
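Review bot: `ipv4` and `ipv6` in `address` are interpolated from the YAML unparsed, and the new dual-stack form joins them with `\n` and a hard-coded `/64`. A typo, an embedded line break, or an `ipv6` value that already carries a prefix (giving `.../64/64`) therefore only surfaces when the interface is brought up on the target host. Parsing each value first and failing the generator run keeps a malformed entry out of every generated config, for example `raise ArgumentError, "bad ipv6 for #{myself}" unless IPAddr.new(ipv6).ipv6?`, which needs `require 'ipaddr'` if the file does not already load it. A value containing `/` needs its own rejection, because `IPAddr.new` accepts a mask. The same applies to the `allowed_ips` interpolation in the second hunk of this file, where the string also decides which source addresses a peer is accepted for.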
@@ -185,9 +194,17 @@ WireguardConfig = Struct.new(:myself, :hosts) do
# Set keepalive: LAN hosts connecting to internet hosts, OR roaming clients connecting to anyone.
keepalive = is_roaming || (in_lan && !peer_in_lan)
- # For roaming clients, route all traffic through VPN (0.0.0.0/0).
- # For regular mesh peers, only route their specific IP.
- allowed_ips = is_roaming ? '0.0.0.0/0, ::/0' : data['wg0']['ip']
+ # For roaming clients, route all traffic through VPN (0.0.0.0/0, ::/0).
+ # For regular mesh peers, route their specific IPv4 (and IPv6 if present).
+ # Dual-stack peers get both addresses in AllowedIPs.
+ if is_roaming
+ allowed_ips = '0.0.0.0/0, ::/0'
+ else
+ # For mesh peers, allow both IPv4 and IPv6 if present
+ ipv4 = data['wg0']['ip']
+ ipv6 = data['wg0']['ipv6']
+ allowed_ips = ipv6 ? "#{ipv4}/32, #{ipv6}/128" : "#{ipv4}/32"
+ end
PeerSnippet.new(peer, myself, reach['domain'], data['wg0']['domain'],
allowed_ips, endpoint, keepalive)
end
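Review bot: The `/128` in `allowed_ips` is emitted for every peer that has an `ipv6` field, OpenBSD peers included, yet `address` in the first hunk returns the OpenBSD placeholder before `ipv6` is read. The commit message says all hosts now carry an `ipv6` value, and the YAML has a host marked `os: OpenBSD`. Unless the OpenBSD interface gets its inet6 address from somewhere not visible in this diff, the other hosts would accept and route a ULA address that no interface holds. If that is handled elsewhere, a comment on the non-roaming branch would settle it, for example `# OpenBSD peers: wg0 inet6 address is configured outside this generator`; otherwise leave the `/128` out for peers whose `os` is `OpenBSD`. The enclosing method starts and ends outside the hunk.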
diff --git a/wireguardmeshgenerator.yaml b/wireguardmeshgenerator.yaml
index 020854f..a39b2ed 100644
--- a/wireguardmeshgenerator.yaml
+++ b/wireguardmeshgenerator.yaml
@@ -13,6 +13,7 @@ hosts:
wg0:
domain: 'wg0.wan.buetow.org'
ip: '192.168.2.130'
+ ipv6: 'fd42:beef:cafe:2::130'
exclude_peers:
- earth
- pixel7pro
@@ -29,6 +30,7 @@ hosts:
wg0:
domain: 'wg0.wan.buetow.org'
ip: '192.168.2.131'
+ ipv6: 'fd42:beef:cafe:2::131'
exclude_peers:
- earth
- pixel7pro
@@ -45,6 +47,7 @@ hosts:
wg0:
domain: 'wg0.wan.buetow.org'
ip: '192.168.2.132'
+ ipv6: 'fd42:beef:cafe:2::132'
exclude_peers:
- earth
- pixel7pro
@@ -61,6 +64,7 @@ hosts:
wg0:
domain: 'wg0.wan.buetow.org'
ip: '192.168.2.120'
+ ipv6: 'fd42:beef:cafe:2::120'
exclude_peers:
- earth
- pixel7pro
@@ -77,6 +81,7 @@ hosts:
wg0:
domain: 'wg0.wan.buetow.org'
ip: '192.168.2.121'
+ ipv6: 'fd42:beef:cafe:2::121'
exclude_peers:
- earth
- pixel7pro
@@ -93,6 +98,7 @@ hosts:
wg0:
domain: 'wg0.wan.buetow.org'
ip: '192.168.2.122'
+ ipv6: 'fd42:beef:cafe:2::122'
exclude_peers:
- earth
- pixel7pro
@@ -110,6 +116,7 @@ hosts:
wg0:
domain: 'wg0.wan.buetow.org'
ip: '192.168.2.110'
+ ipv6: 'fd42:beef:cafe:2::110'
fishfinger:
os: OpenBSD
ssh:
@@ -124,11 +131,13 @@ hosts:
wg0:
domain: 'wg0.wan.buetow.org'
ip: '192.168.2.111'
+ ipv6: 'fd42:beef:cafe:2::111'
earth:
os: Linux
wg0:
domain: 'wg0.wan.buetow.org'
ip: '192.168.2.200'
+ ipv6: 'fd42:beef:cafe:2::200'
exclude_peers:
- f0
- f1
@@ -145,6 +154,7 @@ hosts:
wg0:
domain: 'wg0.wan.buetow.org'
ip: '192.168.2.201'
+ ipv6: 'fd42:beef:cafe:2::201'
exclude_peers:
- f0
- f1