feat: Add support for dual-stack IPv4/IPv6 configurations#2609
Open
farhadh wants to merge 7 commits into
Open
Conversation
Add optional WG/AWG JSON fields for client and server IPv6 addresses, and teach native WireGuard import to parse dual-stack Address, DNS, AllowedIPs, and bracketed IPv6 Endpoint values.
Configure WG/AWG server templates with IPv6 interface addresses, allocate IPv6 peer addresses from existing AllowedIPs, and only issue IPv6 client routes when container IPv6 egress is available.
Split WG/AWG client addresses and endpoints by address family, pass real IPv6 tunnel addresses through activation JSON, and avoid the legacy fake IPv6 ULA route when no client IPv6 exists.
Accept IPv6 split-tunnel routes and AAAA resolutions, preserve IPv6 include/exclude routing, handle IPv6 DNS rules, and keep IPv6 blocked unless a real IPv6 tunnel route is configured.
Pass combined IPv4/IPv6 WG/AWG addresses to mobile clients, filter IPv6 routes when no IPv6 tunnel address exists, and format IPv6 WireGuard endpoints with brackets for Apple NetworkExtension.
Add coverage for bracketed IPv6 endpoints, dual-stack native Address/DNS/AllowedIPs parsing, new JSON field round-trips, and desktop activation JSON IPv6 fields.
Replace newly added IPv6 memcpy calls with explicit fixed-size byte copies and compile-time buffer size checks.
This was referenced May 16, 2026
Author
Collaborator
|
Hi @farhadh |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds dual-stack IPv6 support for WireGuard and AmneziaWG across config parsing/generation, self-hosted setup, desktop activation, platform routing/firewall handling, Android, and Apple NetworkExtension paths.
IPv6 client routing is generated only when WG/AWG has a real client IPv6 address and self-hosted container IPv6 egress is available. Otherwise generated configs remain IPv4-only to avoid IPv6 leaks or the previous fake ULA behavior.
Changes
client_ipv6subnet_ipv6_addresssubnet_ipv6_cidrAddressAllowedIPsDNSEndpointip6tablesNAT/forwarding rulesTesting
Passed:
test_multiple_importsMultipleImportsTest:protocolApi:compileDebugKotlin:wireguard:compileDebugKotlinWGConfig.swiftPacketTunnelProvider+WireGuard.swiftgit diff --check HEAD~6..HEADNotes
Full iOS/macOS NetworkExtension
xcodebuildwas not run because this host only has Command Line Tools installed, without full Xcode or iOS SDKs. OpenVPN, Xray, and IKEv2 IPv6 behavior is intentionally unchanged in this pass. WireGuard and AmneziaWG/AWG, including direct Amnezia tunnels, gain dual-stack support when a real client IPv6 address and server/container IPv6 egress are available.ETA: some clarity to avoid confusion.