Enabling 0xE IPv6 with Radvd, DHCPv6, nft, and WireGuard | LiberIT
Empower your network with 0xE earth-based IPv6 addresses using radvd, ISC DHCPv6, nftables, and WireGuard. Overcome the /64 subnet barrier, create scalable intranets, and secure your routing, defying norms of traditional IPv6.
Introduction
IPv6 was touted as the ultimate solution for global addressing, but the insistence on using /64 subnets for most implementations has contributed to rigidity and complexity. Meanwhile, address providers like IANA hoard addresses and keep them out of the hands of regular people through high fees. This often leaves smaller networks, experimental intranets, or alternative addressing schemes feeling marginalized. Enter the concept of 0xE earth-based IPv6 addresses: custom prefixes (such as eb22:...) not tied to the oppressive norms of mainstream IPv6 address planning, instead having prefixes available for every region on Earth. By combining these addresses with open-source tools like radvd, ISC DHCPv6 server, nftables, and WireGuard, you can build a Linux-based router that delegates addresses and routes traffic without bending to the tyranny of address hoarding for-profit companies.
In this guide, we’ll break free from the high fee proprietary address mindset, showing how to configure and route these addresses within your network. We’ll use radvd for router advertisements, ISC DHCPv6 for address delegation, nft for NAT66, and WireGuard for secure tunneling to an IPv6 gateway—enabling flexible topologies that empower intranets rather than confine them.
Prerequisites
- A Linux router (e.g., Ubuntu or Debian) with IPv6 forwarding enabled.
- radvd installed for advertising router prefixes.
- ISC DHCPv6 (isc-dhcp-server) installed for DHCP prefix and address delegation.
- nftables installed for firewall and NAT66 configuration.
- WireGuard installed and configured as your IPv6 uplink or gateway.
You should also have your 0xE (earth-based) IPv6 prefix on hand. For example:
eb22:3b21:2100::/48
This prefix is large and flexible, allowing subnetting below /64 boundaries if desired—defying the standard practice while still functioning within your controlled environment.
Step 1: Enable IPv6 Forwarding
Ensure IPv6 forwarding is turned on for your router:
sudo sysctl -w net.ipv6.conf.all.forwarding=1
Make it persistent by adding this line to /etc/sysctl.conf:
net.ipv6.conf.all.forwarding = 1
Step 2: Configure radvd for 0xE Prefixes
Create or edit /etc/radvd.conf to advertise your earth-based prefix. If you want to assign something smaller than /64, you can still advertise the prefix for routing purposes. For example:
interface ens18 {
    AdvSendAdvert on;
    AdvManagedFlag on;        # Tell clients to obtain addresses via DHCPv6
    AdvOtherConfigFlag off;
    prefix eb22:3b21:2100:1000::/64 {
        AdvOnLink on;
        AdvAutonomous off;    # Use DHCPv6 for address assignment
        AdvPreferredLifetime 600;
        AdvValidLifetime 1200;
    };
};
Here we’ve chosen /64 for compatibility with certain clients, but you can experiment with other sizes and rely on DHCPv6 for actual address assignment. Restart radvd:
sudo systemctl restart radvd
Step 3: Configure ISC DHCPv6 Server
Set up /etc/dhcp/dhcpd6.conf to delegate addresses from your chosen prefix. Example:
default-lease-time 2592000;
preferred-lifetime 604800;
option dhcp6.info-refresh-time 21600;
option dhcp6.name-servers 2600:3c04:e001:23::1;
option dhcp6.domain-search "intranet.example.com";
subnet6 eb22:3b21:2100:1000::/64 {
    range6 eb22:3b21:2100:1000::100 eb22:3b21:2100:1000::1fff;
    prefix6 eb22:3b21:2100:1010:: eb22:3b21:2100:101f:: /64;
}
Start the DHCPv6 server:
sudo systemctl restart isc-dhcp-server
Clients will now receive addresses from the delegated range and know to use the router for gateway services, even if you bend the /64 rule internally.
Step 4: WireGuard as an IPv6 Gateway
To access the IPv6 internet, you'll need to find a VPS that provides IPv6 connectivity, since most ISPs in Canada do not offer IPv6 at all, or only at extreme cost. Linode even offers routed subnets. Do contact us if you find anyone who is able to provide cheap IPv6 routed subnets in Canada.
If your default IPv6 route goes through a WireGuard tunnel (wg0), ensure the remote peer accepts traffic for your eb22 prefix. Add eb22:3b21:2100::/48 (or your chosen block) to the AllowedIPs in the peer configuration on both ends. For example, in /etc/wireguard/wg0.conf:
[Interface]
Address = 2600:3c04:e001:23::1/64
PrivateKey = <your-private-key>
ListenPort = 51820
[Peer]
PublicKey = <peer-public-key>
AllowedIPs = 2600:3c04:e001:23::/64, eb22:3b21:2100::/48
Endpoint = <peer-endpoint>
PersistentKeepalive = 25
Restart WireGuard:
sudo wg-quick down wg0
sudo wg-quick up wg0
Step 5: NAT66 with nftables
If your clients reject addresses with longer prefixes than /64 or you need to route eb22 addresses out of your wg0 interface to the global IPv6 internet, set up NAT66 (masquerade):
Create the nat table and POSTROUTING chain if they do not already exist, then flush the chain and recreate it with a single correct rule:
sudo nft add table ip6 nat
sudo nft add chain ip6 nat POSTROUTING '{ type nat hook postrouting priority 100 ; }'
sudo nft flush chain ip6 nat POSTROUTING
sudo nft add rule ip6 nat POSTROUTING ip6 saddr eb22:3b21:2100::/48 oifname "wg0" masquerade
This will “translate” outgoing eb22 traffic to the 2600 prefix on wg0.
Save and persist nftables rules:
sudo sh -c 'nft list ruleset > /etc/nftables.conf'
sudo systemctl enable nftables
sudo systemctl start nftables
Step 6: Testing the Setup
From a client machine on your intranet with an eb22 address, test connectivity:
ping6 -I eb22:3b21:2100:1000::1 google.com
If you receive replies, congratulations—you’ve successfully routed, delegated, and NAT’d your custom earth-based IPv6 addresses through your WireGuard gateway. You’ve done so on your own terms, sidestepping the rigid /64 norm.
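A consistency check over the addressing used in Steps 2 to 5, added here as an example and not part of the original guide: it confirms that the DHCPv6 range sits inside the radvd subnet, that every delegated prefix is matched by the NAT66 rule and covered by the WireGuard AllowedIPs, and that the eb22 prefix lies outside allocated global unicast space, which is why it has to be translated before leaving wg0. The function names are this example's own; the values are copied from the snippets above.

```python
import ipaddress as ip

# Values copied from the radvd, dhcpd6, WireGuard and nft snippets on this page.
SITE = ip.IPv6Network("eb22:3b21:2100::/48")         # nft "ip6 saddr" match
ONLINK = ip.IPv6Network("eb22:3b21:2100:1000::/64")  # radvd prefix / subnet6
RANGE6 = ("eb22:3b21:2100:1000::100", "eb22:3b21:2100:1000::1fff")
PREFIX6 = ("eb22:3b21:2100:1010::", "eb22:3b21:2100:101f::", 64)
ALLOWED_IPS = ("2600:3c04:e001:23::/64", "eb22:3b21:2100::/48")
# IANA currently assigns global unicast space only from 2000::/3.
GLOBAL_UNICAST = ip.IPv6Network("2000::/3")


def delegated_prefixes(low, high, bits):
    """Expand a dhcpd6 'prefix6 low high /bits' pool into its networks."""
    step = 1 << (128 - bits)
    lo, hi = int(ip.IPv6Address(low)), int(ip.IPv6Address(high))
    if lo > hi or lo % step or hi % step:
        raise ValueError("prefix6 bounds must be ordered and aligned to /%d" % bits)
    return [ip.IPv6Network((addr, bits)) for addr in range(lo, hi + 1, step)]


def needs_nat66(net):
    """True when a source prefix lies outside allocated global unicast space."""
    return not net.subnet_of(GLOBAL_UNICAST)


def check_plan(allowed_ips=ALLOWED_IPS):
    """Return a list of inconsistencies between the four configurations."""
    problems = []
    allowed = [ip.IPv6Network(n) for n in allowed_ips]
    lo, hi = (ip.IPv6Address(a) for a in RANGE6)
    if lo > hi or lo not in ONLINK or hi not in ONLINK:
        problems.append("range6 is not inside subnet6 %s" % ONLINK)
    pools = delegated_prefixes(*PREFIX6)
    if any(p.overlaps(ONLINK) for p in pools):
        problems.append("a delegated prefix overlaps the on-link subnet")
    for net in [ONLINK] + pools:
        if not net.subnet_of(SITE):
            problems.append("%s is not matched by the NAT66 rule" % net)
        if not any(net.subnet_of(a) for a in allowed):
            problems.append("%s is not covered by AllowedIPs" % net)
    return problems


if __name__ == "__main__":
    print("NAT66 required for site prefix:", needs_nat66(SITE))
    for line in check_plan() or ["address plan is consistent"]:
        print(line)
```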
Conclusion
In a world where the IPv6 specification and common practice seem to enforce a one-size-fits-all /64 approach, you’ve defied convention. By employing radvd, ISC DHCPv6, nftables, and WireGuard, you can carve out a flexible intranet using 0xE earth-based IPv6 addresses. This approach empowers you to shape your network addressing scheme according to your needs rather than conform to entrenched standards.
You’ve created a network that is not only functional and secure but also more just and innovative—proving that IPv6 can serve your community’s vision without the constraints of the current oppressive norms.