How do I convert a /128 IPv6 address to /64 or /48 for accessing myself through a VPN?
After connecting to a WireGuard VPN, I gained IPv6 access even though my ISP doesn’t provide IPv6 directly (I’m using a free VPN server).
In my WireGuard configuration, besides Address = 10.2.0.3/32, I added Address = 2a07:b944::2:3/128, and IPv6 started working through the VPN.
At the same time:
- nslookup for the VPN server returns an address ending with :0:39f::10
- When I connect through this server, other sites show my IPv6 address ending with :0:39f::14
My goal is to add an “external” IPv6 address to my WireGuard configuration to fully utilize IPv6, particularly for accessing myself from outside.
Question: knowing the full “external” IPv6 address (ending with :0:39f::14), how can I create a “virtual” address that will follow the same prefix (:0:39f::14)?
Converting /128 IPv6 Address to /64 or /48 for Self-Access Through VPN
Converting a /128 IPv6 address to /64 or /48 for self-access through VPN is possible by determining the VPN network prefix and creating an appropriate virtual address. For this, you need to analyze your IPv6 address structure, extract the network prefix, and add an address with the appropriate subnet mask to your WireGuard configuration.
Table of Contents
- IPv6 Addressing Basics
- /128 to /64 Conversion
- VPN Address Planning
- WireGuard Configuration
- Practical Examples
IPv6 Addressing Basics
IPv6 uses 128-bit addresses, which is fundamentally different from 32-bit IPv4 addresses. The structure of an IPv6 address consists of two main parts: the network prefix and the interface identifier.
Your address 2a07:b944::2:3/128 has a /128 prefix, which means it’s a single address without a subnet. According to IPv6 standards, /64 is the standard subnet size for local networks.
Important:
/128is a single address,/64is a subnet with 2^64 addresses,/48is a subnet with 2^48 addresses
In your case, the VPN server address ends with :0:39f::10, and your external address is :0:39f::14. This indicates that you are both in the same subnet with a prefix that includes the :0:39f:: part.
/128 to /64 Conversion
To convert a /128 address to /64, you need to determine the network prefix. Here’s the step-by-step process:
-
Determine the network prefix
- Your address:
2a07:b944::2:3/128 - External address:
2a07:b944::0:39f::14 - Network prefix:
2a07:b944::/48(the first 48 bits)
- Your address:
-
Create a /64 subnet
- Prefix:
2a07:b944::/64 - This will give you a subnet with 18,446,744,073,709,551,616 addresses
- Prefix:
As explained in the pfSense documentation, to create larger or smaller subnets, you need to adjust the prefix in multiples of four. In this case, /48 → /64 follows this rule.
VPN Address Planning
When planning addresses in a VPN environment, it’s important to consider:
- Subnet size:
/64for standard LANs,/56for smaller sites,/48for large organizations - Hierarchy: allocate
/48for customers,/64for environments - Uniqueness: ensure addresses don’t overlap
According to the IPv6 planning guide, you can allocate a /64 subnet for each customer or isolated hosting environment, while a /48 provides flexibility for assigning different subnets.
For your situation:
- VPN prefix:
2a07:b944::/48 - Your subnet:
2a07:b944::/64 - Your addresses in this subnet can be any, for example:
2a07:b944::1:1/64
WireGuard Configuration
To add an “external” IPv6 address to your WireGuard configuration:
- Determine your network prefix
- Add an address with the appropriate mask to the
[Interface]section
Example configuration:
[Interface]
PrivateKey = <your_private_key>
Address = 10.2.0.3/32
Address = 2a07:b944::1:1/64 # /64 address in VPN subnet
DNS = 8.8.8.8, 2001:4860:4860::8888
[Peer]
PublicKey = <server_public_key>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
As noted in the ipSpace.net blog, for point-to-point connections, different subnet sizes can be used, but /64 remains the standard.
Practical Examples
Example 1: Creating a /64 address
Your address: 2a07:b944::2:3/128
External address: 2a07:b944::0:39f::14
Network prefix: 2a07:b944::/48
New /64 address: 2a07:b944::1:1/64
Example 2: Checking connectivity
After adding the address to the configuration:
- Restart WireGuard
- Check connectivity:bash
ping6 2a07:b944::1:1
- Check external IP:bash
curl -6 ifconfig.co
Example 3: Accessing yourself
To access your device from outside:
- Set up port forwarding on the VPN server
- Use your /64 address to access
- Make sure the firewall allows incoming connections
According to RFC 5375, you should not use subnets smaller than /64, as SLAAC will not work with smaller subnets.
Sources
- IPv6 Subnetting Explained - subnettingpractice.com
- IPv6 Subnets | pfSense Documentation
- IPv6 Address Planning HOWTO - IPv6 Forum
- IPv6 Subnet Calculator - Vultr
- IPv6 Addressing on Point-to-Point Links - ipSpace.net
- IPv6 Subnetting a /64 - what will break, and how to work around it? - Server Fault
Conclusion
- Converting
/128to/64requires determining the network prefix and creating the appropriate subnet - For your situation with the
2a07:b944::/48prefix, you should add an address like2a07:b944::1:1/64 - WireGuard supports multiple addresses in a single
[Interface]section - The
/64standard ensures compatibility with SLAAC and other IPv6 features - Always check connectivity after changing the configuration
For full implementation of self-access through VPN, in addition to adding a /64 address, you will need to configure appropriate firewall rules and port forwarding on the VPN server.