How to Set Up an IPv6-Only Server and Tunnel IPv4 Traffic

Introduction

As IPv6 adoption grows, hosting servers with only IPv6 connectivity is becoming more common. However, many clients and services still rely on IPv4. This guide will show you how to set up an IPv6-only server and tunnel IPv4 traffic using NAT64, 464XLAT, or a VPN tunnel.

Step 1: Set Up an IPv6-Only Server

  1. Ensure Your Server Has an IPv6 Address

  • Verify that your server has an assigned IPv6 address:

    ip -6 addr show

  • If needed, manually assign an IPv6 address in /etc/network/interfaces:

    auto eth0

    iface eth0 inet6 static

    address 2001:db8::1/64

    gateway 2001:db8::fffe

  1. Disable IPv4 (Optional)

  • If you want to enforce an IPv6-only setup, disable IPv4:

    sudo sysctl -w net.ipv4.conf.all.disable_ipv4=1

    sudo sysctl -w net.ipv4.conf.default.disable_ipv4=1

Step 2: Configure NAT64 and DNS64 for IPv4 Compatibility

  1. Install Tayga (NAT64)

  • NAT64 allows IPv6-only clients to communicate with IPv4 networks.

  • Install Tayga on your server:

    sudo apt install tayga -y

  1. Configure Tayga

  • Edit the configuration file:

    sudo nano /etc/tayga.conf

  • Add the following settings:

    prefix 64:ff9b::/96

    ipv4-addr 192.168.255.1

    dynamic-pool 192.168.255.0/24

  1. Start Tayga

  • Enable and start the service:

    sudo systemctl enable tayga

    sudo systemctl start tayga

  1. Install DNS64

  • Install BIND9 or another DNS resolver that supports DNS64:

    sudo apt install bind9 -y

  • Configure DNS64 by adding the following to /etc/bind/named.conf.options:

    options {

      listen-on-v6 { any; };

  dns64 64:ff9b::/96 {

  	clients { any; };
  	mapped { any; };
  };

    };

  1. Restart BIND9

  • Apply the changes:

    sudo systemctl restart bind9

Step 3: Use 464XLAT for Full IPv4 Compatibility (Optional)

  1. Install Jool

  • Jool provides a CLAT (Client-side translation) for 464XLAT:

    sudo apt install jool -y

  1. Configure Jool

  • Enable SIIT (Stateless IP/ICMP Translation):

    sudo jool instance add “default” –netfilter –pool6 64:ff9b::/96

  1. Start Jool

  • Apply the configuration:

    sudo systemctl enable jool

    sudo systemctl start jool

Step 4: Set Up an IPv4 Tunnel with a VPN (Alternative Method)

  1. Install WireGuard

  • If NAT64/464XLAT does not meet your needs, use WireGuard to tunnel IPv4:

    sudo apt install wireguard -y

  1. Configure WireGuard

  • Generate keys and create a VPN tunnel to an external IPv4 server:

    umask 077

    wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey

  • Create a WireGuard config file:

    nano /etc/wireguard/wg0.conf

  • Add the following:

    [Interface]

      `PrivateKey = `*`YOUR_PRIVATE_KEY`*

  Address = 192.168.100.2/24

    [Peer]

      PublicKey = `*`VPN_SERVER_PUBLIC_KEY`*

  Endpoint = vpn-server-ip:51820

  AllowedIPs = 0.0.0.0/0
  1. Start WireGuard

  • Enable and start the service:

    sudo systemctl enable wg-quick@wg0

    sudo systemctl start wg-quick@wg0

Conclusion

By following this guide, you now have an IPv6-only server that can handle IPv4 traffic via NAT64, 464XLAT, or a VPN tunnel. These methods ensure compatibility while keeping your setup future-proof.