IPv6 network for WireGuard VPN

I am currently migrating a company-internal VPN from OpenVPN to WireGuard. While at it, I want to migrate it from IPv4 to IPv6. The infrastructure currently consists of one server and ~1200 clients behind DSL connections of several ISPs (customer-dependent). The amount is expected to grow and the network will be clustered at some point. I have read about ULAs and SLAAC, but I am not sure how to pick an IPv6 network that is unlikely to collide with existing IPv6 networks of the respective ISPs or with the networks of our customers. What is the recommended way to select an IPv6 network for such a VPN scenario?


Get an IPv6 allocation from your ISP or RIR.

Define an address plan to cover the number of /64s you need, as far forward as you can project. The smallest you should ask for is a /48, a typical size given to one "site". Plan out all your needs, external services, VPNs, LAN, and test networks, across multiple sites if you plan to grow.

Your prefix is yours to do with as you wish, as your ISP routes it to you. If you want to use a few /64s for VPNs, route those to the VPN server.


A unique local address is not for internet access. While ULA can be useful for LAN-only resources and labs, you really want a globally routable prefix.

Generate a ULA /48 with "fd" plus 40 random bits. This is extremely likely to be unique with any other networks you may encounter. One easy way: install subnetcalc (it has a Debian package) and

subnetcalc fd00:: 48 -uniquelocal

Well, if you want to test IPv6, then I would say go get a /48 subnet from https://Tunnelbroker.net/. It is by far the easiest way to get actual experience with IPv6.

You can get up to 4 x /48 subnets while still being free, though a single /48 subnet will work for most people - like for instance me.

They even have guides for multiple routers and servers on how to forward the IPv6 addresses from your network to the IPv6 Internet.

It is up to you how to subnet the network, but the general rule is that the smallest subnet is a /64 due to the way SLAAC and EUI-64 work.

That means a /48 can potentially be split into 65536 subnets.

For splitting subnets and finding address ranges I tend to use http://www.gestioip.net/cgi-bin/subnet_calculator.cgi.

What I did was I split my subnet into 256 /56 subnets, as I provide IPv6 to multiple physical locations via VPN. That way I can support 256 different locations, which is more than enough for me.

At each of my locations I can split the /56 into another 256 × /64 subnets, which can be assigned to different VLANs.

If 256 subnets isn't enough for one location, then you can always route another /56 subnet to the same location from your available address pool.
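The two steps described in the answers above (a ULA /48 built from "fd" plus 40 random bits, then a /48 split into 256 /56s and each /56 into 256 /64s), as an added Python example that is not code from any of the posters. The function names and the sample customer prefixes are constructed for illustration, and the overlap check against already-known networks is an addition that addresses the collision concern in the question.

```python
import ipaddress
import secrets

ULA_SPACE = ipaddress.IPv6Network("fd00::/8")

def generate_ula_48(global_id=None):
    """Return 'fd' + 40-bit global ID as a /48; random unless global_id is given."""
    gid = secrets.token_bytes(5) if global_id is None else global_id
    if len(gid) != 5:
        raise ValueError("global ID must be exactly 40 bits (5 bytes)")
    return ipaddress.IPv6Network((b"\xfd" + gid + bytes(10), 48))

def child_prefix(parent, index, new_len):
    """Return the index-th subnet of length new_len inside parent."""
    if not parent.prefixlen < new_len <= 64:
        raise ValueError("new_len must be longer than the parent and at most /64")
    if not 0 <= index < 2 ** (new_len - parent.prefixlen):
        raise ValueError("index does not fit in the parent prefix")
    base = int(parent.network_address) + (index << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))

def collisions(candidate, known):
    """Return every known network that overlaps the candidate prefix."""
    return [net for net in known if candidate.overlaps(net)]

def pick_ula_48(known, attempts=8):
    """Draw ULA /48s until one is free of overlaps with the known networks."""
    for _ in range(attempts):
        site = generate_ula_48()
        if not collisions(site, known):
            return site
    raise RuntimeError("no collision-free prefix found; check the known list")

if __name__ == "__main__":
    # Constructed sample data: prefixes already seen at customer sites.
    known = [ipaddress.IPv6Network(p) for p in
             ("2001:db8:40::/48", "fd12:3456:789a::/48")]
    site = pick_ula_48(known)
    location = child_prefix(site, 3, 56)     # 4th of 256 locations
    vpn_net = child_prefix(location, 0, 64)  # first /64 there, e.g. for the VPN
    print(site, location, vpn_net, sep="\n")
```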