One of the biggest headaches in VPN design today isn’t encryption, throughput, or even endpoint security—it’s address conflicts. If you’ve ever merged networks over a VPN, you’ve probably run into overlapping RFC1918 IPv4 space. Two sites both using 10.0.0.0/8? That’s a recipe for NAT gymnastics, subnet renumbering, and a whole lot of late nights.
Some try to avoid conflicts by using Carrier-Grade NAT (CGNAT) address space from RFC 6598 (100.64.0.0/10). Unfortunately, this is no silver bullet. With more ISPs running CGNAT internally, you can still end up overlapping the provider’s network—especially if you route VPN traffic through multiple ISPs.
With IPv6, that problem simply goes away.
IPv6 gives you a vast address space—enough to assign globally unique addresses to every device across every VPN-connected site. The beauty? They can be globally routable without being publicly accessible. With proper firewall rules, they stay just as private as your RFC1918 IPv4 ranges, but without the risk of overlap.
This also means you can design VPN topologies without worrying about “will these two networks collide?” You just pick your IPv6 prefixes, assign them, and get on with business.
⸻
The Next Step: Ditch IPv4 Entirely
For some organizations, the cleanest solution isn’t just “dual-stack with IPv6”—it’s going all-in.
By pairing IPv6 with DNS64 and a NAT64 gateway, IPv6-only clients can still reach IPv4-only servers without ever needing an IPv4 address themselves. Your VPN becomes an IPv6-only transport, reducing complexity and freeing you from the constant IPv4 scarcity problem.
This isn’t theory—it’s being done today by large-scale ISPs, mobile carriers, and forward-thinking enterprises. The benefits are real:
• No overlapping address issues (including CGNAT space)
• Simplified routing
• Future-proof network design
• Less time spent managing IPv4 address plans
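To show what DNS64 and the NAT64 gateway do with an address, here is an added example (not from the original post) of the RFC 6052 mapping: the IPv4 address is embedded in an IPv6 prefix when the AAAA answer is synthesized, and extracted again when the gateway forwards the packet. It generalizes to every prefix length RFC 6052 permits. Assumptions: the 2001:db8:: prefixes are documentation ranges standing in for your own NAT64 prefix, and "non-global" is decided by Python's is_global, which also rejects CGNAT space.

```python
import ipaddress

WKP = ipaddress.IPv6Network("64:ff9b::/96")   # RFC 6052 well-known NAT64 prefix
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)      # the only lengths RFC 6052 allows


def _slots(prefixlen):
    """Byte offsets that carry the IPv4 address; octet 8 (the "u" octet) stays 0."""
    return [i for i in range(prefixlen // 8, 16) if i != 8][:4]


def _net(prefix):
    net = ipaddress.IPv6Network(str(prefix))
    if net.prefixlen not in VALID_LENGTHS:
        raise ValueError(f"NAT64 prefix length /{net.prefixlen} not allowed")
    return net


def embed(ipv4, prefix=WKP):
    """Synthesize the IPv6 address a DNS64 resolver would return for an A record."""
    net, v4 = _net(prefix), ipaddress.IPv4Address(ipv4)
    # The well-known prefix must not represent non-global IPv4 (RFC 6052, 3.1).
    # Assumption: "non-global" is taken from Python's is_global, which also
    # covers 100.64.0.0/10 shared address space.
    if net == WKP and not v4.is_global:
        raise ValueError(f"{v4} is not global; use a network-specific prefix")
    raw = bytearray(net.network_address.packed)
    for pos, octet in zip(_slots(net.prefixlen), v4.packed):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))


def extract(ipv6, prefix=WKP):
    """Recover the IPv4 destination, as the NAT64 gateway does on forwarding."""
    net, addr = _net(prefix), ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is outside NAT64 prefix {net}")
    return ipaddress.IPv4Address(bytes(addr.packed[i] for i in _slots(net.prefixlen)))


if __name__ == "__main__":
    # Constructed samples: 2001:db8::/32 is the IPv6 documentation range.
    for v4, pfx in [("8.8.8.8", WKP), ("10.1.2.3", "2001:db8:122:344::/96"),
                    ("192.0.2.33", "2001:db8:122::/48")]:
        v6 = embed(v4, pfx)
        print(f"{v4:>12} via {str(pfx):<24} -> {v6} -> {extract(v6, pfx)}")
```

Reaching RFC1918 or CGNAT-addressed IPv4 servers through NAT64 therefore needs a network-specific prefix from your own allocation, and firewall rules on the VPN should treat that prefix as the path to the IPv4 side.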
⸻
IPv4’s limitations were never meant to last this long. With IPv6, especially when combined with DNS64/NAT64, we can finally design networks the way they were meant to be—simple, scalable, and free from the constraints of the past.
Question for you: Is your VPN still fighting RFC1918 and CGNAT collisions, or have you made the leap to an IPv6-first design?