🚀 Tailscale Trick: True IPv6-Only VPN with NAT64/DNS64! Ready to ditch IPv4 and end the mobile VPN IP overlap frustration? I built an IPv6-only VPN on Tailscale that forces all tunnel traffic over IPv6 and uses DNS64/NAT64 at the exit node to reach the IPv4-only parts of the internet.
✅ Solving the IP Overlap Challenge
This architecture removes the persistent problem of address overlap in IPv4 VPNs:
• The Problem: Tailscale's IPv4 addresses come from the CGNAT range (100.64.0.0/10), the same range many cell carriers, ISPs and public networks use for their own clients. When you move onto such a network, its addresses collide with the tailnet's range and the VPN breaks.
• The IPv6 Solution: Force the tunnel to use only Tailscale's IPv6 Unique Local Addresses (ULA) in fd7a:115c:a1e0::/48. Local networks don't assign addresses from that prefix, so the overlay keeps working wherever you connect.
⚙️ The Architecture & Configuration
- Exit Node: Acts as the gateway.
- NAT64 with Tayga: The Exit Node runs Tayga, which translates the clients' IPv6 packets to IPv4 (RFC 6052 mapping under a NAT64 prefix, typically the well-known 64:ff9b::/96). In this setup NAT66 rewrites the client's internal ULA source address before the packet reaches Tayga; the IPv4 address Tayga picks from its pool is private, so it still has to be masqueraded on the exit node's WAN interface.
- DNS64 with BIND: A BIND resolver on the tailnet (its dns64 option) synthesizes AAAA records for names that only have A records, embedding the IPv4 address under the NAT64 prefix. That prefix must be the same one Tayga translates, otherwise clients receive addresses that nothing routes.
🔒 Making it IPv6-Only
• ACL Modification: Crucially, modify the Tailscale ACL to disable IPv4 for the clients (a nodeAttrs entry), so nodes get only their IPv6 tailnet address and the IPv4 stack disappears from the VPN connection.
• DNS Setting: Point the tailnet's nameserver at the IPv6 address of your BIND server and override local DNS. Tailscale warns about an IPv6-only nameserver, but it works, since the server sits on the IPv6-only tailnet.
• Caveat: DNS64 only helps when a name is resolved; apps that connect to hard-coded IPv4 literals will still fail on an IPv6-only client.
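The pieces above (Tayga, BIND DNS64, the Tailscale ACL and the address synthesis DNS64 performs), collected into one exit-node setup script as an added example; this is not the post author's script. It assumes a Linux exit node with nftables, a WAN interface named by WAN_IF, a private Tayga pool of 192.168.255.0/24 with Tayga at 192.168.255.1, the well-known NAT64 prefix 64:ff9b::/96 for both Tayga and BIND, a placeholder tailnet IPv6 address for the BIND server, and that "disable-ipv4" is the Tailscale nodeAttrs attribute that removes IPv4 (verify against the current ACL docs). The NAT66 step the post describes is not included.

```shell
#!/bin/sh
# Added example: exit-node setup for an IPv6-only tailnet with Tayga (NAT64)
# and BIND (DNS64). Not the post author's script; assumptions are marked.

NAT64_PREFIX="64:ff9b::/96"        # RFC 6052 well-known prefix (assumed; BIND and Tayga must agree)
TAYGA_POOL="192.168.255.0/24"      # assumed private pool Tayga maps translated IPv6 clients into
TAYGA_IPV4="192.168.255.1"         # assumed Tayga's own IPv4 address inside that pool
WAN_IF="${WAN_IF:-eth0}"           # assumed WAN interface; override via environment
BIND_TS_IPV6="${BIND_TS_IPV6:-fd7a:115c:a1e0::1234}"  # placeholder tailnet IPv6 of the BIND server

# What DNS64 hands back for an A record: the RFC 6052 mapping under a /96 prefix,
# i.e. the IPv4 address becomes the low 32 bits of the synthesized AAAA.
nat64_synth() (
    # usage: nat64_synth 93.184.216.34  -> 64:ff9b::5db8:d822
    IFS=.
    set -- $1
    printf '%s%x:%x\n' "${NAT64_PREFIX%/*}" $(( $1 * 256 + $2 )) $(( $3 * 256 + $4 ))
)

# Tayga configuration (keys are Tayga's own: tun-device, ipv4-addr, prefix, dynamic-pool, data-dir).
write_tayga_conf() {
    cat > "$1/tayga.conf" <<EOF
tun-device nat64
ipv4-addr $TAYGA_IPV4
prefix $NAT64_PREFIX
dynamic-pool $TAYGA_POOL
data-dir /var/lib/tayga
EOF
}

# BIND options fragment to merge into named.conf: the dns64 prefix must be the one
# Tayga translates, otherwise clients get AAAA records that nothing routes.
write_bind_dns64() {
    cat > "$1/named.conf.dns64" <<EOF
options {
    listen-on-v6 { any; };
    recursion yes;
    dns64 $NAT64_PREFIX {
        clients { any; };
        recursive-only yes;
    };
};
EOF
}

# Tailscale ACL fragment (HuJSON). "disable-ipv4" is assumed to be the nodeAttrs
# attribute that strips IPv4 from every node; check the current ACL reference.
write_tailscale_acl() {
    cat > "$1/acl-nodeattrs.hujson" <<EOF
{
  "nodeAttrs": [
    { "target": ["*"], "attr": ["disable-ipv4"] },
  ],
  // DNS: set the tailnet nameserver to $BIND_TS_IPV6 in the admin console and override local DNS.
}
EOF
}

# Runtime wiring on the exit node (needs root): NAT64 tun device, routes, forwarding,
# and IPv4 masquerade of Tayga's private pool towards the WAN.
apply_exit_node() {
    tayga -c "$1/tayga.conf" --mktun
    ip link set nat64 up
    ip addr add "$TAYGA_IPV4" dev nat64
    ip route add "$TAYGA_POOL" dev nat64
    ip -6 route add "$NAT64_PREFIX" dev nat64
    sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
    nft add table ip nat64
    nft "add chain ip nat64 postrouting { type nat hook postrouting priority 100 ; }"
    nft add rule ip nat64 postrouting ip saddr "$TAYGA_POOL" oifname "$WAN_IF" masquerade
    tayga -c "$1/tayga.conf"
}

case "${1:-synth}" in
    render) write_tayga_conf "${2:?dir}"; write_bind_dns64 "$2"; write_tailscale_acl "$2" ;;
    apply)  write_tayga_conf /etc; apply_exit_node /etc ;;
    synth)  nat64_synth "${2:-93.184.216.34}" ;;
    *)      echo "usage: $0 {render DIR|apply|synth IPv4}" >&2 ;;
esac
```

Run `sh exitnode.sh render ./out` to inspect the generated files before touching the host, `sh exitnode.sh synth 1.1.1.1` to see the AAAA a DNS64 resolver will return for an IPv4-only name, and `sh exitnode.sh apply` as root on the exit node once the prefix, pool and WAN interface match your environment.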
If you want a robust, clean exit node setup and some real network modernization, this is a great project to tackle!