Confirm WAN Status

Before creating the tunnel, ensure that your MikroTik WAN supports both IPv4 and IPv6.

Check IPv4 & IPv6 connectivity:

/ip address print
/ipv6 address print
/ping 8.8.8.8
/ping 2606:4700:4700::1111

Verify that your WAN interface has:

  • Global IPv6 address
  • Delegated IPv6 prefix (/56 or /64 from ISP)

PPPoE client or DHCPv6 client should be functional.

Create WireGuard Interface on MikroTik

Step 1: Add WireGuard interface

/interface wireguard add name=wg0 listen-port=51820 private-key="<server_private_key>"

Step 2: Assign IPv4 & IPv6 addresses to the interface

  • Pick a private IPv4 subnet for the tunnel (e.g., 192.168.2.0/24)
  • Pick a /64 from your delegated prefix (e.g., /64)

    /ip address add address=192.168.2.1/24 interface=wg0
    /ipv6 address add address=<public>/64 interface=wg0

    Do not use "From Pool", as this will renew the IPv6 address.

⚠️ Ensure the chosen IPv6 is within your delegated prefix and not already in use.

Define Peers and Allowed IPs

Step 1: Add a peer on the MikroTik server

/interface wireguard peers add interface=wg0 public-key="<client_public_key>" \
	allowed-address=192.168.2.4/32,<client ipv6>/128 \
	persistent-keepalive=25

  • Allowed IPs include both IPv4 and IPv6 addresses of the peer.
  • PersistentKeepalive is optional but recommended for clients behind NAT.

Step 2: Client AllowedIPs

For full tunnel:

AllowedIPs = 0.0.0.0/0, ::/0

For split tunnel:

AllowedIPs = 192.168.2.0/24, <ipv6 from address interface>/64

Client Configuration (wg0.conf)

  • Create a dual-stack WireGuard config on the client:

[Interface]
PrivateKey = <client_private_key>
Address = 192.168.2.4/24
Address = <chosen ipv6 for peer>/64
ListenPort = 51820
DNS = 1.1.1.1, 2606:4700:4700::1111

[Peer]
PublicKey = <server_public_key>
PresharedKey = <preshared_key_optional>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <server_public_ip>:51820
PersistentKeepAlive = 25

Replace the <…> placeholders with actual keys and addresses.

Firewall & NAT

  • Allow WireGuard traffic (UDP 51820):

/ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept comment="Allow WG"
/ip firewall filter add chain=input connection-state=established,related action=accept

  • NAT for IPv4 Internet access through tunnel:

/ip firewall nat add chain=srcnat src-address=192.168.2.0/24 action=masquerade

  • IPv6 NAT is generally not required; routing will handle it.

Test and Verify

Step 1: Bring up interfaces

/interface wireguard print

  • Check that the WireGuard interface is running.

Step 2: Ping across IPv4

ping 192.168.2.1   # From client
ping 192.168.2.4   # From server

Step 3: Ping across IPv6

/ipv6 ping <server ipv6>   # From client
/ipv6 ping <client ipv6>   # From server

Step 4: Verify DNS & Internet

ping google.com
ping ipv6.google.com

Notes

  • Assign fixed IPv6 addresses to each peer from your WireGuard /64.

  • Keep AllowedIPs consistent for routing.

  • PersistentKeepAlive ensures clients behind NAT stay reachable.
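
The earlier warning about picking an unused address inside the delegated prefix, and the notes above on fixed per-peer addresses and consistent AllowedIPs, can be checked before any peer is added to the router. The Python sketch below is an added example, not part of the original guide; the function name check_peer_plan, the peer names and the 2001:db8:0:10::/64 documentation prefix are assumptions standing in for your own values.

```python
import ipaddress

def check_peer_plan(tunnel_v4, tunnel_v6, server_addrs, peers):
    """Return a list of problems found in a server-side peer address plan.

    peers maps a (hypothetical) peer name to its allowed-address list,
    written the way it would be entered on the MikroTik side.
    """
    nets = {4: ipaddress.ip_network(tunnel_v4), 6: ipaddress.ip_network(tunnel_v6)}
    reserved = {ipaddress.ip_address(a) for a in server_addrs}
    problems, seen = [], {}   # seen: host address -> peer that owns it
    for name, allowed in peers.items():
        families = set()
        for entry in allowed:
            net = ipaddress.ip_network(entry, strict=False)
            families.add(net.version)
            # Following the guide's peer example: one /32 or /128 per peer.
            if net.prefixlen != net.max_prefixlen:
                problems.append(f"{name}: {entry} is wider than a single host")
                continue
            host = net.network_address
            if host not in nets[net.version]:
                problems.append(f"{name}: {host} is outside {nets[net.version]}")
            if host in reserved:
                problems.append(f"{name}: {host} is the server's own address")
            if host in seen:
                problems.append(f"{name}: {host} already assigned to {seen[host]}")
            seen.setdefault(host, name)
        if families != {4, 6}:
            problems.append(f"{name}: not dual-stack (families {sorted(families)})")
    return problems

# Constructed sample plan; 2001:db8::/32 is the documentation prefix.
SAMPLE = {
    "laptop": ["192.168.2.4/32", "2001:db8:0:10::4/128"],
    "phone":  ["192.168.2.5/32", "2001:db8:0:11::5/128"],   # wrong /64
    "tablet": ["192.168.2.4/32", "2001:db8:0:10::6/128"],   # IPv4 reused
    "nas":    ["192.168.2.0/24", "2001:db8:0:10::7/128"],   # whole subnet
}

if __name__ == "__main__":
    for line in check_peer_plan("192.168.2.0/24", "2001:db8:0:10::/64",
                                ["192.168.2.1", "2001:db8:0:10::1"], SAMPLE):
        print(line)
```

An empty result means every peer has exactly one unused IPv4 and one unused IPv6 host address inside the tunnel subnets.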