A lingering problem I had was my WireGuard tunnel for client devices.
I have multiple times added some subnet and then had to individually add it to the allowed IPs on each device. I didn't want to just preemptively forward the entire 10.0.0.0/8 block, because that would be asking for trouble.

Now it just dawned on me that if I only use IPv6, that problem is gone. Not once did I have to change the v6 prefix, because I can easily leave enough room to grow.

#HowIPv6HelpedMeThisWeek

@jana That's the primary reason my tunnel is v6-only (it runs as a split-tunnel, so no legacy IP traffic needs to traverse it) along with the rest of my lab.

Also, at least in the Linux implementation, "allowed IPs" is equivalent to an iptables filter, while the actual routing of traffic to peers occurs via the normal routing tables. The routes look like [dest] via [peer's on-link IP], which means it also works with route-distribution protocols like OSPF and BGP.

@becomethewaifu Yup, I'm already running BGP over WireGuard for my core network. And those links are v6-only LLAs and v4 is using a v6 next hop.

I just never thought to also do it for my end clients, that network was still plain dual stack.