A lingering problem I had was my WireGuard tunnel for client devices.
I have multiple times added some subnet and then had to individually add it to the allowed IPs on each device. I didn't want to just preemptively forward the entire 10.0.0.0/8 block, because that would be asking for trouble.

Now it just dawned on me that if I only use IPv6, that problem is gone. Not once did I have to change the v6 prefix, because I can easily leave enough room to grow.

#HowIPv6HelpedMeThisWeek

@jana That's the primary reason my tunnel is v6-only (it runs as a split-tunnel, so no legacy IP traffic needs to traverse it) along with the rest of my lab.

Also, at least in the Linux implementation, "allowed IPs" is equivalent to an iptables filter, while the actual routing of traffic to peers occurs via the normal routing tables. The routes look like [dest] via [peer's on-link IP], which means it also works with route-distribution protocols like OSPF and BGP.

@becomethewaifu @jana Plus, if you actually needed to reach something over the tunnel that's stuck IPv4-only, there's always NAT64. 😀

(And here we hint at the only context in which I like DoH: the ability to make one browser use DNS64, but not force the rest of the operating system to also use it.)

#HowIPv6HelpedMeThisWeek (but it was a different week)

@jima @becomethewaifu Ooooh, smart! Then I can also keep accessing my dumber IoT devices! I will do just that :3
@jana @becomethewaifu yessss 😎