[management, client] Add IPv6 overlay support (#5631)

2026-05-08 17:59:56 +00:00 · 2026-05-07 18:33:37 +09:00
parent f23aaa9ae7
commit 205ebcfda2
229 changed files with 10155 additions and 2816 deletions
--- a/client/internal/acl/manager.go
+++ b/client/internal/acl/manager.go
@@ -5,7 +5,6 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
-	"net"
 	"net/netip"
 	"strconv"
 	"sync"
@@ -19,6 +18,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/acl/id"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+	"github.com/netbirdio/netbird/shared/netiputil"
 )

 var ErrSourceRangesEmpty = errors.New("sources range is empty")
@@ -105,6 +105,10 @@ func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
 	newRulePairs := make(map[id.RuleID][]firewall.Rule)
 	ipsetByRuleSelectors := make(map[string]string)

+	// TODO: deny rules should be fatal: if a deny rule fails to apply, we must
+	// roll back all allow rules to avoid a fail-open where allowed traffic bypasses
+	// the missing deny. Currently we accumulate errors and continue.
+	var merr *multierror.Error
 	for _, r := range rules {
 		// if this rule is member of rule selection with more than DefaultIPsCountForSet
 		// it's IP address can be used in the ipset for firewall manager which supports it
@@ -117,9 +121,8 @@ func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
 		}
 		pairID, rulePair, err := d.protoRuleToFirewallRule(r, ipsetName)
 		if err != nil {
-			log.Errorf("failed to apply firewall rule: %+v, %v", r, err)
-			d.rollBack(newRulePairs)
-			break
+			merr = multierror.Append(merr, fmt.Errorf("apply firewall rule: %w", err))
+			continue
 		}
 		if len(rulePair) > 0 {
 			d.peerRulesPairs[pairID] = rulePair
@@ -127,6 +130,10 @@ func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
 		}
 	}

+	if merr != nil {
+		log.Errorf("failed to apply %d peer ACL rule(s): %v", merr.Len(), nberrors.FormatErrorOrNil(merr))
+	}
+
 	for pairID, rules := range d.peerRulesPairs {
 		if _, ok := newRulePairs[pairID]; !ok {
 			for _, rule := range rules {
@@ -216,9 +223,9 @@ func (d *DefaultManager) protoRuleToFirewallRule(
 	r *mgmProto.FirewallRule,
 	ipsetName string,
 ) (id.RuleID, []firewall.Rule, error) {
-	ip := net.ParseIP(r.PeerIP)
-	if ip == nil {
-		return "", nil, fmt.Errorf("invalid IP address, skipping firewall rule")
+	ip, err := extractRuleIP(r)
+	if err != nil {
+		return "", nil, err
 	}

 	protocol, err := convertToFirewallProtocol(r.Protocol)
@@ -289,13 +296,13 @@ func portInfoEmpty(portInfo *mgmProto.PortInfo) bool {

 func (d *DefaultManager) addInRules(
 	id []byte,
-	ip net.IP,
+	ip netip.Addr,
 	protocol firewall.Protocol,
 	port *firewall.Port,
 	action firewall.Action,
 	ipsetName string,
 ) ([]firewall.Rule, error) {
-	rule, err := d.firewall.AddPeerFiltering(id, ip, protocol, nil, port, action, ipsetName)
+	rule, err := d.firewall.AddPeerFiltering(id, ip.AsSlice(), protocol, nil, port, action, ipsetName)
 	if err != nil {
 		return nil, fmt.Errorf("add firewall rule: %w", err)
 	}
@@ -305,7 +312,7 @@ func (d *DefaultManager) addInRules(

 func (d *DefaultManager) addOutRules(
 	id []byte,
-	ip net.IP,
+	ip netip.Addr,
 	protocol firewall.Protocol,
 	port *firewall.Port,
 	action firewall.Action,
@@ -315,7 +322,7 @@ func (d *DefaultManager) addOutRules(
 		return nil, nil
 	}

-	rule, err := d.firewall.AddPeerFiltering(id, ip, protocol, port, nil, action, ipsetName)
+	rule, err := d.firewall.AddPeerFiltering(id, ip.AsSlice(), protocol, port, nil, action, ipsetName)
 	if err != nil {
 		return nil, fmt.Errorf("add firewall rule: %w", err)
 	}
@@ -323,9 +330,9 @@ func (d *DefaultManager) addOutRules(
 	return rule, nil
 }

-// getPeerRuleID() returns unique ID for the rule based on its parameters.
+// getPeerRuleID returns unique ID for the rule based on its parameters.
 func (d *DefaultManager) getPeerRuleID(
-	ip net.IP,
+	ip netip.Addr,
 	proto firewall.Protocol,
 	direction int,
 	port *firewall.Port,
@@ -344,15 +351,25 @@ func (d *DefaultManager) getRuleGroupingSelector(rule *mgmProto.FirewallRule) st
 	return fmt.Sprintf("%v:%v:%v:%s:%v", strconv.Itoa(int(rule.Direction)), rule.Action, rule.Protocol, rule.Port, rule.PortInfo)
 }

-func (d *DefaultManager) rollBack(newRulePairs map[id.RuleID][]firewall.Rule) {
-	log.Debugf("rollback ACL to previous state")
-	for _, rules := range newRulePairs {
-		for _, rule := range rules {
-			if err := d.firewall.DeletePeerRule(rule); err != nil {
-				log.Errorf("failed to delete new firewall rule (id: %v) during rollback: %v", rule.ID(), err)
-			}
+
+// extractRuleIP extracts the peer IP from a firewall rule.
+// If sourcePrefixes is populated (new management), decode the first entry and use its address.
+// Otherwise fall back to the deprecated PeerIP string field (old management).
+func extractRuleIP(r *mgmProto.FirewallRule) (netip.Addr, error) {
+	if len(r.SourcePrefixes) > 0 {
+		addr, err := netiputil.DecodeAddr(r.SourcePrefixes[0])
+		if err != nil {
+			return netip.Addr{}, fmt.Errorf("decode source prefix: %w", err)
 		}
+		return addr.Unmap(), nil
 	}
+
+	//nolint:staticcheck // PeerIP used for backward compatibility with old management
+	addr, err := netip.ParseAddr(r.PeerIP)
+	if err != nil {
+		return netip.Addr{}, fmt.Errorf("invalid IP address, skipping firewall rule")
+	}
+	return addr.Unmap(), nil
 }

 func convertToFirewallProtocol(protocol mgmProto.RuleProtocol) (firewall.Protocol, error) {
--- a/client/internal/auth/auth.go
+++ b/client/internal/auth/auth.go
@@ -321,6 +321,7 @@ func (a *Auth) setSystemInfoFlags(info *system.Info) {
 		a.config.DisableFirewall,
 		a.config.BlockLANAccess,
 		a.config.BlockInbound,
+		a.config.DisableIPv6,
 		a.config.LazyConnectionEnabled,
 		a.config.EnableSSHRoot,
 		a.config.EnableSSHSFTP,
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -14,10 +14,13 @@ import (

 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
+
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"

+	"github.com/netbirdio/netbird/client/iface/wgaddr"
+
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/netstack"
@@ -536,9 +539,20 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 	if config.NetworkMonitor != nil {
 		nm = *config.NetworkMonitor
 	}
+	wgAddr, err := wgaddr.ParseWGAddress(peerConfig.Address)
+	if err != nil {
+		return nil, fmt.Errorf("parse overlay address %q: %w", peerConfig.Address, err)
+	}
+
+	if !config.DisableIPv6 {
+		if err := wgAddr.SetIPv6FromCompact(peerConfig.GetAddressV6()); err != nil {
+			log.Warn(err)
+		}
+	}
+
 	engineConf := &EngineConfig{
 		WgIfaceName:                   config.WgIface,
-		WgAddr:                        peerConfig.Address,
+		WgAddr:                        wgAddr,
 		IFaceBlackList:                config.IFaceBlackList,
 		DisableIPv6Discovery:          config.DisableIPv6Discovery,
 		WgPrivateKey:                  key,
@@ -563,6 +577,7 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 		DisableFirewall:     config.DisableFirewall,
 		BlockLANAccess:      config.BlockLANAccess,
 		BlockInbound:        config.BlockInbound,
+		DisableIPv6:         config.DisableIPv6,

 		LazyConnectionEnabled: config.LazyConnectionEnabled,

@@ -637,6 +652,7 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.DisableFirewall,
 		config.BlockLANAccess,
 		config.BlockInbound,
+		config.DisableIPv6,
 		config.LazyConnectionEnabled,
 		config.EnableSSHRoot,
 		config.EnableSSHSFTP,
--- a/client/internal/connect_android_default.go
+++ b/client/internal/connect_android_default.go
@@ -40,6 +40,10 @@ func (noopNetworkChangeListener) SetInterfaceIP(string) {
 	// network stack, not by OS-level interface configuration.
 }

+func (noopNetworkChangeListener) SetInterfaceIPv6(string) {
+	// No-op: same as SetInterfaceIP, IPv6 overlay is managed by userspace stack.
+}
+
 // noopDnsReadyListener is a stub for embed.Client on Android.
 // DNS readiness notifications are not needed in netstack/embed mode
 // since system DNS is disabled and DNS resolution happens externally.
--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
@@ -31,6 +31,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/updater/installer"
 	nbstatus "github.com/netbirdio/netbird/client/status"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+	"github.com/netbirdio/netbird/shared/netiputil"
 )

 const readmeContent = `Netbird debug bundle
@@ -624,6 +625,7 @@ func (g *BundleGenerator) addCommonConfigFields(configContent *strings.Builder)
 	configContent.WriteString(fmt.Sprintf("DisableFirewall: %v\n", g.internalConfig.DisableFirewall))
 	configContent.WriteString(fmt.Sprintf("BlockLANAccess: %v\n", g.internalConfig.BlockLANAccess))
 	configContent.WriteString(fmt.Sprintf("BlockInbound: %v\n", g.internalConfig.BlockInbound))
+	configContent.WriteString(fmt.Sprintf("DisableIPv6: %v\n", g.internalConfig.DisableIPv6))

 	if g.internalConfig.DisableNotifications != nil {
 		configContent.WriteString(fmt.Sprintf("DisableNotifications: %v\n", *g.internalConfig.DisableNotifications))
@@ -1294,6 +1296,21 @@ func anonymizePeerConfig(config *mgmProto.PeerConfig, anonymizer *anonymize.Anon
 		config.Address = anonymizer.AnonymizeIP(addr).String()
 	}

+	if len(config.GetAddressV6()) > 0 {
+		v6Prefix, err := netiputil.DecodePrefix(config.GetAddressV6())
+		if err != nil {
+			config.AddressV6 = nil
+		} else {
+			anonV6 := anonymizer.AnonymizeIP(v6Prefix.Addr())
+			b, err := netiputil.EncodePrefix(netip.PrefixFrom(anonV6, v6Prefix.Bits()))
+			if err != nil {
+				config.AddressV6 = nil
+			} else {
+				config.AddressV6 = b
+			}
+		}
+	}
+
 	anonymizeSSHConfig(config.SshConfig)

 	config.Dns = anonymizer.AnonymizeString(config.Dns)
@@ -1396,8 +1413,20 @@ func anonymizeFirewallRule(rule *mgmProto.FirewallRule, anonymizer *anonymize.An
 		return
 	}

+	//nolint:staticcheck // PeerIP used for backward compatibility
 	if addr, err := netip.ParseAddr(rule.PeerIP); err == nil {
-		rule.PeerIP = anonymizer.AnonymizeIP(addr).String()
+		rule.PeerIP = anonymizer.AnonymizeIP(addr).String() //nolint:staticcheck
+	}
+
+	for i, raw := range rule.GetSourcePrefixes() {
+		p, err := netiputil.DecodePrefix(raw)
+		if err != nil {
+			continue
+		}
+		anonAddr := anonymizer.AnonymizeIP(p.Addr())
+		if b, err := netiputil.EncodePrefix(netip.PrefixFrom(anonAddr, p.Bits())); err == nil {
+			rule.SourcePrefixes[i] = b
+		}
 	}
 }

--- a/client/internal/debug/debug_test.go
+++ b/client/internal/debug/debug_test.go
@@ -5,6 +5,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"net"
+	"net/netip"
 	"net/url"
 	"os"
 	"path/filepath"
@@ -21,8 +22,16 @@ import (
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+	"github.com/netbirdio/netbird/shared/netiputil"
 )

+func mustEncodePrefix(t *testing.T, p netip.Prefix) []byte {
+	t.Helper()
+	b, err := netiputil.EncodePrefix(p)
+	require.NoError(t, err)
+	return b
+}
+
 func TestAnonymizeStateFile(t *testing.T) {
 	testState := map[string]json.RawMessage{
 		"null_state": json.RawMessage("null"),
@@ -173,7 +182,7 @@ func TestAnonymizeStateFile(t *testing.T) {
 	assert.Equal(t, "100.64.0.1", state["protected_ip"]) // Protected IP unchanged
 	assert.Equal(t, "8.8.8.8", state["well_known_ip"])   // Well-known IP unchanged
 	assert.NotEqual(t, "2001:db8::1", state["ipv6_addr"])
-	assert.Equal(t, "fd00::1", state["private_ipv6"]) // Private IPv6 unchanged
+	assert.NotEqual(t, "fd00::1", state["private_ipv6"]) // ULA IPv6 anonymized (global ID is a fingerprint)
 	assert.NotEqual(t, "test.example.com", state["domain"])
 	assert.True(t, strings.HasSuffix(state["domain"].(string), ".domain"))
 	assert.Equal(t, "device.netbird.cloud", state["netbird_domain"]) // Netbird domain unchanged
@@ -277,11 +286,13 @@ func mustMarshal(v any) json.RawMessage {
 }

 func TestAnonymizeNetworkMap(t *testing.T) {
+	origV6Prefix := netip.MustParsePrefix("2001:db8:abcd::5/64")
 	networkMap := &mgmProto.NetworkMap{
 		PeerConfig: &mgmProto.PeerConfig{
-			Address: "203.0.113.5",
-			Dns:     "1.2.3.4",
-			Fqdn:    "peer1.corp.example.com",
+			Address:   "203.0.113.5",
+			AddressV6: mustEncodePrefix(t, origV6Prefix),
+			Dns:       "1.2.3.4",
+			Fqdn:      "peer1.corp.example.com",
 			SshConfig: &mgmProto.SSHConfig{
 				SshPubKey: []byte("ssh-rsa AAAAB3NzaC1..."),
 			},
@@ -355,6 +366,12 @@ func TestAnonymizeNetworkMap(t *testing.T) {
 	require.NotEqual(t, "peer1.corp.example.com", peerCfg.Fqdn)
 	require.True(t, strings.HasSuffix(peerCfg.Fqdn, ".domain"))

+	// Verify AddressV6 is anonymized but preserves prefix length
+	anonV6Prefix, err := netiputil.DecodePrefix(peerCfg.AddressV6)
+	require.NoError(t, err)
+	assert.Equal(t, origV6Prefix.Bits(), anonV6Prefix.Bits(), "prefix length must be preserved")
+	assert.NotEqual(t, origV6Prefix.Addr(), anonV6Prefix.Addr(), "IPv6 address must be anonymized")
+
 	// Verify SSH key is replaced
 	require.Equal(t, []byte("ssh-placeholder-key"), peerCfg.SshConfig.SshPubKey)

@@ -660,8 +677,6 @@ func isInCGNATRange(ip net.IP) bool {
 }

 func TestAnonymizeFirewallRules(t *testing.T) {
-	// TODO: Add ipv6
-
 	// Example iptables-save output
 	iptablesSave := `# Generated by iptables-save v1.8.7 on Thu Dec 19 10:00:00 2024
 *filter
@@ -697,17 +712,31 @@ Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination`

-	// Example nftables output
+	// Example ip6tables-save output
+	ip6tablesSave := `# Generated by ip6tables-save v1.8.7 on Thu Dec 19 10:00:00 2024
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -s fd00:1234::1/128 -j ACCEPT
+-A INPUT -s 2607:f8b0:4005::1/128 -j DROP
+-A FORWARD -s 2001:db8::/32 -d 2607:f8b0:4005::200e/128 -j ACCEPT
+COMMIT`
+
+	// Example nftables output with IPv6
 	nftablesRules := `table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
                ip saddr 192.168.1.1 accept
                ip saddr 44.192.140.1 drop
+                ip6 saddr 2607:f8b0:4005::1 drop
+                ip6 saddr fd00:1234::1 accept
        }
        chain forward {
                type filter hook forward priority filter; policy accept;
                ip saddr 10.0.0.0/8 drop
                ip saddr 44.192.140.0/24 ip daddr 52.84.12.34/24 accept
+                ip6 saddr 2001:db8::/32 ip6 daddr 2607:f8b0:4005::200e/128 accept
        }
    }`

@@ -770,6 +799,37 @@ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 	assert.Contains(t, anonNftables, "table inet filter {")
 	assert.Contains(t, anonNftables, "chain input {")
 	assert.Contains(t, anonNftables, "type filter hook input priority filter; policy accept;")
+
+	// IPv6 public addresses in nftables should be anonymized
+	assert.NotContains(t, anonNftables, "2607:f8b0:4005::1")
+	assert.NotContains(t, anonNftables, "2607:f8b0:4005::200e")
+	assert.NotContains(t, anonNftables, "2001:db8::")
+	assert.Contains(t, anonNftables, "2001:db8:ffff::") // Default anonymous v6 range
+
+	// ULA addresses in nftables should be anonymized (global ID is a fingerprint)
+	assert.NotContains(t, anonNftables, "fd00:1234::1")
+
+	// IPv6 nftables structure preserved
+	assert.Contains(t, anonNftables, "ip6 saddr")
+	assert.Contains(t, anonNftables, "ip6 daddr")
+
+	// Test ip6tables-save anonymization
+	anonIp6tablesSave := anonymizer.AnonymizeString(ip6tablesSave)
+
+	// ULA IPv6 should be anonymized (global ID is a fingerprint)
+	assert.NotContains(t, anonIp6tablesSave, "fd00:1234::1/128")
+
+	// Public IPv6 addresses should be anonymized
+	assert.NotContains(t, anonIp6tablesSave, "2607:f8b0:4005::1")
+	assert.NotContains(t, anonIp6tablesSave, "2607:f8b0:4005::200e")
+	assert.NotContains(t, anonIp6tablesSave, "2001:db8::")
+	assert.Contains(t, anonIp6tablesSave, "2001:db8:ffff::") // Default anonymous v6 range
+
+	// Structure should be preserved
+	assert.Contains(t, anonIp6tablesSave, "*filter")
+	assert.Contains(t, anonIp6tablesSave, "COMMIT")
+	assert.Contains(t, anonIp6tablesSave, "-j DROP")
+	assert.Contains(t, anonIp6tablesSave, "-j ACCEPT")
 }

 // TestAddConfig_AllFieldsCovered uses reflection to ensure every field in
--- a/client/internal/dns.go
+++ b/client/internal/dns.go
@@ -12,52 +12,83 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 )

-func createPTRRecord(aRecord nbdns.SimpleRecord, prefix netip.Prefix) (nbdns.SimpleRecord, bool) {
-	ip, err := netip.ParseAddr(aRecord.RData)
+func createPTRRecord(record nbdns.SimpleRecord, prefix netip.Prefix) (nbdns.SimpleRecord, bool) {
+	ip, err := netip.ParseAddr(record.RData)
 	if err != nil {
-		log.Warnf("failed to parse IP address %s: %v", aRecord.RData, err)
+		log.Warnf("failed to parse IP address %s: %v", record.RData, err)
 		return nbdns.SimpleRecord{}, false
 	}

+	ip = ip.Unmap()
 	if !prefix.Contains(ip) {
 		return nbdns.SimpleRecord{}, false
 	}

-	ipOctets := strings.Split(ip.String(), ".")
-	slices.Reverse(ipOctets)
-	rdnsName := dns.Fqdn(strings.Join(ipOctets, ".") + ".in-addr.arpa")
+	var rdnsName string
+	if ip.Is4() {
+		octets := strings.Split(ip.String(), ".")
+		slices.Reverse(octets)
+		rdnsName = dns.Fqdn(strings.Join(octets, ".") + ".in-addr.arpa")
+	} else {
+		// Expand to full 32 nibbles in reverse order (LSB first) per RFC 3596.
+		raw := ip.As16()
+		nibbles := make([]string, 32)
+		for i := 0; i < 16; i++ {
+			nibbles[31-i*2] = fmt.Sprintf("%x", raw[i]>>4)
+			nibbles[31-i*2-1] = fmt.Sprintf("%x", raw[i]&0x0f)
+		}
+		rdnsName = dns.Fqdn(strings.Join(nibbles, ".") + ".ip6.arpa")
+	}

 	return nbdns.SimpleRecord{
 		Name:  rdnsName,
 		Type:  int(dns.TypePTR),
-		Class: aRecord.Class,
-		TTL:   aRecord.TTL,
-		RData: dns.Fqdn(aRecord.Name),
+		Class: record.Class,
+		TTL:   record.TTL,
+		RData: dns.Fqdn(record.Name),
 	}, true
 }

-// generateReverseZoneName creates the reverse DNS zone name for a given network
+// generateReverseZoneName creates the reverse DNS zone name for a given network.
+// For IPv4 it produces an in-addr.arpa name, for IPv6 an ip6.arpa name.
 func generateReverseZoneName(network netip.Prefix) (string, error) {
-	networkIP := network.Masked().Addr()
+	networkIP := network.Masked().Addr().Unmap()
+	bits := network.Bits()

-	if !networkIP.Is4() {
-		return "", fmt.Errorf("reverse DNS is only supported for IPv4 networks, got: %s", networkIP)
+	if networkIP.Is4() {
+		// Round up to nearest byte.
+		octetsToUse := (bits + 7) / 8
+
+		octets := strings.Split(networkIP.String(), ".")
+		if octetsToUse > len(octets) {
+			return "", fmt.Errorf("invalid network mask size for reverse DNS: %d", bits)
+		}
+
+		reverseOctets := make([]string, octetsToUse)
+		for i := 0; i < octetsToUse; i++ {
+			reverseOctets[octetsToUse-1-i] = octets[i]
+		}
+
+		return dns.Fqdn(strings.Join(reverseOctets, ".") + ".in-addr.arpa"), nil
 	}

-	// round up to nearest byte
-	octetsToUse := (network.Bits() + 7) / 8
+	// IPv6: round up to nearest nibble (4-bit boundary).
+	nibblesToUse := (bits + 3) / 4

-	octets := strings.Split(networkIP.String(), ".")
-	if octetsToUse > len(octets) {
-		return "", fmt.Errorf("invalid network mask size for reverse DNS: %d", network.Bits())
+	raw := networkIP.As16()
+	allNibbles := make([]string, 32)
+	for i := 0; i < 16; i++ {
+		allNibbles[i*2] = fmt.Sprintf("%x", raw[i]>>4)
+		allNibbles[i*2+1] = fmt.Sprintf("%x", raw[i]&0x0f)
 	}

-	reverseOctets := make([]string, octetsToUse)
-	for i := 0; i < octetsToUse; i++ {
-		reverseOctets[octetsToUse-1-i] = octets[i]
+	// Take the first nibblesToUse nibbles (network portion), reverse them.
+	used := make([]string, nibblesToUse)
+	for i := 0; i < nibblesToUse; i++ {
+		used[nibblesToUse-1-i] = allNibbles[i]
 	}

-	return dns.Fqdn(strings.Join(reverseOctets, ".") + ".in-addr.arpa"), nil
+	return dns.Fqdn(strings.Join(used, ".") + ".ip6.arpa"), nil
 }

 // zoneExists checks if a zone with the given name already exists in the configuration
@@ -71,7 +102,7 @@ func zoneExists(config *nbdns.Config, zoneName string) bool {
 	return false
 }

-// collectPTRRecords gathers all PTR records for the given network from A records
+// collectPTRRecords gathers all PTR records for the given network from A and AAAA records.
 func collectPTRRecords(config *nbdns.Config, prefix netip.Prefix) []nbdns.SimpleRecord {
 	var records []nbdns.SimpleRecord

@@ -80,7 +111,7 @@ func collectPTRRecords(config *nbdns.Config, prefix netip.Prefix) []nbdns.Simple
 			continue
 		}
 		for _, record := range zone.Records {
-			if record.Type != int(dns.TypeA) {
+			if record.Type != int(dns.TypeA) && record.Type != int(dns.TypeAAAA) {
 				continue
 			}

--- a/client/internal/dns/host_darwin.go
+++ b/client/internal/dns/host_darwin.go
@@ -298,6 +298,7 @@ func (s *systemConfigurator) getSystemDNSSettings() (SystemDNSSettings, error) {
 			if ip, err := netip.ParseAddr(address); err == nil && !ip.IsUnspecified() {
 				ip = ip.Unmap()
 				serverAddresses = append(serverAddresses, ip)
+				// Prefer the first IPv4 server as ServerIP since our DNS listener is IPv4.
 				if !dnsSettings.ServerIP.IsValid() && ip.Is4() {
 					dnsSettings.ServerIP = ip
 				}
--- a/client/internal/dns/local/local.go
+++ b/client/internal/dns/local/local.go
@@ -13,7 +13,6 @@ import (

 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/exp/maps"

 	"github.com/netbirdio/netbird/client/internal/dns/resutil"
 	"github.com/netbirdio/netbird/client/internal/dns/types"
@@ -67,9 +66,9 @@ func (d *Resolver) Stop() {
 	d.mu.Lock()
 	defer d.mu.Unlock()

-	maps.Clear(d.records)
-	maps.Clear(d.domains)
-	maps.Clear(d.zones)
+	clear(d.records)
+	clear(d.domains)
+	clear(d.zones)
 }

 // ID returns the unique handler ID
@@ -444,9 +443,9 @@ func (d *Resolver) Update(customZones []nbdns.CustomZone) {
 	d.mu.Lock()
 	defer d.mu.Unlock()

-	maps.Clear(d.records)
-	maps.Clear(d.domains)
-	maps.Clear(d.zones)
+	clear(d.records)
+	clear(d.domains)
+	clear(d.zones)

 	for _, zone := range customZones {
 		zoneDomain := domain.Domain(strings.ToLower(dns.Fqdn(zone.Domain)))
--- a/client/internal/dns/network_manager_unix.go
+++ b/client/internal/dns/network_manager_unix.go
@@ -110,8 +110,25 @@ func (n *networkManagerDbusConfigurator) applyDNSConfig(config HostDNSConfig, st

 	connSettings.cleanDeprecatedSettings()

-	convDNSIP := binary.LittleEndian.Uint32(config.ServerIP.AsSlice())
-	connSettings[networkManagerDbusIPv4Key][networkManagerDbusDNSKey] = dbus.MakeVariant([]uint32{convDNSIP})
+	ipKey := networkManagerDbusIPv4Key
+	staleKey := networkManagerDbusIPv6Key
+	if config.ServerIP.Is6() {
+		ipKey = networkManagerDbusIPv6Key
+		staleKey = networkManagerDbusIPv4Key
+		raw := config.ServerIP.As16()
+		connSettings[ipKey][networkManagerDbusDNSKey] = dbus.MakeVariant([][]byte{raw[:]})
+	} else {
+		convDNSIP := binary.LittleEndian.Uint32(config.ServerIP.AsSlice())
+		connSettings[ipKey][networkManagerDbusDNSKey] = dbus.MakeVariant([]uint32{convDNSIP})
+	}
+
+	// Clear stale DNS settings from the opposite address family to avoid
+	// leftover entries if the server IP family changed.
+	if staleSettings, ok := connSettings[staleKey]; ok {
+		delete(staleSettings, networkManagerDbusDNSKey)
+		delete(staleSettings, networkManagerDbusDNSPriorityKey)
+		delete(staleSettings, networkManagerDbusDNSSearchKey)
+	}
 	var (
 		searchDomains []string
 		matchDomains  []string
@@ -146,8 +163,8 @@ func (n *networkManagerDbusConfigurator) applyDNSConfig(config HostDNSConfig, st
 		n.routingAll = false
 	}

-	connSettings[networkManagerDbusIPv4Key][networkManagerDbusDNSPriorityKey] = dbus.MakeVariant(priority)
-	connSettings[networkManagerDbusIPv4Key][networkManagerDbusDNSSearchKey] = dbus.MakeVariant(newDomainList)
+	connSettings[ipKey][networkManagerDbusDNSPriorityKey] = dbus.MakeVariant(priority)
+	connSettings[ipKey][networkManagerDbusDNSSearchKey] = dbus.MakeVariant(newDomainList)

 	state := &ShutdownState{
 		ManagerType: networkManager,
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -410,7 +410,7 @@ func (s *DefaultServer) Stop() {
 		log.Errorf("failed to disable DNS: %v", err)
 	}

-	maps.Clear(s.extraDomains)
+	clear(s.extraDomains)
 }

 func (s *DefaultServer) disableDNS() (retErr error) {
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -347,7 +347,7 @@ func TestUpdateDNSServer(t *testing.T) {

 			opts := iface.WGIFaceOpts{
 				IFaceName:    fmt.Sprintf("utun230%d", n),
-				Address:      fmt.Sprintf("100.66.100.%d/32", n+1),
+				Address:      wgaddr.MustParseWGAddress(fmt.Sprintf("100.66.100.%d/32", n+1)),
 				WGPort:       33100,
 				WGPrivKey:    privKey.String(),
 				MTU:          iface.DefaultMTU,
@@ -448,7 +448,7 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 	privKey, _ := wgtypes.GeneratePrivateKey()
 	opts := iface.WGIFaceOpts{
 		IFaceName:    "utun2301",
-		Address:      "100.66.100.1/32",
+		Address:      wgaddr.MustParseWGAddress("100.66.100.1/32"),
 		WGPort:       33100,
 		WGPrivKey:    privKey.String(),
 		MTU:          iface.DefaultMTU,
@@ -929,7 +929,7 @@ func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {

 	opts := iface.WGIFaceOpts{
 		IFaceName:    "utun2301",
-		Address:      "100.66.100.2/24",
+		Address:      wgaddr.MustParseWGAddress("100.66.100.2/24"),
 		WGPort:       33100,
 		WGPrivKey:    privKey.String(),
 		MTU:          iface.DefaultMTU,
--- a/client/internal/dns/service.go
+++ b/client/internal/dns/service.go
@@ -16,8 +16,8 @@ const (
 // This is used when the DNS server cannot bind port 53 directly
 // and needs firewall rules to redirect traffic.
 type Firewall interface {
-	AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error
-	RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error
+	AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error
+	RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error
 }

 type service interface {
--- a/client/internal/dns/service_listener.go
+++ b/client/internal/dns/service_listener.go
@@ -188,11 +188,10 @@ func (s *serviceViaListener) RuntimeIP() netip.Addr {
 	return s.listenIP
 }

-
-// evalListenAddress figure out the listen address for the DNS server
-// first check the 53 port availability on WG interface or lo, if not success
-// pick a random port on WG interface for eBPF, if not success
-// check the 5053 port availability on WG interface or lo without eBPF usage,
+// evalListenAddress figures out the listen address for the DNS server.
+// IPv4-only: all peers have a v4 overlay address, and DNS config points to v4.
+// First checks port 53 on WG interface or lo, then tries eBPF on a random port,
+// then falls back to port 5053.
 func (s *serviceViaListener) evalListenAddress() (netip.Addr, uint16, error) {
 	if s.customAddr != nil {
 		return s.customAddr.Addr(), s.customAddr.Port(), nil
@@ -278,7 +277,7 @@ func (s *serviceViaListener) tryToUseeBPF() (ebpfMgr.Manager, uint16, bool) {
 	}

 	ebpfSrv := ebpf.GetEbpfManagerInstance()
-	err = ebpfSrv.LoadDNSFwd(s.wgInterface.Address().IP.String(), int(port))
+	err = ebpfSrv.LoadDNSFwd(s.wgInterface.Address().IP, int(port))
 	if err != nil {
 		log.Warnf("failed to load DNS forwarder eBPF program, error: %s", err)
 		return nil, 0, false
--- a/client/internal/dns/systemd_linux.go
+++ b/client/internal/dns/systemd_linux.go
@@ -90,8 +90,12 @@ func (s *systemdDbusConfigurator) supportCustomPort() bool {
 }

 func (s *systemdDbusConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error {
+	family := int32(unix.AF_INET)
+	if config.ServerIP.Is6() {
+		family = unix.AF_INET6
+	}
 	defaultLinkInput := systemdDbusDNSInput{
-		Family:  unix.AF_INET,
+		Family:  family,
 		Address: config.ServerIP.AsSlice(),
 	}
 	if err := s.callLinkMethod(systemdDbusSetDNSMethodSuffix, []systemdDbusDNSInput{defaultLinkInput}); err != nil {
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -21,6 +21,7 @@ import (
 	"golang.zx2c4.com/wireguard/tun/netstack"

 	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/dns/resutil"
 	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -29,6 +30,12 @@ import (

 var currentMTU uint16 = iface.DefaultMTU

+// privateClientIface is the subset of the WireGuard interface needed by GetClientPrivate.
+type privateClientIface interface {
+	Name() string
+	Address() wgaddr.Address
+}
+
 func SetCurrentMTU(mtu uint16) {
 	currentMTU = mtu
 }
--- a/client/internal/dns/upstream_android.go
+++ b/client/internal/dns/upstream_android.go
@@ -86,7 +86,7 @@ func (u *upstreamResolver) isLocalResolver(upstream string) bool {
 	return false
 }

-func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Duration) (*dns.Client, error) {
+func GetClientPrivate(_ privateClientIface, _ netip.Addr, dialTimeout time.Duration) (*dns.Client, error) {
 	return &dns.Client{
 		Timeout: dialTimeout,
 		Net:     "udp",
--- a/client/internal/dns/upstream_general.go
+++ b/client/internal/dns/upstream_general.go
@@ -52,7 +52,7 @@ func (u *upstreamResolver) exchange(ctx context.Context, upstream string, r *dns
 	return ExchangeWithFallback(ctx, client, r, upstream)
 }

-func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Duration) (*dns.Client, error) {
+func GetClientPrivate(_ privateClientIface, _ netip.Addr, dialTimeout time.Duration) (*dns.Client, error) {
 	return &dns.Client{
 		Timeout: dialTimeout,
 		Net:     "udp",
--- a/client/internal/dns/upstream_ios.go
+++ b/client/internal/dns/upstream_ios.go
@@ -19,9 +19,7 @@ import (

 type upstreamResolverIOS struct {
 	*upstreamResolverBase
-	lIP           netip.Addr
-	lNet          netip.Prefix
-	interfaceName string
+	wgIface WGIface
 }

 func newUpstreamResolver(
@@ -35,9 +33,7 @@ func newUpstreamResolver(

 	ios := &upstreamResolverIOS{
 		upstreamResolverBase: upstreamResolverBase,
-		lIP:                  wgIface.Address().IP,
-		lNet:                 wgIface.Address().Network,
-		interfaceName:        wgIface.Name(),
+		wgIface:              wgIface,
 	}
 	ios.upstreamClient = ios

@@ -65,11 +61,13 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 	} else {
 		upstreamIP = upstreamIP.Unmap()
 	}
-	needsPrivate := u.lNet.Contains(upstreamIP) ||
+	addr := u.wgIface.Address()
+	needsPrivate := addr.Network.Contains(upstreamIP) ||
+		addr.IPv6Net.Contains(upstreamIP) ||
 		(u.routeMatch != nil && u.routeMatch(upstreamIP))
 	if needsPrivate {
 		log.Debugf("using private client to query %s via upstream %s", r.Question[0].Name, upstream)
-		client, err = GetClientPrivate(u.lIP, u.interfaceName, timeout)
+		client, err = GetClientPrivate(u.wgIface, upstreamIP, timeout)
 		if err != nil {
 			return nil, 0, fmt.Errorf("create private client: %s", err)
 		}
@@ -79,25 +77,33 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 	return ExchangeWithFallback(nil, client, r, upstream)
 }

-// GetClientPrivate returns a new DNS client bound to the local IP address of the Netbird interface
-// This method is needed for iOS
-func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Duration) (*dns.Client, error) {
-	index, err := getInterfaceIndex(interfaceName)
+// GetClientPrivate returns a new DNS client bound to the local IP of the Netbird interface.
+// It selects the v6 bind address when the upstream is IPv6 and the interface has one, otherwise v4.
+func GetClientPrivate(iface privateClientIface, upstreamIP netip.Addr, dialTimeout time.Duration) (*dns.Client, error) {
+	index, err := getInterfaceIndex(iface.Name())
 	if err != nil {
-		log.Debugf("unable to get interface index for %s: %s", interfaceName, err)
+		log.Debugf("unable to get interface index for %s: %s", iface.Name(), err)
 		return nil, err
 	}

+	addr := iface.Address()
+	bindIP := addr.IP
+	if upstreamIP.Is6() && addr.HasIPv6() {
+		bindIP = addr.IPv6
+	}
+
+	proto, opt := unix.IPPROTO_IP, unix.IP_BOUND_IF
+	if bindIP.Is6() {
+		proto, opt = unix.IPPROTO_IPV6, unix.IPV6_BOUND_IF
+	}
+
 	dialer := &net.Dialer{
-		LocalAddr: &net.UDPAddr{
-			IP:   ip.AsSlice(),
-			Port: 0, // Let the OS pick a free port
-		},
-		Timeout: dialTimeout,
+		LocalAddr: net.UDPAddrFromAddrPort(netip.AddrPortFrom(bindIP, 0)),
+		Timeout:   dialTimeout,
 		Control: func(network, address string, c syscall.RawConn) error {
 			var operr error
 			fn := func(s uintptr) {
-				operr = unix.SetsockoptInt(int(s), unix.IPPROTO_IP, unix.IP_BOUND_IF, index)
+				operr = unix.SetsockoptInt(int(s), proto, opt, index)
 			}

 			if err := c.Control(fn); err != nil {
--- a/client/internal/dns_test.go
+++ b/client/internal/dns_test.go
@@ -0,0 +1,138 @@
+package internal
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+)
+
+func TestCreatePTRRecord_IPv4(t *testing.T) {
+	record := nbdns.SimpleRecord{
+		Name:  "peer1.netbird.cloud.",
+		Type:  int(dns.TypeA),
+		Class: nbdns.DefaultClass,
+		TTL:   300,
+		RData: "100.64.0.5",
+	}
+	prefix := netip.MustParsePrefix("100.64.0.0/16")
+
+	ptr, ok := createPTRRecord(record, prefix)
+	require.True(t, ok)
+	assert.Equal(t, "5.0.64.100.in-addr.arpa.", ptr.Name)
+	assert.Equal(t, int(dns.TypePTR), ptr.Type)
+	assert.Equal(t, "peer1.netbird.cloud.", ptr.RData)
+}
+
+func TestCreatePTRRecord_IPv6(t *testing.T) {
+	record := nbdns.SimpleRecord{
+		Name:  "peer1.netbird.cloud.",
+		Type:  int(dns.TypeAAAA),
+		Class: nbdns.DefaultClass,
+		TTL:   300,
+		RData: "fd00:1234:5678::1",
+	}
+	prefix := netip.MustParsePrefix("fd00:1234:5678::/48")
+
+	ptr, ok := createPTRRecord(record, prefix)
+	require.True(t, ok)
+	assert.Equal(t, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.7.6.5.4.3.2.1.0.0.d.f.ip6.arpa.", ptr.Name)
+	assert.Equal(t, int(dns.TypePTR), ptr.Type)
+	assert.Equal(t, "peer1.netbird.cloud.", ptr.RData)
+}
+
+func TestCreatePTRRecord_OutOfRange(t *testing.T) {
+	record := nbdns.SimpleRecord{
+		Name:  "peer1.netbird.cloud.",
+		Type:  int(dns.TypeA),
+		RData: "10.0.0.1",
+	}
+	prefix := netip.MustParsePrefix("100.64.0.0/16")
+
+	_, ok := createPTRRecord(record, prefix)
+	assert.False(t, ok)
+}
+
+func TestGenerateReverseZoneName_IPv4(t *testing.T) {
+	tests := []struct {
+		prefix   string
+		expected string
+	}{
+		{"100.64.0.0/16", "64.100.in-addr.arpa."},
+		{"10.0.0.0/8", "10.in-addr.arpa."},
+		{"192.168.1.0/24", "1.168.192.in-addr.arpa."},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.prefix, func(t *testing.T) {
+			zone, err := generateReverseZoneName(netip.MustParsePrefix(tt.prefix))
+			require.NoError(t, err)
+			assert.Equal(t, tt.expected, zone)
+		})
+	}
+}
+
+func TestGenerateReverseZoneName_IPv6(t *testing.T) {
+	tests := []struct {
+		prefix   string
+		expected string
+	}{
+		{"fd00:1234:5678::/48", "8.7.6.5.4.3.2.1.0.0.d.f.ip6.arpa."},
+		{"fd00::/16", "0.0.d.f.ip6.arpa."},
+		{"fd12:3456:789a:bcde::/64", "e.d.c.b.a.9.8.7.6.5.4.3.2.1.d.f.ip6.arpa."},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.prefix, func(t *testing.T) {
+			zone, err := generateReverseZoneName(netip.MustParsePrefix(tt.prefix))
+			require.NoError(t, err)
+			assert.Equal(t, tt.expected, zone)
+		})
+	}
+}
+
+func TestCollectPTRRecords_BothFamilies(t *testing.T) {
+	config := &nbdns.Config{
+		CustomZones: []nbdns.CustomZone{
+			{
+				Domain: "netbird.cloud.",
+				Records: []nbdns.SimpleRecord{
+					{Name: "peer1.netbird.cloud.", Type: int(dns.TypeA), RData: "100.64.0.1"},
+					{Name: "peer1.netbird.cloud.", Type: int(dns.TypeAAAA), RData: "fd00::1"},
+					{Name: "peer2.netbird.cloud.", Type: int(dns.TypeA), RData: "100.64.0.2"},
+				},
+			},
+		},
+	}
+
+	v4Records := collectPTRRecords(config, netip.MustParsePrefix("100.64.0.0/16"))
+	assert.Len(t, v4Records, 2, "should collect 2 A record PTRs for the v4 prefix")
+
+	v6Records := collectPTRRecords(config, netip.MustParsePrefix("fd00::/64"))
+	assert.Len(t, v6Records, 1, "should collect 1 AAAA record PTR for the v6 prefix")
+}
+
+func TestAddReverseZone_IPv6(t *testing.T) {
+	config := &nbdns.Config{
+		CustomZones: []nbdns.CustomZone{
+			{
+				Domain: "netbird.cloud.",
+				Records: []nbdns.SimpleRecord{
+					{Name: "peer1.netbird.cloud.", Type: int(dns.TypeAAAA), RData: "fd00:1234:5678::1"},
+				},
+			},
+		},
+	}
+
+	addReverseZone(config, netip.MustParsePrefix("fd00:1234:5678::/48"))
+
+	require.Len(t, config.CustomZones, 2)
+	reverseZone := config.CustomZones[1]
+	assert.Equal(t, "8.7.6.5.4.3.2.1.0.0.d.f.ip6.arpa.", reverseZone.Domain)
+	assert.Len(t, reverseZone.Records, 1)
+	assert.Equal(t, int(dns.TypePTR), reverseZone.Records[0].Type)
+}
--- a/client/internal/dnsfwd/manager.go
+++ b/client/internal/dnsfwd/manager.go
@@ -80,6 +80,7 @@ func (m *Manager) Start(fwdEntries []*ForwarderEntry) error {
 		return err
 	}

+	// IPv4-only: peers reach the forwarder via its v4 overlay address.
 	localAddr := m.wgIface.Address().IP

 	if localAddr.IsValid() && m.firewall != nil {
--- a/client/internal/ebpf/ebpf/dns_fwd_linux.go
+++ b/client/internal/ebpf/ebpf/dns_fwd_linux.go
@@ -2,7 +2,8 @@ package ebpf

 import (
 	"encoding/binary"
-	"net"
+	"fmt"
+	"net/netip"

 	log "github.com/sirupsen/logrus"
 )
@@ -12,7 +13,7 @@ const (
 	mapKeyDNSPort uint32 = 1
 )

-func (tf *GeneralManager) LoadDNSFwd(ip string, dnsPort int) error {
+func (tf *GeneralManager) LoadDNSFwd(ip netip.Addr, dnsPort int) error {
 	log.Debugf("load eBPF DNS forwarder, watching addr: %s:53, redirect to port: %d", ip, dnsPort)
 	tf.lock.Lock()
 	defer tf.lock.Unlock()
@@ -22,7 +23,11 @@ func (tf *GeneralManager) LoadDNSFwd(ip string, dnsPort int) error {
 		return err
 	}

-	err = tf.bpfObjs.NbMapDnsIp.Put(mapKeyDNSIP, ip2int(ip))
+	if !ip.Is4() {
+		return fmt.Errorf("eBPF DNS forwarder only supports IPv4, got %s", ip)
+	}
+	ip4 := ip.As4()
+	err = tf.bpfObjs.NbMapDnsIp.Put(mapKeyDNSIP, binary.BigEndian.Uint32(ip4[:]))
 	if err != nil {
 		return err
 	}
@@ -45,7 +50,3 @@ func (tf *GeneralManager) FreeDNSFwd() error {
 	return tf.unsetFeatureFlag(featureFlagDnsForwarder)
 }

-func ip2int(ipString string) uint32 {
-	ip := net.ParseIP(ipString)
-	return binary.BigEndian.Uint32(ip.To4())
-}
--- a/client/internal/ebpf/manager/manager.go
+++ b/client/internal/ebpf/manager/manager.go
@@ -1,8 +1,10 @@
 package manager

+import "net/netip"
+
 // Manager is used to load multiple eBPF programs. E.g., current DNS programs and WireGuard proxy
 type Manager interface {
-	LoadDNSFwd(ip string, dnsPort int) error
+	LoadDNSFwd(ip netip.Addr, dnsPort int) error
 	FreeDNSFwd() error
 	LoadWgProxy(proxyPort, wgPort int) error
 	FreeWGProxy() error
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -33,6 +33,7 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/internal/dns"
@@ -64,6 +65,7 @@ import (
 	mgm "github.com/netbirdio/netbird/shared/management/client"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+	"github.com/netbirdio/netbird/shared/netiputil"
 	auth "github.com/netbirdio/netbird/shared/relay/auth/hmac"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	signal "github.com/netbirdio/netbird/shared/signal/client"
@@ -88,8 +90,9 @@ type EngineConfig struct {
 	WgPort      int
 	WgIfaceName string

-	// WgAddr is a Wireguard local address (Netbird Network IP)
-	WgAddr string
+	// WgAddr is the Wireguard local address (Netbird Network IP).
+	// Contains both v4 and optional v6 overlay addresses.
+	WgAddr wgaddr.Address

 	// WgPrivateKey is a Wireguard private key of our peer (it MUST never leave the machine)
 	WgPrivateKey wgtypes.Key
@@ -134,6 +137,7 @@ type EngineConfig struct {
 	DisableFirewall     bool
 	BlockLANAccess      bool
 	BlockInbound        bool
+	DisableIPv6         bool

 	LazyConnectionEnabled bool

@@ -644,7 +648,7 @@ func (e *Engine) initFirewall() error {
 	rosenpassPort := e.rpManager.GetAddress().Port
 	port := firewallManager.Port{Values: []uint16{uint16(rosenpassPort)}}

-	// this rule is static and will be torn down on engine down by the firewall manager
+	// IPv4-only: rosenpass peers connect via AllowedIps[0] which is always v4.
 	if _, err := e.firewall.AddPeerFiltering(
 		nil,
 		net.IP{0, 0, 0, 0},
@@ -696,10 +700,15 @@ func (e *Engine) blockLanAccess() {

 	log.Infof("blocking route LAN access for networks: %v", toBlock)
 	v4 := netip.PrefixFrom(netip.IPv4Unspecified(), 0)
+	v6 := netip.PrefixFrom(netip.IPv6Unspecified(), 0)
 	for _, network := range toBlock {
+		source := v4
+		if network.Addr().Is6() {
+			source = v6
+		}
 		if _, err := e.firewall.AddRouteFiltering(
 			nil,
-			[]netip.Prefix{v4},
+			[]netip.Prefix{source},
 			firewallManager.Network{Prefix: network},
 			firewallManager.ProtocolALL,
 			nil,
@@ -737,7 +746,7 @@ func (e *Engine) modifyPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
 		if !ok {
 			continue
 		}
-		if !compareNetIPLists(allowedIPs, p.GetAllowedIps()) {
+		if !compareNetIPLists(allowedIPs, e.filterAllowedIPs(p.GetAllowedIps())) {
 			modified = append(modified, p)
 			continue
 		}
@@ -1016,6 +1025,7 @@ func (e *Engine) updateChecksIfNew(checks []*mgmProto.Checks) error {
 		e.config.DisableFirewall,
 		e.config.BlockLANAccess,
 		e.config.BlockInbound,
+		e.config.DisableIPv6,
 		e.config.LazyConnectionEnabled,
 		e.config.EnableSSHRoot,
 		e.config.EnableSSHSFTP,
@@ -1043,6 +1053,13 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 		return ErrResetConnection
 	}

+	if !e.config.DisableIPv6 && e.hasIPv6Changed(conf) {
+		log.Infof("peer IPv6 address changed, restarting client")
+		_ = CtxGetState(e.ctx).Wrap(ErrResetConnection)
+		e.clientCancel()
+		return ErrResetConnection
+	}
+
 	if conf.GetSshConfig() != nil {
 		if err := e.updateSSH(conf.GetSshConfig()); err != nil {
 			log.Warnf("failed handling SSH server setup: %v", err)
@@ -1051,6 +1068,7 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {

 	state := e.statusRecorder.GetLocalPeerState()
 	state.IP = e.wgInterface.Address().String()
+	state.IPv6 = e.wgInterface.Address().IPv6String()
 	state.PubKey = e.config.WgPrivateKey.PublicKey().String()
 	state.KernelInterface = !e.wgInterface.IsUserspaceBind()
 	state.FQDN = conf.GetFqdn()
@@ -1059,6 +1077,28 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {

 	return nil
 }
+
+// hasIPv6Changed reports whether the IPv6 overlay address in the peer config
+// differs from the configured address (added, removed, or changed).
+// Compares against e.config.WgAddr (not the interface address, which may have
+// been cleared by ClearIPv6 if OS assignment failed).
+func (e *Engine) hasIPv6Changed(conf *mgmProto.PeerConfig) bool {
+	current := e.config.WgAddr
+	raw := conf.GetAddressV6()
+
+	if len(raw) == 0 {
+		return current.HasIPv6()
+	}
+
+	prefix, err := netiputil.DecodePrefix(raw)
+	if err != nil {
+		log.Errorf("decode v6 overlay address: %v", err)
+		return false
+	}
+
+	return !current.HasIPv6() || current.IPv6 != prefix.Addr() || current.IPv6Net != prefix.Masked()
+}
+
 func (e *Engine) receiveJobEvents() {
 	e.jobExecutorWG.Add(1)
 	go func() {
@@ -1157,6 +1197,7 @@ func (e *Engine) receiveManagementEvents() {
 			e.config.DisableFirewall,
 			e.config.BlockLANAccess,
 			e.config.BlockInbound,
+			e.config.DisableIPv6,
 			e.config.LazyConnectionEnabled,
 			e.config.EnableSSHRoot,
 			e.config.EnableSSHSFTP,
@@ -1256,7 +1297,7 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		protoDNSConfig = &mgmProto.DNSConfig{}
 	}

-	dnsConfig := toDNSConfig(protoDNSConfig, e.wgInterface.Address().Network)
+	dnsConfig := toDNSConfig(protoDNSConfig, e.wgInterface.Address())

 	if err := e.dnsServer.UpdateDNSServer(serial, dnsConfig); err != nil {
 		log.Errorf("failed to update dns server, err: %v", err)
@@ -1411,7 +1452,9 @@ func toRouteDomains(myPubKey string, routes []*route.Route) []*dnsfwd.ForwarderE
 	return entries
 }

-func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig, network netip.Prefix) nbdns.Config {
+func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig, addr wgaddr.Address) nbdns.Config {
+	network := addr.Network
+	networkV6 := addr.IPv6Net
 	//nolint
 	forwarderPort := uint16(protoDNSConfig.GetForwarderPort())
 	if forwarderPort == 0 {
@@ -1468,6 +1511,9 @@ func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig, network netip.Prefix) nbdns

 	if len(dnsUpdate.CustomZones) > 0 {
 		addReverseZone(&dnsUpdate, network)
+		if networkV6.IsValid() {
+			addReverseZone(&dnsUpdate, networkV6)
+		}
 	}

 	return dnsUpdate
@@ -1477,8 +1523,10 @@ func (e *Engine) updateOfflinePeers(offlinePeers []*mgmProto.RemotePeerConfig) {
 	replacement := make([]peer.State, len(offlinePeers))
 	for i, offlinePeer := range offlinePeers {
 		log.Debugf("added offline peer %s", offlinePeer.Fqdn)
+		v4, v6 := overlayAddrsFromAllowedIPs(offlinePeer.GetAllowedIps(), e.wgInterface.Address().IPv6Net)
 		replacement[i] = peer.State{
-			IP:               strings.Join(offlinePeer.GetAllowedIps(), ","),
+			IP:               addrToString(v4),
+			IPv6:             addrToString(v6),
 			PubKey:           offlinePeer.GetWgPubKey(),
 			FQDN:             offlinePeer.GetFqdn(),
 			ConnStatus:       peer.StatusIdle,
@@ -1489,6 +1537,37 @@ func (e *Engine) updateOfflinePeers(offlinePeers []*mgmProto.RemotePeerConfig) {
 	e.statusRecorder.ReplaceOfflinePeers(replacement)
 }

+// overlayAddrsFromAllowedIPs extracts the peer's v4 and v6 overlay addresses
+// from AllowedIPs strings. Only host routes (/32, /128) are considered; v6 must
+// fall within ourV6Net to distinguish overlay addresses from routed prefixes.
+func overlayAddrsFromAllowedIPs(allowedIPs []string, ourV6Net netip.Prefix) (v4, v6 netip.Addr) {
+	for _, cidr := range allowedIPs {
+		prefix, err := netip.ParsePrefix(cidr)
+		if err != nil {
+			log.Warnf("failed to parse AllowedIP %q: %v", cidr, err)
+			continue
+		}
+		addr := prefix.Addr().Unmap()
+		switch {
+		case addr.Is4() && prefix.Bits() == 32 && !v4.IsValid():
+			v4 = addr
+		case addr.Is6() && prefix.Bits() == 128 && ourV6Net.Contains(addr) && !v6.IsValid():
+			v6 = addr
+		}
+		if v4.IsValid() && v6.IsValid() {
+			break
+		}
+	}
+	return
+}
+
+func addrToString(addr netip.Addr) string {
+	if !addr.IsValid() {
+		return ""
+	}
+	return addr.String()
+}
+
 // addNewPeers adds peers that were not know before but arrived from the Management service with the update
 func (e *Engine) addNewPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
 	for _, p := range peersUpdate {
@@ -1514,15 +1593,23 @@ func (e *Engine) addNewPeer(peerConfig *mgmProto.RemotePeerConfig) error {
 			log.Errorf("failed to parse allowedIPS: %v", err)
 			return err
 		}
+		if allowedNetIP.Addr().Is6() && !e.wgInterface.Address().HasIPv6() {
+			continue
+		}
 		peerIPs = append(peerIPs, allowedNetIP)
 	}

+	if len(peerIPs) == 0 {
+		return fmt.Errorf("peer %s has no usable AllowedIPs", peerKey)
+	}
+
 	conn, err := e.createPeerConn(peerKey, peerIPs, peerConfig.AgentVersion)
 	if err != nil {
 		return fmt.Errorf("create peer connection: %w", err)
 	}

-	err = e.statusRecorder.AddPeer(peerKey, peerConfig.Fqdn, peerIPs[0].Addr().String())
+	peerV4, peerV6 := overlayAddrsFromAllowedIPs(peerConfig.GetAllowedIps(), e.wgInterface.Address().IPv6Net)
+	err = e.statusRecorder.AddPeer(peerKey, peerConfig.Fqdn, addrToString(peerV4), addrToString(peerV6))
 	if err != nil {
 		log.Warnf("error adding peer %s to status recorder, got error: %v", peerKey, err)
 	}
@@ -1757,6 +1844,7 @@ func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, bool, err
 		e.config.DisableFirewall,
 		e.config.BlockLANAccess,
 		e.config.BlockInbound,
+		e.config.DisableIPv6,
 		e.config.LazyConnectionEnabled,
 		e.config.EnableSSHRoot,
 		e.config.EnableSSHSFTP,
@@ -1770,7 +1858,7 @@ func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, bool, err
 		return nil, nil, false, err
 	}
 	routes := toRoutes(netMap.GetRoutes())
-	dnsCfg := toDNSConfig(netMap.GetDNSConfig(), e.wgInterface.Address().Network)
+	dnsCfg := toDNSConfig(netMap.GetDNSConfig(), e.wgInterface.Address())
 	dnsFeatureFlag := toDNSFeatureFlag(netMap)
 	return routes, &dnsCfg, dnsFeatureFlag, nil
 }
@@ -1812,7 +1900,10 @@ func (e *Engine) wgInterfaceCreate() (err error) {
 	case "android":
 		err = e.wgInterface.CreateOnAndroid(e.routeManager.InitialRouteRange(), e.dnsServer.DnsIP().String(), e.dnsServer.SearchDomains())
 	case "ios":
-		e.mobileDep.NetworkChangeListener.SetInterfaceIP(e.config.WgAddr)
+		e.mobileDep.NetworkChangeListener.SetInterfaceIP(e.config.WgAddr.String())
+		if e.config.WgAddr.HasIPv6() {
+			e.mobileDep.NetworkChangeListener.SetInterfaceIPv6(e.config.WgAddr.IPv6String())
+		}
 		err = e.wgInterface.Create()
 	default:
 		err = e.wgInterface.Create()
@@ -2089,6 +2180,14 @@ func (e *Engine) GetWgAddr() netip.Addr {
 	return e.wgInterface.Address().IP
 }

+// GetWgV6Addr returns the IPv6 overlay address of the WireGuard interface.
+func (e *Engine) GetWgV6Addr() netip.Addr {
+	if e.wgInterface == nil {
+		return netip.Addr{}
+	}
+	return e.wgInterface.Address().IPv6
+}
+
 func (e *Engine) RenewTun(fd int) error {
 	e.syncMsgMux.Lock()
 	wgInterface := e.wgInterface
@@ -2370,8 +2469,7 @@ func getInterfacePrefixes() ([]netip.Prefix, error) {
 			prefix := netip.PrefixFrom(addr.Unmap(), ones).Masked()
 			ip := prefix.Addr()

-			// TODO: add IPv6
-			if !ip.Is4() || ip.IsLoopback() || ip.IsMulticast() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
+			if ip.IsLoopback() || ip.IsMulticast() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
 				continue
 			}

@@ -2382,6 +2480,24 @@ func getInterfacePrefixes() ([]netip.Prefix, error) {
 	return prefixes, nberrors.FormatErrorOrNil(merr)
 }

+// filterAllowedIPs strips IPv6 entries when the local interface has no v6 address.
+// This covers both the explicit --disable-ipv6 flag (v6 never assigned) and the
+// case where OS v6 assignment failed (ClearIPv6). Without this, WireGuard would
+// accept v6 traffic that the native firewall cannot filter.
+func (e *Engine) filterAllowedIPs(ips []string) []string {
+	if e.wgInterface.Address().HasIPv6() {
+		return ips
+	}
+	filtered := make([]string, 0, len(ips))
+	for _, s := range ips {
+		p, err := netip.ParsePrefix(s)
+		if err != nil || !p.Addr().Is6() {
+			filtered = append(filtered, s)
+		}
+	}
+	return filtered
+}
+
 // compareNetIPLists compares a list of netip.Prefix with a list of strings.
 // return true if both lists are equal, false otherwise.
 func compareNetIPLists(list1 []netip.Prefix, list2 []string) bool {
--- a/client/internal/engine_ssh.go
+++ b/client/internal/engine_ssh.go
@@ -41,6 +41,14 @@ func (e *Engine) setupSSHPortRedirection() error {
 	}
 	log.Infof("SSH port redirection enabled: %s:22 -> %s:22022", localAddr, localAddr)

+	if v6 := e.wgInterface.Address().IPv6; v6.IsValid() {
+		if err := e.firewall.AddInboundDNAT(v6, firewallManager.ProtocolTCP, 22, 22022); err != nil {
+			log.Warnf("failed to add IPv6 SSH port redirection: %v", err)
+		} else {
+			log.Infof("SSH port redirection enabled: [%s]:22 -> [%s]:22022", v6, v6)
+		}
+	}
+
 	return nil
 }

@@ -137,12 +145,13 @@ func (e *Engine) extractPeerSSHInfo(remotePeers []*mgmProto.RemotePeerConfig) []
 			continue
 		}

-		peerIP := e.extractPeerIP(peerConfig)
+		peerV4, peerV6 := overlayAddrsFromAllowedIPs(peerConfig.GetAllowedIps(), e.wgInterface.Address().IPv6Net)
 		hostname := e.extractHostname(peerConfig)

 		peerInfo = append(peerInfo, sshconfig.PeerSSHInfo{
 			Hostname: hostname,
-			IP:       peerIP,
+			IP:       peerV4,
+			IPv6:     peerV6,
 			FQDN:     peerConfig.GetFqdn(),
 		})
 	}
@@ -150,18 +159,6 @@ func (e *Engine) extractPeerSSHInfo(remotePeers []*mgmProto.RemotePeerConfig) []
 	return peerInfo
 }

-// extractPeerIP extracts IP address from peer's allowed IPs
-func (e *Engine) extractPeerIP(peerConfig *mgmProto.RemotePeerConfig) string {
-	if len(peerConfig.GetAllowedIps()) == 0 {
-		return ""
-	}
-
-	if prefix, err := netip.ParsePrefix(peerConfig.GetAllowedIps()[0]); err == nil {
-		return prefix.Addr().String()
-	}
-	return ""
-}
-
 // extractHostname extracts short hostname from FQDN
 func (e *Engine) extractHostname(peerConfig *mgmProto.RemotePeerConfig) string {
 	fqdn := peerConfig.GetFqdn()
@@ -208,7 +205,7 @@ func (e *Engine) GetPeerSSHKey(peerAddress string) ([]byte, bool) {

 	fullStatus := statusRecorder.GetFullStatus()
 	for _, peerState := range fullStatus.Peers {
-		if peerState.IP == peerAddress || peerState.FQDN == peerAddress {
+		if peerState.IP == peerAddress || peerState.FQDN == peerAddress || peerState.IPv6 == peerAddress {
 			if len(peerState.SSHHostKey) > 0 {
 				return peerState.SSHHostKey, true
 			}
@@ -262,6 +259,13 @@ func (e *Engine) startSSHServer(jwtConfig *sshserver.JWTConfig) error {
 		return fmt.Errorf("start SSH server: %w", err)
 	}

+	if v6 := wgAddr.IPv6; v6.IsValid() {
+		v6Addr := netip.AddrPortFrom(v6, sshserver.InternalSSHPort)
+		if err := server.AddListener(e.ctx, v6Addr); err != nil {
+			log.Warnf("failed to add IPv6 SSH listener: %v", err)
+		}
+	}
+
 	e.sshServer = server

 	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
@@ -330,6 +334,12 @@ func (e *Engine) cleanupSSHPortRedirection() error {
 	}
 	log.Debugf("SSH port redirection removed: %s:22 -> %s:22022", localAddr, localAddr)

+	if v6 := e.wgInterface.Address().IPv6; v6.IsValid() {
+		if err := e.firewall.RemoveInboundDNAT(v6, firewallManager.ProtocolTCP, 22, 22022); err != nil {
+			log.Debugf("failed to remove IPv6 SSH port redirection: %v", err)
+		}
+	}
+
 	return nil
 }

--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -67,6 +67,7 @@ import (
 	mgmt "github.com/netbirdio/netbird/shared/management/client"
 	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
+	"github.com/netbirdio/netbird/shared/netiputil"
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	"github.com/netbirdio/netbird/shared/signal/proto"
 	signalServer "github.com/netbirdio/netbird/signal/server"
@@ -95,7 +96,7 @@ type MockWGIface struct {
 	AddressFunc                func() wgaddr.Address
 	ToInterfaceFunc            func() *net.Interface
 	UpFunc                     func() (*udpmux.UniversalUDPMuxDefault, error)
-	UpdateAddrFunc             func(newAddr string) error
+	UpdateAddrFunc             func(newAddr wgaddr.Address) error
 	UpdatePeerFunc             func(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
 	RemovePeerFunc             func(peerKey string) error
 	AddAllowedIPFunc           func(peerKey string, allowedIP netip.Prefix) error
@@ -157,7 +158,7 @@ func (m *MockWGIface) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 	return m.UpFunc()
 }

-func (m *MockWGIface) UpdateAddr(newAddr string) error {
+func (m *MockWGIface) UpdateAddr(newAddr wgaddr.Address) error {
 	return m.UpdateAddrFunc(newAddr)
 }

@@ -254,7 +255,7 @@ func TestEngine_SSH(t *testing.T) {
 		ctx, cancel,
 		&EngineConfig{
 			WgIfaceName:      "utun101",
-			WgAddr:           "100.64.0.1/24",
+			WgAddr:           wgaddr.MustParseWGAddress("100.64.0.1/24"),
 			WgPrivateKey:     key,
 			WgPort:           33100,
 			ServerSSHAllowed: true,
@@ -431,7 +432,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
 	engine := NewEngine(ctx, cancel, &EngineConfig{
 		WgIfaceName:  "utun102",
-		WgAddr:       "100.64.0.1/24",
+		WgAddr:       wgaddr.MustParseWGAddress("100.64.0.1/24"),
 		WgPrivateKey: key,
 		WgPort:       33100,
 		MTU:          iface.DefaultMTU,
@@ -655,7 +656,7 @@ func TestEngine_Sync(t *testing.T) {
 	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
 	engine := NewEngine(ctx, cancel, &EngineConfig{
 		WgIfaceName:  "utun103",
-		WgAddr:       "100.64.0.1/24",
+		WgAddr:       wgaddr.MustParseWGAddress("100.64.0.1/24"),
 		WgPrivateKey: key,
 		WgPort:       33100,
 		MTU:          iface.DefaultMTU,
@@ -825,7 +826,7 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 			relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
 			engine := NewEngine(ctx, cancel, &EngineConfig{
 				WgIfaceName:  wgIfaceName,
-				WgAddr:       wgAddr,
+				WgAddr:       wgaddr.MustParseWGAddress(wgAddr),
 				WgPrivateKey: key,
 				WgPort:       33100,
 				MTU:          iface.DefaultMTU,
@@ -843,7 +844,7 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {

 			opts := iface.WGIFaceOpts{
 				IFaceName:    wgIfaceName,
-				Address:      wgAddr,
+				Address:      wgaddr.MustParseWGAddress(wgAddr),
 				WGPort:       engine.config.WgPort,
 				WGPrivKey:    key.String(),
 				MTU:          iface.DefaultMTU,
@@ -1032,7 +1033,7 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 			relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
 			engine := NewEngine(ctx, cancel, &EngineConfig{
 				WgIfaceName:  wgIfaceName,
-				WgAddr:       wgAddr,
+				WgAddr:       wgaddr.MustParseWGAddress(wgAddr),
 				WgPrivateKey: key,
 				WgPort:       33100,
 				MTU:          iface.DefaultMTU,
@@ -1050,7 +1051,7 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 			}
 			opts := iface.WGIFaceOpts{
 				IFaceName:    wgIfaceName,
-				Address:      wgAddr,
+				Address:      wgaddr.MustParseWGAddress(wgAddr),
 				WGPort:       33100,
 				WGPrivKey:    key.String(),
 				MTU:          iface.DefaultMTU,
@@ -1555,7 +1556,7 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 	wgPort := 33100 + i
 	conf := &EngineConfig{
 		WgIfaceName:  ifaceName,
-		WgAddr:       resp.PeerConfig.Address,
+		WgAddr:       wgaddr.MustParseWGAddress(resp.PeerConfig.Address),
 		WgPrivateKey: key,
 		WgPort:       wgPort,
 		MTU:          iface.DefaultMTU,
@@ -1705,3 +1706,224 @@ func getPeers(e *Engine) int {

 	return len(e.peerStore.PeersPubKey())
 }
+
+func mustEncodePrefix(t *testing.T, p netip.Prefix) []byte {
+	t.Helper()
+	b, err := netiputil.EncodePrefix(p)
+	require.NoError(t, err)
+	return b
+}
+
+func TestEngine_hasIPv6Changed(t *testing.T) {
+	v4Only := wgaddr.MustParseWGAddress("100.64.0.1/16")
+
+	v4v6 := wgaddr.MustParseWGAddress("100.64.0.1/16")
+	v4v6.IPv6 = netip.MustParseAddr("fd00::1")
+	v4v6.IPv6Net = netip.MustParsePrefix("fd00::1/64").Masked()
+
+	tests := []struct {
+		name     string
+		current  wgaddr.Address
+		confV6   []byte
+		expected bool
+	}{
+		{
+			name:     "no v6 before, no v6 now",
+			current:  v4Only,
+			confV6:   nil,
+			expected: false,
+		},
+		{
+			name:     "no v6 before, v6 added",
+			current:  v4Only,
+			confV6:   mustEncodePrefix(t, netip.MustParsePrefix("fd00::1/64")),
+			expected: true,
+		},
+		{
+			name:     "had v6, now removed",
+			current:  v4v6,
+			confV6:   nil,
+			expected: true,
+		},
+		{
+			name:     "had v6, same v6",
+			current:  v4v6,
+			confV6:   mustEncodePrefix(t, netip.MustParsePrefix("fd00::1/64")),
+			expected: false,
+		},
+		{
+			name:     "had v6, different v6",
+			current:  v4v6,
+			confV6:   mustEncodePrefix(t, netip.MustParsePrefix("fd00::2/64")),
+			expected: true,
+		},
+		{
+			name:     "same v6 addr, different prefix length",
+			current:  v4v6,
+			confV6:   mustEncodePrefix(t, netip.MustParsePrefix("fd00::1/80")),
+			expected: true,
+		},
+		{
+			name:     "decode error keeps status quo",
+			current:  v4Only,
+			confV6:   []byte{1, 2, 3},
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			engine := &Engine{
+				config: &EngineConfig{WgAddr: tt.current},
+			}
+			conf := &mgmtProto.PeerConfig{
+				AddressV6: tt.confV6,
+			}
+			assert.Equal(t, tt.expected, engine.hasIPv6Changed(conf))
+		})
+	}
+}
+
+func TestFilterAllowedIPs(t *testing.T) {
+	v4v6Addr := wgaddr.MustParseWGAddress("100.64.0.1/16")
+	v4v6Addr.IPv6 = netip.MustParseAddr("fd00::1")
+	v4v6Addr.IPv6Net = netip.MustParsePrefix("fd00::1/64").Masked()
+
+	v4OnlyAddr := wgaddr.MustParseWGAddress("100.64.0.1/16")
+
+	tests := []struct {
+		name     string
+		addr     wgaddr.Address
+		input    []string
+		expected []string
+	}{
+		{
+			name:     "interface has v6, keep all",
+			addr:     v4v6Addr,
+			input:    []string{"100.64.0.1/32", "fd00::1/128"},
+			expected: []string{"100.64.0.1/32", "fd00::1/128"},
+		},
+		{
+			name:     "no v6, strip v6",
+			addr:     v4OnlyAddr,
+			input:    []string{"100.64.0.1/32", "fd00::1/128"},
+			expected: []string{"100.64.0.1/32"},
+		},
+		{
+			name:     "no v6, only v4",
+			addr:     v4OnlyAddr,
+			input:    []string{"100.64.0.1/32", "10.0.0.0/8"},
+			expected: []string{"100.64.0.1/32", "10.0.0.0/8"},
+		},
+		{
+			name:     "no v6, only v6 input",
+			addr:     v4OnlyAddr,
+			input:    []string{"fd00::1/128", "::/0"},
+			expected: []string{},
+		},
+		{
+			name:     "no v6, invalid prefix preserved",
+			addr:     v4OnlyAddr,
+			input:    []string{"100.64.0.1/32", "garbage"},
+			expected: []string{"100.64.0.1/32", "garbage"},
+		},
+		{
+			name:     "no v6, empty input",
+			addr:     v4OnlyAddr,
+			input:    []string{},
+			expected: []string{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			addr := tt.addr
+			engine := &Engine{
+				config: &EngineConfig{},
+				wgInterface: &MockWGIface{
+					AddressFunc: func() wgaddr.Address { return addr },
+				},
+			}
+			result := engine.filterAllowedIPs(tt.input)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
+func TestOverlayAddrsFromAllowedIPs(t *testing.T) {
+	ourV6Net := netip.MustParsePrefix("fd00:1234:5678:abcd::/64")
+
+	tests := []struct {
+		name       string
+		allowedIPs []string
+		ourV6Net   netip.Prefix
+		wantV4     string
+		wantV6     string
+	}{
+		{
+			name:       "v4 only",
+			allowedIPs: []string{"100.64.0.1/32"},
+			ourV6Net:   ourV6Net,
+			wantV4:     "100.64.0.1",
+			wantV6:     "",
+		},
+		{
+			name:       "v4 and v6 overlay",
+			allowedIPs: []string{"100.64.0.1/32", "fd00:1234:5678:abcd::1/128"},
+			ourV6Net:   ourV6Net,
+			wantV4:     "100.64.0.1",
+			wantV6:     "fd00:1234:5678:abcd::1",
+		},
+		{
+			name:       "v4, routed v6, overlay v6",
+			allowedIPs: []string{"100.64.0.1/32", "2001:db8::1/128", "fd00:1234:5678:abcd::1/128"},
+			ourV6Net:   ourV6Net,
+			wantV4:     "100.64.0.1",
+			wantV6:     "fd00:1234:5678:abcd::1",
+		},
+		{
+			name:       "routed v6 /128 outside our subnet is ignored",
+			allowedIPs: []string{"100.64.0.1/32", "2001:db8::1/128"},
+			ourV6Net:   ourV6Net,
+			wantV4:     "100.64.0.1",
+			wantV6:     "",
+		},
+		{
+			name:       "routed v6 prefix is ignored",
+			allowedIPs: []string{"100.64.0.1/32", "fd00:1234:5678:abcd::/64"},
+			ourV6Net:   ourV6Net,
+			wantV4:     "100.64.0.1",
+			wantV6:     "",
+		},
+		{
+			name:       "no v6 subnet configured",
+			allowedIPs: []string{"100.64.0.1/32", "fd00:1234:5678:abcd::1/128"},
+			ourV6Net:   netip.Prefix{},
+			wantV4:     "100.64.0.1",
+			wantV6:     "",
+		},
+		{
+			name:       "v4 /24 route is ignored",
+			allowedIPs: []string{"100.64.0.0/24", "100.64.0.1/32"},
+			ourV6Net:   ourV6Net,
+			wantV4:     "100.64.0.1",
+			wantV6:     "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			v4, v6 := overlayAddrsFromAllowedIPs(tt.allowedIPs, tt.ourV6Net)
+			if tt.wantV4 == "" {
+				assert.False(t, v4.IsValid(), "expected no v4")
+			} else {
+				assert.Equal(t, tt.wantV4, v4.String(), "v4")
+			}
+			if tt.wantV6 == "" {
+				assert.False(t, v6.IsValid(), "expected no v6")
+			} else {
+				assert.Equal(t, tt.wantV6, v6.String(), "v6")
+			}
+		})
+	}
+}
--- a/client/internal/iface_common.go
+++ b/client/internal/iface_common.go
@@ -26,7 +26,7 @@ type wgIfaceBase interface {
 	Address() wgaddr.Address
 	ToInterface() *net.Interface
 	Up() (*udpmux.UniversalUDPMuxDefault, error)
-	UpdateAddr(newAddr string) error
+	UpdateAddr(newAddr wgaddr.Address) error
 	GetProxy() wgproxy.Proxy
 	GetProxyPort() uint16
 	UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
--- a/client/internal/lazyconn/activity/listener_bind.go
+++ b/client/internal/lazyconn/activity/listener_bind.go
@@ -57,6 +57,7 @@ func NewBindListener(wgIface WgInterface, bind device.EndpointManager, cfg lazyc
 // deriveFakeIP creates a deterministic fake IP for bind mode based on peer's NetBird IP.
 // Maps peer IP 100.64.x.y to fake IP 127.2.x.y (similar to relay proxy using 127.1.x.y).
 // It finds the peer's actual NetBird IP by checking which allowedIP is in the same subnet as our WG interface.
+// For IPv6-only peers, the last two bytes of the v6 address are used.
 func deriveFakeIP(wgIface WgInterface, allowedIPs []netip.Prefix) (netip.Addr, error) {
 	if len(allowedIPs) == 0 {
 		return netip.Addr{}, fmt.Errorf("no allowed IPs for peer")
@@ -64,6 +65,7 @@ func deriveFakeIP(wgIface WgInterface, allowedIPs []netip.Prefix) (netip.Addr, e

 	ourNetwork := wgIface.Address().Network

+	// Try v4 first (preferred: deterministic from overlay IP)
 	var peerIP netip.Addr
 	for _, allowedIP := range allowedIPs {
 		ip := allowedIP.Addr()
@@ -76,13 +78,24 @@ func deriveFakeIP(wgIface WgInterface, allowedIPs []netip.Prefix) (netip.Addr, e
 		}
 	}

-	if !peerIP.IsValid() {
-		return netip.Addr{}, fmt.Errorf("no peer NetBird IP found in allowed IPs")
+	if peerIP.IsValid() {
+		octets := peerIP.As4()
+		return netip.AddrFrom4([4]byte{127, 2, octets[2], octets[3]}), nil
 	}

-	octets := peerIP.As4()
-	fakeIP := netip.AddrFrom4([4]byte{127, 2, octets[2], octets[3]})
-	return fakeIP, nil
+	// Fallback: use last two bytes of first v6 overlay IP
+	addr := wgIface.Address()
+	if addr.IPv6Net.IsValid() {
+		for _, allowedIP := range allowedIPs {
+			ip := allowedIP.Addr()
+			if ip.Is6() && addr.IPv6Net.Contains(ip) {
+				raw := ip.As16()
+				return netip.AddrFrom4([4]byte{127, 2, raw[14], raw[15]}), nil
+			}
+		}
+	}
+
+	return netip.Addr{}, fmt.Errorf("no peer NetBird IP found in allowed IPs")
 }

 func (d *BindListener) setupLazyConn() error {
--- a/client/internal/listener/network_change.go
+++ b/client/internal/listener/network_change.go
@@ -5,4 +5,5 @@ type NetworkChangeListener interface {
 	// OnNetworkChanged invoke when network settings has been changed
 	OnNetworkChanged(string)
 	SetInterfaceIP(string)
+	SetInterfaceIPv6(string)
 }
--- a/client/internal/netflow/conntrack/conntrack.go
+++ b/client/internal/netflow/conntrack/conntrack.go
@@ -316,7 +316,7 @@ func (c *ConnTrack) handleEvent(event nfct.Event) {
 	case nftypes.TCP, nftypes.UDP, nftypes.SCTP:
 		srcPort = flow.TupleOrig.Proto.SourcePort
 		dstPort = flow.TupleOrig.Proto.DestinationPort
-	case nftypes.ICMP:
+	case nftypes.ICMP, nftypes.ICMPv6:
 		icmpType = flow.TupleOrig.Proto.ICMPType
 		icmpCode = flow.TupleOrig.Proto.ICMPCode
 	}
@@ -359,8 +359,14 @@ func (c *ConnTrack) relevantFlow(mark uint32, srcIP, dstIP netip.Addr) bool {
 	}

 	// fallback if mark rules are not in place
-	wgnet := c.iface.Address().Network
-	return wgnet.Contains(srcIP) || wgnet.Contains(dstIP)
+	addr := c.iface.Address()
+	if addr.Network.Contains(srcIP) || addr.Network.Contains(dstIP) {
+		return true
+	}
+	if addr.IPv6Net.IsValid() {
+		return addr.IPv6Net.Contains(srcIP) || addr.IPv6Net.Contains(dstIP)
+	}
+	return false
 }

 // mapRxPackets maps packet counts to RX based on flow direction
@@ -419,17 +425,16 @@ func (c *ConnTrack) inferDirection(mark uint32, srcIP, dstIP netip.Addr) nftypes
 	}

 	// fallback if marks are not set
-	wgaddr := c.iface.Address().IP
-	wgnetwork := c.iface.Address().Network
+	addr := c.iface.Address()
 	switch {
-	case wgaddr == srcIP:
+	case addr.IP == srcIP || (addr.IPv6.IsValid() && addr.IPv6 == srcIP):
 		return nftypes.Egress
-	case wgaddr == dstIP:
+	case addr.IP == dstIP || (addr.IPv6.IsValid() && addr.IPv6 == dstIP):
 		return nftypes.Ingress
-	case wgnetwork.Contains(srcIP):
+	case addr.Network.Contains(srcIP) || (addr.IPv6Net.IsValid() && addr.IPv6Net.Contains(srcIP)):
 		// netbird network -> resource network
 		return nftypes.Ingress
-	case wgnetwork.Contains(dstIP):
+	case addr.Network.Contains(dstIP) || (addr.IPv6Net.IsValid() && addr.IPv6Net.Contains(dstIP)):
 		// resource network -> netbird network
 		return nftypes.Egress
 	}
--- a/client/internal/netflow/logger/logger.go
+++ b/client/internal/netflow/logger/logger.go
@@ -24,15 +24,17 @@ type Logger struct {
 	cancel             context.CancelFunc
 	statusRecorder     *peer.Status
 	wgIfaceNet         netip.Prefix
+	wgIfaceNetV6       netip.Prefix
 	dnsCollection      atomic.Bool
 	exitNodeCollection atomic.Bool
 	Store              types.Store
 }

-func New(statusRecorder *peer.Status, wgIfaceIPNet netip.Prefix) *Logger {
+func New(statusRecorder *peer.Status, wgIfaceIPNet, wgIfaceIPNetV6 netip.Prefix) *Logger {
 	return &Logger{
 		statusRecorder: statusRecorder,
 		wgIfaceNet:     wgIfaceIPNet,
+		wgIfaceNetV6:   wgIfaceIPNetV6,
 		Store:          store.NewMemoryStore(),
 	}
 }
@@ -88,11 +90,11 @@ func (l *Logger) startReceiver() {
 			var isSrcExitNode bool
 			var isDestExitNode bool

-			if !l.wgIfaceNet.Contains(event.SourceIP) {
+			if !l.isOverlayIP(event.SourceIP) {
 				event.SourceResourceID, isSrcExitNode = l.statusRecorder.CheckRoutes(event.SourceIP)
 			}

-			if !l.wgIfaceNet.Contains(event.DestIP) {
+			if !l.isOverlayIP(event.DestIP) {
 				event.DestResourceID, isDestExitNode = l.statusRecorder.CheckRoutes(event.DestIP)
 			}

@@ -136,6 +138,10 @@ func (l *Logger) UpdateConfig(dnsCollection, exitNodeCollection bool) {
 	l.exitNodeCollection.Store(exitNodeCollection)
 }

+func (l *Logger) isOverlayIP(ip netip.Addr) bool {
+	return l.wgIfaceNet.Contains(ip) || (l.wgIfaceNetV6.IsValid() && l.wgIfaceNetV6.Contains(ip))
+}
+
 func (l *Logger) shouldStore(event *types.EventFields, isExitNode bool) bool {
 	// check dns collection
 	if !l.dnsCollection.Load() && event.Protocol == types.UDP &&
--- a/client/internal/netflow/logger/logger_test.go
+++ b/client/internal/netflow/logger/logger_test.go
@@ -12,7 +12,7 @@ import (
 )

 func TestStore(t *testing.T) {
-	logger := logger.New(nil, netip.Prefix{})
+	logger := logger.New(nil, netip.Prefix{}, netip.Prefix{})
 	logger.Enable()

 	event := types.EventFields{
--- a/client/internal/netflow/manager.go
+++ b/client/internal/netflow/manager.go
@@ -35,11 +35,12 @@ type Manager struct {

 // NewManager creates a new netflow manager
 func NewManager(iface nftypes.IFaceMapper, publicKey []byte, statusRecorder *peer.Status) *Manager {
-	var prefix netip.Prefix
+	var prefix, prefixV6 netip.Prefix
 	if iface != nil {
 		prefix = iface.Address().Network
+		prefixV6 = iface.Address().IPv6Net
 	}
-	flowLogger := logger.New(statusRecorder, prefix)
+	flowLogger := logger.New(statusRecorder, prefix, prefixV6)

 	var ct nftypes.ConnTracker
 	if runtime.GOOS == "linux" && iface != nil && !iface.IsUserspaceBind() {
@@ -269,7 +270,7 @@ func toProtoEvent(publicKey []byte, event *nftypes.Event) *proto.FlowEvent {
 		},
 	}

-	if event.Protocol == nftypes.ICMP {
+	if event.Protocol == nftypes.ICMP || event.Protocol == nftypes.ICMPv6 {
 		protoEvent.FlowFields.ConnectionInfo = &proto.FlowFields_IcmpInfo{
 			IcmpInfo: &proto.ICMPInfo{
 				IcmpType: uint32(event.ICMPType),
--- a/client/internal/netflow/types/types.go
+++ b/client/internal/netflow/types/types.go
@@ -19,6 +19,7 @@ const (
 	ICMP            = Protocol(1)
 	TCP             = Protocol(6)
 	UDP             = Protocol(17)
+	ICMPv6          = Protocol(58)
 	SCTP            = Protocol(132)
 )

@@ -30,6 +31,8 @@ func (p Protocol) String() string {
 		return "TCP"
 	case 17:
 		return "UDP"
+	case 58:
+		return "ICMPv6"
 	case 132:
 		return "SCTP"
 	default:
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -53,6 +53,7 @@ type RouterState struct {
 type State struct {
 	Mux                        *sync.RWMutex
 	IP                         string
+	IPv6                       string
 	PubKey                     string
 	FQDN                       string
 	ConnStatus                 ConnStatus
@@ -106,6 +107,7 @@ func (s *State) GetRoutes() map[string]struct{} {
 // LocalPeerState contains the latest state of the local peer
 type LocalPeerState struct {
 	IP              string
+	IPv6            string
 	PubKey          string
 	KernelInterface bool
 	FQDN            string
@@ -259,7 +261,7 @@ func (d *Status) ReplaceOfflinePeers(replacement []State) {
 }

 // AddPeer adds peer to Daemon status map
-func (d *Status) AddPeer(peerPubKey string, fqdn string, ip string) error {
+func (d *Status) AddPeer(peerPubKey string, fqdn string, ip string, ipv6 string) error {
 	d.mux.Lock()
 	defer d.mux.Unlock()

@@ -270,6 +272,7 @@ func (d *Status) AddPeer(peerPubKey string, fqdn string, ip string) error {
 	d.peers[peerPubKey] = State{
 		PubKey:     peerPubKey,
 		IP:         ip,
+		IPv6:       ipv6,
 		ConnStatus: StatusIdle,
 		FQDN:       fqdn,
 		Mux:        new(sync.RWMutex),
@@ -710,6 +713,9 @@ func (d *Status) UpdateLocalPeerState(localPeerState LocalPeerState) {
 	d.localPeer = localPeerState
 	fqdn := d.localPeer.FQDN
 	ip := d.localPeer.IP
+	if d.localPeer.IPv6 != "" {
+		ip = ip + "\n" + d.localPeer.IPv6
+	}
 	d.mux.Unlock()

 	d.notifier.localAddressChanged(fqdn, ip)
@@ -1316,6 +1322,7 @@ func (fs FullStatus) ToProto() *proto.FullStatus {
 	}

 	pbFullStatus.LocalPeerState.IP = fs.LocalPeerState.IP
+	pbFullStatus.LocalPeerState.Ipv6 = fs.LocalPeerState.IPv6
 	pbFullStatus.LocalPeerState.PubKey = fs.LocalPeerState.PubKey
 	pbFullStatus.LocalPeerState.KernelInterface = fs.LocalPeerState.KernelInterface
 	pbFullStatus.LocalPeerState.Fqdn = fs.LocalPeerState.FQDN
@@ -1331,6 +1338,7 @@ func (fs FullStatus) ToProto() *proto.FullStatus {

 		pbPeerState := &proto.PeerState{
 			IP:                         peerState.IP,
+			Ipv6:                       peerState.IPv6,
 			PubKey:                     peerState.PubKey,
 			ConnStatus:                 peerState.ConnStatus.String(),
 			ConnStatusUpdate:           timestamppb.New(peerState.ConnStatusUpdate),
--- a/client/internal/peer/status_test.go
+++ b/client/internal/peer/status_test.go
@@ -8,19 +8,20 @@ import (
 	"time"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestAddPeer(t *testing.T) {
 	key := "abc"
 	ip := "100.108.254.1"
 	status := NewRecorder("https://mgm")
-	err := status.AddPeer(key, "abc.netbird", ip)
+	err := status.AddPeer(key, "abc.netbird", ip, "")
 	assert.NoError(t, err, "shouldn't return error")

 	_, exists := status.peers[key]
 	assert.True(t, exists, "value was found")

-	err = status.AddPeer(key, "abc.netbird", ip)
+	err = status.AddPeer(key, "abc.netbird", ip, "")

 	assert.Error(t, err, "should return error on duplicate")
 }
@@ -29,7 +30,7 @@ func TestGetPeer(t *testing.T) {
 	key := "abc"
 	ip := "100.108.254.1"
 	status := NewRecorder("https://mgm")
-	err := status.AddPeer(key, "abc.netbird", ip)
+	err := status.AddPeer(key, "abc.netbird", ip, "")
 	assert.NoError(t, err, "shouldn't return error")

 	peerStatus, err := status.GetPeer(key)
@@ -46,7 +47,7 @@ func TestUpdatePeerState(t *testing.T) {
 	ip := "10.10.10.10"
 	fqdn := "peer-a.netbird.local"
 	status := NewRecorder("https://mgm")
-	_ = status.AddPeer(key, fqdn, ip)
+	require.NoError(t, status.AddPeer(key, fqdn, ip, ""))

 	peerState := State{
 		PubKey:           key,
@@ -85,7 +86,7 @@ func TestGetPeerStateChangeNotifierLogic(t *testing.T) {
 	key := "abc"
 	ip := "10.10.10.10"
 	status := NewRecorder("https://mgm")
-	_ = status.AddPeer(key, "abc.netbird", ip)
+	_ = status.AddPeer(key, "abc.netbird", ip, "")

 	sub := status.SubscribeToPeerStateChanges(context.Background(), key)
 	assert.NotNil(t, sub, "channel shouldn't be nil")
--- a/client/internal/profilemanager/config.go
+++ b/client/internal/profilemanager/config.go
@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
+	"net"
 	"net/url"
 	"os"
 	"os/user"
@@ -89,6 +90,7 @@ type ConfigInput struct {
 	DisableFirewall     *bool
 	BlockLANAccess      *bool
 	BlockInbound        *bool
+	DisableIPv6         *bool

 	DisableNotifications *bool

@@ -127,6 +129,7 @@ type Config struct {
 	DisableFirewall     bool
 	BlockLANAccess      bool
 	BlockInbound        bool
+	DisableIPv6         bool

 	DisableNotifications *bool

@@ -542,6 +545,12 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}

+	if input.DisableIPv6 != nil && *input.DisableIPv6 != config.DisableIPv6 {
+		log.Infof("setting IPv6 overlay disabled=%v", *input.DisableIPv6)
+		config.DisableIPv6 = *input.DisableIPv6
+		updated = true
+	}
+
 	if input.DisableNotifications != nil && input.DisableNotifications != config.DisableNotifications {
 		if *input.DisableNotifications {
 			log.Infof("disabling notifications")
@@ -751,8 +760,7 @@ func UpdateOldManagementURL(ctx context.Context, config *Config, configPath stri
 		return config, nil
 	}

-	newURL, err := parseURL("Management URL", fmt.Sprintf("%s://%s:%d",
-		config.ManagementURL.Scheme, defaultManagementURL.Hostname(), 443))
+	newURL, err := parseURL("Management URL", fmt.Sprintf("%s://%s", config.ManagementURL.Scheme, net.JoinHostPort(defaultManagementURL.Hostname(), "443")))
 	if err != nil {
 		return nil, err
 	}
--- a/client/internal/relay/relay.go
+++ b/client/internal/relay/relay.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"strconv"
 	"sync"
 	"time"

@@ -257,7 +258,7 @@ func (p *StunTurnProbe) probeTURN(ctx context.Context, uri *stun.URI) (addr stri
 		}
 	}()

-	turnServerAddr := fmt.Sprintf("%s:%d", uri.Host, uri.Port)
+	turnServerAddr := net.JoinHostPort(uri.Host, strconv.Itoa(uri.Port))

 	var conn net.PacketConn
 	switch uri.Proto {
--- a/client/internal/rosenpass/manager.go
+++ b/client/internal/rosenpass/manager.go
@@ -75,7 +75,7 @@ func (m *Manager) addPeer(rosenpassPubKey []byte, rosenpassAddr string, wireGuar
 		if err != nil {
 			return fmt.Errorf("failed to parse rosenpass address: %w", err)
 		}
-		peerAddr := fmt.Sprintf("%s:%s", wireGuardIP, strPort)
+		peerAddr := net.JoinHostPort(wireGuardIP, strPort)
 		if pcfg.Endpoint, err = net.ResolveUDPAddr("udp", peerAddr); err != nil {
 			return fmt.Errorf("failed to resolve peer endpoint address: %w", err)
 		}
@@ -259,6 +259,9 @@ func findRandomAvailableUDPPort() (int, error) {
 	}
 	defer conn.Close()

-	splitAddress := strings.Split(conn.LocalAddr().String(), ":")
-	return strconv.Atoi(splitAddress[len(splitAddress)-1])
+	_, portStr, err := net.SplitHostPort(conn.LocalAddr().String())
+	if err != nil {
+		return 0, fmt.Errorf("parse local address %s: %w", conn.LocalAddr(), err)
+	}
+	return strconv.Atoi(portStr)
 }
--- a/client/internal/rosenpass/manager_test.go
+++ b/client/internal/rosenpass/manager_test.go
@@ -0,0 +1,14 @@
+package rosenpass
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestFindRandomAvailableUDPPort(t *testing.T) {
+	port, err := findRandomAvailableUDPPort()
+	require.NoError(t, err)
+	require.Greater(t, port, 0)
+	require.LessOrEqual(t, port, 65535)
+}
--- a/client/internal/routemanager/client/client.go
+++ b/client/internal/routemanager/client/client.go
@@ -3,9 +3,8 @@ package client
 import (
 	"context"
 	"fmt"
-	"net"
+	"net/netip"
 	"reflect"
-	"strconv"
 	"time"

 	log "github.com/sirupsen/logrus"
@@ -566,7 +565,7 @@ func HandlerFromRoute(params common.HandlerParams) RouteHandler {
 		return dnsinterceptor.New(params)
 	case handlerTypeDynamic:
 		dns := nbdns.NewServiceViaMemory(params.WgInterface)
-		dnsAddr := net.JoinHostPort(dns.RuntimeIP().String(), strconv.Itoa(dns.RuntimePort()))
+		dnsAddr := netip.AddrPortFrom(dns.RuntimeIP(), uint16(dns.RuntimePort()))
 		return dynamic.NewRoute(params, dnsAddr)
 	default:
 		return static.NewRoute(params)
--- a/client/internal/routemanager/client/client_bench_test.go
+++ b/client/internal/routemanager/client/client_bench_test.go
@@ -46,7 +46,7 @@ func generateBenchmarkData(tier benchmarkTier) (*peer.Status, map[route.ID]*rout
 		fqdn := fmt.Sprintf("peer-%d.example.com", i)
 		ip := fmt.Sprintf("10.0.%d.%d", i/256, i%256)

-		err := statusRecorder.AddPeer(peerKey, fqdn, ip)
+		err := statusRecorder.AddPeer(peerKey, fqdn, ip, "")
 		if err != nil {
 			panic(fmt.Sprintf("failed to add peer: %v", err))
 		}
--- a/client/internal/routemanager/dnsinterceptor/handler.go
+++ b/client/internal/routemanager/dnsinterceptor/handler.go
@@ -582,7 +582,7 @@ func (d *DnsInterceptor) queryUpstreamDNS(ctx context.Context, w dns.ResponseWri
 	if nsNet != nil {
 		reply, err = nbdns.ExchangeWithNetstack(ctx, nsNet, r, upstream)
 	} else {
-		client, clientErr := nbdns.GetClientPrivate(d.wgInterface.Address().IP, d.wgInterface.Name(), dnsTimeout)
+		client, clientErr := nbdns.GetClientPrivate(d.wgInterface, upstreamIP, dnsTimeout)
 		if clientErr != nil {
 			d.writeDNSError(w, r, logger, fmt.Sprintf("create DNS client: %v", clientErr))
 			return nil
--- a/client/internal/routemanager/dynamic/route.go
+++ b/client/internal/routemanager/dynamic/route.go
@@ -50,10 +50,10 @@ type Route struct {
 	cancel               context.CancelFunc
 	statusRecorder       *peer.Status
 	wgInterface          iface.WGIface
-	resolverAddr         string
+	resolverAddr         netip.AddrPort
 }

-func NewRoute(params common.HandlerParams, resolverAddr string) *Route {
+func NewRoute(params common.HandlerParams, resolverAddr netip.AddrPort) *Route {
 	return &Route{
 		route:                params.Route,
 		routeRefCounter:      params.RouteRefCounter,
--- a/client/internal/routemanager/dynamic/route_ios.go
+++ b/client/internal/routemanager/dynamic/route_ios.go
@@ -17,37 +17,47 @@ import (
 const dialTimeout = 10 * time.Second

 func (r *Route) getIPsFromResolver(domain domain.Domain) ([]net.IP, error) {
-	privateClient, err := nbdns.GetClientPrivate(r.wgInterface.Address().IP, r.wgInterface.Name(), dialTimeout)
+	privateClient, err := nbdns.GetClientPrivate(r.wgInterface, r.resolverAddr.Addr(), dialTimeout)
 	if err != nil {
 		return nil, fmt.Errorf("error while creating private client: %s", err)
 	}

-	msg := new(dns.Msg)
-	msg.SetQuestion(dns.Fqdn(domain.PunycodeString()), dns.TypeA)
-
+	fqdn := dns.Fqdn(domain.PunycodeString())
 	startTime := time.Now()

-	response, _, err := nbdns.ExchangeWithFallback(nil, privateClient, msg, r.resolverAddr)
-	if err != nil {
-		return nil, fmt.Errorf("DNS query for %s failed after %s: %s ", domain.SafeString(), time.Since(startTime), err)
-	}
+	var ips []net.IP
+	var queryErr error

-	if response.Rcode != dns.RcodeSuccess {
-		return nil, fmt.Errorf("dns response code: %s", dns.RcodeToString[response.Rcode])
-	}
+	for _, qtype := range []uint16{dns.TypeA, dns.TypeAAAA} {
+		msg := new(dns.Msg)
+		msg.SetQuestion(fqdn, qtype)

-	ips := make([]net.IP, 0)
-
-	for _, answ := range response.Answer {
-		if aRecord, ok := answ.(*dns.A); ok {
-			ips = append(ips, aRecord.A)
+		response, _, err := nbdns.ExchangeWithFallback(nil, privateClient, msg, r.resolverAddr.String())
+		if err != nil {
+			if queryErr == nil {
+				queryErr = fmt.Errorf("DNS query for %s (type %d) after %s: %w", domain.SafeString(), qtype, time.Since(startTime), err)
+			}
+			continue
 		}
-		if aaaaRecord, ok := answ.(*dns.AAAA); ok {
-			ips = append(ips, aaaaRecord.AAAA)
+
+		if response.Rcode != dns.RcodeSuccess {
+			continue
+		}
+
+		for _, answ := range response.Answer {
+			if aRecord, ok := answ.(*dns.A); ok {
+				ips = append(ips, aRecord.A)
+			}
+			if aaaaRecord, ok := answ.(*dns.AAAA); ok {
+				ips = append(ips, aaaaRecord.AAAA)
+			}
 		}
 	}

 	if len(ips) == 0 {
+		if queryErr != nil {
+			return nil, queryErr
+		}
 		return nil, fmt.Errorf("no A or AAAA records found for %s", domain.SafeString())
 	}

--- a/client/internal/routemanager/fakeip/fakeip.go
+++ b/client/internal/routemanager/fakeip/fakeip.go
@@ -1,93 +1,145 @@
 package fakeip

 import (
+	"errors"
 	"fmt"
 	"net/netip"
 	"sync"
 )

-// Manager manages allocation of fake IPs from the 240.0.0.0/8 block
-type Manager struct {
-	mu         sync.Mutex
-	nextIP     netip.Addr                // Next IP to allocate
+var (
+	// 240.0.0.1 - 240.255.255.254, block 240.0.0.0/8 (reserved, RFC 1112)
+	v4Base  = netip.AddrFrom4([4]byte{240, 0, 0, 1})
+	v4Max   = netip.AddrFrom4([4]byte{240, 255, 255, 254})
+	v4Block = netip.PrefixFrom(netip.AddrFrom4([4]byte{240, 0, 0, 0}), 8)
+
+	// 0100::1 - 0100::ffff:ffff:ffff:fffe, block 0100::/64 (discard, RFC 6666)
+	v6Base  = netip.AddrFrom16([16]byte{0x01, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01})
+	v6Max   = netip.AddrFrom16([16]byte{0x01, 0x00, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe})
+	v6Block = netip.PrefixFrom(netip.AddrFrom16([16]byte{0x01, 0x00}), 64)
+)
+
+// fakeIPPool holds the allocation state for a single address family.
+type fakeIPPool struct {
+	nextIP     netip.Addr
+	baseIP     netip.Addr
+	maxIP      netip.Addr
+	block      netip.Prefix
 	allocated  map[netip.Addr]netip.Addr // real IP -> fake IP
 	fakeToReal map[netip.Addr]netip.Addr // fake IP -> real IP
-	baseIP     netip.Addr                // First usable IP: 240.0.0.1
-	maxIP      netip.Addr                // Last usable IP: 240.255.255.254
 }

-// NewManager creates a new fake IP manager using 240.0.0.0/8 block
-func NewManager() *Manager {
-	baseIP := netip.AddrFrom4([4]byte{240, 0, 0, 1})
-	maxIP := netip.AddrFrom4([4]byte{240, 255, 255, 254})
-
-	return &Manager{
-		nextIP:     baseIP,
+func newPool(base, maxAddr netip.Addr, block netip.Prefix) *fakeIPPool {
+	return &fakeIPPool{
+		nextIP:     base,
+		baseIP:     base,
+		maxIP:      maxAddr,
+		block:      block,
 		allocated:  make(map[netip.Addr]netip.Addr),
 		fakeToReal: make(map[netip.Addr]netip.Addr),
-		baseIP:     baseIP,
-		maxIP:      maxIP,
 	}
 }

-// AllocateFakeIP allocates a fake IP for the given real IP
-// Returns the fake IP, or existing fake IP if already allocated
-func (m *Manager) AllocateFakeIP(realIP netip.Addr) (netip.Addr, error) {
-	if !realIP.Is4() {
-		return netip.Addr{}, fmt.Errorf("only IPv4 addresses supported")
-	}
-
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	if fakeIP, exists := m.allocated[realIP]; exists {
+// allocate allocates a fake IP for the given real IP.
+// Returns the existing fake IP if already allocated.
+func (p *fakeIPPool) allocate(realIP netip.Addr) (netip.Addr, error) {
+	if fakeIP, exists := p.allocated[realIP]; exists {
 		return fakeIP, nil
 	}

-	startIP := m.nextIP
+	startIP := p.nextIP
 	for {
-		currentIP := m.nextIP
+		currentIP := p.nextIP

 		// Advance to next IP, wrapping at boundary
-		if m.nextIP.Compare(m.maxIP) >= 0 {
-			m.nextIP = m.baseIP
+		if p.nextIP.Compare(p.maxIP) >= 0 {
+			p.nextIP = p.baseIP
 		} else {
-			m.nextIP = m.nextIP.Next()
+			p.nextIP = p.nextIP.Next()
 		}

-		// Check if current IP is available
-		if _, inUse := m.fakeToReal[currentIP]; !inUse {
-			m.allocated[realIP] = currentIP
-			m.fakeToReal[currentIP] = realIP
+		if _, inUse := p.fakeToReal[currentIP]; !inUse {
+			p.allocated[realIP] = currentIP
+			p.fakeToReal[currentIP] = realIP
 			return currentIP, nil
 		}

-		// Prevent infinite loop if all IPs exhausted
-		if m.nextIP.Compare(startIP) == 0 {
-			return netip.Addr{}, fmt.Errorf("no more fake IPs available in 240.0.0.0/8 block")
+		if p.nextIP.Compare(startIP) == 0 {
+			return netip.Addr{}, fmt.Errorf("no more fake IPs available in %s block", p.block)
 		}
 	}
 }

-// GetFakeIP returns the fake IP for a real IP if it exists
+// Manager manages allocation of fake IPs for dynamic DNS routes.
+// IPv4 uses 240.0.0.0/8 (reserved), IPv6 uses 0100::/64 (discard, RFC 6666).
+type Manager struct {
+	mu sync.Mutex
+	v4 *fakeIPPool
+	v6 *fakeIPPool
+}
+
+// NewManager creates a new fake IP manager.
+func NewManager() *Manager {
+	return &Manager{
+		v4: newPool(v4Base, v4Max, v4Block),
+		v6: newPool(v6Base, v6Max, v6Block),
+	}
+}
+
+func (m *Manager) pool(ip netip.Addr) *fakeIPPool {
+	if ip.Is6() {
+		return m.v6
+	}
+	return m.v4
+}
+
+// AllocateFakeIP allocates a fake IP for the given real IP.
+func (m *Manager) AllocateFakeIP(realIP netip.Addr) (netip.Addr, error) {
+	realIP = realIP.Unmap()
+	if !realIP.IsValid() {
+		return netip.Addr{}, errors.New("invalid IP address")
+	}
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	return m.pool(realIP).allocate(realIP)
+}
+
+// GetFakeIP returns the fake IP for a real IP if it exists.
 func (m *Manager) GetFakeIP(realIP netip.Addr) (netip.Addr, bool) {
+	realIP = realIP.Unmap()
+	if !realIP.IsValid() {
+		return netip.Addr{}, false
+	}
+
 	m.mu.Lock()
 	defer m.mu.Unlock()

-	fakeIP, exists := m.allocated[realIP]
-	return fakeIP, exists
+	fakeIP, ok := m.pool(realIP).allocated[realIP]
+	return fakeIP, ok
 }

-// GetRealIP returns the real IP for a fake IP if it exists, otherwise false
+// GetRealIP returns the real IP for a fake IP if it exists.
 func (m *Manager) GetRealIP(fakeIP netip.Addr) (netip.Addr, bool) {
+	fakeIP = fakeIP.Unmap()
+	if !fakeIP.IsValid() {
+		return netip.Addr{}, false
+	}
+
 	m.mu.Lock()
 	defer m.mu.Unlock()

-	realIP, exists := m.fakeToReal[fakeIP]
-	return realIP, exists
+	realIP, ok := m.pool(fakeIP).fakeToReal[fakeIP]
+	return realIP, ok
 }

-// GetFakeIPBlock returns the fake IP block used by this manager
+// GetFakeIPBlock returns the v4 fake IP block used by this manager.
 func (m *Manager) GetFakeIPBlock() netip.Prefix {
-	return netip.MustParsePrefix("240.0.0.0/8")
+	return m.v4.block
+}
+
+// GetFakeIPv6Block returns the v6 fake IP block used by this manager.
+func (m *Manager) GetFakeIPv6Block() netip.Prefix {
+	return m.v6.block
 }
--- a/client/internal/routemanager/fakeip/fakeip_test.go
+++ b/client/internal/routemanager/fakeip/fakeip_test.go
@@ -9,16 +9,16 @@ import (
 func TestNewManager(t *testing.T) {
 	manager := NewManager()

-	if manager.baseIP.String() != "240.0.0.1" {
-		t.Errorf("Expected base IP 240.0.0.1, got %s", manager.baseIP.String())
+	if manager.v4.baseIP.String() != "240.0.0.1" {
+		t.Errorf("Expected v4 base IP 240.0.0.1, got %s", manager.v4.baseIP.String())
 	}

-	if manager.maxIP.String() != "240.255.255.254" {
-		t.Errorf("Expected max IP 240.255.255.254, got %s", manager.maxIP.String())
+	if manager.v4.maxIP.String() != "240.255.255.254" {
+		t.Errorf("Expected v4 max IP 240.255.255.254, got %s", manager.v4.maxIP.String())
 	}

-	if manager.nextIP.Compare(manager.baseIP) != 0 {
-		t.Errorf("Expected nextIP to start at baseIP")
+	if manager.v6.baseIP.String() != "100::1" {
+		t.Errorf("Expected v6 base IP 100::1, got %s", manager.v6.baseIP.String())
 	}
 }

@@ -35,7 +35,6 @@ func TestAllocateFakeIP(t *testing.T) {
 		t.Error("Fake IP should be IPv4")
 	}

-	// Check it's in the correct range
 	if fakeIP.As4()[0] != 240 {
 		t.Errorf("Fake IP should be in 240.0.0.0/8 range, got %s", fakeIP.String())
 	}
@@ -51,13 +50,31 @@ func TestAllocateFakeIP(t *testing.T) {
 	}
 }

-func TestAllocateFakeIPIPv6Rejection(t *testing.T) {
+func TestAllocateFakeIPv6(t *testing.T) {
 	manager := NewManager()
-	realIPv6 := netip.MustParseAddr("2001:db8::1")
+	realIP := netip.MustParseAddr("2001:db8::1")

-	_, err := manager.AllocateFakeIP(realIPv6)
-	if err == nil {
-		t.Error("Expected error for IPv6 address")
+	fakeIP, err := manager.AllocateFakeIP(realIP)
+	if err != nil {
+		t.Fatalf("Failed to allocate fake IPv6: %v", err)
+	}
+
+	if !fakeIP.Is6() {
+		t.Error("Fake IP should be IPv6")
+	}
+
+	if !netip.MustParsePrefix("100::/64").Contains(fakeIP) {
+		t.Errorf("Fake IP should be in 100::/64 range, got %s", fakeIP.String())
+	}
+
+	// Should return same fake IP for same real IP
+	fakeIP2, err := manager.AllocateFakeIP(realIP)
+	if err != nil {
+		t.Fatalf("Failed to get existing fake IPv6: %v", err)
+	}
+
+	if fakeIP.Compare(fakeIP2) != 0 {
+		t.Errorf("Expected same fake IP, got %s and %s", fakeIP.String(), fakeIP2.String())
 	}
 }

@@ -65,13 +82,11 @@ func TestGetFakeIP(t *testing.T) {
 	manager := NewManager()
 	realIP := netip.MustParseAddr("1.1.1.1")

-	// Should not exist initially
 	_, exists := manager.GetFakeIP(realIP)
 	if exists {
 		t.Error("Fake IP should not exist before allocation")
 	}

-	// Allocate and check
 	expectedFakeIP, err := manager.AllocateFakeIP(realIP)
 	if err != nil {
 		t.Fatalf("Failed to allocate: %v", err)
@@ -87,12 +102,30 @@ func TestGetFakeIP(t *testing.T) {
 	}
 }

+func TestGetRealIPv6(t *testing.T) {
+	manager := NewManager()
+	realIP := netip.MustParseAddr("2001:db8::1")
+
+	fakeIP, err := manager.AllocateFakeIP(realIP)
+	if err != nil {
+		t.Fatalf("Failed to allocate: %v", err)
+	}
+
+	gotReal, exists := manager.GetRealIP(fakeIP)
+	if !exists {
+		t.Error("Real IP should exist for allocated fake IP")
+	}
+
+	if gotReal.Compare(realIP) != 0 {
+		t.Errorf("Expected real IP %s, got %s", realIP, gotReal)
+	}
+}
+
 func TestMultipleAllocations(t *testing.T) {
 	manager := NewManager()

 	allocations := make(map[netip.Addr]netip.Addr)

-	// Allocate multiple IPs
 	for i := 1; i <= 100; i++ {
 		realIP := netip.AddrFrom4([4]byte{10, 0, byte(i / 256), byte(i % 256)})
 		fakeIP, err := manager.AllocateFakeIP(realIP)
@@ -100,7 +133,6 @@ func TestMultipleAllocations(t *testing.T) {
 			t.Fatalf("Failed to allocate fake IP for %s: %v", realIP.String(), err)
 		}

-		// Check for duplicates
 		for _, existingFake := range allocations {
 			if fakeIP.Compare(existingFake) == 0 {
 				t.Errorf("Duplicate fake IP allocated: %s", fakeIP.String())
@@ -110,7 +142,6 @@ func TestMultipleAllocations(t *testing.T) {
 		allocations[realIP] = fakeIP
 	}

-	// Verify all allocations can be retrieved
 	for realIP, expectedFake := range allocations {
 		actualFake, exists := manager.GetFakeIP(realIP)
 		if !exists {
@@ -124,11 +155,13 @@ func TestMultipleAllocations(t *testing.T) {

 func TestGetFakeIPBlock(t *testing.T) {
 	manager := NewManager()
-	block := manager.GetFakeIPBlock()

-	expected := "240.0.0.0/8"
-	if block.String() != expected {
-		t.Errorf("Expected %s, got %s", expected, block.String())
+	if block := manager.GetFakeIPBlock(); block.String() != "240.0.0.0/8" {
+		t.Errorf("Expected 240.0.0.0/8, got %s", block.String())
+	}
+
+	if block := manager.GetFakeIPv6Block(); block.String() != "100::/64" {
+		t.Errorf("Expected 100::/64, got %s", block.String())
 	}
 }

@@ -141,7 +174,6 @@ func TestConcurrentAccess(t *testing.T) {
 	var wg sync.WaitGroup
 	results := make(chan netip.Addr, numGoroutines*allocationsPerGoroutine)

-	// Concurrent allocations
 	for i := 0; i < numGoroutines; i++ {
 		wg.Add(1)
 		go func(goroutineID int) {
@@ -161,7 +193,6 @@ func TestConcurrentAccess(t *testing.T) {
 	wg.Wait()
 	close(results)

-	// Check for duplicates
 	seen := make(map[netip.Addr]bool)
 	count := 0
 	for fakeIP := range results {
@@ -178,47 +209,61 @@ func TestConcurrentAccess(t *testing.T) {
 }

 func TestIPExhaustion(t *testing.T) {
-	// Create a manager with limited range for testing
 	manager := &Manager{
-		nextIP:     netip.AddrFrom4([4]byte{240, 0, 0, 1}),
-		allocated:  make(map[netip.Addr]netip.Addr),
-		fakeToReal: make(map[netip.Addr]netip.Addr),
-		baseIP:     netip.AddrFrom4([4]byte{240, 0, 0, 1}),
-		maxIP:      netip.AddrFrom4([4]byte{240, 0, 0, 3}), // Only 3 IPs available
+		v4: newPool(
+			netip.AddrFrom4([4]byte{240, 0, 0, 1}),
+			netip.AddrFrom4([4]byte{240, 0, 0, 3}),
+			netip.MustParsePrefix("240.0.0.0/8"),
+		),
+		v6: newPool(
+			netip.MustParseAddr("100::1"),
+			netip.MustParseAddr("100::3"),
+			netip.MustParsePrefix("100::/64"),
+		),
 	}

-	// Allocate all available IPs
-	realIPs := []netip.Addr{
-		netip.MustParseAddr("1.0.0.1"),
-		netip.MustParseAddr("1.0.0.2"),
-		netip.MustParseAddr("1.0.0.3"),
-	}
-
-	for _, realIP := range realIPs {
-		_, err := manager.AllocateFakeIP(realIP)
+	for _, realIP := range []string{"1.0.0.1", "1.0.0.2", "1.0.0.3"} {
+		_, err := manager.AllocateFakeIP(netip.MustParseAddr(realIP))
 		if err != nil {
 			t.Fatalf("Failed to allocate fake IP: %v", err)
 		}
 	}

-	// Try to allocate one more - should fail
 	_, err := manager.AllocateFakeIP(netip.MustParseAddr("1.0.0.4"))
 	if err == nil {
-		t.Error("Expected exhaustion error")
+		t.Error("Expected v4 exhaustion error")
+	}
+
+	// Same for v6
+	for _, realIP := range []string{"2001:db8::1", "2001:db8::2", "2001:db8::3"} {
+		_, err := manager.AllocateFakeIP(netip.MustParseAddr(realIP))
+		if err != nil {
+			t.Fatalf("Failed to allocate fake IPv6: %v", err)
+		}
+	}
+
+	_, err = manager.AllocateFakeIP(netip.MustParseAddr("2001:db8::4"))
+	if err == nil {
+		t.Error("Expected v6 exhaustion error")
 	}
 }

 func TestWrapAround(t *testing.T) {
-	// Create manager starting near the end of range
 	manager := &Manager{
-		nextIP:     netip.AddrFrom4([4]byte{240, 0, 0, 254}),
-		allocated:  make(map[netip.Addr]netip.Addr),
-		fakeToReal: make(map[netip.Addr]netip.Addr),
-		baseIP:     netip.AddrFrom4([4]byte{240, 0, 0, 1}),
-		maxIP:      netip.AddrFrom4([4]byte{240, 0, 0, 254}),
+		v4: newPool(
+			netip.AddrFrom4([4]byte{240, 0, 0, 1}),
+			netip.AddrFrom4([4]byte{240, 0, 0, 254}),
+			netip.MustParsePrefix("240.0.0.0/8"),
+		),
+		v6: newPool(
+			netip.MustParseAddr("100::1"),
+			netip.MustParseAddr("100::ffff:ffff:ffff:fffe"),
+			netip.MustParsePrefix("100::/64"),
+		),
 	}
+	// Start near the end
+	manager.v4.nextIP = netip.AddrFrom4([4]byte{240, 0, 0, 254})

-	// Allocate the last IP
 	fakeIP1, err := manager.AllocateFakeIP(netip.MustParseAddr("1.0.0.1"))
 	if err != nil {
 		t.Fatalf("Failed to allocate first IP: %v", err)
@@ -228,7 +273,6 @@ func TestWrapAround(t *testing.T) {
 		t.Errorf("Expected 240.0.0.254, got %s", fakeIP1.String())
 	}

-	// Next allocation should wrap around to the beginning
 	fakeIP2, err := manager.AllocateFakeIP(netip.MustParseAddr("1.0.0.2"))
 	if err != nil {
 		t.Fatalf("Failed to allocate second IP: %v", err)
@@ -238,3 +282,32 @@ func TestWrapAround(t *testing.T) {
 		t.Errorf("Expected 240.0.0.1 after wrap, got %s", fakeIP2.String())
 	}
 }
+
+func TestMixedV4V6(t *testing.T) {
+	manager := NewManager()
+
+	v4Fake, err := manager.AllocateFakeIP(netip.MustParseAddr("8.8.8.8"))
+	if err != nil {
+		t.Fatalf("Failed to allocate v4: %v", err)
+	}
+
+	v6Fake, err := manager.AllocateFakeIP(netip.MustParseAddr("2001:db8::1"))
+	if err != nil {
+		t.Fatalf("Failed to allocate v6: %v", err)
+	}
+
+	if !v4Fake.Is4() || !v6Fake.Is6() {
+		t.Errorf("Wrong families: v4=%s v6=%s", v4Fake, v6Fake)
+	}
+
+	// Reverse lookups should work for both
+	gotV4, ok := manager.GetRealIP(v4Fake)
+	if !ok || gotV4.String() != "8.8.8.8" {
+		t.Errorf("v4 reverse lookup failed: got %s, ok=%v", gotV4, ok)
+	}
+
+	gotV6, ok := manager.GetRealIP(v6Fake)
+	if !ok || gotV6.String() != "2001:db8::1" {
+		t.Errorf("v6 reverse lookup failed: got %s, ok=%v", gotV6, ok)
+	}
+}
--- a/client/internal/routemanager/ipfwdstate/ipfwdstate.go
+++ b/client/internal/routemanager/ipfwdstate/ipfwdstate.go
@@ -9,7 +9,11 @@ import (
 )

 // IPForwardingState is a struct that keeps track of the IP forwarding state.
-// todo: read initial state of the IP forwarding from the system and reset the state based on it
+// todo: read initial state of the IP forwarding from the system and reset the state based on it.
+// todo: separate v4/v6 forwarding state, since the sysctls are independent
+// (net.ipv4.ip_forward vs net.ipv6.conf.all.forwarding). Currently the nftables
+// manager shares one instance between both routers, which works only because
+// EnableIPForwarding enables both sysctls in a single call.
 type IPForwardingState struct {
 	enabledCounter int
 }
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -159,16 +159,24 @@ func (m *DefaultManager) setupAndroidRoutes(config ManagerConfig) {
 	if config.DNSFeatureFlag {
 		m.fakeIPManager = fakeip.NewManager()

-		id := uuid.NewString()
+		v4ID := uuid.NewString()
 		fakeIPRoute := &route.Route{
-			ID:          route.ID(id),
+			ID:          route.ID(v4ID),
 			Network:     m.fakeIPManager.GetFakeIPBlock(),
-			NetID:       route.NetID(id),
+			NetID:       route.NetID(v4ID),
 			Peer:        m.pubKey,
 			NetworkType: route.IPv4Network,
 		}
-		cr = append(cr, fakeIPRoute)
-		m.notifier.SetFakeIPRoute(fakeIPRoute)
+		v6ID := uuid.NewString()
+		fakeIPv6Route := &route.Route{
+			ID:          route.ID(v6ID),
+			Network:     m.fakeIPManager.GetFakeIPv6Block(),
+			NetID:       route.NetID(v6ID),
+			Peer:        m.pubKey,
+			NetworkType: route.IPv6Network,
+		}
+		cr = append(cr, fakeIPRoute, fakeIPv6Route)
+		m.notifier.SetFakeIPRoutes([]*route.Route{fakeIPRoute, fakeIPv6Route})
 	}

 	m.notifier.SetInitialClientRoutes(cr, routesForComparison)
--- a/client/internal/routemanager/manager_test.go
+++ b/client/internal/routemanager/manager_test.go
@@ -12,6 +12,7 @@ import (
 	"github.com/stretchr/testify/require"

 	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/route"
 )
@@ -409,7 +410,7 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			}
 			opts := iface.WGIFaceOpts{
 				IFaceName:    fmt.Sprintf("utun43%d", n),
-				Address:      "100.65.65.2/24",
+				Address:      wgaddr.MustParseWGAddress("100.65.65.2/24"),
 				WGPort:       33100,
 				WGPrivKey:    peerPrivateKey.String(),
 				MTU:          iface.DefaultMTU,
--- a/client/internal/routemanager/notifier/notifier_android.go
+++ b/client/internal/routemanager/notifier/notifier_android.go
@@ -16,7 +16,7 @@ import (
 type Notifier struct {
 	initialRoutes []*route.Route
 	currentRoutes []*route.Route
-	fakeIPRoute   *route.Route
+	fakeIPRoutes []*route.Route

 	listener    listener.NetworkChangeListener
 	listenerMux sync.Mutex
@@ -38,9 +38,9 @@ func (n *Notifier) SetInitialClientRoutes(initialRoutes []*route.Route, routesFo
 	n.currentRoutes = filterStatic(routesForComparison)
 }

-// SetFakeIPRoute stores the fake IP route to be included in every TUN rebuild.
-func (n *Notifier) SetFakeIPRoute(r *route.Route) {
-	n.fakeIPRoute = r
+// SetFakeIPRoutes stores the fake IP routes to be included in every TUN rebuild.
+func (n *Notifier) SetFakeIPRoutes(routes []*route.Route) {
+	n.fakeIPRoutes = routes
 }

 func (n *Notifier) OnNewRoutes(idMap route.HAMap) {
@@ -74,14 +74,12 @@ func (n *Notifier) notify() {
 	}

 	allRoutes := slices.Clone(n.currentRoutes)
-	if n.fakeIPRoute != nil {
-		allRoutes = append(allRoutes, n.fakeIPRoute)
-	}
+	allRoutes = append(allRoutes, n.fakeIPRoutes...)

 	routeStrings := n.routesToStrings(allRoutes)
 	sort.Strings(routeStrings)
 	go func(l listener.NetworkChangeListener) {
-		l.OnNetworkChanged(strings.Join(n.addIPv6RangeIfNeeded(routeStrings, allRoutes), ","))
+		l.OnNetworkChanged(strings.Join(routeStrings, ","))
 	}(n.listener)
 }

@@ -119,14 +117,5 @@ func (n *Notifier) hasRouteDiff(a []*route.Route, b []*route.Route) bool {
 func (n *Notifier) GetInitialRouteRanges() []string {
 	initialStrings := n.routesToStrings(n.initialRoutes)
 	sort.Strings(initialStrings)
-	return n.addIPv6RangeIfNeeded(initialStrings, n.initialRoutes)
-}
-
-func (n *Notifier) addIPv6RangeIfNeeded(inputRanges []string, routes []*route.Route) []string {
-	for _, r := range routes {
-		if r.Network.Addr().Is4() && r.Network.Bits() == 0 {
-			return append(slices.Clone(inputRanges), "::/0")
-		}
-	}
-	return inputRanges
+	return initialStrings
 }
--- a/client/internal/routemanager/notifier/notifier_ios.go
+++ b/client/internal/routemanager/notifier/notifier_ios.go
@@ -34,7 +34,7 @@ func (n *Notifier) SetInitialClientRoutes([]*route.Route, []*route.Route) {
 	// iOS doesn't care about initial routes
 }

-func (n *Notifier) SetFakeIPRoute(*route.Route) {
+func (n *Notifier) SetFakeIPRoutes([]*route.Route) {
 	// Not used on iOS
 }

@@ -65,19 +65,10 @@ func (n *Notifier) notify() {
 	}

 	go func(l listener.NetworkChangeListener) {
-		l.OnNetworkChanged(strings.Join(n.addIPv6RangeIfNeeded(n.currentPrefixes), ","))
+		l.OnNetworkChanged(strings.Join(n.currentPrefixes, ","))
 	}(n.listener)
 }

 func (n *Notifier) GetInitialRouteRanges() []string {
 	return nil
 }
-
-func (n *Notifier) addIPv6RangeIfNeeded(inputRanges []string) []string {
-	for _, r := range inputRanges {
-		if r == "0.0.0.0/0" {
-			return append(slices.Clone(inputRanges), "::/0")
-		}
-	}
-	return inputRanges
-}
--- a/client/internal/routemanager/notifier/notifier_other.go
+++ b/client/internal/routemanager/notifier/notifier_other.go
@@ -23,7 +23,7 @@ func (n *Notifier) SetInitialClientRoutes([]*route.Route, []*route.Route) {
 	// Not used on non-mobile platforms
 }

-func (n *Notifier) SetFakeIPRoute(*route.Route) {
+func (n *Notifier) SetFakeIPRoutes([]*route.Route) {
 	// Not used on non-mobile platforms
 }

--- a/client/internal/routemanager/server/server.go
+++ b/client/internal/routemanager/server/server.go
@@ -21,6 +21,7 @@ type Router struct {
 	firewall       firewall.Manager
 	wgInterface    iface.WGIface
 	statusRecorder *peer.Status
+	useNewDNSRoute bool
 }

 func NewRouter(ctx context.Context, wgInterface iface.WGIface, firewall firewall.Manager, statusRecorder *peer.Status) (*Router, error) {
@@ -37,6 +38,8 @@ func (r *Router) UpdateRoutes(routesMap map[route.ID]*route.Route, useNewDNSRout
 	r.mux.Lock()
 	defer r.mux.Unlock()

+	prevUseNewDNSRoute := r.useNewDNSRoute
+
 	serverRoutesToRemove := make([]route.ID, 0)

 	for routeID := range r.routes {
@@ -48,7 +51,7 @@ func (r *Router) UpdateRoutes(routesMap map[route.ID]*route.Route, useNewDNSRout

 	for _, routeID := range serverRoutesToRemove {
 		oldRoute := r.routes[routeID]
-		err := r.removeFromServerNetwork(oldRoute)
+		err := r.removeFromServerNetwork(oldRoute, prevUseNewDNSRoute)
 		if err != nil {
 			log.Errorf("Unable to remove route id: %s, network %s, from server, got: %v",
 				oldRoute.ID, oldRoute.Network, err)
@@ -56,6 +59,8 @@ func (r *Router) UpdateRoutes(routesMap map[route.ID]*route.Route, useNewDNSRout
 		delete(r.routes, routeID)
 	}

+	r.useNewDNSRoute = useNewDNSRoute
+
 	// If routing is to be disabled, do it after routes have been removed
 	// If routing is to be enabled, do it before adding new routes; addToServerNetwork needs routing to be enabled
 	if len(routesMap) > 0 {
@@ -85,13 +90,13 @@ func (r *Router) UpdateRoutes(routesMap map[route.ID]*route.Route, useNewDNSRout
 	return nil
 }

-func (r *Router) removeFromServerNetwork(route *route.Route) error {
+func (r *Router) removeFromServerNetwork(route *route.Route, useNewDNSRoute bool) error {
 	if r.ctx.Err() != nil {
 		log.Infof("Not removing from server network because context is done")
 		return r.ctx.Err()
 	}

-	routerPair := routeToRouterPair(route, false)
+	routerPair := routeToRouterPair(route, useNewDNSRoute)
 	if err := r.firewall.RemoveNatRule(routerPair); err != nil {
 		return fmt.Errorf("remove routing rules: %w", err)
 	}
@@ -124,7 +129,7 @@ func (r *Router) CleanUp() {
 	defer r.mux.Unlock()

 	for _, route := range r.routes {
-		routerPair := routeToRouterPair(route, false)
+		routerPair := routeToRouterPair(route, r.useNewDNSRoute)
 		if err := r.firewall.RemoveNatRule(routerPair); err != nil {
 			log.Errorf("Failed to remove cleanup route: %v", err)
 		}
@@ -146,8 +151,7 @@ func routeToRouterPair(route *route.Route, useNewDNSRoute bool) firewall.RouterP
 		if useNewDNSRoute {
 			destination.Set = firewall.NewDomainSet(route.Domains)
 		} else {
-			// TODO: add ipv6 additionally
-			destination = getDefaultPrefix(destination.Prefix)
+			destination = getDefaultPrefix(route.Network)
 		}
 	} else {
 		destination.Prefix = route.Network.Masked()
@@ -158,6 +162,7 @@ func routeToRouterPair(route *route.Route, useNewDNSRoute bool) firewall.RouterP
 		Source:      source,
 		Destination: destination,
 		Masquerade:  route.Masquerade,
+		Dynamic:     route.IsDynamic(),
 	}
 }

--- a/client/internal/routemanager/systemops/systemops.go
+++ b/client/internal/routemanager/systemops/systemops.go
@@ -107,8 +107,16 @@ func (r *SysOps) validateRoute(prefix netip.Prefix) error {
 		addr.IsInterfaceLocalMulticast(),
 		addr.IsMulticast(),
 		addr.IsUnspecified() && prefix.Bits() != 0,
-		r.wgInterface.Address().Network.Contains(addr):
+		r.isOwnAddress(addr):
 		return vars.ErrRouteNotAllowed
 	}
 	return nil
 }
+
+func (r *SysOps) isOwnAddress(addr netip.Addr) bool {
+	if r.wgInterface == nil {
+		return false
+	}
+	wgAddr := r.wgInterface.Address()
+	return wgAddr.Network.Contains(addr) || (wgAddr.IPv6Net.IsValid() && wgAddr.IPv6Net.Contains(addr))
+}
--- a/client/internal/routemanager/systemops/systemops_generic.go
+++ b/client/internal/routemanager/systemops/systemops_generic.go
@@ -221,30 +221,20 @@ func (r *SysOps) genericAddVPNRoute(prefix netip.Prefix, intf *net.Interface) er
 			return err
 		}

-		// TODO: remove once IPv6 is supported on the interface
-		if err := r.addToRouteTable(splitDefaultv6_1, nextHop); err != nil {
-			return fmt.Errorf("add unreachable route split 1: %w", err)
-		}
-		if err := r.addToRouteTable(splitDefaultv6_2, nextHop); err != nil {
-			if err2 := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err2 != nil {
-				log.Warnf("Failed to rollback route addition: %s", err2)
+		// When the interface has no v6, add v6 split-default as blackhole so
+		// unroutable v6 goes to WG (dropped, no AllowedIPs) instead of leaking
+		// to the system default route. When v6 is active, management sends ::/0
+		// as a separate route that the dedicated handler adds.
+		// Soft-fail: v6 blackhole is best-effort, don't abort v4 routing on failure.
+		if !r.wgInterface.Address().HasIPv6() {
+			if err := r.addV6SplitDefault(nextHop); err != nil {
+				log.Warnf("failed to add v6 split-default blackhole: %s", err)
 			}
-			return fmt.Errorf("add unreachable route split 2: %w", err)
 		}

 		return nil
 	case vars.Defaultv6:
-		if err := r.addToRouteTable(splitDefaultv6_1, nextHop); err != nil {
-			return fmt.Errorf("add unreachable route split 1: %w", err)
-		}
-		if err := r.addToRouteTable(splitDefaultv6_2, nextHop); err != nil {
-			if err2 := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err2 != nil {
-				log.Warnf("Failed to rollback route addition: %s", err2)
-			}
-			return fmt.Errorf("add unreachable route split 2: %w", err)
-		}
-
-		return nil
+		return r.addV6SplitDefault(nextHop)
 	}

 	return r.addToRouteTable(prefix, nextHop)
@@ -265,30 +255,42 @@ func (r *SysOps) genericRemoveVPNRoute(prefix netip.Prefix, intf *net.Interface)
 			result = multierror.Append(result, err)
 		}

-		// TODO: remove once IPv6 is supported on the interface
-		if err := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err != nil {
-			result = multierror.Append(result, err)
-		}
-		if err := r.removeFromRouteTable(splitDefaultv6_2, nextHop); err != nil {
-			result = multierror.Append(result, err)
+		if !r.wgInterface.Address().HasIPv6() {
+			result = multierror.Append(result, r.removeV6SplitDefault(nextHop))
 		}

 		return nberrors.FormatErrorOrNil(result)
 	case vars.Defaultv6:
-		var result *multierror.Error
-		if err := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err != nil {
-			result = multierror.Append(result, err)
-		}
-		if err := r.removeFromRouteTable(splitDefaultv6_2, nextHop); err != nil {
-			result = multierror.Append(result, err)
-		}
-
-		return nberrors.FormatErrorOrNil(result)
+		return nberrors.FormatErrorOrNil(r.removeV6SplitDefault(nextHop))
 	default:
 		return r.removeFromRouteTable(prefix, nextHop)
 	}
 }

+func (r *SysOps) addV6SplitDefault(nextHop Nexthop) error {
+	if err := r.addToRouteTable(splitDefaultv6_1, nextHop); err != nil {
+		return fmt.Errorf("add split 1: %w", err)
+	}
+	if err := r.addToRouteTable(splitDefaultv6_2, nextHop); err != nil {
+		if err2 := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err2 != nil {
+			log.Warnf("Failed to rollback v6 split-default: %s", err2)
+		}
+		return fmt.Errorf("add split 2: %w", err)
+	}
+	return nil
+}
+
+func (r *SysOps) removeV6SplitDefault(nextHop Nexthop) *multierror.Error {
+	var result *multierror.Error
+	if err := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err != nil {
+		result = multierror.Append(result, err)
+	}
+	if err := r.removeFromRouteTable(splitDefaultv6_2, nextHop); err != nil {
+		result = multierror.Append(result, err)
+	}
+	return result
+}
+
 func (r *SysOps) setupHooks(initAddresses []net.IP, stateManager *statemanager.Manager) error {
 	beforeHook := func(connID hooks.ConnectionID, prefix netip.Prefix) error {
 		if _, err := r.refCounter.IncrementWithID(string(connID), prefix, struct{}{}); err != nil {
--- a/client/internal/routemanager/systemops/systemops_generic_test.go
+++ b/client/internal/routemanager/systemops/systemops_generic_test.go
@@ -21,6 +21,7 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

 	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/routemanager/vars"
 	nbnet "github.com/netbirdio/netbird/client/net"
 )
@@ -445,7 +446,7 @@ func createWGInterface(t *testing.T, interfaceName, ipAddressCIDR string, listen

 	opts := iface.WGIFaceOpts{
 		IFaceName:    interfaceName,
-		Address:      ipAddressCIDR,
+		Address:      wgaddr.MustParseWGAddress(ipAddressCIDR),
 		WGPrivKey:    peerPrivateKey.String(),
 		WGPort:       listenPort,
 		MTU:          iface.DefaultMTU,
--- a/client/internal/routemanager/systemops/systemops_linux.go
+++ b/client/internal/routemanager/systemops/systemops_linux.go
@@ -53,6 +53,8 @@ const (

 	// ipv4ForwardingPath is the path to the file containing the IP forwarding setting.
 	ipv4ForwardingPath = "net.ipv4.ip_forward"
+	// ipv6ForwardingPath is the path to the file containing the IPv6 forwarding setting.
+	ipv6ForwardingPath = "net.ipv6.conf.all.forwarding"
 )

 var ErrTableIDExists = errors.New("ID exists with different name")
@@ -185,10 +187,11 @@ func (r *SysOps) AddVPNRoute(prefix netip.Prefix, intf *net.Interface) error {

 	// No need to check if routes exist as main table takes precedence over the VPN table via Rule 1

-	// TODO remove this once we have ipv6 support
-	if prefix == vars.Defaultv4 {
+	// When the peer has no IPv6, blackhole v6 to prevent leaking.
+	// When IPv6 is enabled, management sends ::/0 as a separate route.
+	if prefix == vars.Defaultv4 && (r.wgInterface == nil || !r.wgInterface.Address().HasIPv6()) {
 		if err := addUnreachableRoute(vars.Defaultv6, NetbirdVPNTableID); err != nil {
-			return fmt.Errorf("add blackhole: %w", err)
+			return fmt.Errorf("add v6 blackhole: %w", err)
 		}
 	}
 	if err := addRoute(prefix, Nexthop{netip.Addr{}, intf}, NetbirdVPNTableID); err != nil {
@@ -206,10 +209,9 @@ func (r *SysOps) RemoveVPNRoute(prefix netip.Prefix, intf *net.Interface) error
 		return r.genericRemoveVPNRoute(prefix, intf)
 	}

-	// TODO remove this once we have ipv6 support
-	if prefix == vars.Defaultv4 {
+	if prefix == vars.Defaultv4 && (r.wgInterface == nil || !r.wgInterface.Address().HasIPv6()) {
 		if err := removeUnreachableRoute(vars.Defaultv6, NetbirdVPNTableID); err != nil {
-			return fmt.Errorf("remove unreachable route: %w", err)
+			log.Debugf("remove v6 blackhole: %v", err)
 		}
 	}
 	if err := removeRoute(prefix, Nexthop{netip.Addr{}, intf}, NetbirdVPNTableID); err != nil {
@@ -762,8 +764,13 @@ func flushRoutes(tableID, family int) error {
 }

 func EnableIPForwarding() error {
-	_, err := sysctl.Set(ipv4ForwardingPath, 1, false)
-	return err
+	if _, err := sysctl.Set(ipv4ForwardingPath, 1, false); err != nil {
+		return err
+	}
+	if _, err := sysctl.Set(ipv6ForwardingPath, 1, false); err != nil {
+		log.Warnf("failed to enable IPv6 forwarding: %v", err)
+	}
+	return nil
 }

 // entryExists checks if the specified ID or name already exists in the rt_tables file