title: Proying IPv4 traffic via the ungleich VPN
---
pub_date: 2020-02-18
---
author: Timothée Floure
---
_hidden: no
---
_discoverable: yes
---
abstract:
DNS64 is now available for the ungleich VPN, allowing to reach the IPv4
world... on an IPv6-only VPN!

---
body:

We have been offering an [IPv6-capable VPN](https://ungleich.ch/ipv6/vpn/)
alongside our IPv6-only VPS hosting for a while in order to bring IPv6
connectivity to customers stuck in the IPv4 world. The service also allows you
to reach the IPv6-enabled side of global Internet but was not able to connect
to IPv4-only services (such as [github](https://github.com/)!), which can be
painful depending on your use-case.

This shortcoming is no more since we recently deployed two
[DNS64](https://en.wikipedia.org/wiki/IPv6_transition_mechanism#DNS64)
resolvers available to any VPN user. They will generate a synthetic IPv6
address for domains lacking an `AAAA` (i.e. IPv6) DNS record, which will in
turn be routed via our NAT64 gateway. You only have to configure
`2a0a:e5c0:2:12:0:f0ff:fea9:c451` and `2a0a:e5c0:2:12:0:f0ff:fea9:c45d` as DNS
servers when you are connected to the VPN: all the details and instructions are
available on [our
wiki](https://redmine.ungleich.ch/projects/open-infrastructure/wiki/Ungleich_IPv6_wireguard_VPN#Proxy-all-traffic-via-the-VPN), although it boils down to two lines in your wireguard configuration.

The above means that ungleich now provides a *fully-fledged* VPN! Note, however, that
direct IPv4 queries (i.e. requests 'bypassing' DNS resolution) won't be routed
though the VPN.  Full isolation can be achieved using network namespaces as
described in the [wireguard
documentation](https://www.wireguard.com/netns/#the-new-namespace-solution).
Feel free to [join our
chat](https://redmine.ungleich.ch/projects/open-infrastructure/wiki/CHATting_with_ungleich)
to discuss such (non-trivial) setup in details!