Tailscale and WireGuard® fully support IPv6.
Private IPv6 (“IPv6 inside the tunnel”)
IPv6 connectivity always works on your private Tailscale network, even if your ISP does not support IPv6.
Private IPv6 packets are encrypted and sent between Tailscale nodes through a WireGuard tunnel, even when that WireGuard tunnel must traverse IPv4 networks.
Every Tailscale node is always assigned an IPv6 private address from our ULA.
Subnet routes can be IPv4 or IPv6, or both.
Exit nodes fully support IPv6. You can exit through an IPv6-supporting exit node even if your client device’s ISP doesn’t have IPv6.
Ephemeral nodes use only IPv6, not IPv4, to avoid IPv4 address exhaustion.
Userspace networking mode supports IPv6 through emulation, even if it is completely disabled in your kernel.
Public IPv6 (“IPv6 outside the tunnel”)
Tailscale can make use of your ISP’s public IPv6 connection, if available, when negotiating connections between nodes. This only works when both nodes have an IPv6 address. Otherwise we fall back to IPv4.
IPv6 sometimes helps make NAT traversal work more efficiently, or removes the need for NAT traversal entirely. However, Tailscale also works fine over IPv4, if a public IPv6 connection is not available on both ends. IPv6 continues to work inside the tunnel in either case.