The basic question is per the subject line; filling in the details here.

I have WireGuard working with each peer having IPv4 and IPv6 addresses, and all of them are able to ping each other and also to the WAN through the central peer. The central peer is a Vultr VPS and has a /64 IPv6 prefix.

What I want to do:
- give each peer their own global IPv6 /128 address
- use case: anyone on those peers can host their own simple services, e.g. nextcloud, syncthing, rubywarden, etc.

So currently my solution is to do a binat to each WireGuard peer by using pf binat-to.

Given that one of the best uses of IPv6 is to remove NAT, I'd like to know how to do this without using binat-to.

I'm attaching my pf and WireGuard configuration files.

/etc/pf.conf -
##########
open_tcp="{ 80, 443 }"
# 6942 is ssh port
flood_tcp="{ 6942, 42069 }"
open_udp="{ 161 }" # use 161 for wireguard

# stop bruteforce attackers that try to hug of death
table <bruteforce> persist
table <pfbadhost> persist file "/etc/pf-badhost.txt"

# options for pf performance
set loginterface egress
set block-policy drop
set syncookies adaptive (start 25%, end 12%)
set skip on {lo, wg0}

block in quick on egress from <bruteforce>
block out quick on egress from <bruteforce>
block in quick on egress from <pfbadhost>
block out quick on egress to <pfbadhost>

block drop
pass in on wg0
pass proto icmp
pass proto icmp6

pass in on egress proto tcp from any to any port $flood_tcp \
    flags S/SA keep state \
    (max-src-conn-rate 1/3, \
    overload <bruteforce> flush global)

pass in on egress proto tcp from any to any port $open_tcp
pass in on egress proto udp from any to any port $open_udp

pass out
pass out on egress inet from wg0:network to any nat-to vio0

# nat to wireguard peers
anchor "wireguard/nat"
load anchor "wireguard" from "/etc/pf.conf.anchor.wireguard"

pf.conf.anchor.wireguard -
##########
anchor "nat" {
    pass on egress inet6 from fc00::6942:1 to any binat-to 2001:19f0:5:5cd5::1
    pass on egress inet6 from fc00::6942:2 to any binat-to 2001:19f0:5:5cd5::2
}

/etc/hostname.wg0 -
##########
inet alias 10.7.0.17 255.255.255.0 10.7.0.255
inet6 alias fc00::6942:17 112
inet6 alias 2001:19f0:5:5cd5::4269 64
mtu 1420
up
!route -n add -inet6 fc00::6942:1/128 -iface fc00::6942:17
!route -n add -inet6 fc00::6942:2/128 -iface fc00::6942:17

/etc/hostname.vio0 -
##########
dhcp
inet6 autoconf -autoconfprivacy -soii
inet6 alias 2001:19f0:5:5cd5::17 64
inet6 alias 2001:19f0:5:5cd5::1 64
inet6 alias 2001:19f0:5:5cd5::2 64

/etc/wireguard/bsdac-wg-central.conf (central peer file) -
##########
[Interface]
PrivateKey = MCdzcLt9EZ8ej5vQTHq9Ig6UM4L3C38aXgLebLIxyGw=
#Address = 10.7.0.17/24,fc00::6942:17/112
ListenPort = 161

[Peer]
PublicKey = <hidden>
PresharedKey = <hidden>
AllowedIps = 10.7.0.1/32,fc00::6942:1/128

[Peer]
PublicKey = <hidden>
PresharedKey = <hidden>
AllowedIps = 10.7.0.2/32,fc00::6942:2/128

/etc/wireguard/bsdac-wg-peer.conf -
##########
[Interface]
PrivateKey = <hidden>
Address = 10.7.0.1/32,fc00::6942:1/128
ListenPort = 161

[Peer]
# WireGuard server public key
PublicKey = <hidden>
PresharedKey = <hidden>
Endpoint = <hidden>
AllowedIPs = 10.7.0.0/24,fc00::6942:0/112
PersistentKeepalive = 25
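
An added example, not part of the original post: a Python check that the per-peer entries this setup keeps by hand in four files (the /128 in AllowedIps, the binat-to rule, the host route in hostname.wg0 and the alias in hostname.vio0) agree with each other. The function names, the finding texts and peers :3 and :9 in the sample are assumptions; peer :1 uses the addresses from the post.

```python
import ipaddress
import re

def addrs(pattern, text):
    """IPv6 addresses captured by pattern on non-comment lines, normalised."""
    live = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    return {ipaddress.IPv6Address(a) for a in re.findall(pattern, live)}

def check_peers(wg_conf, anchor, hostname_wg0, hostname_vio0):
    """Cross-check the per-peer entries of the four files; return findings."""
    peers = addrs(r"([0-9A-Fa-f]*:[0-9A-Fa-f:]+)/128", wg_conf)   # AllowedIps /128s
    routes = addrs(r"-inet6 (\S+)/128", hostname_wg0)             # !route lines
    aliases = addrs(r"inet6 alias (\S+) 64", hostname_vio0)       # egress aliases
    binat = {ipaddress.IPv6Address(i): ipaddress.IPv6Address(o)   # inside -> outside
             for i, o in re.findall(r"from (\S+) to any binat-to (\S+)", anchor)}
    findings = []
    for p in sorted(peers):
        if p not in routes:
            findings.append(f"{p}: no host route in hostname.wg0")
        if p not in binat:
            findings.append(f"{p}: no binat-to rule")
        elif binat[p] not in aliases:
            findings.append(f"{p}: {binat[p]} is not an alias in hostname.vio0")
    for inside, outside in sorted(binat.items()):
        if inside not in peers:
            findings.append(f"{outside}: binat-to target {inside} is in no AllowedIps")
    return findings

# Sample input: peer :1 is from the post; peers :3 and :9 are constructed.
WG = """[Peer]
AllowedIps = 10.7.0.1/32,fc00::6942:1/128
[Peer]
AllowedIps = 10.7.0.3/32,fc00::6942:3/128
"""
ANCHOR = """anchor "nat" {
pass on egress inet6 from fc00::6942:1 to any binat-to 2001:19f0:5:5cd5::1
pass on egress inet6 from fc00::6942:3 to any binat-to 2001:19f0:5:5cd5::3
pass on egress inet6 from fc00::6942:9 to any binat-to 2001:19f0:5:5cd5::9
}"""
WG0 = """!route -n add -inet6 fc00::6942:1/128 -iface fc00::6942:17
"""
VIO0 = """inet6 alias 2001:19f0:5:5cd5::17 64
inet6 alias 2001:19f0:5:5cd5::1 64
"""

if __name__ == "__main__":
    print("\n".join(check_peers(WG, ANCHOR, WG0, VIO0)))
```

The last finding type matters most for exposure: a binat-to rule left behind after a peer is removed still maps a global address to an inside address that any later peer could be assigned.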