I’ve submitted a PR to GL.iNet’s gl-feeds repository that adds full support for automatically enforcing IPv4‑only WireGuard operation whenever the router’s global IPv6 toggle is turned off. This is designed for users who want to avoid IPv6 leaks, simplify configuration, or run WireGuard in IPv4‑only environments without manually editing every peer.
PR: https://github.com/gl-inet/gl-feeds/pull/20
---
Why This Feature Matters
Many GL.iNet users want WireGuard to operate strictly over IPv4—especially when:
- Their ISP or VPN setup doesn’t support IPv6.
- They want to avoid IPv6 traffic leaks.
- They rely on the router’s global IPv6 toggle as the single source of truth.
- They don’t want to manually strip IPv6 addresses from every WireGuard peer or interface.
This package solves all of that automatically.
---
What the New Package Does
A new package, gl-sdk4-wireguard-ipv4-only, automatically enforces IPv4‑only behavior for all WireGuard server and client interfaces whenever global IPv6 is disabled. No new GUI options are added—the existing IPv6 ON/OFF toggle controls everything.
When IPv6 is OFF, the package:
- Removes all IPv6 addresses from:
  - WireGuard server sections
  - netifd WireGuard interfaces
  - Peer allowed_ips and client_ip fields
- Applies IPv4‑only AllowedIPs directly to the live kernel device
- Disables IPv6 per‑interface using sysctl drop‑ins
- Installs firewall rules (fw4/nft or fw3/ip6tables depending on firmware)
- Saves snapshots of all removed IPv6 configuration so it can be restored later
When IPv6 is ON again:
- Restores all original IPv6 configuration from snapshots
- Removes sysctl and firewall drop‑ins
- Re‑programs WireGuard peers to restore IPv6 support
Everything is reversible and safe.
---
How It Detects IPv6 State
Because IPv6 behavior varies across firmware versions, the package uses a 5‑step detection chain to determine whether IPv6 is truly enabled or disabled. It also listens to multiple system triggers to ensure changes are applied reliably:
- procd reload events (network, firewall, glconfig, wireguard_server)
- iface hotplug events (including wan6)
- net hotplug events
- a once‑per‑minute cron tick that only acts when IPv6 state changes
This ensures enforcement works even on firmware versions where the GUI toggle doesn’t fire events.
---
CLI & JSON‑RPC Support
The package includes a full CLI tool:
/usr/sbin/wg-noipv6
Commands include:
- sync — reconcile state immediately
- apply — enforce IPv4‑only on a specific WG interface
- clear — restore IPv6 for a specific interface
- clear-all — restore everything
- status — audit IPv6 presence in UCI + live kernel device
There is also a JSON‑RPC endpoint for automation:
/usr/lib/oui-httpd/rpc/wireguard_ipv4_only
with get_status and sync methods.
---
Safe Uninstall Behavior
Removing the package (opkg remove gl-sdk4-wireguard-ipv4-only) automatically:
- Restores all saved IPv6 configuration
- Removes all sysctl and firewall drop‑ins
- Cleans up state directories and cron entries
- Performs a safe, coalesced reload of firewall → WG server → network (avoiding temporary traffic blackholes)
This ensures the router returns to its exact previous state.
---
Testing & Validation
According to the PR, the feature has been thoroughly validated:
- Shell scripts lint‑clean (dash -n, shellcheck)
- Lua RPC module validated (luac -p)
- IPv6 detection tests: 13/13 passing
- Cron state‑machine tests: 5/5 passing
- Real‑device soak testing on GL‑AXT1800 with multiple IPv6 ON/OFF cycles and install/uninstall cycles
---
Who This Helps
This feature is ideal for:
- Users who want IPv4‑only WireGuard without manual config edits
- Users concerned about IPv6 leaks
- Deployments where IPv6 is globally disabled
- Anyone who wants WireGuard behavior to follow the router’s IPv6 toggle automatically
---
If you have feedback, want to test the package, or want to see this merged into future GL.iNet firmware, feel free to join the discussion!
For advanced users (use at your own risk):
I have pre-compiled this package as part of my tests (until GL.iNet reviews and hopefully approves it for the mainline feed branches). If you have console access to your own router and would like to test it out, you can run the following commands:
Add the mirror:
For Mainline OpenWrt on Cortex-A53 (ipq60xx / ipq807x):
echo 'src/gz blackoutsecure https://openwrt.blackoutsecure.dev/23.05-SNAPSHOT/packages/aarch64_cortex-a53/blackoutsecure' >> /etc/opkg/customfeeds.conf
For GL.iNet ApNos firmware (AXT1800 / AX1800, 23.05-based):
echo 'src/gz blackoutsecure https://openwrt.blackoutsecure.dev/23.05-SNAPSHOT/packages/aarch64_cortex-a53_neon-vfpv4/blackoutsecure' >> /etc/opkg/customfeeds.conf
Then run the following commands:
opkg update
opkg install gl-sdk4-wireguard-ipv4-only
After that, simply disable IPv6 globally (Network > IPv6) and the script will take care of the rest with WireGuard. If you decide to enable IPv6, the script will allow WireGuard to have IPv6 again. If you decide to remove this package:
opkg remove gl-sdk4-wireguard-ipv4-only
It will take the settings back to before the package was installed.
Note: if anything goes wrong for some reason, please report it here. To revert to a good state, try uninstalling the package; if that does not resolve it, factory reset the router as a last resort, and you will be good to go.
I hope this helps the community!
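
An independent way to confirm the IPv4‑only state described in the post, as an added example that is not part of the original post or the PR: the script below flags any peer whose AllowedIPs still carry an IPv6 prefix, reading the output format of `wg show <iface> allowed-ips`. The peer keys and addresses are constructed sample data, and `WG_IFACE` is a hypothetical variable name used only here.

```shell
#!/bin/sh
# Added example (not code from the package): list WireGuard peers whose
# AllowedIPs still contain IPv6 prefixes.
# Input is the output format of `wg show <iface> allowed-ips`:
#   <peer-public-key><TAB><cidr> <cidr> ...
# Base64 keys and IPv4 CIDRs never contain ':', so a ':' marks an IPv6 prefix.

# Reads allowed-ips lines on stdin; prints "<peer-key> <ipv6-cidr>" per leftover.
wg_ipv6_leftovers() {
    awk '{
        for (i = 2; i <= NF; i++)
            if (index($i, ":") > 0) print $1, $i
    }'
}

# Reads the same input; prints only the number of IPv6 prefixes found.
wg_ipv6_count() {
    wg_ipv6_leftovers | wc -l | tr -d ' '
}

# Constructed sample: peers before enforcement (dual-stack AllowedIPs).
sample_before() {
    printf 'PEERKEYAAAA=\t10.0.0.2/32 fd00:10::2/128\n'
    printf 'PEERKEYBBBB=\t0.0.0.0/0 ::/0\n'
    printf 'PEERKEYCCCC=\t10.0.0.4/32\n'
}

# Constructed sample: the same peers after IPv4-only enforcement.
sample_after() {
    printf 'PEERKEYAAAA=\t10.0.0.2/32\n'
    printf 'PEERKEYBBBB=\t0.0.0.0/0\n'
    printf 'PEERKEYCCCC=\t10.0.0.4/32\n'
}

echo "before: $(sample_before | wg_ipv6_count) IPv6 prefix(es)"
sample_before | wg_ipv6_leftovers
echo "after:  $(sample_after | wg_ipv6_count) IPv6 prefix(es)"

# Live check on a router: set WG_IFACE (hypothetical variable name) to the
# WireGuard interface before running this script.
if [ -n "${WG_IFACE:-}" ]; then
    wg show "$WG_IFACE" allowed-ips | wg_ipv6_leftovers
    # A value of 1 means IPv6 is disabled on that interface.
    cat "/proc/sys/net/ipv6/conf/$WG_IFACE/disable_ipv6"
fi
```

An empty result from `wg_ipv6_leftovers` on the live device means no peer can route IPv6 through the tunnel, regardless of what the UCI configuration says.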