A WireGuard relay server that enables IPv4 clients to connect to a FritzBox router's IPv6-only WireGuard endpoint.
Designed for Linux, tested on Debian 12.
Your FritzBox can run a WireGuard server, but it may only have an IPv6 address (based on ISP and contract). When you're on an IPv4-only network (some mobile networks, hotel wifi, etc.), you will not be able to reach the FritzBox.
This tool helps set up a VPS as a relay. A cheap (or even free) VPS will most likely be enough, as long as it has both, an IPv4 and IPv6 address. The relay accepts IPv4 connections from your devices (wg0) and forwards traffic to your FritzBox over IPv6 (wg1).
The tool checks the following requirements before starting:
| Package | Required For | Install |
|---|---|---|
| wireguard-tools | wg, wg-quick commands | apt install wireguard-tools |
| iptables | Packet forwarding/NAT | apt install iptables |
| dnsmasq | Split tunnel DNS | apt install dnsmasq |
Kernel requirements:
- Linux 5.6+ (WireGuard built-in) OR
- wireguard kernel module (
modprobe wireguard)
Download from releases.
Warning: Back up your system before running. This tool modifies system configurations and may break existing setups. Use at your own risk.
./wg-relay setupOptions:
-public-dns <ip,ip>- Two public DNS servers for split tunnel dnsmasq (default: Quad9)
Or build manually:
git clone https://github.com/ByteSizedMarius/fritzbox-wireguard-relay.git
cd fritzbox-wireguard-relay
go build -o wg-relay ./cmd/wg-relayPerforms:
- Prerequisite checks (root, wireguard-tools, iptables, kernel module)
- Network interface detection
- FritzBox config import (paste the downloaded .conf)
- Key generation (wg0 keys, client keys, PSKs)
- Config file generation and deployment
- Interface startup and enablement
- If split tunnel: dnsmasq configuration
The setup wizard offers two routing modes. Full tunnel routes all traffic through the VPN, while split tunnel only routes traffic destined for your home network.
| Aspect | Full Tunnel | Split Tunnel |
|---|---|---|
| Client AllowedIPs | 0.0.0.0/0, ::/0 |
192.168.178.0/24, 10.0.1.1/32 |
| Client DNS | FritzBox (192.168.178.1) | Relay dnsmasq (10.0.1.1) |
| Internet traffic route | Client → Relay → Internet | Direct (bypasses VPN) |
| Home LAN traffic route | Client → Relay → FritzBox | Client → Relay → FritzBox |
| Your public IP (internet) | Relay's IP | Your real IP |
| Relay bandwidth usage | All traffic | Only home LAN traffic |
| Additional software | None | dnsmasq |
| DNS for external domains | Via FritzBox | Via Quad9, configurable (dnsmasq) |
| DNS for fritz.box | Via FritzBox | Via FritzBox (through dnsmasq) |
The setup wizard prompts for initial clients, but you can add more afterwards:
./wg-relay add-client -name "phone"Options:
-name <name>- Client name (required)-endpoint <ip:port>- Relay endpoint (required if no existing clients)-dns <servers>- Comma-separated DNS servers (overrides default Quad9)
Performs:
- Parses existing
/etc/wireguard/wg0.conf - Reads RoutingMode from config metadata
- Calculates next available IP (10.0.1.3, 10.0.1.4, ...)
- Generates client keypair and PSK
- Appends
[Peer]section to wg0.conf - Hot-reloads wg0 interface
- Generates client config with appropriate AllowedIPs/DNS for routing mode
- Outputs config file path
Some VPS providers assign an IPv6 address via DHCPv6 but it expires or isn't requested on boot. If your relay can't reach the FritzBox's IPv6 endpoint, add this to /etc/wireguard/wg1.conf:
PostUp = if ! ip -6 addr show scope global | grep -q inet6; then dhclient -6 eth0 && sleep 2; fiReplace eth0 with your actual network interface (check with ip link).
This requests an IPv6 address via DHCPv6 before WireGuard tries to connect.