Using your /124, /120, … or /64
How to actually use every address in your tier once the wayangi agent has the tunnel up. AnyIP routing, Caddy/nginx examples, common gotchas.
What the agent does for you
When you bootstrap on Linux, the agent runs (paraphrased):
ip addr add <your_prefix> dev wayangi0 # binds the anchor
ip route add local <your_prefix> dev wayangi0 # AnyIP — kernel accepts
# any address in the prefix
# as localThat second line is the important one. It tells the kernel that every address in your prefix is a valid local destination on wayangi0. bind() to any of them works and inbound packets to any of them are delivered to local sockets.
Only the prefix anchor is bound on macOS today. For full prefix-delegation use, run on Linux.
/124 (16 IPs) — worked example
You bought the /124 tier and your dashboard shows your prefix as 2001:df6:d2c0:1400:1::10/124. That gives you these 16 addresses:
2001:df6:d2c0:1400:1::10 .. 2001:df6:d2c0:1400:1::1fPick any of them and bind a service to it. With Caddy:
http://[2001:df6:d2c0:1400:1::11]:80 {
respond "service A"
}
http://[2001:df6:d2c0:1400:1::12]:80 {
respond "service B"
}Or nginx:
server {
listen [2001:df6:d2c0:1400:1::13]:80;
server_name _;
location / { return 200 "service C\n"; }
}No extra setup needed — the AnyIP route handles it. Confirm with a quick self-test from the device:
curl -6 http://[2001:df6:d2c0:1400:1::11]//120 (256) through /96 (4.3 B)
Same idea, more addresses. Common patterns:
- 256 sub-services on /120 — bind a different micro-service to each IP.
- 4 096 on /116 — multi-tenant dev/test, one IP per isolated tenant.
- 65 536 on /112 — small-business SaaS that hands out an IP per customer.
- /104, /96 — pre-enterprise platforms with their own internal IPAM, picking specific addresses from the routed prefix.
Two caveats at scale
- Don't try to bind every address up front. The kernel routes everything in the prefix to
wayangi0via AnyIP; you only need tobind()the IPs that have a real listener. - Reverse DNS is your responsibility. Wayangi delivers a routed prefix; delegating
<prefix>.ip6.arpato your own DNS server is a separate task (open a support ticket).
/64 — full subnet (sub-leasing tier)
The /64 tier is the ISP/reseller shape. You get an entire /64 routed to your device. Typical setups:
- Sub-allocate to downstream clients. Pass a /128 (or smaller subnet) to each downstream client over your own routing protocol — static, DHCPv6-PD, OSPFv3, BGP. The wayangi tunnel just delivers the /64; what you do with it is yours.
- Run an internal IPAM. Use the /64 as a flat space for thousands of containers / VMs / tenants. With AnyIP set up by the agent, the kernel accepts any of the 2⁶⁴ addresses without per-address binding.
Verifying the AnyIP route is installed
$ ip -6 route show table local | grep wayangi0
local 2001:df6:d2c0:1400:1::10/124 dev wayangi0 metric 1024 pref mediumIf that line is missing for a non-/128 tier, your agent is out of date. Re-run the installer for your OS:
# Linux / macOS
curl -fsSL https://wayangi.dalang.io/install.sh | sudo sh -s -- --token=<YOUR_TOKEN>
# Windows (PowerShell)
irm https://wayangi.dalang.io/install.ps1 | iex
wayangi --token=<YOUR_TOKEN>Common gotchas
Caddy binding to :80 wildcard vs [v6]:80
Wildcard works but Caddy matches sites by both listen address AND Host: header. If you bind to :80 and the request has Host: [2001:…:11], Caddy only matches a site with that exact Host. Either declare per-IP sites or use a wildcard site that routes by path.
Firewall
The wayangi tunnel is inbound-only by design — your outbound stays on your ISP. If you also run a local firewall (ufw, nftables), open the ports you actually want to expose; the agent doesn't touch your firewall.
macOS
Only the anchor /128 is bound today. For real prefix-delegation use, run on Linux.
Next up
- Test that your tunnel works — a 5-minute walkthrough to confirm inbound traffic really arrives.
- Pricing & tiers — IP-count breakdown per tier.