u/ninmuzz

WireGuard endpoint over IPv6

Is there any way to make WireGuard connect over IPv6 to the VPN endpoint if A and AAAA records are available?

At the time, it will always connect to the v4 address, even if a v6 is available. Only way to make it connect to a v6 endpoint is an AAAA-only DNS record.

Any ideas, maybe custom WireGuard builds?

u/ninmuzz — 1 day ago
▲ 20 r/ipv6+1 crossposts

NAT46/DNS46 implementation?

Have many legacy IPv4-only devices, and an IPv6-only upstream. Looking for an implementation of, or way to implement, NAT46+DNS46. Right now it seems Fortinet are shipping something packaged (the only ones in fact), but I'm looking for something I can set up on generic Linux/FreeBSD.

CLAT/464xlat is explicitly out of scope because it requires cooperation on the PLAT side. Actual NAT46 translation is vastly preferable and would enable connections over IPv6 directly to IPv6-only hosts. To the rest of the world the network appears IPv6-capable, or at worst like a NAT66, and everyone can get on with their lives.

For those unfamiliar, NAT46/DNS46 is where DNS queries are received from IPv4 clients, the public IPv6 address is determined, and a temporary mapping between public IPv6 address and internal-use-only IPv4 address is created, allowing IPv4 clients inside to communicate with IPv6 hosts outside. (For those fretting about conflicts with existing public IPv4 addresses, the ones used in the mappings don't have to be globally routable. For those fretting about IPv6 addresses being larger than IPv4 addresses, this is translation not embedding, and few networks need enough simultaneous connections for this to be an issue.)

A userspace daemon or plugin for Tayga etc. etc. would be fine, it doesn't need to be implemented in-kernel.

u/ThatDeveloper12 — 5 days ago
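
The temporary mapping described in the NAT46/DNS46 post above, sketched as an added example (not part of the original post and not code from any existing implementation). The class and method names, the `198.18.0.0/30` pool and the `2001:db8::` addresses are assumptions chosen for illustration; the caller supplies the real AAAA answer and the current time.

```python
import ipaddress


class PoolExhausted(Exception):
    """No free internal IPv4 address is left for a new mapping."""


class Dns46Table:
    """Temporary IPv6 <-> internal IPv4 mappings created at DNS-answer time."""

    def __init__(self, pool_cidr, ttl):
        # Internal-use-only pool; it does not need to be globally routable.
        self.free = [str(a) for a in ipaddress.ip_network(pool_cidr).hosts()]
        self.ttl = ttl      # mapping lifetime in seconds
        self.by_v6 = {}     # IPv6 -> (IPv4, expiry)
        self.by_v4 = {}     # IPv4 -> IPv6, consulted by the packet translator

    def _expire(self, now):
        # Return addresses of timed-out mappings to the pool.
        for v6, (v4, expiry) in list(self.by_v6.items()):
            if expiry <= now:
                del self.by_v6[v6], self.by_v4[v4]
                self.free.append(v4)

    def answer_a_query(self, aaaa, now):
        """Return the synthetic A record for a name whose real answer is aaaa."""
        self._expire(now)
        v6 = str(ipaddress.IPv6Address(aaaa))  # canonical text form as the key
        if v6 in self.by_v6:
            v4 = self.by_v6[v6][0]             # reuse the mapping, refresh below
        elif self.free:
            v4 = self.free.pop(0)
            self.by_v4[v4] = v6
        else:
            raise PoolExhausted(v6)
        self.by_v6[v6] = (v4, now + self.ttl)
        return v4

    def translate_dst(self, v4, now):
        """IPv6 destination for a packet sent to a mapped IPv4, or None."""
        self._expire(now)
        return self.by_v4.get(v4)
```

The TTL on the synthetic A record should be shorter than the mapping lifetime; otherwise a client that caches the answer can keep sending to an internal address that has since been reassigned to a different IPv6 host.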