diff --git a/roles/wireguard/templates/nftables.conf b/roles/wireguard/templates/nftables.conf
index 107c269e0581082a4bbf66674a7788ab9e741d19..58493072380e4d8664133acf65ecc0f6aa5f3172 100644
--- a/roles/wireguard/templates/nftables.conf
+++ b/roles/wireguard/templates/nftables.conf
@@ -2,17 +2,31 @@
 
 flush ruleset
 
-{% set sputnik_ip = query('ldap', 'ip', 'sputnik', 'adm') %}
+{% set sputnik_ip = (query('ldap', 'ip', 'sputnik', 'adm') | ipv4)[0] %}
 table ip nat {
 	chain prerouting {
 		type nat hook prerouting priority 0; policy accept;
-		ip daddr {{ sputnik_ip }} dnat 172.31.0.2
+		ip daddr {{ sputnik_ip }} dnat to 172.31.0.2
 	}
 	chain postrouting {
 		type nat hook postrouting priority 100; policy accept;
-		ip saddr 172.31.0.2 ip protocol icmp snat {{ sputnik_ip }}
-		ip saddr 172.31.0.2 ip protocol tcp snat {{ sputnik_ip }}
-		ip saddr 172.31.0.2 ip protocol udp snat {{ sputnik_ip }}
+		ip saddr 172.31.0.2 ip protocol icmp snat to {{ sputnik_ip }}
+		ip saddr 172.31.0.2 ip protocol tcp snat to {{ sputnik_ip }}
+		ip saddr 172.31.0.2 ip protocol udp snat to {{ sputnik_ip }}
+	}
+}
+
+{% set sputnik_ip6 = (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] %}
+table ip6 nat {
+	chain prerouting {
+		type nat hook prerouting priority 0; policy accept;
+		ip6 daddr {{ sputnik_ip6 }} dnat to fd0c:700:0:8::2
+	}
+	chain postrouting {
+		type nat hook postrouting priority 100; policy accept;
+		ip6 saddr fd0c:700:0:8::2 ip6 nexthdr icmpv6 snat to {{ sputnik_ip6 }}
+		ip6 saddr fd0c:700:0:8::2 ip6 nexthdr tcp snat to {{ sputnik_ip6 }}
+		ip6 saddr fd0c:700:0:8::2 ip6 nexthdr udp snat to {{ sputnik_ip6 }}
 	}
 }