[doc] Add IPv6 overlay addressing documentation

src/components/NavigationDocs.jsx

@@ -420,6 +420,7 @@ export const docsNavigation = [
             title: 'Multi-Factor Authentication',
             href: '/manage/settings/multi-factor-authentication',
           },
+          { title: 'IPv6 Overlay Addressing', href: '/manage/settings/ipv6' },
           { title: 'Delete Account', href: '/manage/settings/delete-account' },
           {
             title: 'Plans and Billing',

src/pages/get-started/cli.mdx

@@ -82,6 +82,7 @@ The command will check if the peer is logged in and connect to the management se
 
       --allow-server-ssh                      Allow SSH server on peer. If enabled, the SSH server will be permitted
       --disable-auto-connect                  Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.
+      --disable-ipv6                          Disables IPv6 overlay addressing. The client will not receive an IPv6 address or accept IPv6 traffic from peers. (v0.68.0+)
       --disable-ssh-auth                      Disable SSH JWT authentication. If enabled, any peer with network access can connect without user authentication
       --dns-resolver-address string           Sets a custom address for NetBird's local DNS resolver. If set, the agent won't attempt to discover the best ip and port to listen on. An empty string "" clears the previous configuration. E.g. --dns-resolver-address 127.0.0.1:5053 or --dns-resolver-address ""
       --ssh-jwt-cache-ttl int                 SSH JWT token cache TTL in seconds. Set to 0 to disable caching (default). E.g. --ssh-jwt-cache-ttl 3600 for 1-hour cache
@@ -167,6 +168,7 @@ Retrieves the peer status from the daemon service.
   -A, --anonymize                 anonymize IP addresses and non-netbird.io domains in the status output
   -h, --help                      help for status
       --ipv4                      display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33
+      --ipv6                      display only NetBird IPv6 of this peer
       --json                      display detailed status information in json format
       --yaml                      display detailed status information in yaml format
 ```

src/pages/manage/network-routes/use-cases/by-scenario/exit-nodes.mdx

@@ -12,9 +12,7 @@ Exit nodes route all internet-bound traffic from your devices through a designat
 
 A default route (`0.0.0.0/0` for IPv4) directs all internet traffic through a designated routing peer.
 
-<Note>
-    IPv6 traffic is currently not supported and is blocked to prevent unintentional leakage.
-</Note>
+When [IPv6 overlay addressing](#ipv6-support) is enabled for the peer, the management server automatically creates a matching `::/0` route so that both IPv4 and IPv6 internet traffic flow through the exit node. Peers without IPv6 enabled have their IPv6 traffic blocked to prevent leakage.
 
 ### Routing Peer
 
@@ -93,6 +91,24 @@ Add a DNS server with the match domain set to `ALL`. Local DNS servers may not b
 
 See [Manage DNS in your network](/manage/dns) for details.
 
+## IPv6 Support
+
+<Note>
+    IPv6 overlay addressing requires NetBird v0.68.0 or later on both the routing peer and the clients.
+</Note>
+
+When IPv6 is enabled in your account settings and the exit node peer supports it, the management server automatically generates a `::/0` route alongside the `0.0.0.0/0` route. No additional configuration is needed.
+
+For peers that do not have IPv6 enabled (older clients, or accounts with IPv6 disabled), IPv6 traffic is blocked at the tunnel interface to prevent unintentional leakage through the exit node.
+
+You can disable IPv6 on individual clients with the `--disable-ipv6` flag:
+
+```bash
+netbird up --disable-ipv6
+```
+
+See [IPv6 Overlay Addressing](/manage/settings/ipv6) for more details on enabling IPv6 for your account.
+
 ## High Availability
 
 Exit nodes support high availability configurations. See [Creating Highly Available Routes](/manage/network-routes#creating-highly-available-routes) for more information.

src/pages/manage/settings/ipv6.mdx

@@ -0,0 +1,84 @@
+# IPv6 Overlay Addressing
+
+<Note>
+    IPv6 overlay addressing requires NetBird v0.68.0 or later.
+</Note>
+
+NetBird supports dual-stack overlay networking, where each peer can receive both an IPv4 and an IPv6 overlay address. Each account gets a unique IPv6 prefix.
+
+## Enabling IPv6
+
+New accounts have IPv6 enabled by default for the **All** group, so every peer receives an IPv6 address out of the box. Existing accounts can enable it from the dashboard.
+
+Navigate to **Settings > Network** and select which groups should have IPv6 enabled. Only peers that belong to at least one selected group will receive an IPv6 address.
+
+When a peer belongs to an IPv6-enabled group, it receives an overlay address from the account's IPv6 range. Peers that do not belong to any IPv6-enabled group only receive an IPv4 address.
+
+### Network Range
+
+The IPv6 network range is configured alongside your IPv4 range. Valid prefix lengths are `/48` through `/120`. The default is a `/64` prefix, which provides enough addresses for most deployments.
+
+## How It Works
+
+### Address Assignment
+
+Each peer receives at most one IPv4 and one IPv6 overlay address. Management assigns the IPv6 address when the peer first connects with a client that supports IPv6 and belongs to an IPv6-enabled group.
+
+### DNS
+
+Peers with IPv6 addresses automatically get AAAA DNS records alongside their A records. Both record types are served from the same NetBird DNS zone.
+
+### Firewall Rules
+
+Access control policies apply to both IPv4 and IPv6 traffic. When a peer has an IPv6 address, the management server generates firewall rules for both address families.
+
+### Exit Nodes
+
+When an exit node route (`0.0.0.0/0`) is configured and the peer supports IPv6, management automatically creates a matching `::/0` route. See [Exit Nodes](/manage/network-routes/use-cases/by-scenario/exit-nodes#ipv6-support) for details.
+
+## Disabling IPv6 on a Client
+
+Individual clients can opt out of IPv6 with the `--disable-ipv6` CLI flag:
+
+```bash
+netbird up --disable-ipv6
+```
+
+This prevents the client from:
+- Receiving an IPv6 overlay address
+- Advertising IPv6 support to management
+- Accepting IPv6 traffic from remote peers
+
+The flag is also available in the desktop UI under **Settings > Disable IPv6**, and in the iOS and Android apps under **Advanced Settings**.
+
+## CLI Status
+
+When IPv6 is enabled, `netbird status` shows the IPv6 address:
+
+```bash
+$ netbird status
+...
+NetBird IP: 100.64.114.31/16
+NetBird IPv6: fd00:1234:5678::1f/64
+...
+```
+
+Use `--ipv6` to show only the IPv6 address:
+
+```bash
+$ netbird status --ipv6
+fd00:1234:5678::1f/64
+```
+
+## API
+
+The following API fields relate to IPv6:
+
+- **Account settings**: `ipv6_enabled_groups` (list of group IDs), `network_range_v6` (CIDR string)
+- **Peer**: `ipv6` (read-only, the assigned IPv6 address)
+
+See the [API reference](/manage/public-api) for details.
+
+## Limitations
+
+- IPv6 overlay addresses are not routable on the public internet