Avoid IPv6 NAT by assigning an IPv6 address directly from the host instead

[jamesmcm]

We can get the /64 details from the host and assign a free IP in that block to the network namespace directly - so NAT is not required. However, this means adjusting the firewall rules to account for this too - e.g. we need the GUA in the firewall rules too.

We can also change from MASQUERADE rules to SNAT (assuming the IP address of the output interface will not change while vopono is running - maybe only do this for IPv6).

IPv6 NAT can be optionally requested with an argument to vopono exec.

[jamesmcm]

Above gives us a GUA for network namespace without a VPN service running.

Then for the GUA with the VPN service:

We actually need to check if the Wireguard config has a GUA assigned in the Peer interface, since that is the GUA we should use.

Likewise in OpenVPN need to check for ifconfig-ipv6 in the config - to get the appropriate GUA.