diff --git a/pkg/agent/tunnel/tunnel.go b/pkg/agent/tunnel/tunnel.go
index 5bac7381e2..a0c8724d84 100644
--- a/pkg/agent/tunnel/tunnel.go
+++ b/pkg/agent/tunnel/tunnel.go
@@ -167,7 +167,7 @@ func connect(rootCtx context.Context, waitGroup *sync.WaitGroup, address string,
 		for {
 			remotedialer.ClientConnect(ctx, wsURL, nil, ws, func(proto, address string) bool {
 				host, port, err := net.SplitHostPort(address)
-				return err == nil && proto == "tcp" && ports[port] && host == "127.0.0.1"
+				return err == nil && proto == "tcp" && ports[port] && (host == "127.0.0.1" || host == "::1")
 			}, func(_ context.Context) error {
 				if waitGroup != nil {
 					once.Do(waitGroup.Done)
diff --git a/pkg/cli/server/server.go b/pkg/cli/server/server.go
index 45e411dda9..617347fc7a 100644
--- a/pkg/cli/server/server.go
+++ b/pkg/cli/server/server.go
@@ -462,6 +462,8 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 		if IPv6only {
 			ip = "[::1]"
 		}
+	} else if utilsnet.IsIPv6String(ip) {
+		ip = fmt.Sprintf("[%s]", ip)
 	}
 
 	url := fmt.Sprintf("https://%s:%d", ip, serverConfig.ControlConfig.SupervisorPort)
diff --git a/pkg/cluster/https.go b/pkg/cluster/https.go
index e26bb85114..976db7adf2 100644
--- a/pkg/cluster/https.go
+++ b/pkg/cluster/https.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"errors"
+	"fmt"
 	"io/ioutil"
 	"log"
 	"net"
@@ -22,6 +23,7 @@ import (
 	"github.com/rancher/wrangler/pkg/generated/controllers/core"
 	"github.com/sirupsen/logrus"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilsnet "k8s.io/utils/net"
 )
 
 // newListener returns a new TCP listener and HTTP request handler using dynamiclistener.
@@ -35,7 +37,11 @@ func (c *Cluster) newListener(ctx context.Context) (net.Listener, http.Handler,
 			os.Remove(filepath.Join(c.config.DataDir, "tls/dynamic-cert.json"))
 		}
 	}
-	tcp, err := dynamiclistener.NewTCPListener(c.config.BindAddress, c.config.SupervisorPort)
+	ip := c.config.BindAddress
+	if utilsnet.IsIPv6String(ip) {
+		ip = fmt.Sprintf("[%s]", ip)
+	}
+	tcp, err := dynamiclistener.NewTCPListener(ip, c.config.SupervisorPort)
 	if err != nil {
 		return nil, nil, err
 	}
diff --git a/pkg/daemons/control/deps/deps.go b/pkg/daemons/control/deps/deps.go
index 943d166249..0628725167 100644
--- a/pkg/daemons/control/deps/deps.go
+++ b/pkg/daemons/control/deps/deps.go
@@ -22,6 +22,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/passwd"
 	"github.com/k3s-io/k3s/pkg/token"
+	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/version"
 	certutil "github.com/rancher/dynamiclistener/cert"
 	"github.com/sirupsen/logrus"
@@ -305,7 +306,15 @@ func genClientCerts(config *config.Control) error {
 	factory := getSigningCertFactory(regen, nil, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, runtime.ClientCA, runtime.ClientCAKey)
 
 	var certGen bool
-	apiEndpoint := fmt.Sprintf("https://127.0.0.1:%d", config.APIServerPort)
+
+	IPv6OnlyService, _ := util.IsIPv6OnlyCIDRs(config.ServiceIPRanges)
+	ip := ""
+	if IPv6OnlyService {
+		ip = "[::1]"
+	} else {
+		ip = "127.0.0.1"
+	}
+	apiEndpoint := fmt.Sprintf("https://%s:%d", ip, config.APIServerPort)
 
 	certGen, err = factory("system:admin", []string{"system:masters"}, runtime.ClientAdminCert, runtime.ClientAdminKey)
 	if err != nil {
diff --git a/pkg/daemons/control/server.go b/pkg/daemons/control/server.go
index b380687f30..e19de0078e 100644
--- a/pkg/daemons/control/server.go
+++ b/pkg/daemons/control/server.go
@@ -31,7 +31,13 @@ import (
 	_ "k8s.io/component-base/metrics/prometheus/restclient"
 )
 
-var localhostIP = net.ParseIP("127.0.0.1")
+func getLocalhostIP(serviceCIDR []*net.IPNet) net.IP {
+	IPv6OnlyService, _ := util.IsIPv6OnlyCIDRs(serviceCIDR)
+	if IPv6OnlyService {
+		return net.ParseIP("::1")
+	}
+	return net.ParseIP("127.0.0.1")
+}
 
 func Server(ctx context.Context, cfg *config.Control) error {
 	rand.Seed(time.Now().UTC().UnixNano())
@@ -95,7 +101,7 @@ func controllerManager(ctx context.Context, cfg *config.Control) error {
 		"cluster-cidr":                     util.JoinIPNets(cfg.ClusterIPRanges),
 		"root-ca-file":                     runtime.ServerCA,
 		"profiling":                        "false",
-		"bind-address":                     localhostIP.String(),
+		"bind-address":                     getLocalhostIP(cfg.ServiceIPRanges).String(),
 		"secure-port":                      "10257",
 		"use-service-account-credentials":  "true",
 		"cluster-signing-kube-apiserver-client-cert-file": runtime.ClientCA,
@@ -127,7 +133,7 @@ func scheduler(ctx context.Context, cfg *config.Control) error {
 		"kubeconfig":                runtime.KubeConfigScheduler,
 		"authorization-kubeconfig":  runtime.KubeConfigScheduler,
 		"authentication-kubeconfig": runtime.KubeConfigScheduler,
-		"bind-address":              localhostIP.String(),
+		"bind-address":              getLocalhostIP(cfg.ServiceIPRanges).String(),
 		"secure-port":               "10259",
 		"profiling":                 "false",
 	}
@@ -164,7 +170,7 @@ func apiServer(ctx context.Context, cfg *config.Control) error {
 	argsMap["insecure-port"] = "0"
 	argsMap["secure-port"] = strconv.Itoa(cfg.APIServerPort)
 	if cfg.APIServerBindAddress == "" {
-		argsMap["bind-address"] = localhostIP.String()
+		argsMap["bind-address"] = getLocalhostIP(cfg.ServiceIPRanges).String()
 	} else {
 		argsMap["bind-address"] = cfg.APIServerBindAddress
 	}
@@ -297,7 +303,7 @@ func cloudControllerManager(ctx context.Context, cfg *config.Control) error {
 		"authorization-kubeconfig":     runtime.KubeConfigCloudController,
 		"authentication-kubeconfig":    runtime.KubeConfigCloudController,
 		"node-status-update-frequency": "1m0s",
-		"bind-address":                 "127.0.0.1",
+		"bind-address":                 getLocalhostIP(cfg.ServiceIPRanges).String(),
 		"port":                         "0",
 	}
 	if cfg.NoLeaderElect {
diff --git a/pkg/etcd/etcd.go b/pkg/etcd/etcd.go
index 4026ddf021..7cd67cad67 100644
--- a/pkg/etcd/etcd.go
+++ b/pkg/etcd/etcd.go
@@ -134,6 +134,13 @@ func NewETCD() *ETCD {
 	}
 }
 
+func getLocalhostAddress(address string) string {
+	if utilsnet.IsIPv6String(address) {
+		return "[::1]"
+	}
+	return "127.0.0.1"
+}
+
 // EndpointName returns the name of the endpoint.
 func (e *ETCD) EndpointName() string {
 	return "etcd"
@@ -744,7 +751,7 @@ func (e *ETCD) clientURL() string {
 
 // metricsURL returns the metrics access address
 func (e *ETCD) metricsURL(expose bool) string {
-	address := "http://127.0.0.1:2381"
+	address := fmt.Sprintf("http://%s:2381", getLocalhostAddress(e.address))
 	if expose {
 		if utilsnet.IsIPv6String(e.address) {
 			address = fmt.Sprintf("https://[%s]:2381,%s", e.address, address)
@@ -761,7 +768,7 @@ func (e *ETCD) cluster(ctx context.Context, forceNew bool, options executor.Init
 		Name:                e.name,
 		InitialOptions:      options,
 		ForceNewCluster:     forceNew,
-		ListenClientURLs:    e.clientURL() + ",https://127.0.0.1:2379",
+		ListenClientURLs:    e.clientURL() + "," + fmt.Sprintf("http://%s:2379", getLocalhostAddress(e.address)),
 		ListenMetricsURLs:   e.metricsURL(e.config.EtcdExposeMetrics),
 		ListenPeerURLs:      e.peerURL(),
 		AdvertiseClientURLs: e.clientURL(),
diff --git a/pkg/server/server.go b/pkg/server/server.go
index c4a5806b9c..5615241733 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -37,6 +37,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/net"
+	utilsnet "k8s.io/utils/net"
 )
 
 const (
@@ -91,7 +92,12 @@ func StartServer(ctx context.Context, config *Config, cfg *cmds.Server) error {
 		if err == nil {
 			ip = hostIP
 		} else {
-			ip = net2.ParseIP("127.0.0.1")
+			IPv6OnlyService, _ := util.IsIPv6OnlyCIDRs(config.ControlConfig.ServiceIPRanges)
+			if IPv6OnlyService {
+				ip = net2.ParseIP("::1")
+			} else {
+				ip = net2.ParseIP("127.0.0.1")
+			}
 		}
 	}
 
@@ -333,7 +339,12 @@ func printTokens(advertiseIP string, config *config.Control) error {
 	)
 
 	if advertiseIP == "" {
-		advertiseIP = "127.0.0.1"
+		IPv6OnlyService, _ := util.IsIPv6OnlyCIDRs(config.ServiceIPRanges)
+		if IPv6OnlyService {
+			advertiseIP = "::1"
+		} else {
+			advertiseIP = "127.0.0.1"
+		}
 	}
 
 	if len(config.Runtime.ServerToken) > 0 {
@@ -365,12 +376,24 @@ func printTokens(advertiseIP string, config *config.Control) error {
 func writeKubeConfig(certs string, config *Config) error {
 	ip := config.ControlConfig.BindAddress
 	if ip == "" {
-		ip = "127.0.0.1"
+		IPv6OnlyService, _ := util.IsIPv6OnlyCIDRs(config.ControlConfig.ServiceIPRanges)
+		if IPv6OnlyService {
+			ip = "[::1]"
+		} else {
+			ip = "127.0.0.1"
+		}
+	} else if utilsnet.IsIPv6String(ip) {
+		ip = fmt.Sprintf("[%s]", ip)
 	}
 	port := config.ControlConfig.HTTPSPort
 	// on servers without a local apiserver, tunnel access via the loadbalancer
 	if config.ControlConfig.DisableAPIServer {
-		ip = "127.0.0.1"
+		IPv6OnlyService, _ := util.IsIPv6OnlyCIDRs(config.ControlConfig.ServiceIPRanges)
+		if IPv6OnlyService {
+			ip = "[::1]"
+		} else {
+			ip = "127.0.0.1"
+		}
 		port = config.ControlConfig.APIServerPort
 	}
 	url := fmt.Sprintf("https://%s:%d", ip, port)
@@ -454,6 +477,8 @@ func printToken(httpsPort int, advertiseIP, prefix, cmd string) {
 			logrus.Errorf("Failed to choose interface: %v", err)
 		}
 		ip = hostIP.String()
+	} else if utilsnet.IsIPv6String(ip) {
+		ip = fmt.Sprintf("[%s]", ip)
 	}
 
 	logrus.Infof("%s %s %s -s https://%s:%d -t ${NODE_TOKEN}", prefix, version.Program, cmd, ip, httpsPort)