[WireGuard] WireGuard doesn't work with network namespace on ArchLinux
sorcus at inwebse.com
Fri Aug 19 18:00:37 CEST 2016
-------- Forwarded message -------
From: sorcus at inwebse.com
To: "Jason A. Donenfeld" <Jason at zx2c4.com>
Sent: August 19 2016 11:49 AM
Subject: Re: [WireGuard] WireGuard doesn't work with network namespace on ArchLinux
August 19 2016 8:54 AM, "Jason A. Donenfeld" <Jason at zx2c4.com> wrote:
>>> $ cat /etc/wireguard/client.conf
>>> [Interface]
>>> PrivateKey = OAT5r6E1hid***iVBnY=
>
> Never post any part of your private key to the internet. I advise you
> to change your keys now.
Ok, I understand.
>>> ListenPort = 52345
>>> [Peer]
>>> PublicKey = aMC3f6kw***UDQVwo=
>>> EndPoint = [2a01:4f8:***:***::5]:40111
>>> AllowedIPs = fc00::10/7
>
> Here's where you go wrong. On the _client_ you want:
> AllowedIPs=::/0,0.0.0.0/0
> In other words, the client trusts the server to send data as any IP,
> and the client will send any IP data to the server.
>
> The AllowedIPs you use on the server should most likely be a /128 and
> a /32, however.
There is no error anymore, but packets don't leave on the server.
Output of tcpdump -i wg0 on client:
IP6 localhost > 2a00:1450:4010:c01::8a ICPMP6, echo request, seq 1, length 64
IP6 localhost > 2a00:1450:4010:c01::8a ICPMP6, echo request, seq 2, length 64
IP6 localhost > 2a00:1450:4010:c01::8a ICPMP6, echo request, seq 3, length 64
Output of ip netns exec physical tcpdump -t on client:
IP6 localhost.52345 > 2a01:4f8:***:***::5.40111: UDP, length 141
IP6 localhost.52345 > 2a01:4f8:***:***::5.40111: UDP, length 141
IP6 localhost.52345 > 2a01:4f8:***:***::5.40111: UDP, length 141
On the server tcpdump doesn't catch any packets. Maybe I need to set some rules with the firewall
(iptables, nftables)?
P.S. I apologize for silly questions.
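The AllowedIPs advice quoted above is WireGuard's cryptokey routing: an outgoing packet is handed to the peer whose AllowedIPs contains the destination (longest prefix wins), and a destination no peer claims is dropped, so a client that only lists fc00::10/7 can never send an IPv6 internet address through the tunnel. The script below, an added example that is not part of this thread or of the WireGuard project, replays that lookup over constructed configs that mirror the ones discussed (placeholder keys, a documentation-range endpoint, and an invented IPv4 tunnel address for the server's peer entry) and adds the server-side check Jason describes, flagging any peer whose AllowedIPs is wider than a /32 or /128. The small parser and the lower-casing of keys are this example's own choices.

```python
"""Cryptokey-routing check for WireGuard configs (added example, not from the thread)."""
import ipaddress

# Constructed client config mirroring the thread's (placeholder key and endpoint).
CLIENT_CONF_ORIGINAL = """
[Interface]
PrivateKey = <client-private-key-placeholder>
ListenPort = 52345

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = [2001:db8::5]:40111
AllowedIPs = fc00::10/7
"""

# Same client with the AllowedIPs Jason recommends: route everything to the server.
CLIENT_CONF_FIXED = CLIENT_CONF_ORIGINAL.replace("AllowedIPs = fc00::10/7",
                                                 "AllowedIPs = ::/0, 0.0.0.0/0")

# Constructed server config: each client is allowed only its own tunnel addresses
# (the IPv4 address 10.0.0.2 is invented for this example).
SERVER_CONF = """
[Interface]
PrivateKey = <server-private-key-placeholder>
ListenPort = 40111

[Peer]
PublicKey = <client-public-key-placeholder>
AllowedIPs = fc00::10/128, 10.0.0.2/32
"""


def parse_wg_conf(text):
    """Minimal INI-style parser: returns (interface_dict, [peer_dict, ...]).
    Keys are lower-cased by this parser; '#' comments and blank lines are skipped."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"bad line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return interface, peers


def allowed_networks(peer):
    """AllowedIPs of one peer as ip_network objects. strict=False discards host bits,
    so fc00::10/7 becomes fc00::/7, which is how the kernel masks the entry too."""
    raw = peer.get("allowedips", "")
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in raw.split(",") if s.strip()]


def select_peer(peers, destination):
    """Longest-prefix match of destination against every peer's AllowedIPs.
    Returns (peer, matching_network), or (None, None) when no peer claims it,
    which is the case where WireGuard drops the packet."""
    dst = ipaddress.ip_address(destination)
    best_peer, best_net = None, None
    for peer in peers:
        for net in allowed_networks(peer):
            if dst.version != net.version or dst not in net:
                continue
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_peer, best_net = peer, net
    return best_peer, best_net


def overly_broad_server_peers(peers):
    """Server-side lint: peers whose AllowedIPs are wider than a single host
    (/32 or /128). The server should accept from each client only that client's
    own tunnel address, otherwise one client may source traffic as any address."""
    flagged = []
    for peer in peers:
        for net in allowed_networks(peer):
            if net.prefixlen < net.max_prefixlen:
                flagged.append((peer.get("publickey", "?"), str(net)))
    return flagged


if __name__ == "__main__":
    target = "2a00:1450:4010:c01::8a"  # the ping destination seen in the thread
    for label, conf in (("original", CLIENT_CONF_ORIGINAL), ("fixed", CLIENT_CONF_FIXED)):
        _, peers = parse_wg_conf(conf)
        peer, net = select_peer(peers, target)
        print(f"{label:8s} -> {target}: {'no peer, dropped' if peer is None else net}")
    print("server peers wider than a host:", overly_broad_server_peers(parse_wg_conf(SERVER_CONF)[1]))
```

Run as-is, the original client config yields no peer for the Google address (the symptom before the AllowedIPs change), the fixed one matches ::/0, and the server config passes the host-size check.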