IPv6 Not Getting Past Server

Aaron W. Swenson aaron at grandmasfridge.org
Sat Sep 22 21:55:22 CEST 2018

I’m going to use the official documentation IP addresses. I am using real IPv6
addresses and not using NAT66. Naturally, NAT is being used for IPv4. Here are
the definitions I’m using:

    Server Public IPv6: 2001:DB8::DEAD:F00D/64
    Server Public IPv4:
    Routed /116: 2001:DB8::BEEF:3000/116
    Server Wireguard IPv6: 2001:DB8::BEEF:3001
    Server Wireguard IPv4:
    Client Wireguard IPv6: 2001:DB8::BEEF:3002
    Client Wireguard IPv4:

I can ping the outside world through IPv4 just fine. However, with IPv6 I can
only ping the server’s IPv6 addresses (2001:DB8::BEEF:3001 and
2001:DB8::DEAD:F00D). The outside world stays out of reach. The packets are just
dropped. I’m not getting network unreachable or any other error message back.

When I enabled forwarding for IPv6 on the server, I did have to manually add
the route so that IPv6 would continue working on the server
(ip -r route add default fe80::1). I can SSH into the server, and ping the
outside world no problem. And, the outside world can reach my server via IPv6
just fine, too.

I’m running Gentoo on the server and client.

Sysctl Settings I know to be relevant
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.default.accept_ra = 2
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1

Wireguard Server Configuration
Address =, 2001:DB8::BEEF:3001/116
SaveConfig = true
ListenPort = 51820
PrivateKey = ServerPrivateKey

PublicKey = ClientPublicKey
AllowedIPs =, 2001:DB8::BEEF:3002/128
Endpoint =

Wireguard Client Configuration
Address =
Address = 2001:DB8::BEEF:3002
PrivateKey = ClientPrivateKey

PublicKey = ServerPublicKey
AllowedIPs =, ::/0
Endpoint =
PersistentKeepalive = 25

Server Nftables
flush ruleset;

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # established/related connections
    ct state {established, related} accept

    # loopback interface
    iifname "lo" accept

    icmp type echo-request accept
    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, redirect } accept

    # TCP ports
    tcp dport {smtp, http, https, submission, imaps, irc} accept
    # ssh
    tcp dport #ssh# accept
    # Secured IRC
    tcp dport #notthatchatty# accept

    # UDP ports
    udp dport 51820 accept

    ip6 daddr 2001:DB8::BEEF:3000/116 accept

  chain forward {
    type filter hook forward priority 0;

    # allow established/related connections
    ct state {established, related} accept

    # early drop of invalid connections
    ct state invalid drop

    # Allow packets to be forwarded from the VPNs to the outer world
    ip saddr iifname wg0 oifname enp0s3 accept
    ip6 saddr 2001:DB8::BEEF:3000/116 iifname wg0 oifname enp0s3 accept
# IPv4 NAT table
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    ip saddr oif "enp0s3" snat to

Client ‘ip -6 route’
# ip -6 route
2001:DB8::BEEF:3002 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev enp1s0 proto kernel metric 100 pref medium

Server ‘ip -6 route’
2001:DB8::BEEF:3000/116 dev wg0 proto kernel metric 256 pref medium
2001:DB8::/64 dev enp0s3 proto kernel metric 256 expires 2326066sec pref medium
fe80::/64 dev enp0s3 proto kernel metric 256 pref medium
default via fe80::1 dev enp0s3 metric 1024 pref medium
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 358 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20180922/1e30c329/attachment-0001.asc>

More information about the WireGuard mailing list