The server has 2 interfaces: eth0, the real IPv4 network interface, and tun0, a virtual mesh IPv6 network interface.
The WireGuard tunnel is wg0 (10.0.0.0/24); the server is 10.0.0.1 and the client is 10.0.0.2.
The client uses the public IPv6 address of the server's tun0 interface as Endpoint and connects to WireGuard listening on port 51193. The client successfully receives a handshake, but is unable to ping anything but the local network.
The server has no firewall.
Example traceroute of google.com from the client:
tracert 172.217.18.14
Tracing route to fra24s22-in-f14.1e100.net [172.217.18.14]
over a maximum of 30 hops:
1 123 ms 201 ms 198 ms 10.0.0.1
2 * * * Request timed out.
3 * * * Request timed out.
Server data:
ip route show table main
default via 51.89.97.39 dev ens3 onlink
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1
ip -6 route show table main
::1 dev lo proto kernel metric 256 pref medium
200::/7 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev ens3 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:<REDACTED>:63 brd ff:ff:ff:ff:ff:ff
altname enp0s3
inet <REDACTED_IPV4_ENS3_PUBLIC>/32 brd 135.125.209.103 scope global ens3
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe2c:4f63/64 scope link
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 53049 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet6 <REDACTED_IPV6_TUN0_PUBLIC>/7 scope global
valid_lft forever preferred_lft forever
inet6 fe80::a307:5d5d:2a0b:2be1/64 scope link stable-privacy
valid_lft forever preferred_lft forever
12: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.0.0.1/24 scope global wg0
valid_lft forever preferred_lft forever
iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
127 7404 ACCEPT all -- wg0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
ip6tables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all wg0 * ::/0 ::/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
WireGuard server config:
[Interface]
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51193
PrivateKey = <REDACTED>
[Peer]
PublicKey = <REDACTED>
PresharedKey = <REDACTED>
AllowedIPs = 10.0.0.4/32
WireGuard client config:
[Interface]
PrivateKey = <REDACTED>
Address = 10.0.0.4/32
DNS = 8.8.8.8, 8.8.4.4
[Peer]
PublicKey = <REDACTED>
PresharedKey = <REDACTED>
AllowedIPs = 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3, ::/1, 8000::/2, c000::/3, e000::/4, f000::/5, f800::/6, fe00::/7
Endpoint = [<REDACTED_IPV6_TUN0_PUBLIC>]:51193
All traffic must have access to the local network (it already does); otherwise it should go out via ens3 (this is not working).
Am I missing something? When connecting to the WireGuard server via clearnet <REDACTED_IPV4_ENS3_PUBLIC>, with tun0 down, everything works normally.
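A diagnostic that a practitioner would run on a setup like this, added here as an example and not part of the original post: it extracts the device carrying the IPv4 default route from `ip route show` output and the outbound interfaces named by POSTROUTING MASQUERADE rules (either from the wg-quick config's PostUp lines or from `iptables -t nat -S POSTROUTING` output), then reports whether any MASQUERADE rule actually covers the default-route device. Note that `iptables -L -v -n` without `-t nat` only lists the filter table, so it never shows whether the MASQUERADE rules exist. The sample route and config lines below are constructed from the data in the post; the function names are this example's own.

```shell
#!/bin/sh
# Added example: check that the MASQUERADE rules in a WireGuard server setup
# name the interface that really carries the default route. Not part of the
# original post; the sample inputs are constructed from the values shown there.

# Print the device of the IPv4 default route from `ip route show` text on stdin.
default_route_dev() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Print the unique outbound interfaces named by POSTROUTING MASQUERADE rules.
# Works on wg-quick PostUp lines and on `iptables -t nat -S POSTROUTING` output.
masquerade_out_devs() {
    awk '/POSTROUTING/ && /MASQUERADE/ { for (i = 1; i <= NF; i++) if ($i == "-o") print $(i+1) }' | sort -u
}

# Return 0 if one of the given interfaces (args 2..n) equals the default-route device (arg 1).
check_masquerade_matches_default() {
    dev="$1"; shift
    for d in "$@"; do
        [ "$d" = "$dev" ] && return 0
    done
    return 1
}

# Return 0 if the kernel forwarding switch (contents of /proc/sys/net/ipv4/ip_forward) is on.
forwarding_enabled() {
    [ "$1" = "1" ]
}

# Compare routes text and NAT rules text; print a verdict and return 0 (ok) or 1 (mismatch).
run_check() {
    routes="$1"; rules="$2"
    dev=$(printf '%s\n' "$routes" | default_route_dev)
    masq=$(printf '%s\n' "$rules" | masquerade_out_devs | tr '\n' ' ')
    # shellcheck disable=SC2086  # word-splitting of $masq into arguments is intended
    if check_masquerade_matches_default "$dev" $masq; then
        echo "OK: a MASQUERADE rule covers default-route device '$dev'"
        return 0
    fi
    echo "MISMATCH: default route leaves via '$dev' but MASQUERADE rules only name: $masq"
    return 1
}

# Constructed sample inputs taken from the post (not live system output).
SAMPLE_ROUTES='default via 51.89.97.39 dev ens3 onlink
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1'

SAMPLE_CONFIG='[Interface]
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51193'

# Stand-alone demo: on the sample data this reports a mismatch (ens3 vs eth0/tun0).
demo() {
    run_check "$SAMPLE_ROUTES" "$SAMPLE_CONFIG" || true
    # On a live host, feed real data instead:
    #   run_check "$(ip route show table main)" "$(iptables -t nat -S POSTROUTING)"
    #   forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)" || echo "ip_forward is off"
    return 0
}
demo
```

Run on a live server, the two commands shown in the comment replace the constructed samples; the check reads only the route table and the NAT rules, so it can be run safely at any time without touching the tunnel.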