I would like to route traffic between two devices when they're both on NAT connections. They are both connected to a wireguard VPN on a VPS, but they cannot ping each other.

On their wireguard interfaces, I have assigned the address fd0d:87fa:c3bc:1::1 to the VPS, fd0d:87fa:c3bc:5::1 to Alice, and fd0d:87fa:c3bc:6::1 to Bob.

The routing tables are:

Alice:

liam@alice# ip -6 route show dev wg0
fd0d:87fa:c3bc:1::/64 proto static metric 50 pref medium
fd0d:87fa:c3bc:5::/64 metric 1024 pref medium
fd0d:87fa:c3bc:6::/64 via fd0d:87fa:c3bc:1::1 metric 1024 pref medium
fe80::/64 proto kernel metric 50 pref medium
ff00::/8 metric 256 pref medium

Bob:

liam@bob# ip -6 route show dev wg0
fd0d:87fa:c3bc:1::/64 metric 1024 pref medium
fd0d:87fa:c3bc:5::/64 via fd0d:87fa:c3bc:1::1 metric 1024 pref medium
fd0d:87fa:c3bc:6::/64 proto kernel metric 256 pref medium

VPS:

liam@vps# ip -6 route show dev wg0
fd0d:87fa:c3bc:1::/64 proto kernel metric 256 pref medium
fd0d:87fa:c3bc:2::/64 metric 1024 pref medium
fd0d:87fa:c3bc:3::/64 metric 1024 pref medium
fd0d:87fa:c3bc:4::/64 metric 1024 pref medium
fd0d:87fa:c3bc:5::/64 metric 1024 pref medium
fd0d:87fa:c3bc:6::/64 metric 1024 pref medium

IPv6 forwarding is enabled on the VPS:

liam@vps# sysctl net.ipv6.conf.wg0.forwarding
net.ipv6.conf.wg0.forwarding = 1

and all ip6tables chains are empty with policy ACCEPT:

liam@{vps,alice,bob}# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Alice and Bob can ping the VPS, but they cannot ping each other:

liam@alice# ping fd0d:87fa:c3bc:1::1
PING fd0d:87fa:c3bc:1::1(fd0d:87fa:c3bc:1::1) 56 data bytes
64 bytes from fd0d:87fa:c3bc:1::1: icmp_seq=1 ttl=64 time=31.8 ms
^C
liam@alice# ping fd0d:87fa:c3bc:6::1
PING fd0d:87fa:c3bc:6::1(fd0d:87fa:c3bc:6::1) 56 data bytes
From fd0d:87fa:c3bc:5::1 icmp_seq=1 Destination unreachable: Address unreachable
liam@bob# ping fd0d:87fa:c3bc:1::1
PING fd0d:87fa:c3bc:1::1(fd0d:87fa:c3bc:1::1) 56 data bytes
64 bytes from fd0d:87fa:c3bc:1::1: icmp_seq=1 ttl=64 time=58.3 ms
^C
liam@bob# ping fd0d:87fa:c3bc:5::1
PING fd0d:87fa:c3bc:5::1(fd0d:87fa:c3bc:5::1) 56 data bytes
From fd0d:87fa:c3bc:6::1 icmp_seq=1 Destination unreachable: Address unreachable

What steps have I missed to get IPv6 traffic routed through wireguard?

1 Answer

Ensure the AllowedIPs wireguard setting of the VPS allows the IPs of other clients through the interface.

Replace the line starting with - with the line starting with + in Alice's and Bob's wireguard .conf files:

 [Peer]
 PublicKey = {redacted-vps-public-key}
-AllowedIPs = fd0d:87fa:c3bc:1::/64
+AllowedIPs = fd0d:87fa:c3bc::/48
 Endpoint = {vps-wireguard-uri}
 PersistentKeepalive = 60
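Review bot: this hunk changes only the client side of cryptokey routing. AllowedIPs is both the outbound peer selector and the inbound source filter, so for the forwarded packets to actually leave the VPS, its own [Peer] entries for Alice and Bob must carry fd0d:87fa:c3bc:5::/64 and fd0d:87fa:c3bc:6::/64 respectively; the VPS routing table in the question (both /64s present on wg0) suggests this is already in place, but the answer should state the requirement explicitly. Also worth adding: once wg-quick installs a route for the new fd0d:87fa:c3bc::/48 on wg0, the hand-added `fd0d:87fa:c3bc:6::/64 via fd0d:87fa:c3bc:1::1` and `fd0d:87fa:c3bc:5::/64 via fd0d:87fa:c3bc:1::1` routes on Alice and Bob become redundant.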

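To see why Alice's config cannot reach Bob before the change and can after it, here is an added example (not code from the question, the answer or the WireGuard project) that parses [Peer] sections and performs the same longest-prefix AllowedIPs lookup that WireGuard's cryptokey routing does on every outbound packet. The config texts, `parse_peers` and `select_peer` are constructed for this illustration; key and endpoint values are the page's placeholders.

```python
import ipaddress
# Constructed sample: the VPS [Peer] of Alice's wg0.conf before and after the answer's change.
ALICE_BEFORE = """\
[Peer]
PublicKey = {redacted-vps-public-key}
AllowedIPs = fd0d:87fa:c3bc:1::/64
Endpoint = {vps-wireguard-uri}
PersistentKeepalive = 60
"""
ALICE_AFTER = ALICE_BEFORE.replace("fd0d:87fa:c3bc:1::/64", "fd0d:87fa:c3bc::/48")

# Constructed sample: VPS side, one [Peer] per client carrying that client's /64.
VPS_CONF = """\
[Peer]
PublicKey = {redacted-alice-public-key}
AllowedIPs = fd0d:87fa:c3bc:5::/64
[Peer]
PublicKey = {redacted-bob-public-key}
AllowedIPs = fd0d:87fa:c3bc:6::/64
"""

def parse_peers(conf):
    """Return [(public_key, [ip_network, ...]), ...], one entry per [Peer] section."""
    peers, cur = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if line.startswith("["):                   # section header: only [Peer] matters
            cur = {"key": None, "nets": []} if line.lower() == "[peer]" else None
            if cur is not None:
                peers.append(cur)
        elif cur is not None and "=" in line:      # "Key = value" inside a [Peer]
            k, v = (s.strip() for s in line.split("=", 1))
            if k == "PublicKey":
                cur["key"] = v
            elif k == "AllowedIPs":
                cur["nets"] += [ipaddress.ip_network(n.strip()) for n in v.split(",") if n.strip()]
    return [(p["key"], p["nets"]) for p in peers]

def select_peer(peers, dst):
    """Cryptokey-routing lookup: peer with the longest AllowedIPs prefix containing dst, else None."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for key, nets in peers:
        for net in nets:
            if net.version == addr.version and addr in net and net.prefixlen > best_len:
                best, best_len = key, net.prefixlen
    return best

# Alice -> Bob is None before the fix and the VPS peer after it; the VPS then picks Bob's peer.
print([select_peer(parse_peers(c), "fd0d:87fa:c3bc:6::1") for c in (ALICE_BEFORE, ALICE_AFTER, VPS_CONF)])
```

A None result is exactly the case the kernel reports back as "Destination unreachable: Address unreachable" in the question's ping output.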
