I’m going to use the official documentation IP addresses. I am using real IPv6 addresses and not using NAT66. Naturally, NAT is being used for IPv4. Here are the definitions I’m using: Server Public IPv6: 2001:DB8::DEAD:F00D/64 Server Public IPv4: 192.0.2.1 Routed /116: 2001:DB8::BEEF:3000/116 Server Wireguard IPv6: 2001:DB8::BEEF:3001 Server Wireguard IPv4: 10.0.0.1 Client Wireguard IPv6: 2001:DB8::BEEF:3002 Client Wireguard IPv4: 10.0.0.2 I can ping the outside world through IPv4 just fine. However, with IPv6 I can only ping the server’s IPv6 addresses (2001:DB8::BEEF:3001 and 2001:DB8::DEAD:F00D). The outside world stays out of reach. The packets are just dropped. I’m not getting network unreachable or any other error message back. When I enabled forwarding for IPv6 on the server, I did have to manually add the route so that IPv6 would continue working on the server (ip -r route add default fe80::1). I can SSH into the server, and ping the outside world no problem. And, the outside world can reach my server via IPv6 just fine, too. I’m running Gentoo on the server and client. ===================================== Sysctl Settings I know to be relevant ===================================== net.ipv6.conf.all.accept_ra = 2 net.ipv6.conf.default.accept_ra = 2 net.ipv6.conf.all.forwarding = 1 net.ipv6.conf.default.forwarding = 1 net.ipv4.conf.all.forwarding = 1 net.ipv4.conf.default.forwarding = 1 ============================== Wireguard Server Configuration ============================== [Interface] Address = 10.0.0.1/24, 2001:DB8::BEEF:3001/116 SaveConfig = true ListenPort = 51820 PrivateKey = ServerPrivateKey [Peer] PublicKey = ClientPublicKey AllowedIPs = 10.0.0.2/32, 2001:DB8::BEEF:3002/128 Endpoint = 192.0.2.204:53132 ============================== Wireguard Client Configuration ============================== [Interface] Address = 10.0.0.2/32 Address = 2001:DB8::BEEF:3002 PrivateKey = ClientPrivateKey DNS = 8.8.8.8 [Peer] PublicKey = ServerPublicKey AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = 192.0.2.1:51820 PersistentKeepalive = 25 =============== Server Nftables =============== flush ruleset; table inet filter { chain input { type filter hook input priority 0; policy drop; # established/related connections ct state {established, related} accept # loopback interface iifname "lo" accept icmp type echo-request accept icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, redirect } accept # TCP ports tcp dport {smtp, http, https, submission, imaps, irc} accept # ssh tcp dport #ssh# accept # Secured IRC tcp dport #notthatchatty# accept # UDP ports udp dport 51820 accept ip6 daddr 2001:DB8::BEEF:3000/116 accept } chain forward { type filter hook forward priority 0; # allow established/related connections ct state {established, related} accept # early drop of invalid connections ct state invalid drop # Allow packets to be forwarded from the VPNs to the outer world ip saddr 10.0.0.0/8 iifname wg0 oifname enp0s3 accept ip6 saddr 2001:DB8::BEEF:3000/116 iifname wg0 oifname enp0s3 accept } } # IPv4 NAT table table ip nat { chain prerouting { type nat hook prerouting priority 0; policy accept; } chain postrouting { type nat hook postrouting priority 100; policy accept; ip saddr 10.0.0.0/8 oif "enp0s3" snat to 192.0.2.1 } } ==================== Client ‘ip -6 route’ ==================== # ip -6 route 2001:DB8::BEEF:3002 dev wg0 proto kernel metric 256 pref medium fe80::/64 dev enp1s0 proto kernel metric 100 pref medium ==================== Server ‘ip -6 route’ ==================== 2001:DB8::BEEF:3000/116 dev wg0 proto kernel metric 256 pref medium 2001:DB8::/64 dev enp0s3 proto kernel metric 256 expires 2326066sec pref medium fe80::/64 dev enp0s3 proto kernel metric 256 pref medium default via fe80::1 dev enp0s3 metric 1024 pref medium