Setting up wireguard IPV6 tunnel broker

Server configuration:

In /etc/sysctl.conf I enabled net.ipv6.conf.all.forwarding = 1, and the firewall is disabled.

[Interface]
PrivateKey = <Private key>
Address = 2a7d:*:*:*::1/64
ListenPort = 51820
MTU = 1420

[Peer]
PublicKey = <Public key>
AllowedIPs = 2a7d:*:*:*::a/128

Home PC configuration:

[Interface]
PrivateKey = <Private key>
Address = 2a7d:*:*:*::a/128
MTU = 1420

[Peer]
PublicKey = <Public key>
AllowedIPs = ::/0
Endpoint = <server-ipv4>:51820
PersistentKeepAlive = 60

If I ping a host from the home PC, the host is resolved but packets do not get through:

ping6 -c 3 google.com
PING google.com(mil07s18-in-x0e.1e100.net (2a00:1450:4002:415::200e)) 56 data bytes

--- google.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2051ms
ping6 -c 3 cloudflare.com
PING cloudflare.com(2606:4700::6810:85e5 (2606:4700::6810:85e5)) 56 data bytes

--- cloudflare.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2028ms

I would be inclined to use tcpdump on the server, looking to answer the following questions:

  • Does the echo request arrive on the wireguard interface?
  • Does the echo request leave through the internet-facing interface towards the target?
  • Does a reply packet arrive from the target addressed to your client?
  • Does the reply leave through the wireguard interface towards the client?
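One way to tabulate such a capture against those four questions, added here as an example and not part of the original answer: the script assumes tcpdump 4.99-style `-i any` output (interface and direction columns), wg0 as the tunnel interface and eth0 as the uplink, and runs over a constructed sample capture.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn -i any icmp6` output (tcpdump 4.99 prints the
# interface and In/Out direction). Addresses are placeholders, not a real capture.
SAMPLE_CAPTURE = """\
12:00:00.000100 wg0  In  IP6 2a7d:db8:1:2::a > 2a00:1450:4002:415::200e: ICMP6, echo request, id 4242, seq 1, length 64
12:00:00.000150 eth0 Out IP6 2a7d:db8:1:2::a > 2a00:1450:4002:415::200e: ICMP6, echo request, id 4242, seq 1, length 64
12:00:01.000100 wg0  In  IP6 2a7d:db8:1:2::a > 2a00:1450:4002:415::200e: ICMP6, echo request, id 4242, seq 2, length 64
12:00:01.000150 eth0 Out IP6 2a7d:db8:1:2::a > 2a00:1450:4002:415::200e: ICMP6, echo request, id 4242, seq 2, length 64
12:00:01.010000 eth0 In  IP6 2a00:1450:4002:415::200e > 2a7d:db8:1:2::a: ICMP6, echo reply, id 4242, seq 2, length 64
"""

LINE_RE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP6\s+(?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): "
    r"ICMP6, echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# The four hops from the answer, in the order a packet should traverse them.
STAGES = ("request_in_wg", "request_out_inet", "reply_in_inet", "reply_out_wg")

def trace_echoes(capture, wg_iface="wg0", inet_iface="eth0"):
    """Map each (icmp id, seq) pair to the set of hops on which it was observed."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-echo ICMPv6 (neighbor discovery etc.) or unparsable line
        kind, iface, direction = m["kind"], m["iface"], m["dir"]
        key = (int(m["id"]), int(m["seq"]))
        if kind == "request" and iface == wg_iface and direction == "In":
            seen[key].add("request_in_wg")
        elif kind == "request" and iface == inet_iface and direction == "Out":
            seen[key].add("request_out_inet")
        elif kind == "reply" and iface == inet_iface and direction == "In":
            seen[key].add("reply_in_inet")
        elif kind == "reply" and iface == wg_iface and direction == "Out":
            seen[key].add("reply_out_wg")
    return dict(seen)

def first_missing_stage(hops):
    """Return the first hop that was not observed, or None when the round trip completed."""
    return next((stage for stage in STAGES if stage not in hops), None)

def diagnose(capture, **kw):
    """Per echo (id, seq): where the packet went missing, or None for a full round trip."""
    return {key: first_missing_stage(hops) for key, hops in sorted(trace_echoes(capture, **kw).items())}

if __name__ == "__main__":
    for (ident, seq), missing in diagnose(SAMPLE_CAPTURE).items():
        print(f"id {ident} seq {seq}: " + (f"stops before {missing}" if missing else "round trip complete"))
```

In the sample, seq 1 never gets a reply from the target (a routing problem upstream), while seq 2 is answered but the reply never leaves on wg0 (a forwarding problem on the server); each case points at a different part of the setup to check.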