I have two virtual machines (server, client) with wireguard vpn. When i try ping any IPv6 resource from client packets doesn't return to client.
Tcpdump show me ICMP Reply packets in enp0s3 interface (server), not in wg0 (vpn interface on server). But if disable nftables and start ip6tables, all works. After this step i disable ip6tables and enable nftables... All continue works...
Software versions:
NixOS: 17.09.git.ebaff59 (Hummingbird)
WireGuard: 0.0.20170706
Nftables: 0.7
Build ISO images with next commands:
Server:
nix-build -A config.system.build.isoImage -I nixos-config=./wireguard_server_10.nix ./nixpkgs/nixos/default.nix
Client:
nix-build -A config.system.build.isoImage -I nixos-config=./wireguard_client_20.nix ./nixpkgs/nixos/default.nix
Here nix files:
Create virtual machines with next commands:
Server:
virt-install \
--name NixOSVS10 \
--ram 1024 \
--vcpus 1 \
--cdrom /tmp/nixos_10.iso \
--os-type linux \
--nodisk \
--network bridge=br0 \
--graphics vnc,password="ABCDEF",port=5910,listen=2a01:4f8:xx:xx::13 \
--autostart \
--noautoconsole
Client:
virt-install \
--name NixOSVS20 \
--ram 1024 \
--vcpus 1 \
--cdrom /tmp/nixos_20.iso \
--os-type linux \
--nodisk \
--network bridge=br0 \
--graphics vnc,password="ABCDEF",port=5920,listen=2a01:4f8:xx:xx::13 \
--autostart \
--noautoconsole
Nftables rules:
Server:
Client:
Output for ip a, ip -6 route, route -6, wg, sysctl -a, dmesg, lsmod.
Server:
Client:
Tcpdump logs from client. Ping IPv6 address 2001:19f0:7400:87a2::64 (https://ipv6.net/)
Output from /proc/net/nf_conntrack:
With nftables:
With ip6tables:
Snat doesn't work correctly in nftables. But work after next steps:
[root@nixos:~]# systemctl stop nftables
[root@nixos:~]# ip6tables -t nat -A POSTROUTING -o enp0s3 -j SNAT --to-source 2a01:4f8:xx:xx::10