Cannot ping to internet from WireGuard interface despite ::/0 being set in allowed-ips

Hi, I’m new to this forum but not new to WireGuard. Running VyOS Stream 2025.11, I was trying to initially set up WAN access over WireGuard for my downstream L3 switch with PBR, but while testing, I had found out I cannot ping from VyOS over WireGuard to any addresses outside the interface’s /64 prefix despite allowed-ips ::/0 being set.

On the other hand, accessing WAN/internet-facing addresses thru IPv4 works fine with static routes, NAT, and firewall rules configured (which I had similarly done for IPv6 excl. NAT).

While writing this new thread, I did have some suspicion that it might have to do with my VPN server on a VPS, but since I’m also running another WireGuard interface on said VPS that had been working fine, I’m a bit unsure.

show version output. (manually-redacted)

Version: VyOS 2025.11
Release train: circinus
Release flavor: generic

Built by: autobuild@vyos.net
Built on: Tue 11 Nov 2025 13:49 UTC
Build UUID: f65157d9-61eb-410c-9876-bc5e239a2f96
Build commit ID: 6d5f851f240d7e

Architecture: x86_64
Boot via: installed image
System type: bare metal

Hardware vendor: Sophos
Hardware model: XG
Hardware S/N: [hidden]
Hardware UUID: [hidden]

Copyright: VyOS maintainers and contributors

WireGuard config.

wireguard wg0 {
    address xxx.xxx.255.2/30
    address xxxx:xxxx:e002:1::2/64
    ip {
        adjust-mss clamp-mss-to-pmtu
    }
    ipv6 {
        adjust-mss clamp-mss-to-pmtu
    }
    peer vps0 {
        address xxxx:xxxx::f03c:95ff:fe95:2697
        allowed-ips xxx.xxx.0.0/0
        allowed-ips ::/0
        persistent-keepalive 5
        port 51820
        preshared-key ****************
        public-key ****************
    }
    private-key xxxxxx
}

Static Routing and Table config.

protocols {
    static {
        route xxx.xxx.0.0/0 {
            next-hop xxx.xxx.255.1 {
                distance 10
                interface wg0
            }
            next-hop xxx.xxx.1.1 {
                distance 1
                interface eth0
            }
        }
        route xxx.xxx.0.0/16 {
            next-hop xxx.xxx.0.2 {
                distance 1
                interface bond0
            }
        }
        route6 ::/0 {
            next-hop xxxx:xxxx:e002:1::1 {
                distance 10
                interface wg0
            }
            next-hop fe80::1 {
                distance 1
                interface eth0
            }
        }
        route6 xxxx:xxxx:22f4:9b10::/60 {
            next-hop fe80::e21a:eaff:fe17:aa2c {
                interface bond0
            }
        }
        route6 xxxx:xxxx:e002:10::/60 {
            next-hop fe80::e21a:eaff:fe17:aa2c {
                interface bond0
            }
        }
        table 1 {
            route xxx.xxx.0.0/0 {
                next-hop xxx.xxx.1.1 {
                    interface eth0
                }
            }
            route6 ::/0 {
                next-hop fe80::1 {
                    interface eth0
                }
            }
        }
        table 2 {
            route xxx.xxx.0.0/0 {
                next-hop xxx.xxx.255.1 {
                    interface wg0
                }
            }
            route6 ::/0 {
                next-hop xxxx:xxxx:e002:1::1 {
                    interface wg0
                }
            }
        }
        table 3 {
            route xxx.xxx.0.0/8 {
                next-hop xxx.xxx.0.1 {
                    interface bond0
                }
            }
            route6 xxxx:xxxx:22f4:9b10::/60 {
                next-hop fe80::e21a:eaff:fe17:aa2c {
                    interface bond0
                }
            }
            route6 xxxx:xxxx:e002:10::/60 {
                next-hop fe80::e21a:eaff:fe17:aa2c {
                    interface bond0
                }
            }
        }
    }
}

IPv6 main routing table.

S ::/0 [10/0] via xxxx:xxxx:e002:1::1, wg0, weight 1, 11:49:26
S>* ::/0 [1/0] via fe80::1, eth0, weight 1, 12:00:04
C>* xxxx:xxxx:e002:1::/64 is directly connected, wg0, weight 1, 11:49:26
L * xxxx:xxxx:e002:1::2/128 is directly connected, wg0, weight 1, 11:49:26
L * xxxx:xxxx:e002:1::2/128 is directly connected, wg0, weight 1, 11:50:16
L * xxxx:xxxx:e002:1::2/128 is directly connected, wg0, weight 1, 12:00:14
L>* xxxx:xxxx:e002:1::2/128 is directly connected, wg0, weight 1, 12:00:28
S xxxx:xxxx:e002:10::/60 [1/0] via fe80::e21a:eaff:fe17:aa2c, bond0 inactive, weight 1, 12:00:04
C>* xxxx:xxxx:22f4:9b00::/64 is directly connected, eth0 linkdown, weight 1, 12:00:14
K * xxxx:xxxx:22f4:9b00::/64 [0/256] is directly connected, eth0 linkdown, weight 1, 12:00:31
L * xxxx:xxxx:22f4:9b00:7e5a:1cff:fe7e:797d/128 is directly connected, eth0 linkdown, weight 1, 12:00:14
L>* xxxx:xxxx:22f4:9b00:7e5a:1cff:fe7e:797d/128 is directly connected, eth0 linkdown, weight 1, 12:00:26
S xxxx:xxxx:22f4:9b10::/60 [1/0] via fe80::e21a:eaff:fe17:aa2c, bond0 inactive, weight 1, 12:00:04
K>* xxxx:xxxx:22f4:9b20::/64 [0/256] is directly connected, eth6 linkdown, weight 1, 12:00:31
K>* xxxx:xxxx:e940::/64 [0/256] is directly connected, bond0 linkdown, weight 1, 12:00:29
C * fe80::/64 is directly connected, wg0, weight 1, 11:49:26
C * fe80::/64 is directly connected, eth0 linkdown, weight 1, 12:00:14
C>* fe80::/64 is directly connected, lo, weight 1, 12:00:34

Ping results. (manually-redacted)

xxxx@xxxx0:~$ ping 1.1.1.1 interface wg0
PING 1.1.1.1 (1.1.1.1) from xxx.xx.255.2 wg0: 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=51 time=16.6 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=51 time=16.8 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=51 time=17.1 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=51 time=16.8 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=51 time=16.0 ms
^C
--- 1.1.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 15.985/16.642/17.064/0.363 ms

xxxx@xxxx0:~$ ping 2620:fe::fe interface wg0
/bin/ping6: connect: Network is unreachable

xxxx@xxxx0:~$ ping xxx.xx.255.1 interface wg0
PING xxx.xx.255.1 (xxx.xx.255.1) from xxx.xx.255.2 wg0: 56(84) bytes of data.
64 bytes from xxx.xx.255.1: icmp_seq=1 ttl=64 time=16.4 ms
64 bytes from xxx.xx.255.1: icmp_seq=2 ttl=64 time=15.7 ms
64 bytes from xxx.xx.255.1: icmp_seq=3 ttl=64 time=15.9 ms
64 bytes from xxx.xx.255.1: icmp_seq=4 ttl=64 time=16.2 ms
64 bytes from xxx.xx.255.1: icmp_seq=5 ttl=64 time=15.8 ms
^C
--- xxx.xx.255.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 15.698/15.999/16.422/0.274 ms

xxxx@xxxx0:~$ ping xxxx:xxxx:e002:1::1 interface wg0
PING xxxx:xxxx:e002:1::1(xxxx:xxxx:e002:1::1) from xxxx:xxxx:e002:1::2 wg0: 56 data bytes
64 bytes from xxxx:xxxx:e002:1::1: icmp_seq=1 ttl=64 time=15.4 ms
64 bytes from xxxx:xxxx:e002:1::1: icmp_seq=2 ttl=64 time=15.9 ms
64 bytes from xxxx:xxxx:e002:1::1: icmp_seq=3 ttl=64 time=16.2 ms
64 bytes from xxxx:xxxx:e002:1::1: icmp_seq=4 ttl=64 time=15.9 ms
64 bytes from xxxx:xxxx:e002:1::1: icmp_seq=5 ttl=64 time=16.0 ms
^C
--- xxxx:xxxx:e002:1::1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 15.401/15.888/16.192/0.262 ms

I can provide the full config upon request as a text file.

Not sure if you’re still working on this, but this doesn’t look exactly right to me; it looks like default via eth0 is being selected, even though it shows as linkdown? I could be missing something though.

Is eth0 supposed to be up or down?
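
Added example (not part of the thread, and not VyOS or FRR code): a small parser for route lines in the format shown in the first post. For one prefix it reports which candidate is selected and installed in the FIB, which candidates are standing by, and whether the installed route's interface is flagged linkdown on other entries, which is the reading the reply above makes by eye. The sample lines are constructed, with the redacted prefix replaced by the 2001:db8::/32 documentation range; the function names are illustrative.

```python
import re

# Constructed sample modelled on the routing table in the post; the redacted
# prefix is replaced with the 2001:db8::/32 documentation range.
SAMPLE = """
S   ::/0 [10/0] via 2001:db8:e002:1::1, wg0, weight 1, 11:49:26
S>* ::/0 [1/0] via fe80::1, eth0, weight 1, 12:00:04
C>* 2001:db8:e002:1::/64 is directly connected, wg0, weight 1, 11:49:26
C>* 2001:db8:22f4:9b00::/64 is directly connected, eth0 linkdown, weight 1, 12:00:14
S   2001:db8:e002:10::/60 [1/0] via fe80::e21a:eaff:fe17:aa2c, bond0 inactive, weight 1, 12:00:04
"""

# Code letter, optional '>' (selected) and '*' (installed in the FIB), prefix,
# optional [distance/metric], next hop or "directly connected", interface, flags.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\s*(?P<sel>>?)\s*(?P<fib>\*?)\s+(?P<prefix>\S+)"
    r"(?:\s+\[(?P<dist>\d+)/\d+\])?\s+"
    r"(?:via\s+(?P<nh>[^,\s]+),|is directly connected,)\s+"
    r"(?P<ifname>[\w.@-]+)(?P<flags>[^,]*)"
)

def parse_routes(text):
    """Turn route lines into dicts; lines that do not match are skipped."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["selected"] = r.pop("sel") == ">"
        r["fib"] = r.pop("fib") == "*"
        r["dist"] = int(r["dist"]) if r["dist"] else 0  # connected routes carry no [d/m]
        routes.append(r)
    return routes

def linkdown_ifaces(routes):
    """Interfaces that at least one entry marks as linkdown."""
    return {r["ifname"] for r in routes if "linkdown" in r["flags"]}

def audit_prefix(routes, prefix):
    """Return (installed route, standby candidates, warnings) for one prefix."""
    cands = sorted((r for r in routes if r["prefix"] == prefix), key=lambda r: r["dist"])
    best = next((r for r in cands if r["selected"] and r["fib"]), None)
    standby = [r for r in cands if r is not best]
    warnings = []
    if best and best["ifname"] in linkdown_ifaces(routes):
        warnings.append(f"{prefix} installed via {best['ifname']}, which other entries mark linkdown")
    for r in standby:
        if not r["fib"]:
            warnings.append(f"{prefix} via {r['ifname']} (distance {r['dist']}) is not in the FIB")
    return best, standby, warnings
```
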

I’m honestly not too sure how to respond, other than saying that later on I had configured local-route6 policies for the wg0 interface. In addition, I actually discovered a quirk: I can ping through the WireGuard interface via IPv6 if I specified the interface address directly (in this case, the one ending with :1::2), but not if I specified the interface name.

As for the eth0 interface, it’s supposed to be up. But, since I had done more changes since the time I posted my issues here, I might need to post those changes later.

xxxx@xxxx0# ping -I xxxx:xxxx:xxxx:1::2 2620:fe::fe
PING 2620:fe::fe(2620:fe::fe) from xxxx:xxxx:xxxx:1::2 : 56 data bytes
64 bytes from 2620:fe::fe: icmp_seq=1 ttl=42 time=52.1 ms
64 bytes from 2620:fe::fe: icmp_seq=2 ttl=42 time=52.1 ms
64 bytes from 2620:fe::fe: icmp_seq=3 ttl=42 time=51.6 ms
64 bytes from 2620:fe::fe: icmp_seq=4 ttl=42 time=52.3 ms
64 bytes from 2620:fe::fe: icmp_seq=5 ttl=42 time=52.2 ms
^C
--- 2620:fe::fe ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 51.647/52.055/52.279/0.218 ms
[edit]
xxxx@xxxx0# ping -I wg0 2620:fe::fe
ping: connect: Network is unreachable