I’m sorry, I forgot the -t nat, you are of course correct.
I don’t think this will work. You have to pick one.
I created a little test network. The server has a device eth0
with multiple globally routable IPv6 addresses attached to it.
$ cat /etc/sysctl.d/61-wireguard.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
$ cat /etc/wireguard/wg0.conf
[Interface]
Address = fd44:44:44::1/64
ListenPort = 66666
PrivateKey = abcde=
[Peer]
PublicKey = zyxwv=
AllowedIPs = fd44:44:44::2/128
The client config:
[Interface]
PrivateKey = vwxyz=
Address = fd44:44:44::2/64
DNS = fd44:44:44::1
[Peer]
PublicKey = edcba=
Endpoint = wireguard.domain:66666
AllowedIPs = ::/0
After that I can ping the IP fd44:44:44::1 from the client,
and also the IPv6 address of the eth0
device on the server. But no other public IPv6 address.
The only ip6tables command I needed to run on the server as root was
ip6tables -t nat -A POSTROUTING -s fd44:44:44::/64 -o eth0 -j MASQUERADE
After that I was immediately able to ping other public IPv6 addresses like 2001:4860:4860::8888
# ip6tables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s fd44:44:44::/64 -o eth0 -j MASQUERADE
# ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
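As an added example (not code from the post), a small Python checker that parses a wg-quick config like the server one above and reports the server-side pieces this setup depends on: the forwarding sysctl, and the NAT66 MASQUERADE rule that a ULA tunnel prefix needs before peers can reach public IPv6 addresses. It also flags the out-of-range ListenPort and any peer AllowedIPs outside the tunnel prefix; the egress device name eth0 is an assumption.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses

# Constructed sample mirroring the server config in the post (dummy keys and port).
SERVER_CONF = """\
[Interface]
Address = fd44:44:44::1/64
ListenPort = 66666
PrivateKey = abcde=
[Peer]
PublicKey = zyxwv=
AllowedIPs = fd44:44:44::2/128
"""

def parse_wg(text):
    """Minimal wg-quick config parser that keeps repeated [Peer] sections separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[-1][1][key] = val
    return sections

def check_server(text, egress="eth0"):
    """Report what the server side needs: forwarding sysctl, NAT66 rule, and warnings."""
    sections = parse_wg(text)
    iface = next(d for name, d in sections if name == "Interface")
    peers = [d for name, d in sections if name == "Peer"]
    tunnel = ipaddress.ip_interface(iface["Address"])
    report = {"warnings": [], "sysctl": [], "nat_rule": None, "peers_outside": []}
    port = int(iface.get("ListenPort", 0))  # 0: not set, WireGuard picks a port itself
    if port and not 1 <= port <= 65535:
        report["warnings"].append(f"ListenPort {port} is outside 1-65535")
    if tunnel.version == 6:
        report["sysctl"].append("net.ipv6.conf.all.forwarding = 1")
        # A ULA prefix is not routed on the Internet: forwarding alone gets no replies.
        if tunnel.network.subnet_of(ULA):
            report["nat_rule"] = (f"ip6tables -t nat -A POSTROUTING -s {tunnel.network} "
                                  f"-o {egress} -j MASQUERADE")
    for peer in peers:
        for cidr in filter(None, map(str.strip, peer.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != tunnel.version or not net.subnet_of(tunnel.network):
                report["peers_outside"].append(str(net))
    return report
```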