configuração wireguard faltando algo no servidor

Tentando fazer o teste wireguard vpn funcionar e não consigo. Qualquer sugestão sobre o que verificar a seguir será apreciada.

O servidor é um droplet DO rodando Ubuntu com kernel 3.13.0-141, o cliente é um desktop kvm guest rodando Mint com kernel 4.4.0-112 e conexão de rede em ponte atrás do roteador nat. O cliente pode executar ping no servidor ok, mas qualquer outro tipo de pacote parece se perder, embora o tcpdump mostre muitos pacotes chegando em wg0 no servidor. ip_forward e proxy_arp estão habilitados no servidor conforme sugeridonesta postagem. ufw no servidor tem a porta do túnel aberta. O servidor também está executando o openvpn em outras portas.

Usando wg-quick com esses arquivos de configuração.

Cliente:

[Interface]
Address = 10.0.0.200
DNS = 8.8.8.8
PrivateKey = UJeiJJvi5NdqiBrgBfsim+ZS4c69M5EP5fUNNIXMy08=
[Peer]
PublicKey = MreTtFUDB5bQfkegxX2cvz3BLC9sybK4y0loTKhVunU=
AllowedIPs = 0.0.0.0/0
Endpoint = 159.203.227.235:51820

sudo wg-quick up ./wg0.conf 
[sudo] password for jim: 
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip address add 10.0.0.200 dev wg0
[#] ip link set mtu 1420 dev wg0
[#] ip link set wg0 up
[#] resolvconf -a tun.wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0

Servidor:

[Interface]
Address = 10.0.0.201
SaveConfig = true
ListenPort = 51820
PrivateKey = 6GBAE7bFjrOfEp1uWiPvoW+5CyfpjsBmK0/vCIWbGl0=
[Peer]
PublicKey = furwAmh4vbKrLAGZG/QDIUT2a1GLi0WxDY6YdQKzIHE=
AllowedIPs = 10.0.0.200/32

sudo wg-quick up ./wg0.conf
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip link set mtu 1420 dev wg0
[#] ip link set wg0 up
[#] ip route add 10.0.0.200/32 dev wg0

ip route show table all

default via 159.203.224.1 dev eth0 
10.0.0.200 dev wg0  scope link 
10.12.0.0/16 dev eth0  proto kernel  scope link  src 10.12.0.5 
159.203.224.0/20 dev eth0  proto kernel  scope link  src 159.203.227.235 
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 
broadcast 10.12.0.0 dev eth0  table local  proto kernel  scope link  src 10.12.0.5 
local 10.12.0.5 dev eth0  table local  proto kernel  scope host  src 10.12.0.5 
broadcast 10.12.255.255 dev eth0  table local  proto kernel  scope link  src 10.12.0.5 
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1 
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1 
broadcast 159.203.224.0 dev eth0  table local  proto kernel  scope link  src 159.203.227.235 
local 159.203.227.235 dev eth0  table local  proto kernel  scope host  src 159.203.227.235 
broadcast 159.203.239.255 dev eth0  table local  proto kernel  scope link  src 159.203.227.235 
broadcast 172.17.0.0 dev docker0  table local  proto kernel  scope link  src 172.17.0.1 
local 172.17.0.1 dev docker0  table local  proto kernel  scope host  src 172.17.0.1 
broadcast 172.17.255.255 dev docker0  table local  proto kernel  scope link  src 172.17.0.1 
fe80::/64 dev eth0  proto kernel  metric 256 
fe80::/64 dev veth215195c  proto kernel  metric 256 
fe80::/64 dev docker0  proto kernel  metric 256 
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
local ::1 dev lo  table local  proto none  metric 0 
local fe80::42:2fff:fec9:400 dev lo  table local  proto none  metric 0 
local fe80::601:d8ff:febf:4701 dev lo  table local  proto none  metric 0 
local fe80::84ce:13ff:feaf:f628 dev lo  table local  proto none  metric 0 
ff00::/8 dev eth0  table local  metric 256 
ff00::/8 dev veth215195c  table local  metric 256 
ff00::/8 dev docker0  table local  metric 256 
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101