What needs to be allowed in firewalld so that WireGuard clients can connect to each other via SSH?
The Setup
I have two clients and a server on a WireGuard VPN network. All of them are running Debian 11.
CLIENT A -------- SERVER -------- CLIENT B
10.0.1.2          10.0.1.1         10.0.1.3
What Can Be Done
- I can SSH from either client to the server.
- I can SSH from the server to either client.
Problem: But when I try to SSH client to client, I get "ssh: connect to host 10.0.1.2 port 22: No route to host"
Troubleshooting
- The path between the machines is up because I can ping...
  - client to server,
  - server to client,
  - and client to client.
- The ports are accessible because I can telnet...
  - from the server to either client on port 22,
  - from either client to the server on port 22.
Problem: But when I try to telnet client to client, I get "telnet: Unable to connect to remote host: No route to host"
What Has Been Confirmed
- SSH is a listed service on firewalld:
  firewall-cmd --list-services
  returns ssh
- ip_forward is set on the kernel:
  sysctl -a
  returns net.ipv4.ip_forward = 1
- Forwarding is set in iptables:
  iptables-save
  returns -A FORWARD -i wg0 -o wg0 -j ACCEPT
- Disabling firewalld on the server DOES allow an SSH connection between the two WireGuard clients.
Thanks for your help and pointers.
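As an added example (not part of the question above, and not an answer from the site), here is a small bash helper for the server side of this setup: it finds the firewalld zone that holds wg0, reads that zone's "forward" setting, and prints the firewall-cmd commands that would turn on intra-zone forwarding. It assumes firewalld 0.9 or newer (the post does not state the firewalld version; Debian 11 ships 0.9.3), which is where the per-zone forward option appeared, and that the interface is named wg0 as in the post.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumes firewalld >= 0.9, which has a
# per-zone "forward" setting governing traffic forwarded between interfaces of the
# same zone (here wg0 -> wg0). With it off, forwarded packets fall through to the
# zone's default REJECT; the ICMP admin-prohibited reply is what ssh/telnet on the
# client report as "No route to host", even though ping (handled by the server's
# INPUT path, not FORWARD) still works.
set -u

# Pure helper: given a zone name and its forward state ("yes"/"no"), print the
# firewall-cmd commands needed for wg0-to-wg0 forwarding. Prints nothing if the
# zone already forwards.
plan_intra_zone_forward() {
  local zone="$1" forward_state="$2"
  if [ "$forward_state" = "yes" ]; then
    return 0
  fi
  printf 'firewall-cmd --permanent --zone=%s --add-forward\n' "$zone"
  printf 'firewall-cmd --reload\n'
}

# Pure helper: pull the "forward:" value out of `firewall-cmd --list-all` output
# fed on stdin. Prints "unknown" when the line is absent (older firewalld).
forward_state_from_list_all() {
  awk '$1 == "forward:" { print $2; found = 1 } END { if (!found) print "unknown" }'
}

# Live check, meant to run on the WireGuard server as root.
check_wg_forwarding() {
  local iface="${1:-wg0}" zone state
  zone="$(firewall-cmd --get-zone-of-interface "$iface")" || return 1
  state="$(firewall-cmd --zone="$zone" --list-all | forward_state_from_list_all)"
  echo "interface $iface is in zone '$zone', forward: $state"
  plan_intra_zone_forward "$zone" "$state"
}

# Only query a real firewalld when the tool exists on this host.
if command -v firewall-cmd >/dev/null 2>&1; then
  check_wg_forwarding "${1:-wg0}" \
    || echo "firewall-cmd query failed (is firewalld running, and are you root?)" >&2
fi
```

Review the printed commands before running them; the --add-forward change is scoped to the zone holding wg0 only, so it does not widen forwarding for other interfaces.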