What needs to be allowed in firewalld so that WireGuard clients can connect to each other via SSH?
The Setup
I have two clients and a server on a WireGuard VPN network. All of them are running Debian 11.
CLIENT A -------- SERVER -------- CLIENT B
10.0.1.2         10.0.1.1         10.0.1.3
What Can Be Done
- I can SSH from either client to the server.
- I can SSH from the server to either client.
Problem: But when I try to SSH client to client, I get, "ssh: connect to host 10.0.1.2 port 22: No route to host"
Troubleshooting
- The path between the machines is up because I can ping…
  - client to server,
  - server to client,
  - and client to client.
- The ports are accessible because I can telnet…
  - from the server to either client on port 22.
  - from either client to the server on port 22.
Problem: But when I try to telnet client to client, I get "telnet: Unable to connect to remote host: No route to host"
What Has Been Confirmed
- SSH is a listed service on firewalld:
  firewall-cmd --list-services
  returns ssh
- ip_forward is set in the kernel:
  sysctl -a
  returns net.ipv4.ip_forward = 1
- Forwarding is set in iptables:
  iptables-save
  returns -A FORWARD -i wg0 -o wg0 -j ACCEPT
- Disabling firewalld on the server DOES allow an SSH connection between the two WireGuard clients.
Thanks for your help and pointers.
Best Answer
While firewalld is generally an excellent tool for configuring the firewall on a Linux box, for this particular use case -- forwarding traffic for other hosts -- it's kind of a pain in the neck to use. I would suggest turning it off on your server, and just using iptables (or nftables) directly.
If you really want to use firewalld, however, try this (as root):
1. Create a custom zone for your WireGuard interface that accepts all traffic:
2. Add "rich" rules to the zone to reject inbound connections from WireGuard to the server itself:
3. Add "direct" rules to allow forwarding of IPv4 SSH connections between other WireGuard hosts, and reject everything else:
4. Bind the zone to your WireGuard interface and save your changes:
You can add more IPv4 direct rules between 0 and 2 (renumbering the REJECT rule to be last) if you want to allow other types of traffic between your WireGuard hosts (or just replace rules 0 and 1 with a single rule like -i wg0 -o wg0 -j ACCEPT if you want to allow the server to forward any and all traffic between your WireGuard hosts). See the Hub and Spoke section of this How to Use WireGuard With Firewalld article for a full explanation (Host C is your server in this article).