I set up a WireGuard tunnel by following this guide so that I can access my home network even when I'm out & about.
I configured a firewall rule that generally disallows any traffic to pass to devices within my home network, but allows all outbound traffic.
Then I added more rules allowing all connections to two specific hosts from my home network.
Things like ICMP ping and HTTP to these two hosts work just fine.
But I just can't get SSH to work.
After some research I found that this step, adding normalization rules, is important, which I had neglected to do at first.
But even after adding normalization rules, it still doesn't work.
Looking at firewall logs, it seems that out of the wireguard tunnel I can reach the other devices through ssh, but the response isn't let through.
From the attached image:
- Source 192.168.1.238 is the host in my home network which I want to SSH into
- Target 10.50.50.16 is my laptop which is connected to the wireguard tunnel. I run the ssh command from this laptop.
And this is denied by a firewall rule on LAN inbound.
I've tried to add various firewall rules to allow the connection through, but nothing works ;-(
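The symptom in the post (SSH SYN gets through the tunnel, the reply from 192.168.1.238 is logged as blocked on LAN inbound) is what a stateful packet filter produces when the reply packet is not matched to an existing state entry and falls through to the interface's default deny. The toy model below is an added illustration written for this thread, not code from the forum, the guide, or any firewall product. It uses the two addresses from the post; the interface names (`wg0`, `lan`), rule names, port numbers and packets are constructed assumptions, and "first matching rule wins" is a simplification of real pf/OPNsense semantics.

```python
"""Toy stateful packet filter (pf-style) showing why a TCP reply is allowed
only when the outbound SYN created a state entry.  Added example for the
post above; addresses come from the post, everything else is assumed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAPTOP = "10.50.50.16"   # WireGuard peer that runs `ssh` (from the post)
HOST = "192.168.1.238"   # LAN host the user wants to reach (from the post)


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet is seen on (assumed names: wg0, lan)
    direction: str    # "in" or "out" relative to that interface
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags, e.g. "S" (SYN) or "SA" (SYN-ACK)


@dataclass
class Rule:
    name: str
    action: str                    # "pass" or "block"
    iface: Optional[str] = None    # None means "any"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = True        # a pass rule normally creates a state entry

    def matches(self, p: Packet) -> bool:
        fields = ("iface", "direction", "proto", "src", "dst", "dport")
        return all(getattr(self, f) is None or getattr(self, f) == getattr(p, f)
                   for f in fields)


class StatefulFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states = set()   # 5-tuples of flows that were passed with state
        self.log: List[str] = []

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        # 1. State lookup happens before the rule set: a packet belonging to a
        #    tracked flow (either direction, any interface) is passed without
        #    consulting the rules.  This is what lets replies back in.
        if self._key(p) in self.states or self._reverse_key(p) in self.states:
            return "pass (state)"
        # 2. Otherwise the first matching rule decides (simplified semantics).
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.states.add(self._key(p))
                elif r.action == "block":
                    self.log.append(f"block {r.name} {p.iface} {p.direction} "
                                    f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
                return r.action
        return "block"   # implicit default deny, also logged in real firewalls


def build_rules() -> List[Rule]:
    """Constructed rule set resembling the post: SSH from the tunnel to HOST is
    allowed, everything entering the LAN interface is denied by default."""
    return [
        Rule("wg_to_host_ssh", "pass", iface="wg0", direction="in",
             proto="tcp", dst=HOST, dport=22),
        Rule("lan_default_deny", "block", iface="lan", direction="in"),
    ]


def ssh_handshake(keep_state: bool) -> Tuple[str, str, List[str]]:
    """Send a SYN through the tunnel and the LAN host's SYN-ACK back.
    Returns (verdict for SYN, verdict for SYN-ACK, block log)."""
    rules = build_rules()
    rules[0].keep_state = keep_state
    fw = StatefulFilter(rules)
    syn = Packet("wg0", "in", "tcp", LAPTOP, 51234, HOST, 22, "S")
    synack = Packet("lan", "in", "tcp", HOST, 22, LAPTOP, 51234, "SA")
    return fw.filter(syn), fw.filter(synack), fw.log


if __name__ == "__main__":
    print("with state:   ", ssh_handshake(True))
    print("without state:", ssh_handshake(False))
```

With state tracking the SYN-ACK from 192.168.1.238:22 to 10.50.50.16 is passed by the state entry and never reaches the LAN default-deny rule; without it, the reply is blocked and logged on LAN inbound, which is the shape of the log entry described above. When debugging this on a real pf-based firewall, the things to check are therefore whether the allow rule actually creates state, whether the reply's addresses and ports still match that state (NAT or normalization changing them breaks the lookup), and whether the state table shows an entry for the flow at all.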