I am running a VM at hetzner (named gateway in the diagram below) that is used as a wireguard server. I hand out public IPv6 addresses via wireguard to clients. It is possible to ping all systems from every other system. I can ssh into both the gateway and the server from outside of my VPN; however, I cannot ssh from the server to the gateway (or the other way around), and I cannot access any service other than ssh on the server. I am not sure if these are two separate issues or just one issue, and I am not sure how to debug this issue further. tcpdump -i wg0 tcp port 22 shows that packets are received when I try to ssh, but the client gets a timeout.
┌────────────┐
│            │   ssh server   ✓
│  Macbook   │   ssh gateway  ✓
│            │   wget server  ✕
└─────┬──────┘
      │
┌─────┴──────┐
│            │
│   Router   │
│            │
└─────┬──────┘
      │ public IPv6, CGNAT IPv4
┌─────┴──────┐
│            │       ┌────────────┐             ┌─────────────┐
│            │       │            │  Wireguard  │             │
│  Internet  ├───────┤  Gateway   ├─────────────┤   Server    │
│            │       │            │ public IPv6 │             │
│            │       └────────────┘             └─────────────┘
└────────────┘        ssh server ✕               ssh gateway ✕
                      ping server ✓              ping gateway ✓
ufw is disabled on the server. The gateway configuration looks like this:
# ufw status
Status: active

To                         Action      From
--                         ------      ----
51820/udp                  ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
53/tcp                     ALLOW       Anywhere                   # Open port DNS tcp port 53
53/udp                     ALLOW       Anywhere                   # Open port DNS udp port 53
Lighttpd Full              DENY        Anywhere
Anywhere on wg0            ALLOW       Anywhere
51820/udp (v6)             ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
53/tcp (v6)                ALLOW       Anywhere (v6)              # Open port DNS tcp port 53
53/udp (v6)                ALLOW       Anywhere (v6)              # Open port DNS udp port 53
Lighttpd Full (v6)         DENY        Anywhere (v6)
Anywhere (v6) on wg0       ALLOW       Anywhere (v6)
Anywhere on eth0           ALLOW FWD   Anywhere on wg0
Anywhere on wg0            ALLOW FWD   Anywhere on eth0
Anywhere (v6) on eth0      ALLOW FWD   Anywhere (v6) on wg0
Anywhere (v6) on wg0       ALLOW FWD   Anywhere (v6) on eth0
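One way to take the tcpdump observation in the question further, as an added example that is not part of the question or anyone's answer: it parses the summary lines that tcpdump -i wg0 tcp port 22 prints on the gateway and reports, per client, whether each SYN was answered with a SYN-ACK, a RST, or nothing at all. The capture embedded below is constructed for the example; the addresses are documentation-prefix placeholders, not the asker's.

```python
import re
from collections import OrderedDict

# Parses the one-line summaries tcpdump prints for TCP (with or without -n), e.g.:
# 10:00:01.000001 IP6 2001:db8:10::2.51234 > 2001:db8:10::1.22: Flags [S], seq 1, ...
LINE_RE = re.compile(
    r"^\S+ IP6? (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def classify_handshakes(lines):
    """Return {(client_addr, client_port): (state, syn_count)} per connection attempt.

    state is one of:
      'no-syn-ack'   client SYNs seen, nothing ever came back from the server side
      'reset'        the server answered the SYN with a RST (port closed / refused)
      'no-final-ack' the server's SYN-ACK was seen, the client's final ACK never arrived
      'established'  the three-way handshake completed
    syn_count > 1 means the client retransmitted its SYN, i.e. it is timing out.
    """
    states = OrderedDict()
    syn_counts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP summary line (e.g. tcpdump's own banner)
        flags = m["flags"]
        src = (m["src"], m["sport"])
        dst = (m["dst"], m["dport"])
        if "S" in flags and "." not in flags:          # SYN from the client
            states.setdefault(src, "no-syn-ack")
            syn_counts[src] = syn_counts.get(src, 0) + 1
        elif "S" in flags and "." in flags:            # SYN-ACK back to the client
            if states.get(dst) == "no-syn-ack":
                states[dst] = "no-final-ack"
        elif "R" in flags:                             # RST back to the client
            if states.get(dst) == "no-syn-ack":
                states[dst] = "reset"
        elif "." in flags:                             # plain ACK (., P., F.) from the client
            if states.get(src) == "no-final-ack":
                states[src] = "established"
    return {k: (v, syn_counts.get(k, 0)) for k, v in states.items()}


# Constructed sample capture (not real output): client ::2 retransmits its SYN three
# times and never gets an answer, client ::3 completes the handshake normally.
SAMPLE_CAPTURE = """\
10:00:01.000001 IP6 2001:db8:10::2.51234 > 2001:db8:10::1.22: Flags [S], seq 100, win 64800, options [mss 1220], length 0
10:00:02.000001 IP6 2001:db8:10::2.51234 > 2001:db8:10::1.22: Flags [S], seq 100, win 64800, options [mss 1220], length 0
10:00:04.000001 IP6 2001:db8:10::2.51234 > 2001:db8:10::1.22: Flags [S], seq 100, win 64800, options [mss 1220], length 0
10:00:05.000001 IP6 2001:db8:10::3.40000 > 2001:db8:10::1.22: Flags [S], seq 200, win 64800, options [mss 1220], length 0
10:00:05.000200 IP6 2001:db8:10::1.22 > 2001:db8:10::3.40000: Flags [S.], seq 300, ack 201, win 64000, length 0
10:00:05.000400 IP6 2001:db8:10::3.40000 > 2001:db8:10::1.22: Flags [.], ack 301, win 64800, length 0
""".splitlines()

if __name__ == "__main__":
    for (addr, port), (state, syns) in classify_handshakes(SAMPLE_CAPTURE).items():
        print(f"{addr}.{port}: {state} ({syns} SYN{'s' if syns != 1 else ''})")
```

Repeated SYNs with no reply on wg0 mean the gateway never answers over that interface (the SYN is filtered before sshd, or sshd's reply leaves by another route); SYN-ACKs visible on wg0 mean the gateway did answer and the loss is between it and the client, so the next capture belongs on the other end.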