From: Germano Massullo
To: WireGuard mailing list
Subject: Re: Gateway for Wireguard VPN
Date: Tue, 21 Nov 2017 19:12:45 +0100

For those who have a Firewalld-based Linux distribution like Fedora/RHEL/CentOS:

=== Host B (VPN gateway) ===

When the system creates interface wg0, it is not attached to any firewall zone, so it falls into the default zone, which blocks everything except ICMP packets. Therefore, if you simply run ping among hosts (for example, from A to C) everything works, but as soon as you try to use a service, it will not work. You can solve this with

# firewall-cmd --zone=trusted --add-interface=wg0 --permanent
# firewall-cmd --reload

Now from host A you can correctly run

$ ssh user@10.1.0.22

which is the server running on host C
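
A way to confirm the zone binding described in the message above, before and after the fix. This is an added example, not part of the original post: the function name zone_of_interface and both sample outputs are assumptions constructed for illustration, modelled on the output of `firewall-cmd --get-active-zones`.

```shell
#!/bin/sh
# Added example. Sample outputs below are constructed, not captured from a real host.

# Print the firewalld zone that interface $1 is bound to, reading the output of
# `firewall-cmd --get-active-zones` on stdin. Prints "(default zone)" when the
# interface is not listed, i.e. it falls through to the default zone.
zone_of_interface() {
    awk -v ifc="$1" '
        # Unindented, non-empty line: a zone name (first field only).
        NF && substr($0, 1, 1) != " " && substr($0, 1, 1) != "\t" { zone = $1; next }
        # Indented "interfaces:" line: interfaces bound to the current zone.
        $1 == "interfaces:" {
            for (i = 2; i <= NF; i++)
                if ($i == ifc) { print zone; found = 1; exit }
        }
        END { if (!found) print "(default zone)" }
    '
}

# Constructed sample: state before the fix, wg0 is not bound to any zone.
BEFORE='public
  interfaces: eth0'

# Constructed sample: state after --add-interface=wg0 and --reload.
AFTER='public
  interfaces: eth0
trusted
  interfaces: wg0'

echo "before: wg0 -> $(printf '%s\n' "$BEFORE" | zone_of_interface wg0)"
echo "after:  wg0 -> $(printf '%s\n' "$AFTER" | zone_of_interface wg0)"

# On a live gateway (requires firewalld):
#   firewall-cmd --get-active-zones | zone_of_interface wg0
```

firewalld's trusted zone accepts all network connections, so once the check reports `trusted`, every service on host B is reachable from peers on wg0.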