I have wireguard talking between two routers. Works generally fine. I can ssh from the server router to the client router, but strangely I cannot ssh from the client router to the server router. In each case I am using their private wireguard-specific ip addresses. Ping works in both directions.
Is there a reason dropbear server would not be listening properly on the wg interface? It looks below like it is listening everywhere.
# netstat -ltn | grep 22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN
[Peer]
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1 # this is same on client & server
The wireguard interface is in the WAN zone and there's no rule to open the SSH port. Depending on your setup I'd either move the wireguard interface into the LAN zone, or put it in its own zone and open the SSH port.
Generally it depends on what traffic is coming through the tunnel. If you are using wireguard between trusted devices then you should be fine just putting it in the LAN zone. If, on the other hand, you were using wireguard to tunnel internet traffic through a remote host then you should probably consider having it in the WAN zone.
In that case it might be useful if you posted the output of
uci export network; uci export dhcp; \
uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; wg
from both routers along with an explanation of what your setup is, then we can see if everything looks right. If you do post any output make sure to redact sensitive info like keys and public IPs.
Typically, on your own server you can trust WG enough to assign it to the LAN zone, so there's no need to expose SSH to the WAN.
A more realistic use case for a separate firewall zone is to prevent traffic leak on the WG client.
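The two options the replies describe (add the tunnel to the LAN zone for trusted peers, or give it its own zone that only lets TCP/22 reach the router), written out as the OpenWrt UCI commands. This is an added example, not from the thread; it assumes the WireGuard interface is named wg0 and the dedicated zone is named wg.

```shell
#!/bin/sh
# Added example (not from the thread): UCI firewall commands for letting SSH
# reach dropbear over the WireGuard tunnel on OpenWrt.
# Assumptions: the WireGuard network interface is wg0, the new zone is wg.

WG_IFACE="${WG_IFACE:-wg0}"
WG_ZONE="${WG_ZONE:-wg}"

# Option A (trusted peers on the tunnel): treat it like LAN by adding the
# interface to the lan zone. lan already has input=ACCEPT, so dropbear is reachable.
wg_lan_zone_cmds() {
    cat <<EOF
uci add_list firewall.lan.network='${WG_IFACE}'
uci commit firewall
/etc/init.d/firewall restart
EOF
}

# Option B (tunnel carries Internet/untrusted traffic): a dedicated zone that
# rejects everything by default, plus one rule opening only TCP/22 to the router.
wg_own_zone_cmds() {
    cat <<EOF
uci add firewall zone
uci set firewall.@zone[-1].name='${WG_ZONE}'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='${WG_IFACE}'
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-SSH-from-${WG_ZONE}'
uci set firewall.@rule[-1].src='${WG_ZONE}'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='22'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
/etc/init.d/firewall restart
EOF
}

# Pick one option; on the router, pipe the output into sh to apply it.
case "${1:-}" in
    lan)  wg_lan_zone_cmds ;;
    zone) wg_own_zone_cmds ;;
    *)    echo "usage: $0 lan|zone" >&2 ;;
esac
```

After applying either option, the SSH attempt from the client router should succeed; if it still fails, `iptables-save -c` on the server router will show which zone chain is rejecting the packets.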