Wireguard bounce server can't ping between clients (eve-ng)

Your settings of allowed_ips on 2 and 3 only allow the source IP to be 1. That is why you can ping either 2 or 3 from 1. But when a packet from 2 gets forwarded to 3, it is ignored by 3 since its source address (2) is not one of its allowed_ips. Typically a hub and spoke setup like this would allow the entire /24 of tunnel IPs on each spoke so that any client can link to any other. (At the hub, allowed_ips must be /32 one at a time for each peer).

I have not tried this but realize that a packet from 2 for 3 at the hub likely gets kicked out of Wireguard back through general kernel routing and then sent back into Wireguard to be re-encrypted with 3's key. So the firewall zone with the VPN may need to allow forwarding. It definitely should not have masq set.

This concept (whether the firewall sees peer-peer traffic as intrazone forwarding) would be something interesting to test in a lab.
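To make the allowed_ips behaviour described above concrete, here is an added simulation of WireGuard's cryptokey routing on a hub-and-spoke tunnel. It is example code written for this page, not the poster's configuration or anything from the WireGuard project. It assumes tunnel addresses 10.0.0.1 (hub), 10.0.0.2 and 10.0.0.3 (spokes) and checks every hop of a spoke-to-spoke packet independently, so it reports both places the /32 setting bites: the sending spoke has no peer whose AllowedIPs covers the other spoke, and the receiving spoke discards the decrypted packet because its source is outside the hub peer's AllowedIPs. A `forwarding` flag on the hub stands in for the kernel/firewall forwarding decision mentioned in the answer.

```python
"""Simulation of WireGuard cryptokey routing (AllowedIPs) on a hub-and-spoke
tunnel. Constructed example: addresses 10.0.0.1 (hub), 10.0.0.2 and 10.0.0.3
(spokes) are assumptions, not values from the original post."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    allowed_ips: list          # ip_network objects from this [Peer]'s AllowedIPs


@dataclass
class Node:
    name: str
    peers: list                # the [Peer] sections of this node's config
    forwarding: bool = True    # may the kernel forward between wg peers?

    def egress_peer(self, dst):
        """Egress: a packet entering the tunnel is encrypted for the peer whose
        AllowedIPs covers dst. No match means WireGuard drops it (no key)."""
        dst = ipaddress.ip_address(dst)
        for peer in self.peers:
            if any(dst in net for net in peer.allowed_ips):
                return peer
        return None

    def ingress_ok(self, peer_name, src):
        """Ingress: after decryption the packet is kept only if its source
        lies inside the AllowedIPs of the peer whose key decrypted it."""
        src = ipaddress.ip_address(src)
        peer = next(p for p in self.peers if p.name == peer_name)
        return any(src in net for net in peer.allowed_ips)


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def build(spoke_allowed, hub_forwarding=True):
    """Hub lists one /32 per spoke; each spoke lists `spoke_allowed` for the hub."""
    hub = Node("hub", [Peer("spoke2", nets("10.0.0.2/32")),
                       Peer("spoke3", nets("10.0.0.3/32"))], hub_forwarding)
    spoke2 = Node("spoke2", [Peer("hub", nets(spoke_allowed))])
    spoke3 = Node("spoke3", [Peer("hub", nets(spoke_allowed))])
    return {"hub": hub, "spoke2": spoke2, "spoke3": spoke3}


def trace(nodes, src_name, src_ip, dst_name, dst_ip):
    """Check each hop of spoke -> hub -> spoke independently and return the
    list of failures; an empty list means the ping would get through."""
    hub, src, dst = nodes["hub"], nodes[src_name], nodes[dst_name]
    failures = []
    # 1. sending spoke: is there a peer to encrypt the packet for?
    if src.egress_peer(dst_ip) is None:
        failures.append(f"{src_name} egress: no peer's AllowedIPs covers {dst_ip}")
    # 2. hub ingress: source must match the /32 of the peer that sent it
    if not hub.ingress_ok(src_name, src_ip):
        failures.append(f"hub ingress: {src_ip} not in AllowedIPs of {src_name}")
    # 3. hub kernel routing hands the packet back to wg for re-encryption
    if not hub.forwarding:
        failures.append("hub: forwarding between wg peers not permitted by kernel/firewall")
    peer = hub.egress_peer(dst_ip)
    if peer is None or peer.name != dst_name:
        failures.append(f"hub egress: {dst_ip} does not map to {dst_name}")
    # 4. receiving spoke: source must lie inside the hub peer's AllowedIPs
    if not dst.ingress_ok("hub", src_ip):
        failures.append(f"{dst_name} ingress: {src_ip} not in AllowedIPs of hub")
    return failures


if __name__ == "__main__":
    for allowed in ("10.0.0.1/32", "10.0.0.0/24"):
        print(f"spokes with AllowedIPs = {allowed}:")
        result = trace(build(allowed), "spoke2", "10.0.0.2", "spoke3", "10.0.0.3")
        for line in result or ["ok"]:
            print("  ", line)
```

Running it shows two failures with the spokes on 10.0.0.1/32 and none once each spoke allows 10.0.0.0/24 for the hub, while the hub keeps a single /32 per spoke so that the destination lookup in step 3 is unambiguous; setting `hub_forwarding=False` reproduces the case where the firewall zone does not permit forwarding between peers.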