I have a Proxmox host at OVH with several Failover IPs assigned to VMs on vmbr0. I want to completely block SSH (Port 22) from the public internet for these VMs, while still being able to access them through my WireGuard VPN (running on the Proxmox host).
The Issue:
Currently, I can ping the Failover IPs from my VPN client, but SSH connections time out. Even with all IPTables rules set to ACCEPT, I cannot connect via SSH through the VPN, although it works fine from the public side.
Setup:
- Host: Proxmox at OVH (standard vmbr0 bridge)
- VPN: WireGuard on host (10.10.10.0/24)
- VMs: Assigned Failover IPs (e.g., 5.6.7.x)
- Client: Notebook with WireGuard (Failover IPs in AllowedIPs)
How could this be implemented correctly so that the VPN traffic is properly routed to the Failover VMs and, more importantly, so the VMs know how to send the response back to the private VPN subnet? Are there specific routing or proxy ARP settings required for OVH bridges to make this work?