We spent much time finding the reason why our WireGuard setup in PVE (and PBS) was not receiving incoming data. In detail, we want our Proxmox nodes to be able to join a WireGuard VPN, so as to be a "client" of a dedicated WireGuard "server" running in a dedicated (non-Proxmox) instance.
It was a general issue related to WireGuard and Hetzner's (raw) firewall, nothing to do with Proxmox, but we post it here in case somebody faces the same issue and doubts his Proxmox setup:
The solution is to add a rule that enables incoming UDP traffic on the ephemeral ports 32768-65535 (exactly as you need to do for TCP/ACK).
You can, of course, avoid using Hetzner's firewall, but we find it useful as a second level of protection.
Btw: To install wireguard in proxmox (and in CT) we've followed the perfect https://nixvsevil.com/posts/wireguard-in-proxmox-lxc/
We suspect, anyhow, that the incoming UDP port interval can be narrower than 32768-65535; any clue?
(to forum admins: if this subject is too dedicated to wireguard, and not to proxmox, and you want to remove it, I understand)
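An added check, not from the original post, for the narrowing question: a stateless firewall only needs to admit the server's replies to the port WireGuard sends from, which is ListenPort when the config sets one and otherwise a kernel-chosen port from net.ipv4.ip_local_port_range (32768-60999 by default on Linux). The config files below are constructed samples; keys, addresses and the hostname are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post. Derives the narrowest inbound UDP
# rule a stateless firewall needs so the WireGuard server's replies reach this
# node: WireGuard sends from ListenPort when one is configured, otherwise from
# a kernel-chosen port in net.ipv4.ip_local_port_range.

# Constructed sample wg-quick configs; keys and hostnames are placeholders.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/wg0-fixed.conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.8.0.2/24
ListenPort = 51820

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.8.0.0/24
EOF
cat > "$tmpdir/wg0-random.conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.8.0.3/24

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.8.0.0/24
EOF

# Usage: wg_inbound_udp_range CONFIG [EPHEMERAL_RANGE]
# Prints "low-high": the single ListenPort if set, else the ephemeral range
# (second argument, or the live sysctl value, or the Linux default 32768 60999).
wg_inbound_udp_range() {
    port=$(sed -n 's/^[[:space:]]*ListenPort[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    if [ -n "$port" ]; then
        echo "$port-$port"
        return
    fi
    range=${2:-$(sysctl -n net.ipv4.ip_local_port_range 2>/dev/null || echo "32768 60999")}
    echo "$range" | awk '{print $1 "-" $2}'
}

# Print the rule in the form the post describes: incoming UDP to this node, accept.
for conf in "$tmpdir/wg0-fixed.conf" "$tmpdir/wg0-random.conf"; do
    printf '%s: allow incoming UDP, destination port %s\n' \
        "$(basename "$conf")" "$(wg_inbound_udp_range "$conf")"
done
```

With a fixed ListenPort the Hetzner rule can be a single port instead of the whole 32768-65535 range; without one, the live sysctl range is the narrowest safe interval.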