I have a bastion and a physical server. Both are linked through a WireGuard tunnel (wg0 is the interface on both), with IPs 172.16.0.0 and 172.16.1.0 respectively.
On the server, I have a VM whose IP is 192.168.122.173, with the interface on the host (virbr0) being 192.168.122.1.
I'd like to ping the VM from my bastion, but I'm unsuccessful. Here is what I've done:
Put both interfaces on the server in the same firewalld zone, with forward and masquerade enabled:
server$ sudo firewall-cmd --zone=home --list-all
home (active)
  target: ACCEPT
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: virbr0 wg0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Activated IP forwarding in sysctl:
server$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
The routes seem correctly set:
server$ ip route
default via 192.168.1.1 dev enp8s0 proto dhcp src 192.168.1.25 metric 100
172.16.0.0/24 dev wg0 scope link
172.16.1.0/24 dev wg0 proto kernel scope link src 172.16.1.0
172.16.2.0/24 dev wg0 scope link
192.168.1.0/24 dev enp8s0 proto kernel scope link src 192.168.1.25 metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
But when pinging the VM from the bastion, there is nothing:
bastion$ ping 192.168.122.173
PING 192.168.122.173 (192.168.122.173) 56(84) bytes of data.
From 172.16.1.0 icmp_seq=1 Destination Port Unreachable
From 172.16.1.0 icmp_seq=2 Destination Port Unreachable
From 172.16.1.0 icmp_seq=3 Destination Port Unreachable
Here is what we can see on the wg0 interface on the server when pinging:
server$ sudo tcpdump -n -v -i wg0 icmp
dropped privs to tcpdump
tcpdump: listening on wg0, link-type RAW (Raw IP), snapshot length 262144 bytes
16:19:24.721476 IP (tos 0x0, ttl 64, id 36462, offset 0, flags [DF], proto ICMP (1), length 84)
172.16.0.0 > 192.168.122.173: ICMP echo request, id 44, seq 312, length 64
16:19:24.721513 IP (tos 0xc0, ttl 64, id 14442, offset 0, flags [none], proto ICMP (1), length 112)
172.16.1.0 > 172.16.0.0: ICMP 192.168.122.173 protocol 1 port 52925 unreachable, length 92
IP (tos 0x0, ttl 63, id 36462, offset 0, flags [DF], proto ICMP (1), length 84)
172.16.0.0 > 192.168.122.173: ICMP echo request, id 44, seq 312, length 64
And there is nothing when running tcpdump on the virbr0 interface.
But, when pinging the virbr0 interface from the bastion, it works:
bastion$ ping 192.168.122.1
PING 192.168.122.1 (192.168.122.1) 56(84) bytes of data.
64 bytes from 192.168.122.1: icmp_seq=1 ttl=64 time=6.11 ms
64 bytes from 192.168.122.1: icmp_seq=2 ttl=64 time=6.12 ms
And when pinging the VM from the server, it works as well:
server$ ping 192.168.122.173
PING 192.168.122.173 (192.168.122.173) 56(84) bytes of data.
64 bytes from 192.168.122.173: icmp_seq=1 ttl=64 time=0.151 ms
64 bytes from 192.168.122.173: icmp_seq=2 ttl=64 time=0.194 ms
64 bytes from 192.168.122.173: icmp_seq=3 ttl=64 time=0.185 ms
Here are the WireGuard configurations.
Bastion
[Interface]
Address = 172.16.0.0/24
SaveConfig = false
ListenPort = 51820
PrivateKey = <redacted>
# When WireGuard is up:
# * Firewall is configured to allow traffic on the VPN port
# * WireGuard interface is moved to the home zone
# * SSH is disabled on public zone
# * Masquerade is enabled on public zone
# * Forwarding is enabled on home zone
PostUp = firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=home --change-interface=wg0 && firewall-cmd --zone=public --remove-service=ssh && firewall-cmd --zone=public --add-masquerade
# When WireGuard is down:
# * Firewall is configured to disallow traffic on the VPN port
# * SSH is enabled on public zone
# * Masquerade is disabled on public zone
# * Forwarding is disabled on home zone
PostDown = firewall-cmd --zone=public --remove-port 51820/udp && firewall-cmd --zone=public --add-service=ssh && firewall-cmd --zone=public --remove-masquerade
[Peer] # Physical server
PublicKey = <redacted>
AllowedIPs = 172.16.1.0/24,192.168.122.173/24
Physical server
[Interface]
Address = 172.16.1.0/24
SaveConfig = false
ListenPort = 51820
PrivateKey = <redacted>
# When WireGuard is up:
# * Firewall is configured to allow traffic on the VPN port
# * WireGuard interface is moved to the home zone
# * Masquerade is enabled on public zone
PostUp = firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=home --change-interface=wg0 && firewall-cmd --zone=public --add-masquerade
# When WireGuard is down:
# * Firewall is configured to disallow traffic on the VPN port
# * Masquerade is disabled on public zone
PostDown = firewall-cmd --zone=public --remove-port 51820/udp && firewall-cmd --zone=public --remove-masquerade
[Peer] # bastion
PublicKey = <redacted>
Endpoint = 146.59.239.146:51820
# Keepalive every 25 seconds to maintain the connection through the NAT
PersistentKeepalive = 25
AllowedIPs = 172.16.0.0/24,172.16.2.0/24
The conclusion is that the traffic can't be routed from wg0 to virbr0 on the server, despite forwarding being activated and the routes being correct.
I have no idea what I could do from there, or how I could search for a solution.
Thanks a lot!
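As an added example (not part of the question above), here is a small Python check of WireGuard's cryptokey routing rules for the ping path in both directions, using the AllowedIPs from the two configs posted; the peer names and the `check_flow` helper are assumptions for the illustration. WireGuard masks host bits in AllowedIPs (so 192.168.122.173/24 becomes 192.168.122.0/24), sends an outgoing packet only to the peer whose AllowedIPs covers its destination, and drops a decrypted packet whose source is outside the sending peer's AllowedIPs.

```python
"""Trace one flow through WireGuard cryptokey routing on both ends."""
import ipaddress

# Constructed from the two configs in the question; keys are omitted.
BASTION_PEERS = {"server": ["172.16.1.0/24", "192.168.122.173/24"]}
SERVER_PEERS = {"bastion": ["172.16.0.0/24", "172.16.2.0/24"]}


def effective_allowed_ips(cidrs):
    """WireGuard masks host bits: 192.168.122.173/24 -> 192.168.122.0/24."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def peer_for(peers, addr):
    """Outbound rule: the packet goes to the peer whose AllowedIPs covers the
    destination (longest prefix wins); no match means the kernel drops it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for name, cidrs in peers.items():
        for net in effective_allowed_ips(cidrs):
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best


def accepts_from(peers, name, src):
    """Inbound rule: a decrypted packet from peer `name` is accepted only if
    its source address lies inside that peer's AllowedIPs."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in effective_allowed_ips(peers[name]))


def check_flow(src, dst):
    """Follow a ping from the bastion (src) to the VM (dst) and its reply."""
    out = peer_for(BASTION_PEERS, dst)            # which peer does the bastion encrypt to?
    if out is None:
        return "bastion drops: no peer covers " + dst
    if not accepts_from(SERVER_PEERS, "bastion", src):
        return "server drops: source %s not in bastion AllowedIPs" % src
    back = peer_for(SERVER_PEERS, src)            # can the VM's reply leave via wg0?
    if back is None or back[0] != "bastion":
        return "server drops reply: no peer covers " + src
    if not accepts_from(BASTION_PEERS, "server", dst):
        return "bastion drops reply: source %s not in server AllowedIPs" % dst
    return "wireguard ok both ways (%s -> %s via peer %s, %s)" % (src, dst, out[0], out[1])


if __name__ == "__main__":
    print(check_flow("172.16.0.0", "192.168.122.173"))
```

Both directions pass for the posted configs, which rules out WireGuard's own AllowedIPs filtering and leaves the forwarding path between wg0 and virbr0 on the server (the hop where tcpdump shows the port-unreachable being generated) as the place to look.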