
inbetween | 1 year ago

You also need to change the boot behavior of sshd to wait for wireguard (tailscale in my case) to be available. I had to add a couple of lines to the ssh systemd unit.


codetrotter | 1 year ago

Yep. And also pay attention during package and system upgrades on some systems. In certain cases it messes up this ordering, and you end up with sshd starting before WireGuard again, and then sshd doesn't find any interface with the specified address, which in turn makes it so that it won't bind to that address, making the machine unreachable until you manually fix it again.

napkin | 1 year ago

A less finicky approach would be binding to 0.0.0.0, then configuring incoming firewall policy. By default deny, then allow SSH through the WireGuard network. Or by default allow, then deny SSH through the public network.

sureglymop | 1 year ago

Yeah I would do it with nftables so you don't have to change the sshd listen address.

eyegor | 1 year ago

Why don't you just add an sshd restart as an interface PostUp step in the client's WireGuard config file?

inbetween | 1 year ago

It only takes 3 lines in a systemd override file (which I think doesn't suffer the overwrite-on-upgrade problem). To my mind, that keeps the startup logic nicely local in service files.
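The drop-in approach described in this comment, written out as an added example (not code from the thread); it assumes the tunnel is brought up by `wg-quick@wg0.service` and that sshd runs as `ssh.service` (Debian naming), both assumptions, and adds a restart policy for the failed-bind case raised in the reply below.

```ini
# /etc/systemd/system/ssh.service.d/override.conf
# Added example, not from the thread. Assumes the WireGuard tunnel is
# managed by wg-quick@wg0.service and sshd runs as ssh.service
# (Debian/Ubuntu; on other distros the unit is usually sshd.service).
# Create it with `systemctl edit ssh.service`: a drop-in in /etc survives
# package upgrades, unlike edits to the shipped unit under /lib/systemd.

[Unit]
# Order sshd after the tunnel unit, so a ListenAddress set to the
# WireGuard IP refers to an interface that already exists at bind time.
After=wg-quick@wg0.service
# Pull the tunnel unit in and treat its failure as sshd's failure, rather
# than letting sshd start with no interface to bind to.
Requires=wg-quick@wg0.service

[Service]
# If sshd still fails to bind (interface up but address not yet assigned),
# keep retrying instead of staying in the failed state, which is what
# leaves the box unreachable until someone logs in at the console.
Restart=on-failure
RestartSec=5s
```

If you write the file by hand rather than via `systemctl edit`, run `systemctl daemon-reload` afterwards; `systemctl list-dependencies ssh.service` confirms the tunnel unit is now pulled in.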

kardos | 1 year ago

So allow sshd to start in a failed mode and then restart it?