@stavros1 

When the Hub Two receives an inbound port forward connection you will see an entry similar to this in the event log, the example is for UDP. event log is location

Hub Two Home >Advanced settings >Technical log >Event log

What is your home PC running? Windows? Is the network connection within the Windows OS set to 'Private', rather than 'Public'? If we're talking a *nix machine, then are you confident you're not inadvertently firewalling something?

Hi dvorak,

The device IP is set to static ("Always use this IP address: Yes").

All non-UPnP port forwards are set to this device:

Hello Dan_the_Van,

I can see the connection attempts in the event log. I have tried SSH again, and the log contains multiple entries of:

FWL Port Forward Server(<LAN IP>) TCP 22 accepted a new connection from <WAN IP of ssh client>

But the connection times out when the client is trying to connect from outside the LAN (mobile data). As soon as I connect to the hub wifi and use the LAN IP/hostname, the connection works fine.

iperf has the same behaviour, so it's not an authentication issue with SSH.

Hello bobpullen,

The pc is running Linux. I checked iptables, all chains except docker-specific ones have default policy ACCEPT. No service-specific rules exist, and there are no relevant DROP rules - only 2 in chain DOCKER which does not have any packets going to it.

The log shows that the port forwarding is working,. It looks like the client is not accepting the connection. Have you checked that the client is configured to accept SSH from outside the LAN subnet ?

Hi Dan_the_Van,

Turns out, an existing outbound Wireguard connection was the issue, that was set to route all traffic through it. I am not an expert in networking, but I believe that incoming packets were routed to the pc just fine, and then wrongly routed out through the VPN. This had not crossed my mind as LAN connections worked while the config file has the line "AllowedIPs = 0.0.0.0/0". I assumed that routing must be working fine, but no.

I have fixed this issue by adding these lines to the wireguard config:

PostUp = ip rule add from <LAN IP of pc> table 128
PostUp = ip route add table 128 to 192.168.1.0/24 dev eth0
PostUp = ip route add table 128 default via 192.168.1.254

PreDown = ip route del table 128 to 192.168.1.0/24 dev eth0
PreDown = ip route del table 128 default via 192.168.1.254
PreDown = ip rule del from <LAN IP of pc> table 128

This was taken from https://askubuntu.com/questions/991004/iptable-rule-to-route-only-outbound-traffic-through-vpn/99114...

For completeness, 192.168.1.0/24 is the Hub's subnet, and 192.168.1.254 is the gateway IP. LAN IP of pc is eg. 192.168.1.x

In reply to your VPN server suggestion, this is my goal actually. But for troubleshooting I opted for iperf and SSH, as wireguard fails silently and would make it harder to investigate the problem.

Pleased all good now

I have Wireguard VPN running on a raspberry pi 2 using the instructions found here https://www.pivpn.io/ 

Wireguard on a RPI is a very reliable VPN server. I have been running once continuously for a number of years without any issues.