
I guess you just need to configure `ListenAddress` in your `/etc/ssh/sshd_config` properly (see `man sshd_config`).



You also need to change the boot behavior of sshd to wait for wireguard (tailscale in my case) to be available. I had to add a couple of lines to the ssh systemd unit.


Yep. And also pay attention during package and system upgrades on some systems. In certain cases it messes up this ordering, and you end up with sshd starting before Wireguard again and then sshd doesn’t find any interface with the specified address, which in turn makes it so that it won’t bind to that address. Making the machine unreachable until you manually fix it again.


A less finicky approach would be binding to 0.0.0.0, then configuring incoming firewall policy. By default deny, then allow SSH through wireguard network. Or by default allow then deny SSH through public network.
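The default-deny variant of that approach as an nftables ruleset, added here as an example and not taken from any commenter; it assumes the WireGuard interface is named wg0 and that WireGuard listens on UDP 51820, with sshd left on its default of binding all addresses.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny input policy that admits SSH only via the
# WireGuard tunnel. Assumptions: interface wg0, WireGuard on UDP 51820.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback and already-established connections
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 keep path MTU discovery and IPv6 neighbour discovery working
        meta l4proto { icmp, ipv6-icmp } accept

        # the WireGuard endpoint itself must stay reachable from the public side,
        # otherwise the tunnel (and with it SSH) can never come up
        udp dport 51820 accept

        # SSH is accepted only when it arrives over the tunnel interface;
        # the same port on any other interface falls through to the drop policy
        iifname "wg0" tcp dport 22 accept

        # rate-limited log of everything else, useful when debugging lockouts
        limit rate 5/minute log prefix "nft-drop: "
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
```

Check the file with `nft -c -f <file>` before loading it, and confirm afterwards with `ss -ltn` that sshd is still listening on 0.0.0.0 (it is the firewall, not sshd, that now restricts access).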


I like that idea a lot. I may start doing that.


If you want to get fancy and/or over engineered you would use systemd templated units to set up sshd@.service and a ListenAddress in the config listening on %i. Then you could bring up sshd@(expectedip).service for each expected IP

.. but that doesn't gain all that much tbh. If anything the only hesitation I'd have on listening to * and relying on firewall rules is if the service comes up before it's configured. but exposing sshd isn't even that bad


You can create an override file for sshd to avoid issues due to package config changes.

https://www.freedesktop.org/software/systemd/man/latest/syst...


I did something like that but somehow after an upgrade I still lost access to one of my systems that I had set up like that. This machine is physically in a different city from me so I rarely have the chance to go there. And lately I’ve even been in another country.


Yeah I would do it with nftables so you don't have to change the sshd listen address.


Why don't you just add sshd restart as an interface PostUp step in the client's wireguard config file?


It only takes 3 lines in a systemd override file (which I think don't suffer the overwrite-on-upgrade problem). To my mind, that keeps the startup logic nicely local in service files.


So allow sshd to start in a failed mode and then restart it?



