Last day I successfully set up a Wireguard VPN for a server-client (2 peers in total) network. Everything has been going well since then, but I can't get a connection to my PostgreSQL database running on the server going.
The database is hosted in a Docker container, on 5432 inside of it, with port 5432 mapped to 192.168.22.1:5432:5432 (for the Wireguard connection) and 127.0.0.1:5432:5432 for loopback access.
The docker-compose looks like this:
version: "3"
services:
  db:
    container_name: postgres
    image: postgres:15-alpine
    command: ["postgres"]
    ports:
      - 127.0.0.1:5432:5432
      - 192.168.22.1:5432:5432
    env_file: ./.env.db
    networks:
      - backend
    restart: always
Accessing the DB via both IPs on the host does work, so the mapping should be correct.
The server wg0.conf is very basic and looks like this:
[redacted]:~$ sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.22.1
PrivateKey = [redacted]
ListenPort = 51820
[Peer]
PublicKey = [redacted]
AllowedIPs = 192.168.22.2/32
Client wg0.conf is this:
[redacted]:~$ sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.22.2
PrivateKey = [redacted]
ListenPort = 21841
[Peer]
PublicKey = [redacted]
Endpoint = [ip redacted]:51820
AllowedIPs = 192.168.22.0/24
PersistentKeepalive = 25
The UFW is not running because I am behind a NAT, so no rules are needed. Also, although I think I don't need it either, I tried to enable ip_forwarding for IPv4 but it didn't help.
So to test the Wireguard connection I am using some basic netcat, like nc 192.168.22.1 4444 with nc -l 192.168.22.1 4444, and it works perfectly, also with the listen/connect roles reversed. But curiously, the PostgreSQL connection (from client to server, so from 192.168.22.1 to 192.168.22.2) won't work at all:
[redacted]:~$ pg_dump -h 192.168.22.1 -p 5432 -U postgres postgres
pg_dump: error: connection to database "postgres" failed: could not connect to server: Connection timed out
Is the server running on host "192.168.22.1" and accepting
TCP/IP connections on port 5432?
This is particularly interesting because the lsof output from the server shows it as open and listening:
[redacted]:~$ sudo lsof -nP -iTCP -sTCP:LISTEN
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-r 1134 systemd-resolve 13u IPv4 27170 0t0 TCP 127.0.0.53:53 (LISTEN)
sshd 1318 root 3u IPv4 30614 0t0 TCP *:22 (LISTEN)
sshd 1318 root 4u IPv6 30616 0t0 TCP *:22 (LISTEN)
sshd 2614 mh 10u IPv6 46163 0t0 TCP [::1]:50405 (LISTEN)
sshd 2614 mh 11u IPv4 46164 0t0 TCP 127.0.0.1:50405 (LISTEN)
docker-pr 4225 root 4u IPv4 44625 0t0 TCP 192.168.22.1:5432 (LISTEN)
docker-pr 4251 root 4u IPv4 60392 0t0 TCP 127.0.0.1:5432 (LISTEN)
Does anybody have a clue what might be going on? Thanks for any help!
Added iptables --list as @arch requested:
[redacted]:~$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (6 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.16.2 tcp dpt:https
ACCEPT tcp -- anywhere 192.168.32.2 tcp dpt:postgresql
ACCEPT tcp -- anywhere 192.168.16.2 tcp dpt:http
ACCEPT tcp -- anywhere 192.168.16.4 tcp dpt:https
ACCEPT tcp -- anywhere 192.168.16.4 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (6 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
and ip route:
[redacted]:~$ sudo ip route
default via 10.255.255.1 dev eth0
default via 10.255.255.1 dev eth0 proto dhcp src [redacted public ip] metric 100
10.255.255.1 dev eth0 scope link
10.255.255.1 dev eth0 proto dhcp scope link src [redacted public ip] metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.29.0.0/16 dev br-11921bd2b33e proto kernel scope link src 172.29.0.1 linkdown
172.30.0.0/16 dev br-30b01ad66a39 proto kernel scope link src 172.30.0.1 linkdown
172.31.0.0/16 dev br-b73646832cf6 proto kernel scope link src 172.31.0.1 linkdown
192.168.16.0/20 dev br-6ff592dc2a2d proto kernel scope link src 192.168.16.1
192.168.32.0/20 dev br-c6a88e393c8f proto kernel scope link src 192.168.32.1
192.168.22.2 dev wg0 scope link
CURL output:
[redacted]:~$ curl -v http://192.168.22.1:5432
* Trying 192.168.22.1:5432...
* TCP_NODELAY set
* connect to 192.168.22.1 port 5432 failed: Connection timed out
* Failed to connect to 192.168.22.1 port 5432: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to 192.168.22.1 port 5432: Connection timed out