From 1781bb5939f212209b794752cb9e47c9553f9bd5 Mon Sep 17 00:00:00 2001
From: Simon Cornet
Date: Tue, 17 Feb 2026 14:02:35 +0100
Subject: [PATCH] feat: add wireguard support
---
 defaults/main.yaml | 3 +++
 templates/nftables.nft.j2 | 10 ++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yaml b/defaults/main.yaml
index 74cfc4b..f9c5984 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -12,3 +12,6 @@ static_routes: []
 # incoming firewall rules
 incoming_firewall_rules: []
+
+# wireguard
+wireguard_enable: true
diff --git a/templates/nftables.nft.j2 b/templates/nftables.nft.j2
index 2d0e955..6ee06cf 100644
--- a/templates/nftables.nft.j2
+++ b/templates/nftables.nft.j2
@@ -12,7 +12,7 @@ table inet filter {
 # Allow loopback
 iif lo accept
-# Allow ICMP
+ # Allow ICMP
 ip protocol icmp accept
 ip6 nexthdr ipv6-icmp accept
@@ -29,6 +29,12 @@ table inet filter {
 # Allow established/related
 ct state established,related accept
+{% if wireguard_enabled %}
+ # Allow WireGuard traffic
+ iifname "wt*" accept
+ oifname "wt*" accept
+{% endif %}
+
 # Allow forwarding from LAN to anywhere
 iif {{ lan_interface }} oif {{ wan_interface }} accept
 {% for forward in nat_port_forwards %}
@@ -47,7 +53,7 @@ table ip nat {
 type nat hook postrouting priority 100; policy accept;
 # NAT masquerade from LAN to WAN
-oif {{ wan_interface }} masquerade
+ iif {{ lan_interface }} oif {{ wan_interface }} masquerade
 }
 chain prerouting {
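Review bot: The new default is spelled `wireguard_enable` here, but the template hunk in templates/nftables.nft.j2 tests `{% if wireguard_enabled %}`, so this default never reaches the template: with Ansible's strict undefined handling the render will most likely fail on the undefined name, and if undefined is tolerated the block is silently skipped. Use one spelling in both files, e.g. `wireguard_enabled: true` here to match the template, or change the template to `{% if wireguard_enable %}`. Separately, consider whether `true` is the right default: as written every host gets the WireGuard forwarding rules whether or not a tunnel interface exists, so opting out becomes each caller's job; a `false` default with a comment such as `# enable forwarding rules for WireGuard tunnel interfaces` makes the rule opt-in.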
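Review bot: `iifname "wt*" accept` and `oifname "wt*" accept` match by wildcard on any interface whose name starts with `wt`, and since they sit beside the LAN→WAN `iif ... oif ... accept` rule they appear to be in the forward chain (the chain header is outside the hunk), which accepts forwarding in both directions between every `wt*` interface and every other interface, including tunnel → LAN, with no address or port restriction. Consider taking the interface name from a role variable instead of a hard-coded wildcard and pairing the input and output interfaces explicitly, for example `iifname "wt*" oifname {{ wan_interface }} accept`, so tunnel peers only get the paths the role intends. The nat hunk later in this patch narrows masquerade from `oif {{ wan_interface }}` to `iif {{ lan_interface }} oif {{ wan_interface }}`, so traffic that this new rule forwards from `wt*` to the WAN will no longer be source-NATed; if tunnel clients are meant to reach the Internet through this host, that masquerade rule needs a matching `iifname "wt*"` variant. Nothing in the patch opens the WireGuard listen port in the input chain; if that is expected to come from `incoming_firewall_rules`, a comment saying so would help. The comment `# Allow WireGuard traffic` could also name the chain and the intent, e.g. `# forward: allow traffic to/from WireGuard tunnel interfaces (wt*) in both directions`.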