feat: add wireguard support

templates/nftables.nft.j2

@@ -12,7 +12,7 @@ table inet filter {
         # Allow loopback
         iif lo accept
 
-# Allow ICMP
+        # Allow ICMP
         ip protocol icmp accept
         ip6 nexthdr ipv6-icmp accept
 
@@ -29,6 +29,12 @@ table inet filter {
         # Allow established/related
         ct state established,related accept
 
+{% if wireguard_enabled %}
+        # Allow WireGuard traffic
+        iifname "wt*" accept
+        oifname "wt*" accept
+{% endif %}
+
         # Allow forwarding from LAN to anywhere
         iif {{ lan_interface }} oif {{ wan_interface }} accept
 {% for forward in nat_port_forwards %}
@@ -47,7 +53,7 @@ table ip nat {
         type nat hook postrouting priority 100; policy accept;
 
         # NAT masquerade from LAN to WAN
-        oif {{ wan_interface }} masquerade
+        iif {{ lan_interface }} oif {{ wan_interface }} masquerade
     }
 
     chain prerouting {