feat: add wireguard support

defaults/main.yaml

@@ -12,3 +12,6 @@ static_routes: []
 
 # incoming firewall rules
 incoming_firewall_rules: []
+
+# wireguard
+wireguard_enable: true

templates/nftables.nft.j2

@@ -29,6 +29,12 @@ table inet filter {
         # Allow established/related
         ct state established,related accept
 
+{% if wireguard_enabled %}
+        # Allow WireGuard traffic
+        iifname "wt*" accept
+        oifname "wt*" accept
+{% endif %}
+
         # Allow forwarding from LAN to anywhere
         iif {{ lan_interface }} oif {{ wan_interface }} accept
 {% for forward in nat_port_forwards %}
@@ -47,7 +53,7 @@ table ip nat {
         type nat hook postrouting priority 100; policy accept;
 
         # NAT masquerade from LAN to WAN
-        oif {{ wan_interface }} masquerade
+        iif {{ lan_interface }} oif {{ wan_interface }} masquerade
     }
 
     chain prerouting {