From 89c28c593a1d0ec8aeb82b3a0642c997e7229624 Mon Sep 17 00:00:00 2001
From: Simon Cornet
Date: Tue, 17 Feb 2026 14:07:51 +0100
Subject: [PATCH] feat: add wireguard exit node

---
 templates/nftables.nft.j2 | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/templates/nftables.nft.j2 b/templates/nftables.nft.j2
index 6ee06cf..06e8fdc 100644
--- a/templates/nftables.nft.j2
+++ b/templates/nftables.nft.j2
@@ -6,17 +6,17 @@ table inet filter {
     chain input {
         type filter hook input priority 0; policy drop;
 
-        # Allow established/related
+        # allow established/related
         ct state established,related accept
 
-        # Allow loopback
+        # allow loopback
         iif lo accept
 
-        # Allow ICMP
+        # allow icmp
         ip protocol icmp accept
         ip6 nexthdr ipv6-icmp accept
 
-        # Allow incoming firewall rules
+        # allow incoming firewall rules
 {% for rule in incoming_firewall_rules %}
         # {{ rule.name }}
         iif {{ lan_interface }} ip saddr {{ rule.source }} {{ rule.protocol | default('tcp') }} dport {{ rule.port }} accept
@@ -26,16 +26,19 @@ table inet filter {
     chain forward {
         type filter hook forward priority 0; policy drop;
 
-        # Allow established/related
+        # allow established/related
         ct state established,related accept
 
 {% if wireguard_enabled %}
-        # Allow WireGuard traffic
+        # allow wireguard traffic
         iifname "wt*" accept
         oifname "wt*" accept
+
+        # allow wireguard to internet (exit node)
+        iifname "wt*" oif {{ wan_interface }} accept
 {% endif %}
 
-        # Allow forwarding from LAN to anywhere
+        # allow forwarding from lan to anywhere
         iif {{ lan_interface }} oif {{ wan_interface }} accept
 {% for forward in nat_port_forwards %}
         # {{ forward.name }}
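Review bot: The new rule `iifname "wt*" oif {{ wan_interface }} accept` in the forward chain can never match, because `iifname "wt*" accept` two lines above already accepts every forwarded packet entering on a wt* interface regardless of its output interface — the wt*→WAN path was open before this commit, and the added rule only implies a restriction that does not exist. If WAN egress for WireGuard peers is meant to be a deliberate, auditable exception, replace the broad rule with one rule per allowed path, e.g. `iifname "wt*" oifname "wt*" accept`, `iifname "wt*" oif {{ lan_interface }} accept`, and keep the new WAN rule as the third; otherwise drop the new rule as dead. It is also worth a one-line comment that `iif`/`oif` resolve the interface index at load time and make `nft -f` fail if the interface is absent, whereas `iifname` matches by name, since the new rule mixes both forms. The forward chain continues past the end of this hunk.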
@@ -52,8 +55,13 @@ table ip nat {
     chain postrouting {
         type nat hook postrouting priority 100; policy accept;
 
-        # NAT masquerade from LAN to WAN
+        # nat masquerade from lan to wan
         iif {{ lan_interface }} oif {{ wan_interface }} masquerade
+
+{% if wireguard_enabled %}
+        # nat mascerade from wireguard to wan (exit node)
+        iifname "wt*" oif {{ wan_interface }} masquerade
+{% endif %}
     }
 
     chain prerouting {
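Review bot: The comment on the new masquerade rule misspells the action; it should read `# nat masquerade from wireguard to wan (exit node)`. More substantively, the rule lives in `table ip nat`, which applies to IPv4 only, while the `inet filter` forward chain accepts IPv6 from wt* interfaces as well, so any IPv6 a peer routes through the tunnel would leave `{{ wan_interface }}` un-translated unless an equivalent rule exists in an `ip6 nat` or `inet nat` table elsewhere in the template, which this hunk does not show. Either add the matching IPv6 rule or state in the comment that exit-node NAT is IPv4-only, so the gap is visible to whoever enables the feature.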