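#!/usr/sbin/nft -f

# Define some variables for easy reference.
define wan = eth0
define vpn = wg0
# Tunnel client subnet in canonical network form. The original value
# 100.64.0.1/24 carried host bits; nft normally masks them to the same /24,
# but the network form leaves no room for misreading the prefix.
define vpn_net = 100.64.0.0/24

# Removes every existing table of every family before this file is loaded,
# so the ruleset below is the complete firewall state afterwards.
flush ruleset

table inet filter {
    chain input {
        # Explicit 'policy accept' keeps the previous (implicit) default for
        # host-bound traffic. Tighten to 'policy drop' once the WireGuard
        # listen port and the management ports are known and allowed here.
        type filter hook input priority 0; policy accept;
    }

    chain forward {
        # Default-deny. Without an explicit drop policy every accept rule
        # below is a no-op, because unmatched packets fall through to accept
        # and any host could be forwarded between any pair of interfaces.
        type filter hook forward priority 0; policy drop;

        # Drop conntrack-invalid packets, then pass return traffic belonging
        # to flows that were already allowed.
        ct state invalid drop
        ct state established,related accept

        # New flows are forwarded only from the tunnel towards the wan.
        iifname $vpn oifname $wan ct state new accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# Router section for point 3: NAT for the tunnel clients.
table ip router {
    # Both NAT hooks are registered even though prerouting is empty.
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # Masquerade WireGuard traffic: tunnel-client packets leaving via wan
        # are rewritten to look like they come from the server's IP address.
        oifname $wan ip saddr $vpn_net masquerade
    }
}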