Edited README.md to add Wireguard section

README.md

@@ -321,3 +321,190 @@ much more disk space.
 Also, Docker containers can be large. Consider sym-linking the
 Docker image directory to a larger disk.
 
+## Secure Private Access (WireGuard Module)
+
+Some services in VHostLoom are **not public-facing** by design:
+
+* Stable Diffusion interfaces
+* Llamafile demos & research endpoints
+* Ollama/vLLM
+* Internal dashboards
+* Forgejo SSH
+* Anything experimental or non-web
+
+To protect these services, VHostLoom supports an optional **WireGuard VPN module** that restricts private-service ports so they are reachable **only from authenticated VPN clients**, and *never* from the public Internet.
+
+WireGuard may be used instead of, or alongside, ZeroTier.
+
+---
+
+### Why WireGuard?
+
+WireGuard is:
+
+* extremely fast (kernel-level cryptography)
+* small and security-audited
+* widely supported across platforms
+* perfect for “private access only” services
+
+VHostLoom’s WireGuard module:
+
+* Exposes WireGuard only on WAN (`udp/51820`)
+* Creates a private VPN subnet (`10.20.0.0/24`)
+* Restricts critical ports to the WireGuard interface
+* Leaves Traefik-managed public services untouched
+
+---
+
+## Installing WireGuard
+
+Install on the server:
+
+```bash
+sudo apt install wireguard wireguard-tools
+```
+
+Copy in the example config:
+
+```bash
+sudo mkdir -p /etc/wireguard
+sudo cp wireguard/wg0.conf.example /etc/wireguard/wg0.conf
+sudo chmod 600 /etc/wireguard/wg0.conf
+```
+
+Generate server keypair:
+
+```bash
+wg genkey | tee server.key | wg pubkey > server.pub
+```
+
+Add the server private key to:
+
+```ini
+PrivateKey = <SERVER_PRIVATE_KEY>
+```
+
+---
+
+## Starting WireGuard
+
+```bash
+sudo systemctl enable wg-quick@wg0
+sudo systemctl start wg-quick@wg0
+```
+
+Verify:
+
+```bash
+ip addr show wg0
+wg show
+```
+
+---
+
+## Firewall Configuration
+
+Choose one:
+
+* **`firewall/nftables-wireguard.conf.example`** — basic WireGuard + Traefik + private-services setup
+* **`firewall/nftables-wireguard-zt.conf.example`** — *combined* WireGuard + ZeroTier rules
+
+Install a firewall:
+
+```bash
+sudo cp firewall/nftables-wireguard.conf.example /etc/nftables.conf
+sudo nft -f /etc/nftables.conf
+sudo systemctl enable nftables
+```
+
+This:
+
+* Allows public web (80/443)
+* Accepts WireGuard on WAN (UDP 51820)
+* Allows private services (**only** via wg0)
+* Default-denies everything else
+
+---
+
+## Adding a New WireGuard Client
+
+Use the helper script:
+
+```bash
+wireguard/gen-wg-peer.sh clientname
+```
+
+It will generate:
+
+* `clientname.key`
+* `clientname.pub`
+* `clientname.conf` (the client config)
+
+Add the peer entry to `/etc/wireguard/wg0.conf` **automatically**.
+
+Then send the generated `.conf` file to your device.
+
+---
+
+## Client Template
+
+Clients use a simple config:
+
+```ini
+[Interface]
+PrivateKey = <CLIENT_PRIVATE_KEY>
+Address = 10.20.0.X/32
+DNS = 1.1.1.1
+
+[Peer]
+PublicKey = <SERVER_PUBLIC_KEY>
+Endpoint = <PUBLIC_IP>:51820
+AllowedIPs = 10.20.0.0/24
+PersistentKeepalive = 25
+```
+
+Import into:
+
+* WireGuard app (iOS/Android)
+* `wg-quick`
+* Desktop clients
+
+---
+
+## Coexisting with ZeroTier
+
+If you want both overlay networks:
+
+* ZeroTier mesh connections
+* WireGuard direct VPN
+* Shared access control for private ports
+
+Use:
+
+```
+firewall/nftables-wireguard-zt.conf.example
+```
+
+It grants private-port access to **either**:
+
+* WireGuard (`wg0`)
+* ZeroTier (`zt*`)
+
+You can also restrict different services to different VPNs.
+
+---
+
+## Summary
+
+WireGuard gives VHostLoom:
+
+* Strong isolation of private services
+* Minimal attack surface
+* Predictable firewalling
+* Fast, encrypted access
+
+It integrates fully with the project’s model:
+
+* **Traefik/Authelia** for public-facing authenticated web
+* **WireGuard** (and/or ZeroTier) for *non-web private services*
+