Added Wireguard option for VPN

firewall/nftables.conf.example

@@ -2,7 +2,7 @@
 #
 # Example nftables config for:
 # - Public web ports (80/443) via Traefik
-# - SSH + AI services accessible ONLY over ZeroTier (zt+)
+# - SSH + AI services accessible ONLY over ZeroTier (zt+) or Wireguard
 # - Default deny for everything else
 
 flush ruleset
@@ -12,6 +12,7 @@ flush ruleset
 #
 define wan_if      = "eno1"   # WAN interface (optional use; mainly for clarity)
 define vpn_if_pref = "zt+"    # ZeroTier interfaces start with "zt"
+define wg_if       = "wg0"
 # define lan_if    = "br0"    # If you later want LAN-specific rules
 
 
@@ -21,8 +22,8 @@ table inet filter {
   # Named sets for ports
   #
 
-  # Ports allowed *only* over ZeroTier (VPN) interface(s)
+  # Ports allowed *only* over ZeroTier|Wireguard (VPN) interface(s)
-  set zt_tcp_ports {
+  set vpn_tcp_ports {
     type inet_service
     comment "SSH + AI services via ZeroTier only"
     elements = {
@@ -31,19 +32,29 @@ table inet filter {
       8000,        # vLLM or similar
       8080-8089,   # Llamafile, Sandbox UIs, etc. (range example)
       8501,        # Sandbox Fusion / Streamlit-style
-      11434        # Ollama
+      11434,       # Ollama
+      21114-21119  # RustDesk server TCP ports
+    }
+  }
+
+  set vpn_udp_ports {
+    type inet_service
+    flags interval
+    comment "RustDesk UDP via ZeroTier|Wireguard only"
+    elements = {
+      21116
     }
   }
 
   # Ports allowed on WAN (public Internet)
+  #   Add mail etc. to 'elements' if you ever expose them:
+  #   25, 465, 587, 993 # SMTP
   set wan_tcp_ports {
     type inet_service
     comment "Public-facing services (Traefik, etc.)"
     elements = {
       80,          # HTTP (redirect to HTTPS)
       443          # HTTPS
-      # Add mail etc. here if you ever expose them:
-      # 25, 465, 587, 993
     }
   }
 
@@ -71,7 +82,17 @@ table inet filter {
     # --- ZeroTier-only services (SSH + AI stack) ---
     # Any TCP port in @zt_tcp_ports is allowed only when coming
     # from an interface whose name starts with "zt".
-    iifname $vpn_if_pref tcp dport @zt_tcp_ports accept
+    iifname $vpn_if_pref tcp dport @vpn_tcp_ports accept
+    iifname $vpn_if_pref udp dport @vpn_udp_ports accept
+
+    # WireGuard listener on WAN
+    iifname $wan_if udp dport $wg_port accept
+
+    # Private services via WireGuard OR ZeroTier
+    iifname $wg_if   tcp dport @vpn_tcp_ports accept
+    iifname $zt_if_pref tcp dport @vpn_tcp_ports accept
+    iifname $wg_if   udp dport @vpn_udp_ports accept
+    iifname $zt_if_pref udp dport @vpn_udp_ports accept
 
     # --- Public web (Traefik) ---
     # Allow HTTP/HTTPS on any interface (typically WAN),

firewall/nftables.wireguard.conf.example

@@ -0,0 +1,85 @@
+#!/usr/sbin/nft -f
+#
+# nftables-wireguard.conf.example
+#
+# Example nftables config for:
+# - Traefik on 80/443 (public web)
+# - WireGuard VPN on UDP 51820
+# - Private services only accessible via WireGuard (interface wg0)
+#
+# Copy to /etc/nftables.conf and adjust interface names and port sets.
+
+flush ruleset
+
+# Adjust to your actual interfaces
+define wan_if    = "eno1"    # WAN interface name
+define wg_if     = "wg0"     # WireGuard interface name
+define wg_port   = 51820     # WireGuard UDP port
+
+table inet filter {
+
+  #
+  # Sets of ports
+  #
+
+  # Public web ports (Traefik)
+  set wan_tcp_ports {
+    type inet_service
+    comment "Public-facing web ports"
+    elements = {
+      80,
+      443
+    }
+  }
+
+  # Private TCP services accessible only via WireGuard
+  set wg_tcp_ports {
+    type inet_service
+    flags interval
+    comment "Private services (AI stack, etc.) over WireGuard only"
+    elements = {
+      22,          # SSH
+      7860,        # Stable Diffusion
+      8000,        # vLLM or similar
+      8080-8089,   # Llamafile / sandbox UIs
+      8501,        # Sandbox Fusion / Streamlit
+      11434        # Ollama
+    }
+  }
+
+  chain input {
+    type filter hook input priority 0;
+    policy drop;
+
+    # Loopback
+    iifname "lo" accept
+
+    # Established/related
+    ct state established,related accept
+
+    # ICMP (ping, etc.)
+    ip protocol icmp accept
+    ip6 nexthdr icmpv6 accept
+
+    # WireGuard VPN – allow incoming tunnel on WAN
+    iifname $wan_if udp dport $wg_port accept comment "WireGuard VPN listen"
+
+    # Private services only over WireGuard interface
+    iifname $wg_if tcp dport @wg_tcp_ports accept
+
+    # Public web
+    # If you want to restrict 80/443 strictly to WAN:
+    # iifname $wan_if tcp dport @wan_tcp_ports accept
+    tcp dport @wan_tcp_ports accept
+  }
+
+  chain forward {
+    type filter hook forward priority 0;
+    policy drop;
+  }
+
+  chain output {
+    type filter hook output priority 0;
+    policy accept;
+  }
+}

wireguard/wg0.conf.example

@@ -0,0 +1,27 @@
+# wireguard/wg0.conf.example
+#
+# Example WireGuard server configuration for VHostLoom host
+# Copy to /etc/wireguard/wg0.conf and replace placeholders.
+
+[Interface]
+# Address inside the VPN (server side)
+Address = 10.20.0.1/24
+
+# WireGuard listens on UDP 51820 by default (change if you like)
+ListenPort = 51820
+
+# Server private key (generate with: wg genkey)
+PrivateKey = <SERVER_PRIVATE_KEY>
+
+# Optional: enable routing on Linux (also set sysctl)
+# PostUp   = sysctl -w net.ipv4.ip_forward=1
+# PostDown = sysctl -w net.ipv4.ip_forward=0
+
+# Example peer (your laptop, desktop, etc.)
+[Peer]
+# Peer public key (from: wg genkey | tee peer.key | wg pubkey)
+PublicKey = <CLIENT_PUBLIC_KEY>
+
+# Allowed IPs for this peer inside VPN
+# Typically a single /32 address
+AllowedIPs = 10.20.0.2/32