From a4e7d103899e48bb3986f61807c2ea57f825826b Mon Sep 17 00:00:00 2001 From: "Wesley R. Elsberry" Date: Thu, 20 Nov 2025 08:43:15 -0500 Subject: [PATCH] Added Wireguard README.md --- wireguard/README.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 wireguard/README.md diff --git a/wireguard/README.md b/wireguard/README.md new file mode 100644 index 0000000..53f7313 --- /dev/null +++ b/wireguard/README.md @@ -0,0 +1,23 @@ +# WireGuard Module for VHostLoom + +This optional module adds a WireGuard VPN interface (`wg0`) so you can access +private services (e.g., Stable Diffusion, Llamafile, Ollama, Forgejo SSH, etc.) +securely over a VPN, without exposing them on the public Internet. + +## Overview + +- WireGuard listens on `UDP 51820` on the WAN interface. +- Clients connect to the server and receive an address in a VPN subnet + (e.g., `10.20.0.0/24`). +- nftables rules restrict "private services" to be reachable **only** via the + WireGuard interface (`wg0`), while public services (Traefik on 80/443) remain + exposed on the WAN interface. + +## Setup + +1. **Copy and edit WireGuard config** + + ```bash + sudo mkdir -p /etc/wireguard + sudo cp wireguard/wg0.conf.example /etc/wireguard/wg0.conf + sudo chmod 600 /etc/wireguard/wg0.conf
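Review bot: In Setup step 1, `sudo mkdir -p /etc/wireguard` and `sudo cp` create the directory and the config under the default umask, and `chmod 600` only tightens the file afterwards, so with a typical umask the directory stays world-listable and the file briefly has default permissions. Since `wg0.conf` is where the interface's private key will live, consider creating both with restrictive modes from the start, e.g. `sudo install -d -m 700 /etc/wireguard` followed by `sudo install -m 600 wireguard/wg0.conf.example /etc/wireguard/wg0.conf`. In the Overview, "listens on `UDP 51820` on the WAN interface" reads as if WireGuard binds to that interface; WireGuard has no per-interface bind setting and listens on all addresses, so it would be more accurate to say the port is accepted on the WAN interface by the nftables rules. A style point: the commit subject spells it "Wireguard" while the README uses "WireGuard".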