# WireGuard Module for VHostLoom

This optional module adds a WireGuard VPN interface (`wg0`) so you can reach private services (e.g., Stable Diffusion, Llamafile, Ollama, Forgejo SSH) securely over a VPN, without exposing them on the public Internet.

## Overview

- WireGuard listens on `UDP 51820` on the WAN interface.
- Clients connect to the server and receive an address in a VPN subnet (e.g., `10.20.0.0/24`).
- nftables rules restrict "private services" to be reachable **only** via the WireGuard interface (`wg0`), while public services (Traefik on 80/443) remain exposed on the WAN interface.

## Setup

1. **Copy and edit WireGuard config**

   ```bash
   sudo mkdir -p /etc/wireguard
   sudo cp wireguard/wg0.conf.example /etc/wireguard/wg0.conf
   sudo chmod 600 /etc/wireguard/wg0.conf
   ```

   Generate keys (run `umask 077` first so the `.key` files are created readable only by you):

   ```bash
   wg genkey | tee server.key | wg pubkey > server.pub
   wg genkey | tee client.key | wg pubkey > client.pub
   ```

   * Put `server.key` into `PrivateKey` for `[Interface]`.
   * Put `client.pub` into `PublicKey` for `[Peer]`.

2. **Enable WireGuard**

   ```bash
   sudo systemctl enable wg-quick@wg0
   sudo systemctl start wg-quick@wg0
   ```

   You should now see the interface:

   ```bash
   ip addr show wg0
   ```

3. **Configure firewall**

   Use `firewall/nftables-wireguard.conf.example` as a starting point:

   ```bash
   sudo cp firewall/nftables-wireguard.conf.example /etc/nftables.conf
   sudo nft -f /etc/nftables.conf
   sudo systemctl enable nftables
   ```

   Adjust:

   * `wan_if` to match your actual WAN interface (e.g., `eno1`).
   * `wg_if` to `wg0` (default).
   * `wg_tcp_ports` to match your private services (SSH, Stable Diffusion, etc.).

4. **Client configuration**

   On your client (laptop, etc.), create a WireGuard config like:

   ```ini
   [Interface]
   Address = 10.20.0.2/32
   PrivateKey =
   DNS = 1.1.1.1

   [Peer]
   PublicKey =
   Endpoint = your.domain.example:51820
   AllowedIPs = 10.20.0.0/24
   PersistentKeepalive = 25
   ```

   Bring it up with your WireGuard client (e.g., `wg-quick up`, or a GUI).

5.
   **Access private services**

   Once the tunnel is up, you should be able to reach private services on the VHostLoom host by its VPN address:

   * `http://10.20.0.1:7860` (Stable Diffusion)
   * `http://10.20.0.1:8080` (Llamafile)
   * `http://10.20.0.1:11434` (Ollama)
   * etc.

   Public services (e.g. `https://cloud.example.com`, `https://git.example.com`) remain available via their normal DNS names and the Traefik reverse proxy.

## Coexistence with ZeroTier

If you prefer ZeroTier or want both:

* Keep the ZeroTier interface and rules.
* Treat `wg0` and `zt+` as equally trusted VPN ingress points.
* Use a shared set (e.g. `vpn_tcp_ports`) for ports allowed from either VPN interface, and separate sets if you want to distinguish them.

This module is intentionally minimal; adapt the address ranges, ports, and routing rules to match your environment.
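As an added example (not the project's `nftables-wireguard.conf.example`), the script below renders a ruleset of the shape that step 3 and the ZeroTier section describe: 80/443 and UDP 51820 accepted on the WAN interface, a shared `vpn_tcp_ports` set accepted only from the trusted VPN interfaces, and WAN-side attempts on those private ports logged. The function name `render_vpn_ruleset`, its arguments, and the rule layout are assumptions.

```shell
#!/bin/sh
# Added example, not VHostLoom code. Renders an nftables ruleset in which the
# public ports (80/443) and the WireGuard port are reachable on the WAN side,
# while the private service ports are accepted only from the VPN interfaces.
#   $1    WAN interface name (e.g. eno1)
#   $2    comma-separated TCP ports of private services (e.g. "22, 7860, 11434")
#   $3... VPN interface names treated as trusted ingress (e.g. wg0 'zt*')
render_vpn_ruleset() {
    wan_if=$1; vpn_ports=$2; shift 2
    cat <<EOF
flush ruleset
define wan_if = "$wan_if"
define vpn_tcp_ports = { $vpn_ports }
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
        # WireGuard handshakes and tunnel packets arrive on the WAN side (UDP 51820)
        iifname \$wan_if udp dport 51820 accept
        # Public services fronted by Traefik
        iifname \$wan_if tcp dport { 80, 443 } accept
        # Private ports must never be answered on the WAN side: log, then drop
        iifname \$wan_if tcp dport \$vpn_tcp_ports log prefix "private-port-on-wan " drop
EOF
    # One accept rule per trusted VPN interface; "zt*" matches any ZeroTier interface
    for vpn_if in "$@"; do
        printf '        iifname "%s" tcp dport $vpn_tcp_ports accept\n' "$vpn_if"
    done
    printf '    }\n}\n'
}

# Usage (syntax check only, nothing is loaded into the kernel):
#   render_vpn_ruleset eno1 "22, 7860, 8080, 11434" wg0 'zt*' | sudo nft -c -f -
```

Drop the `-c` and redirect the output to `/etc/nftables.conf` once the check passes and the interface names match your host.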