# WireGuard Module for VHostLoom

This optional module adds a WireGuard VPN interface (`wg0`) so you can access private services (e.g., Stable Diffusion, Llamafile, Ollama, Forgejo SSH, etc.) securely over a VPN, without exposing them on the public Internet.

## Overview

- WireGuard listens on `UDP 51820` on the WAN interface.
- Clients connect to the server and receive an address in a VPN subnet (e.g., `10.20.0.0/24`).
- nftables rules restrict "private services" to be reachable **only** via the WireGuard interface (`wg0`), while public services (Traefik on 80/443) remain exposed on the WAN interface.

## Setup

1. **Copy and edit WireGuard config**

   ```bash
   sudo mkdir -p /etc/wireguard
   sudo cp wireguard/wg0.conf.example /etc/wireguard/wg0.conf
   sudo chmod 600 /etc/wireguard/wg0.conf
   ```
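
The interface-based split described in the Overview, written out as an nftables input chain. This is an added illustration, not VHostLoom's shipped ruleset. It assumes the WAN interface is named `eth0`; the table name and the private service ports are placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example, not the project's own rules.
# Assumptions: WAN interface is "eth0"; table name and port set are placeholders.
# The default policy is drop: add a rule for your own management access
# (for example SSH from an admin address) before loading this on a remote host.

table inet vhostloom_example {
    set private_tcp_ports {
        type inet_service
        # Constructed placeholder ports; substitute the ports your
        # private services actually listen on.
        elements = { 2222, 7860, 8080, 11434 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # ICMP and ICMPv6 (path MTU discovery, neighbor discovery)
        meta l4proto { icmp, ipv6-icmp } accept

        # Public on WAN: the WireGuard endpoint and Traefik
        iifname "eth0" udp dport 51820 accept
        iifname "eth0" tcp dport { 80, 443 } accept

        # Private: only via the tunnel, and only from the VPN subnet
        iifname "wg0" ip saddr 10.20.0.0/24 tcp dport @private_tcp_ports accept

        # Anything aimed at a private port that did not arrive on wg0
        # reaches this point; log it (rate limited) before the policy drops it.
        tcp dport @private_tcp_ports limit rate 5/minute log prefix "private-svc-non-wg: "
    }
}
```

Syntax can be checked without loading the rules using `nft -c -f <file>`. The input hook only covers services bound on the host itself; ports published by a container runtime through DNAT traverse the forward hook and need an equivalent `iifname "wg0"` restriction there.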