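#!/usr/sbin/nft -f

# Host firewall and NAT for a WireGuard hub.
#   wg0 - user VPN clients (presumably addressed from 10.10.0.0/24, see the
#         masquerade rule below; the interface config itself is not in this file)
#   wg1 - upstream "DE" tunnel; the far side does its own NAT for that path
#
# Fixes relative to the previous version:
#   * both `inet` chains now drop conntrack-invalid packets before any accept
#     rule can match them, so stray/malformed segments cannot piggy-back on the
#     established/related rule;
#   * the input chain accepts the ICMPv6 messages IPv6 cannot work without.
#     Because the table family is `inet`, `policy drop` also applies to IPv6,
#     and the IPv4-only `icmp type echo-request` rule left neighbour discovery
#     silently dropped. These rules are harmless on an IPv4-only host.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Drop packets conntrack cannot classify (no matching flow, bad state
        # transition) before any accept rule runs.
        ct state invalid drop

        # Allow replies and related traffic for flows we already accepted
        ct state established,related accept

        # Allow loopback
        iif lo accept

        # Allow SSH (adjust port if needed)
        tcp dport 22 accept

        # Allow WireGuard from anywhere (user connections)
        udp dport 51820 accept

        # Allow DNS from VPN clients only (never from the public interface)
        iifname "wg0" udp dport 53 accept
        iifname "wg0" tcp dport 53 accept

        # Allow IPv4 ping (`icmp` matches IPv4 only in an inet table)
        icmp type echo-request accept

        # Allow the ICMPv6 types needed for IPv6 neighbour discovery and ping.
        # ICMPv6 errors tied to an existing flow (packet-too-big, etc.) are
        # already covered by the established,related rule above.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, echo-request } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Same conntrack hygiene as the input chain
        ct state invalid drop

        # Allow replies for flows accepted below (wg0 <-> anywhere, wg1 <-> anywhere)
        ct state established,related accept

        # Allow forwarding from user VPN
        iifname "wg0" accept

        # Allow forwarding from DE tunnel. NOTE(review): this forwards anything
        # arriving over wg1, not only replies; confirm that is intended.
        iifname "wg1" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100;

        # NAT VPN-client traffic leaving via the main interface.
        # Traffic leaving via wg1 is not NATed here: the DE VDS NATs it.
        # Traffic leaving via wg0 is client-to-client and needs no NAT.
        # IPv4 only; an IPv6 client range (if any) is not masqueraded.
        oifname != "wg0" oifname != "wg1" ip saddr 10.10.0.0/24 masquerade
    }
}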