first commit

.env

@@ -0,0 +1 @@
+SSH_PORT=22

install.sh

@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+. .env
+
+export iface;   iface="$(ip route show default | grep -Po 'dev\s+\K\w+')"
+export privkey; privkey="$(wg genkey)"
+
+envsubst < nftables.conf > /etc/wireguard/nftables.conf
+envsubst < wg0.conf > /etc/wireguard/wg0.conf
+
+systemctl enable wg-quick@wg0

nftables.conf

@@ -0,0 +1,41 @@
+table ip wg {}; delete table ip wg
+
+table ip wg {
+  chain input {
+    type filter hook input priority filter; policy drop;
+    ct state invalid               counter drop
+    ct state {established,related} counter accept
+
+    iif "lo"                  counter accept
+    ip protocol {icmp,icmpv6} counter accept
+
+    tcp dport $SSH_PORT counter accept comment "ssh"
+    iif "$iface" udp dport 443 counter accept comment "wg"
+
+    counter comment "dropped"
+  }
+
+  chain forward {
+    type filter hook forward priority filter; policy drop;
+
+    iif "wg0" counter accept
+    oif "wg0" counter accept
+
+    counter comment "dropped"
+  }
+
+  chain output {
+    type filter hook output priority filter; policy accept;
+
+    counter comment "accepted"
+  }
+
+  chain postrouting {
+    type nat hook postrouting priority srcnat; policy drop;
+
+    oif "$iface" counter masquerade
+    oif "wg0"    counter masquerade
+
+    counter comment "dropped"
+  }
+}

start.sh

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+wg-quick up wg0

stop.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+wg-quick down wg0

wg0.conf

@@ -0,0 +1,12 @@
+[Interface]
+PrivateKey = $privkey
+Address    = 10.0.0.1/24
+ListenPort = 443
+PostUp     = sysctl net.ipv4.ip_forward=1
+PostUp     = nft -f /etc/wireguard/nftables.conf
+PostDown   = nft delete table ip wg
+
+# dev1
+[Peer]
+PublicKey  = 
+AllowedIPs = 10.0.0.2/32