auto {{ vpn_wireguard_iface }}
iface {{ vpn_wireguard_iface }} inet static
    pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard
    pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
    pre-up ip link set mtu {{ vpn_wireguard_mtu }} dev $IFACE

    post-up /usr/local/sbin/post-up-$IFACE-inet.nft
    post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
{% if vpn_wireguard_role == "server" %}
{% if vpn_wireguard_routing_table is defined %}
    post-up ip rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
    post-up ip -6 rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
{% endif %}
{% for client in vpn_wireguard_clients %}
{% if 'subnet' in client %}
    post-up ip route add {{ client.subnet }} dev $IFACE
{% endif %}
{% endfor %}
{% elif vpn_wireguard_role == "client" %}
    post-up ip route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
{% endif %}

{% if vpn_wireguard_role == "server" %}
{% for client in vpn_wireguard_clients %}
{% if 'subnet' in client %}
    pre-down ip route del {{ client.subnet }} dev $IFACE
{% endif %}
{% endfor %}
{% if vpn_wireguard_routing_table is defined %}
    pre-down ip -6 rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
    pre-down ip rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
{% endif %}
{% elif vpn_wireguard_role == "client" %}
    pre-down ip route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
{% endif %}
    pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
    pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft

    address {{ vpn_wireguard_address }}
    netmask {{ vpn_wireguard_prefixlen }}
{% if vpn_wireguard_address_v6 is defined %}

iface {{ vpn_wireguard_iface }} inet6 static
{% if vpn_wireguard_role == "client" %}
    post-up ip -6 route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
{% endif %}

{% if vpn_wireguard_role == "client" %}
    pre-down ip -6 route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
{% endif %}

    address {{ vpn_wireguard_address_v6 }}
    netmask {{ vpn_wireguard_prefixlen_v6 }}
{% endif %}
{% if vpn_wireguard_address_v6 is defined %}
{% if vpn_wireguard_role == "server" %}
    {{ __assert__wireguard_server_role_not_supported_for_ipv6 }}
{% endif %}
{% endif %}