# Gateway Enforcement Strategy

## WireGuard And Firewall Roles

- WireGuard authenticates peers and provides encrypted transport.
- nftables enforces which protected destinations a peer may reach.
- The NexaVPN control plane translates policy into gateway-side rules.

## Gateway Sync Bundle

Each gateway receives a generated sync bundle that contains:

- interface settings
- peer list
- peer allowed source address
- destination policy matrix
- DNS metadata
- revision metadata

Example bundle shape:

```json
{
  "gateway_id": "uuid",
  "revision": 12,
  "interface": {
    "address": "100.96.0.1/24",
    "listen_port": 51820
  },
  "peers": [
    {
      "device_id": "uuid",
      "public_key": "peer-key",
      "assigned_ip": "100.96.0.10/32",
      "allowed_destinations": [
        "172.16.10.0/24"
      ]
    }
  ]
}
```

## nftables Model

Recommended model:

1. Accept WireGuard interface input.
2. Map each peer's source VPN IP to its allowed destination CIDRs.
3. Drop traffic from VPN clients to destinations outside their effective allow list.
4. Permit full-tunnel peers through an explicit default-route policy.

High-level chain logic:

- traffic enters from `wg0`
- the source address identifies the device
- the destination is matched against generated sets
- allowed traffic is accepted
- unmatched traffic is dropped and optionally logged

## Enforcement Details

- Each device receives a unique VPN IP, which makes the firewall mapping deterministic.
- The generated firewall rules are derived from the effective policy union.
- Device revocation removes both the WireGuard peer and its nftables set members.
- Full-tunnel policy expands to `0.0.0.0/0`, and to `::/0` once IPv6 support is added later.

## Multi-Gateway Readiness

The backend stores policies independently from the gateway implementation. Each gateway receives only the peers assigned to it, which keeps later multi-gateway expansion straightforward.
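The generator below is an added example, not NexaVPN project code, showing how a sync bundle of the shape above is rendered into the nftables model just described: split-tunnel peers become elements of a concatenated interval set keyed on `source VPN IP . destination CIDR`, full-tunnel peers (a `0.0.0.0/0` destination) go into a source-only set, and everything else from `wg0` is logged and dropped. It assumes an IPv4-only bundle, a forward chain that carries only VPN traffic, a kernel and nftables recent enough for `flags interval` on concatenated sets, and table and set names (`nexavpn_gw`, `peer_allow`, `full_tunnel`) chosen here; the input rule accepting UDP 51820 stays in the host's existing input chain.

```python
import ipaddress
import json

# Constructed sample bundle in the shape shown above (all values are made up).
SAMPLE_BUNDLE = json.loads("""{
  "gateway_id": "gw-uuid", "revision": 12, "interface": {"address": "100.96.0.1/24", "listen_port": 51820},
  "peers": [
    {"device_id": "dev-a", "public_key": "peer-key-a", "assigned_ip": "100.96.0.10/32",
     "allowed_destinations": ["172.16.10.0/24", "10.20.0.0/16"]},
    {"device_id": "dev-b", "public_key": "peer-key-b", "assigned_ip": "100.96.0.11/32",
     "allowed_destinations": ["0.0.0.0/0"]}]}""")

def policy_elements(bundle: dict) -> tuple[list[str], list[str]]:
    """Return (full_tunnel_sources, split_tunnel_pairs) as sorted nft set elements."""
    vpn_net = ipaddress.ip_network(bundle["interface"]["address"], strict=False)
    full, pairs = set(), set()
    for peer in bundle["peers"]:
        src = ipaddress.ip_interface(peer["assigned_ip"])
        # A unique /32 per device is what makes the source-address mapping deterministic.
        if src.network.prefixlen != 32 or src.ip not in vpn_net:
            raise ValueError(f"{peer['device_id']}: assigned_ip must be a /32 in {vpn_net}")
        for dst in peer["allowed_destinations"]:
            net = ipaddress.ip_network(dst)  # strict: rejects a CIDR with host bits set
            if net.prefixlen == 0:           # 0.0.0.0/0: full tunnel, matched by source only
                full.add(str(src.ip))
            else:                            # split tunnel: "saddr . dst-cidr" pair element
                pairs.add(f"{src.ip} . {net}")
    return sorted(full), sorted(pairs)

def render_nft(bundle: dict, wg_if: str = "wg0") -> str:
    """Render the forward-chain ruleset that enforces the bundle's destination policy."""
    full, pairs = policy_elements(bundle)
    # nftables rejects an empty 'elements = { }' clause, so omit it for an empty set.
    el = lambda items: f"\n        elements = {{ {', '.join(items)} }}" if items else ""
    return f"""table inet nexavpn_gw {{  # generated from sync bundle revision {bundle['revision']}
    set full_tunnel {{
        type ipv4_addr{el(full)}
    }}
    set peer_allow {{
        type ipv4_addr . ipv4_addr
        flags interval{el(pairs)}
    }}
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "{wg_if}" ip saddr @full_tunnel accept
        iifname "{wg_if}" ip saddr . ip daddr @peer_allow accept
        iifname "{wg_if}" log prefix "nexavpn-drop " drop
    }}
}}"""
```

Validate the rendered text with `nft -c -f` before loading it with `nft -f`; the final `log` rule gives the drop events a `nexavpn-drop` prefix that a log pipeline can alert on.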