# NixOS module: a WireGuard (wg-quick) tunnel on wg0 next to a locally
# addressed "wgbr" interface, with kernel IP forwarding switched on so the
# host can route between them.
{ lib, pkgs, config, ... }:

let
  # UDP port the tunnel listens on. It is referenced both by the firewall
  # rule and by the wg0 definition so the two cannot drift apart.
  wireguardPort = 51820;
in
{
  # Forwarding (IPv4 and IPv6) is what lets this host route packets on
  # behalf of VPN peers. mkDefault keeps the setting overridable by another
  # module without a definition conflict.
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = lib.mkDefault true;
    "net.ipv6.conf.all.forwarding" = lib.mkDefault true;
  };

  networking.firewall = {
    # Only the WireGuard listen port is opened to the outside.
    allowedUDPPorts = [ wireguardPort ];
    # Answer blocked packets with a reject instead of a silent drop.
    rejectPackets = true;
    # Traffic arriving on these interfaces is accepted unconditionally: every
    # VPN peer (and anything on wgbr) reaches all of this host's services and,
    # with forwarding enabled, whatever the host routes onward.
    trustedInterfaces = [ "wgbr" "wg0" ];
  };

  networking.interfaces.wgbr.ipv4 = {
    routes = [ ];
    # NOTE(review): 10.8.1.1 is also assigned to wg0 below (as /16), so both
    # interfaces carry the same address with overlapping prefixes; confirm
    # this layout is intended rather than a copy/paste leftover.
    addresses = [
      {
        address = "10.8.1.1";
        prefixLength = 24;
      }
    ];
  };

  networking.wg-quick.interfaces.wg0 = {
    # Address and prefix of this end of the tunnel.
    address = [ "10.8.1.1/16" ];
    # Pin the listen port: without it wg-quick picks a random port and the
    # allowedUDPPorts rule above would not match.
    listenPort = wireguardPort;
    # The private key is read from this file when the interface comes up;
    # it should be readable by root only.
    privateKeyFile = "/root/privkey";

    # A single peer, the server, is all a client-style setup needs.
    peers = [
      {
        # The server's public key (a literal key, not a file path).
        publicKey = "AJ1nr0/w8OvsNq5Ju//m4856u7yY0hlPGMEGeZtlhlY=";
        # Only the 10.8.0.0/16 range is sent through the tunnel; all other
        # traffic leaves the host over its normal routes.
        allowedIPs = [ "10.8.0.0/16" ];
        # Server address and UDP port.
        endpoint = "202.61.230.52:51820";
        # Keepalive interval in seconds, so NAT mappings along the path
        # do not expire while the tunnel is idle.
        persistentKeepalive = 25;
      }
    ];
  };
}