nftables vpn config

nftables.conf

#!/usr/bin/nft -f

define ext_if = ens3
define ext_ip = a.b.c.d
define vpn_if = ppp0
define vpn_ip = x.y.z.w/s

table inet filter {
  chain input {
    type filter hook input priority 0;

    # allow established/related connections
    ct state {established, related} accept

    # allow gre (before invalid drop for vpn)
    ip protocol gre accept

    # early drop of invalid connections
    ct state invalid drop

    # allow from loopback
    iifname lo accept

    # allow icmp
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # allow tcp
    tcp dport { http, https } accept
    tcp dport pptp accept
    tcp dport ssh accept

    # everything else
    reject with icmp type port-unreachable
    #drop
  }
  chain output {
    type filter hook output priority 0;
  }
  chain forward {
    type filter hook forward priority 0;

    # allow forwarding for vpn
    iifname $ext_if oifname $vpn_if ip daddr $vpn_ip ct state { related, established } accept
    iifname $vpn_if oifname $ext_if ip saddr $vpn_ip accept

    drop
  }
}

table ip nat {
  chain prerouting {
    type nat hook prerouting priority -150;
  }
  chain postrouting {
    type nat hook postrouting priority -150;

    # enable nat for vpn over ext
    ip saddr $vpn_ip oifname $ext_if masquerade
  }
}