Seems to work

services/firewall/config/firewall.nft

@@ -9,6 +9,8 @@ define lan_net = 192.168.2.0/24
 define allowed_icmpv6 = { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded }
 define allowed_icmp = { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded }
 
+define lan_clients = { 10.0.0.3 }
+
 table inet firewall {
   chain postrouting {
     type nat hook postrouting priority 100;
@@ -20,16 +22,16 @@ table inet firewall {
   chain incoming {
     # This line set what traffic the chain will handle, the priority and default policy.
     # The priority comes in when you in another table have a chain set to "hook input" and want to specify in what order they should run.
-	type filter hook input priority 0; policy drop;
-    
-	ct state invalid drop                                 # early drop of invalid packets
-	ct state {established, related} accept                # allow established/related connections
-	
+    type filter hook input priority 0; policy drop;
+
+    ct state invalid drop                                 # early drop of invalid packets
+    ct state {established, related} accept                # allow established/related connections
+
     iif lo accept                                         # allow traffic from loopback interface
 
-	# Limit and accept ICMP packets
-    ip protocol icmp icmp type @allowed_icmp limit rate 1/second burst 5 packets accept
-    ip6 nexthdr icmpv6 icmpv6 type @allowed_icmpv6 limit rate 1/second burst 5 packets accept
+    # Limit and accept ICMP packets
+    ip protocol icmp icmp type $allowed_icmp limit rate 1/second burst 5 packets accept
+    ip6 nexthdr icmpv6 icmpv6 type $allowed_icmpv6 limit rate 1/second burst 5 packets accept
 
     # Rules for all interfaces
     tcp dport { 80, 443 } accept                          # Allow http and https for all interfaces
@@ -49,10 +51,13 @@ table inet firewall {
     ct state invalid drop                                 # early drop of invalid packets
     ct state {established, related} accept                # allow established/related connections
 
+    iifname $vpn ip saddr $lan_clients ip daddr $lan_net accept # Allow specific clients to access the LAN network
+    iifname $vpn ip daddr $lan_net drop                   # Block all other VPN clients from accessing the LAN network 
+    
     iifname $vpn oifname $wan accept                      # Allow VPN traffic to access WAN
   }
 
   chain outgoing {
-	type filter hook output priority 0; policy accept;
+    type filter hook output priority 0; policy accept;
   }
 }

services/firewall/install.sh

@@ -1,21 +1,6 @@
 #!/bin/sh
 echo "Setting up firewall..."
 
-apk add -u awall # important -u flag!
-apk add ip6tables iptables
-modprobe -v ip_tables
-modprobe -v ip6_tables
-#modprobe -v iptable_nat #if NAT is used
-
-# Register services
-rc-update add iptables
-rc-update add ip6tables
-rc-service iptables start
-rc-service ip6tables start
-
-# In the global policy, LAN rules are omitted, as we are behind a NAT router.
-# If not, add this to global.policy.json:
-#         "LAN": { "iface": "eth1" },
-# ...
-#   { "in": "LAN", "action": "accept" },
-#   { "out": "LAN", "action": "accept" },
+apk add nftables
+rc-update add nftables boot
+rc-service nftables start

services/wireguard/install.sh

@@ -18,6 +18,7 @@ EOF
 
 # Enable IP forwarding, persistent
 echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/ip_forward.conf
+echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.d/ip_forward.conf
 sysctl -p /etc/sysctl.d/ip_forward.conf
 
 # Auto-start Wireguard on boot