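# Macros
ext_if="vtnet0"
wg_if="wg0"

# Options
set skip on lo0
set block-policy return

# Normalization
scrub in on $ext_if all fragment reassemble

# NAT WireGuard clients out through the external interface
nat on $ext_if from $wg_if:network to any -> ($ext_if)

# Default policy: block inbound, allow outbound
block in all
pass out all
antispoof for $ext_if

# SSH and the WireGuard listener (51820/udp)
pass in proto tcp from any to any port ssh flags S/SA modulate state
pass in proto udp from any to any port 51820

# Pass all traffic on the tunnel interface
pass in on $wg_if from any to any
pass quick on $wg_if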