# BTGuard VPN — wg-quick local override.
#
# Ubuntu's stock /etc/apparmor.d/wg-quick profile only permits wg-quick to read
# its config from /etc/wireguard/**. Our privileged helper deliberately does NOT
# write into /etc/wireguard (so the system 'wg-quick' command and other VPN
# software that uses /etc/wireguard remain undisturbed). Instead the helper
# stages the transient connection config inside its own systemd StateDirectory
# at /var/lib/btguard-vpn-helper/wg/ (root:root mode 0700, deleted on disconnect).
#
# This file is loaded by the Ubuntu profile via:
#   include if exists <local/wg-quick>
# from /etc/apparmor.d/wg-quick. Reload after install with:
#   apparmor_parser -r /etc/apparmor.d/wg-quick

  # Helper-staged wg-quick config + sibling .tmp file used by the bash script.
  /var/lib/btguard-vpn-helper/wg/ r,
  /var/lib/btguard-vpn-helper/wg/** rwk,
