table nat {
	chain prerouting {
		type nat hook prerouting priority 0;
		comment "this is necessary even if empty";
	}

	chain postrouting {
		type nat hook postrouting priority 100;
		comment "enable NAT for VPN";
		iifname "tun0" oifname "eth0" ip saddr $VPN_SUBNET masquerade;
	}
}