dch-gw: Host Pyrocufflink VPN locally

This commit adjusts the firewall and networking configuration on dc0 to
host the Pyrocufflink remote access IPsec VPN locally instead of
forwarding it to the internal VPN server.

roles/dch-gw/templates/masquerade.nft.j2

@@ -1,5 +1,17 @@
 table ip nat {
+    set vpn_subnets {
+        type ipv4_addr
+        flags interval
+        elements = {
+            172.31.0.64/28,
+{% for prefix in firemon_networks %}
+            {{ prefix }},
+{% endfor %}
+        }
+    }
+
     chain postrouting {
+        ip daddr @vpn_subnets counter accept
         oif {{ ansible_default_ipv4.interface }} masquerade
     }
 }