table inet wg {
    chain vpn {
        type filter hook output priority filter; policy drop;
        meta nftrace set 1
        oif "wlo1" ip daddr 143.244.46.105 udp dport 51820 accept
        # oif "wlo1" drop
        # NOTE(review): with policy drop on the output hook, the accept rule above is the
        # only one that lets locally generated packets out; traffic leaving via any other
        # interface (wg-ua, wg0, lo) falls through to the drop policy. Confirm that is intended.
    }
}

[root@kyler wireguard]# ip a s dev wlo1
4: wlo1: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e0:d4:64:ef:09:07 brd ff:ff:ff:ff:ff:ff
    altname wlp40s0
    altname wlxe0d464ef0907
    inet 192.168.50.20/24 brd 192.168.50.255 scope global dynamic noprefixroute wlo1
       valid_lft 81500sec preferred_lft 81500sec
    inet6 fe80::57cf:fc:7ef9:69d5/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
[root@kyler wireguard]# ip a s dev wg-ua
5: wg-ua: mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.14.0.2/16 scope global wg-ua
       valid_lft forever preferred_lft forever
[root@kyler wireguard]#
[root@kyler wireguard]# ip r
default via 192.168.50.1 dev wlo1 proto dhcp src 192.168.50.20 metric 600
10.1.1.0/24 dev wg0 proto kernel scope link src 10.1.1.5
10.14.0.0/16 dev wg-ua proto kernel scope link src 10.14.0.2
192.168.50.0/24 dev wlo1 proto kernel scope link src 192.168.50.20 metric 600

================================================================================

after enabling wireguard: nft list ruleset

table ip wg-quick-wg-ua {
    chain preraw {
        type filter hook prerouting priority raw; policy accept;
        iifname != "wg-ua" ip daddr 10.14.0.2 fib saddr type != local drop
    }
    chain premangle {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto udp meta mark set ct mark
    }
    chain postmangle {
        type filter hook postrouting priority mangle; policy accept;
        meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
    }
}