diff --git a/nix/nixos-module/container/wireguard.nix b/nix/nixos-module/container/wireguard.nix
index 88813cb..86caf36 100644
--- a/nix/nixos-module/container/wireguard.nix
+++ b/nix/nixos-module/container/wireguard.nix
@@ -14,6 +14,7 @@ let
 privateKeyFile = ifName: "/run/wireguard-keys/${ifName}.key";
+ wireguardMark = 3;
 vpnTable = 100;
 in
 {
@@ -50,6 +51,7 @@ in
 };
 wireguardConfig = {
 PrivateKeyFile = privateKeyFile ifName;
+ FirewallMark = wireguardMark;
 RouteTable = "vpn";
 };
 wireguardPeers = [ {
@@ -67,6 +69,7 @@ in
 core.routingPolicyRules = [ {
 # Marked wireguard packets take the vpn routing table
 routingPolicyRuleConfig = {
+ FirewallMark = wireguardMark;
 Table = vpnTable;
 };
 } ];
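Review bot: `wireguardMark = 3;` in the `let` block is a bare number with no indication of what sets it or what matches on it. A firewall mark is shared by every firewall and policy-routing rule in the same network namespace, so a small value like 3 is easy to reuse by accident elsewhere in this container's configuration. I would add a comment above it such as `# fwmark WireGuard puts on its own encrypted UDP packets; must stay unique among marks used in this container`. The `let` block starts outside the hunk, so other marks may already be defined there.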
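Review bot: `FirewallMark = wireguardMark;` in `wireguardConfig` marks the tunnel's own encrypted outer packets, not the traffic carried inside the tunnel, and the policy rule in the third hunk then sends exactly those packets to `vpnTable`. `RouteTable = "vpn"` puts the peers' AllowedIPs routes into a table of that name; if that is the same table 100 and a peer's AllowedIPs cover its own endpoint address, the outer packets would be routed back into the tunnel. The more common arrangement is the inverse, `InvertRule = true;` on the rule so that only unmarked traffic uses the vpn table. If the current direction is intended, a comment here saying which table holds the route to the peer endpoint would make that checkable. The peer list and the mapping of the name "vpn" to a table number are outside the hunk.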
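Review bot: Adding `FirewallMark = wireguardMark;` to a rule that, as far as this hunk shows, previously had only `Table = vpnTable;` narrows it from every packet to packets carrying mark 3, so unmarked traffic now falls through to the main table. If this container is expected to keep traffic inside the VPN, that is a fail-open path worth confirming, since nothing in the diff marks forwarded traffic. The existing comment does not say whether "marked wireguard packets" means the encrypted outer packets or the payload; I would reword it to `# Packets carrying wireguardMark (set by WireGuard on its encrypted outer packets) use the vpn table; everything else uses main`. The attribute set enclosing `core.routingPolicyRules` starts outside the hunk.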