diff --git a/hosts/hosting-02/default.nix b/hosts/hosting-02/default.nix
index 399b9f7..6dea46e 100644
--- a/hosts/hosting-02/default.nix
+++ b/hosts/hosting-02/default.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 {
 imports = [
 ./disk-config.nix
@@ -18,12 +18,51 @@
 80
 443
 ];
+allowedUDPPorts = [
+51820
+];
 };
 systemd.network.networks."30-wan".address = [ "2a01:4f8:c013:7fc0::/64" ];
+users.groups.vpn = { };
+users.users.vpn = {
+isSystemUser = true;
+group = "vpn";
+};
+
+networking.iproute2 = {
+enable = true;
+rttablesExtraConfig = ''
+133 vpn
+'';
+};
+
+systemd.services.vpn-policy-routing =
+let
+vpnUid = toString config.users.users.vpn.uid;
+in
+{
+description = "Apply policy routing rules for the 'vpn' user.";
+
+wantedBy = [ "multi-user.target" ];
+
+after = [ "network-online.target" ];
+wants = [ "network-online.target" ];
+
+serviceConfig.type = "oneshot";
+
+script = ''
+IP_CMD="${pkgs.iproute2}/bin/ip"
+$IP_CMD rule add from ${builtins.elemAt config.networking.wireguard.interfaces.wg0.ips 0} table vpn prio 200
+$IP_CMD rule add uidrange ${vpnUid}-${vpnUid} table vpn prio 201
+$IP_CMD -6 rule add from ${builtins.elemAt config.networking.wireguard.interfaces.wg0.ips 1} table vpn prio 200
+$IP_CMD -6 rule add uidrange ${vpnUid}-${vpnUid} table vpn prio 201
+'';
+};
+
 networking.wireguard = {
 enable = true;
@@ -47,6 +86,7 @@
 listenPort = 51820;
 privateKeyFile = config.sops.secrets.wireguardKey.path;
+table = "133";
 };
 };
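Review bot: `vpnUid = toString config.users.users.vpn.uid` in the second hunk only works if the `vpn` user has a fixed uid; unless one is assigned elsewhere in the configuration, a user declared with `isSystemUser = true` and no `uid` evaluates that option to `null`, `toString null` is the empty string, and the generated script runs `uidrange - table vpn`, which fails — add `uid = <FIXED-UID-PLACEHOLDER>;` to `users.users.vpn`, or resolve the uid at runtime with `id -u vpn`. Two further problems in the same service: `serviceConfig.type` must be `Type` (systemd unit keys are case-sensitive, so the lowercase key is ignored and the unit runs as `simple`), and `ip rule add` is not idempotent, so a restart or `nixos-rebuild switch` either accumulates duplicate rules or aborts on `RTNETLINK answers: File exists` under the `-e` shell NixOS uses for `script`. The rules also have no fall-through guard: when table `vpn` has no matching route (tunnel down, route withdrawn) the lookup continues to the main table and the `vpn` user's traffic leaves outside the tunnel; a `prohibit` rule for the same uidrange at the next priority closes that gap. The rewrite below makes the IPv4 rules idempotent and adds the guard; the IPv6 lines (`-6`, `elemAt … 1`) should follow the same pattern.
```nix
      serviceConfig = {
        Type = "oneshot";        # systemd keys are case-sensitive; lowercase "type" is ignored
        RemainAfterExit = true;  # keep the unit active so a later stop/restart can clean up rules
      };

      script = ''
        IP_CMD="${pkgs.iproute2}/bin/ip"
        WG4=${builtins.elemAt config.networking.wireguard.interfaces.wg0.ips 0}
        # "ip rule add" is not idempotent: remove stale copies first so a re-run does not
        # fail with EEXIST under the implicit "-e", then add the rules again.
        $IP_CMD rule del from $WG4 table vpn prio 200 2>/dev/null || true
        $IP_CMD rule del uidrange ${vpnUid}-${vpnUid} table vpn prio 201 2>/dev/null || true
        $IP_CMD rule del uidrange ${vpnUid}-${vpnUid} prohibit prio 202 2>/dev/null || true
        $IP_CMD rule add from $WG4 table vpn prio 200
        $IP_CMD rule add uidrange ${vpnUid}-${vpnUid} table vpn prio 201
        # Fall-through guard: if table vpn has no matching route (tunnel down), block the
        # vpn user's traffic instead of letting the lookup continue to the main table.
        $IP_CMD rule add uidrange ${vpnUid}-${vpnUid} prohibit prio 202
        # … unchanged pattern for IPv6: "-6", elemAt … 1, with the same del/add/prohibit lines …
      '';
```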
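Review bot: `table = "133";` in the last hunk repeats as a bare literal the table number that `rttablesExtraConfig = '' 133 vpn ''` binds to the name `vpn` earlier in the file, so the two can drift apart silently and leave the WireGuard routes in a table the policy rules never consult. Hoist the number into one binding shared by both places, e.g. `let vpnTable = 133; in` with `rttablesExtraConfig = "${toString vpnTable} vpn"` and `table = toString vpnTable;`, and add a short comment at the `table` line naming the rule set that depends on it.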