diff --git a/roles/firewall/templates/interfaces.j2 b/roles/firewall/templates/interfaces.j2
index fae0f3d..75980f2 100644
--- a/roles/firewall/templates/interfaces.j2
+++ b/roles/firewall/templates/interfaces.j2
@@ -1,10 +1,9 @@
 {% set addrs = interfaces | selectattr('name', '==', 'lo') | map(attribute='ip_addresses') | first -%}
-source-directory /etc/network/interfaces.d
-
 auto lo
-iface lo inet loopback
- address {{ wg_ip }}
+iface lo
 {% for address in addrs %}
 address {{ address.address }}
 {% endfor %}
+
+source-directory /etc/network/interfaces.d
diff --git a/roles/firewall/templates/nftables.nft.j2 b/roles/firewall/templates/nftables.nft.j2
index 5afa559..bc45c0b 100644
--- a/roles/firewall/templates/nftables.nft.j2
+++ b/roles/firewall/templates/nftables.nft.j2
@@ -146,6 +146,19 @@ table inet filter {
 }
 }
+table inet wireguard {
+ chain input {
+ type filter hook prerouting priority raw; policy accept
+ udp dport 51820 notrack \
+ comment "Disable connection tracking for wireguard"
+ }
+ chain output {
+ type route hook output priority raw; policy accept
+ meta mark 51820 meta nfproto ipv4 ip saddr set {{ wg_ip | ipaddr('address') }} notrack \
+ comment "Disable connection tracking and set anycast source IP for wireguard"
+ }
+}
+
 table ip nat {
 include "/etc/nftables.d/interfaces.nft"
 include "/etc/nftables.d/networks.nft"
diff --git a/roles/firewall/templates/wg.intf.j2 b/roles/firewall/templates/wg.intf.j2
index 266eef8..f66ff27 100644
--- a/roles/firewall/templates/wg.intf.j2
+++ b/roles/firewall/templates/wg.intf.j2
@@ -1,5 +1,8 @@
+iface lo
+ address {{ wg_ip }}
+
 auto wg
-iface wg inet static
+iface wg use wireguard
 {% if wg_net is defined %}
 address {{ wg_net }}
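Review bot: The new `iface lo` stanza in interfaces.j2 drops the address family and method that `iface lo inet loopback` carried, and the same commit adds a second `iface lo` stanza in wg.intf.j2 (the third hunk), which is presumably pulled in by the `source-directory` line now moved below the stanza; whether an implementation merges duplicate `lo` stanzas or lets the later one silently replace the earlier one is implementation-specific (the `use wireguard` line suggests ifupdown-ng, but that is inferred), so it should be confirmed and stated in the template. A comment at the top would make the dependency explicit, e.g. `{# lo carries the addresses from `interfaces` here plus wg_ip from wg.intf.j2 (sourced below); the parser must merge duplicate iface stanzas #}`. If the parser does not merge, the loopback loses either its inventory addresses or the WireGuard anycast address without any rendering error, which is easy to miss in review of the generated file.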
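Review bot: The prerouting rule `udp dport 51820 notrack` in the new `table inet wireguard` matches every packet to that port, including traffic this host forwards or NATs on behalf of other machines, and once a flow is untracked no conntrack-dependent rule elsewhere in the file (any `ct state` match in `table inet filter`, which is outside the hunk, and the `table ip nat` rules below it) can apply to it. Limiting it to locally delivered packets, `fib daddr type local udp dport 51820 notrack \`, keeps the exemption to the host's own WireGuard listener; the filter input chain must then accept `udp dport 51820` explicitly, since `ct state established,related` never matches untracked packets. The output rule only fires when WireGuard is configured with fwmark 51820, and the literal 51820 appears twice here (port and mark) with nothing tying it to the WireGuard role; a single template variable (constructed name, e.g. `{{ wg_port }}`) used for both would keep them in step, and the comment should say where the fwmark is set. `meta nfproto ipv4` also makes the source-address rewrite IPv4-only while the inbound rule is family-agnostic, which may be intended but deserves a comment. As a point of style, the chain named `input` is hooked at `prerouting`; naming it after its hook avoids confusion with the filter table's real input chain.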