diff --git a/system/vpn.nix b/system/vpn.nix
index a64460f..63fd1ee 100644
--- a/system/vpn.nix
+++ b/system/vpn.nix
@@ -34,4 +34,28 @@
 fi
 '';
 };
+
+ # Exclude Tailscale from Mullvad VPN
+ networking.firewall.extraCommands = ''
+ ${pkgs.nftables}/bin/nft -f ${
+ pkgs.writeText "mullvad-incoming" ''
+ table inet allow-tailscale {
+ chain exclude-dns {
+ type filter hook output priority -10; policy accept;
+ ip daddr 100.00.100.100 udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ ip daddr 100.00.100.100 tcp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ }
+ chain exclude-outgoing {
+ type route hook output priority 0; policy accept;
+ ip daddr 100.64.0.0/10 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ ip6 daddr fd7a:115c:a1e0::/48 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ }
+ chain allow-incoming {
+ type filter hook input priority -100; policy accept;
+ iifname "tailscale0" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ }
+ }
+ ''
+ }
+ '';
 }
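Review bot: Both rules in `chain exclude-dns` match `ip daddr 100.00.100.100`, which is not the Tailscale MagicDNS resolver (100.100.100.100) and does not even fall inside the 100.64.0.0/10 range that `exclude-outgoing` marks, so the DNS exclusion is dead and queries to the resolver are not marked by this chain; presumably the intended lines are `ip daddr 100.100.100.100 udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;` and the matching `tcp dport 53` rule. The table is loaded with `nft -f` from `networking.firewall.extraCommands` without a preceding delete of `table inet allow-tailscale`, so every firewall start or reload appears to append a second copy of each rule; a `delete table inet allow-tailscale 2>/dev/null || true` before the load (or the equivalent in `networking.firewall.extraStopCommands`) would keep it idempotent. Marking all of 100.64.0.0/10 also excludes traffic to any non-Tailscale host in that shared address space from the VPN, which is worth a comment such as `# NOTE: 100.64.0.0/10 is carrier-grade NAT space, not only Tailscale; consider matching on oifname "tailscale0" instead`. The enclosing attribute set starts before this hunk.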