diff --git a/group_vars/infra/firewall.yml b/group_vars/infra/firewall.yml
index a449ae4..19866f1 100644
--- a/group_vars/infra/firewall.yml
+++ b/group_vars/infra/firewall.yml
@@ -219,8 +219,9 @@ firewall__forward:
 verdict: accept
 # Admin Wireguard
 - dst:
- 2a09:6840:211::204
+ - 2a09:6840:211::1:1
 - 45.66.111.204
+ - 10.211.1.1
 protocols:
 udp:
 dport: 5121
diff --git a/group_vars/vpn/bird.yml b/group_vars/vpn/bird.yml
index b63fd68..dc9115a 100644
--- a/group_vars/vpn/bird.yml
+++ b/group_vars/vpn/bird.yml
@@ -1,14 +1,20 @@
 ---
+bird__tables:
+ - wg
+
 bird__kernel:
 kernel:
 learn: true
 import: accept
 export: accept
 vrf:
- import: reject
+ learn: true
+ import:
+ sources:
+ - "{{ iproute2__custom_protos.wireguard }}"
 export: accept
 table: wg
- kernel: "{{ iproute2__custom_protos.wireguard }}"
+ kernel: "{{ iproute2__custom_tables.wireguard }}"
 bird__ospf:
 limits:
@@ -17,17 +23,13 @@ bird__ospf:
 table: wg
 import: accept
 export:
- protos:
- - kernel
- - wireguard
+ sources:
+ - "{{ iproute2__custom_protos.wireguard }}"
 areas:
 1:
 broadcast:
 - vpn0
-bird__tables:
- - wg
-
 bird__bgp:
 infra1:
 local:
diff --git a/group_vars/vpn/ifupdown2.yml b/group_vars/vpn/ifupdown2.yml
index cd7c311..8f607a5 100644
--- a/group_vars/vpn/ifupdown2.yml
+++ b/group_vars/vpn/ifupdown2.yml
@@ -8,6 +8,7 @@ ifupdown2__wireguard:
 private_key: "{{ vault_wireguard_wg0_private }}"
 listen_port: 5121
 vrf: wg-vrf
+ table: "{{ iproute2__custom_tables.wireguard }}"
 peer_allowed_addresses:
 - 2a09:6840:212::1:1/128
 - 10.212.1.1/32
diff --git a/group_vars/vpn/iproute2.yml b/group_vars/vpn/iproute2.yml
index f81f76a..645773c 100644
--- a/group_vars/vpn/iproute2.yml
+++ b/group_vars/vpn/iproute2.yml
@@ -3,5 +3,5 @@ iproute2__custom_tables:
 wireguard: 2000
 iproute2__custom_protos:
- wireguard: 2000
+ wireguard: 200
 ...
diff --git a/host_vars/wg-1.vpn.infra.auro.re.yml b/host_vars/wg-1.vpn.infra.auro.re.yml
index a3960c2..095fa22 100644
--- a/host_vars/wg-1.vpn.infra.auro.re.yml
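Review bot: The three `dst` entries of the Admin Wireguard forward rule are a hand-maintained copy of wg-1's own addresses (the same `2a09:6840:211::1:1`, `10.211.1.1` and `45.66.111.204` appear as interface addresses in host_vars/wg-1.vpn.infra.auro.re.yml in this commit), so the kind of drift this hunk corrects for IPv6 will recur at the next readdressing. At minimum mark the coupling on the existing comment, `# Admin Wireguard — must match the wg-1 interface addresses in host_vars/wg-1.vpn.infra.auro.re.yml`, or template the list from `hostvars` so there is one source of truth. The rule's `src` side is outside the hunk; if it is unrestricted, say next to the rule that UDP/5121 is deliberately reachable from every forwarded network, including through the newly added private `10.211.1.1` entry.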
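Review bot: The corrected `kernel:` key now reads `iproute2__custom_tables.wireguard` (a table id) where it previously read `iproute2__custom_protos.wireguard` (a route protocol); that mix-up was invisible only because both dictionaries held 2000 under the same `wireguard` key, and nothing in the hunk stops it being reintroduced. Put the distinction on the line itself: `kernel: "{{ iproute2__custom_tables.wireguard }}"  # kernel table id of the VRF, not the route protocol number`. Likewise `learn: true` with the `sources` import filter means every route present in that table with the WireGuard protocol number — whoever installed it — is imported and, with `export: accept`, pushed back out; that is presumably the intent for the per-peer routes, but a one-line comment stating it would spare the next reader from re-deriving it.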
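Review bot: The OSPF `export` filter moves from `protos: [kernel, wireguard]` to `sources: ["{{ iproute2__custom_protos.wireguard }}"]`, i.e. a kernel route protocol number, and how the role's `import_export` macro turns `sources` into BIRD syntax is not visible here. In BIRD the `source` attribute is the RTS_* enum while the kernel protocol field is `krt_source`; if the macro emits a `source` comparison the filter matches nothing and the peer routes silently stop being advertised, so confirm which attribute it emits and record it, e.g. `sources:  # matched against krt_source (kernel route protocol)`. Dropping `kernel` from the export also narrows what OSPF advertises to the WireGuard peer routes only, which reads as a deliberate tightening and deserves a comment saying so.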
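Review bot: The protocol number drops from 2000 to 200 without saying why, and the reason carries the rest of the commit: the kernel's `rtm_protocol` field is 8 bits wide, so 2000 could never be stored on a route or matched by a `proto` filter, which presumably is why the protocol-based filters never saw the WireGuard routes. Pin the constraint so the value is not bumped back later: `wireguard: 200  # rtm_protocol is a u8: keep below 256 and clear of the values named in /etc/iproute2/rt_protos (bgp/isis/ospf/rip sit at 186-189, eigrp at 192)`. Keeping it distinct from BIRD's own protocol number (12) is also what lets the `sources` import filter in bird.yml avoid re-learning the routes BIRD itself exports. The table id (`iproute2__custom_tables.wireguard: 2000`) is a 32-bit value and is fine as is.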
+++ b/host_vars/wg-1.vpn.infra.auro.re.yml
@@ -9,11 +9,13 @@ ifupdown2__interfaces:
 addresses:
 - 2a09:6840:211::1:1/64
 - 10.211.1.1/16
- - 45.66.111.200/30
+ - 45.66.111.204/30
 vpn0:
 addresses:
 - 2a09:6840:213::1:3/64
 - 10.213.1.3/16
+ # FIXME: move to group_vars
+ goto_table: "{{ iproute2__custom_tables.wireguard }}"
 bird__router_id: 10.213.1.3
diff --git a/roles/bird/templates/bird.conf.j2 b/roles/bird/templates/bird.conf.j2
index 459ac43..e5884d4 100644
--- a/roles/bird/templates/bird.conf.j2
+++ b/roles/bird/templates/bird.conf.j2
@@ -53,8 +53,8 @@ protocol kernel {{ name | bird_name(ipv4) }} {
 {% set ipv4 = version == "ipv4" %}
 protocol pipe {{ name | bird_name(ipv4) }} {
 table {{ pipe.table | bird_name(ipv4) }};
- peer_table {{ pipe.peer_table | bird_name(ipv4) }};
- {{ import_export(kernel, ipv4) | indent(8) }}
+ peer table {{ pipe.peer_table | default("master") | bird_name(ipv4) }};
+ {{ import_export(kernel, ipv4) | indent(4) }}
 }
 {% endfor %}
 {% endfor %}
diff --git a/roles/ifupdown2/templates/interfaces.j2 b/roles/ifupdown2/templates/interfaces.j2
index de4ff68..2968730 100644
--- a/roles/ifupdown2/templates/interfaces.j2
+++ b/roles/ifupdown2/templates/interfaces.j2
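Review bot: `45.66.111.204/30` puts the interface on the all-zeros address of that /30 (the conventional host addresses being .205 and .206); Linux accepts it, but some peers and filters treat the subnet address as non-host, so confirm the prefix length the provider actually assigned and, if the host is only meant to own .204, prefer `45.66.111.204/32` with an explicit on-link route. The change does line the host up with the firewall's `45.66.111.204` forward entry, which the previous `45.66.111.200/30` (covering .200–.203) never contained — worth one line in the commit message or a comment. The `# FIXME: move to group_vars` on `goto_table` should say what blocks the move; the value is just `iproute2__custom_tables.wireguard`, which already lives in group_vars/vpn, so an undocumented FIXME here will simply stay.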
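Review bot: Inside the pipe loop the filters are rendered from `import_export(kernel, ipv4)` while the table and peer table come from `pipe`, so the pipe's import/export policy is whatever `kernel` happens to be bound to at that point (the enclosing `for` headers are outside the hunk, so it cannot be checked here). A pipe is exactly where routes cross between the VRF table and `master`, so rendering it with another protocol's policy can leak VPN routes into the main table or the reverse, undoing the isolation the rest of this commit sets up. If `bird__pipes` entries carry their own `import`/`export`, the line should be `{{ import_export(pipe, ipv4) | indent(4) }}`; if reusing the kernel protocol's policy is intended, say so with `{# pipe filters deliberately mirror the kernel protocol's #}`. The `| default("master")` on `peer table` only fires when the key is absent, not when it is set to an empty value, which is fine as long as callers know it.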
@@ -15,11 +15,13 @@ ip-forward yes
 ip6-forward yes
 {% endif %}
 {% if iface.goto_table is defined %}
-{% set prio = ifupdown2__prio_base + 2 * index %}
-pre-up ip rule add prio {{ prio }} iif $IFACE table {{ iface.goto_table }}
-pre-up ip rule add prio {{ prio + 1 }} iif $IFACE blackhole
-post-down ip rule del prio {{ prio }} iif $IFACE table {{ iface.goto_table }}
-post-down ip rule del prio {{ prio + 1 }} iif $IFACE blackhole
+{% set prio = ifupdown2__prio_base + 3 * index %}
+pre-up ip rule add prio {{ prio }} iif $IFACE table local
+pre-up ip rule add prio {{ prio + 1 }} iif $IFACE table {{ iface.goto_table }}
+pre-up ip rule add prio {{ prio + 2 }} iif $IFACE blackhole
+post-down ip rule del prio {{ prio }} iif $IFACE table local
+post-down ip rule del prio {{ prio + 1 }} iif $IFACE table {{ iface.goto_table }}
+post-down ip rule del prio {{ prio + 2 }} iif $IFACE blackhole
 {% endif %}
 {% if iface.vrf is defined %}
 vrf {{ iface.vrf }}
@@ -30,10 +32,13 @@ ipv6-addrgen {{ iface.ipv6_addrgen
 {% endif %}
 {% endmacro %}
+{% set index = 1 %}
+
 {% for name, iface in ifupdown2__interfaces.items() %}
+{% set index = index + 4 %}
 auto {{ name }}
 iface {{ name }}
- {{ iface_common(iface) | indent(4) }}
+ {{ iface_common(iface, index) | indent(4) }}
 {% if iface.bridge_ports is defined %}
 bridge-ports {{ iface.bridge_ports | join(" ") }}
 {% endif %}
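Review bot: The new `iif $IFACE table local` rule only changes anything if these rules sit ahead of the kernel's default prio-0 `local` rule, i.e. if the role relocates that rule (the usual VRF/l3mdev arrangement); if `ifupdown2__prio_base` is positive and the default rule is untouched, the two added lines are dead weight. Either way the ordering is security-relevant and undocumented: looking up `local` first makes every address this host owns, on any interface, reachable from a `goto_table` interface, and only the firewall's input chain then decides what is answered, while everything else arriving on `$IFACE` is confined to its own table and blackholed. Proposed comment above the `set prio` line: `{# order: host-local delivery, then the interface's own table, then drop everything else that arrived on $IFACE #}`. Note also that on current kernels `ip rule add` with an identical selector fails with EEXIST, so a second `pre-up` on an interface whose `post-down` never ran aborts the bring-up; a matching `ip rule del … || true` before each add keeps it idempotent.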
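Review bot: `{% set index = index + 4 %}` inside the `for` loop never accumulates: Jinja2 scopes `set` to the loop body, so every iteration reads the template-level `index` (1) and gets 5, and the outer `index` is still 1 when the wireguard and vrf loops further down do the same. Every interface is therefore rendered with index 5 and an identical `prio` ladder; the `ip rule` commands still succeed because the rules differ by `iif`, but the per-interface priorities the change sets out to build do not exist, and the previous `index=loop.index` at least varied within a loop. The Jinja2 construct for state that survives iterations is a `namespace` object; the same two-line change is needed in the wireguard and vrf loops.
```jinja
{% set ns = namespace(index=1) %}

{% for name, iface in ifupdown2__interfaces.items() %}
{% set ns.index = ns.index + 4 %}
auto {{ name }}
iface {{ name }}
    {{ iface_common(iface, ns.index) | indent(4) }}
{# … unchanged: bridge_ports and the rest of the stanza … #}
```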
@@ -58,19 +63,22 @@ iface {{ name }}
 {% endfor %}
 {% for name, iface in ifupdown2__wireguard.items() | sort(attribute="0") %}
+{% set index = index + 4 %}
 auto {{ name }}
 iface {{ name }}
 link-type wireguard
- {{ iface_common(iface, index=loop.index) | indent(4) }}
+ {{ iface_common(iface, index) | indent(4) }}
 pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
 {% for address in iface.peer_allowed_addresses | default([]) %}
- post-up ip route add {{ address }} proto {{ ifupdown2__wireguard_proto }} dev $IFACE
+ post-up ip route add {{ address }} proto {{ ifupdown2__wireguard_proto }} \ table {{ iface.table | default("main") }} dev $IFACE
 {% endfor %}
 {% endfor %}
 {% for name, iface in ifupdown2__vrf.items() | sort(attribute="0") %}
+{% set index = index + 4 %}
 auto {{ name }}
 iface {{ name }}
- {{ iface_common(iface, index=loop.index) | indent(4) }}
+ {{ iface_common(iface, index) | indent(4) }}
 vrf-table {{ iface.table }}
 {% endfor %}
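Review bot: `table {{ iface.table | default("main") }}` means a WireGuard interface that has `vrf:` set but no `table:` gets its `peer_allowed_addresses` routes installed in `main`, outside the VRF it was just enslaved to, and nothing fails; when `iface.vrf is defined` the template should refuse to default (e.g. Ansible's `{{ iface.table | mandatory }}` in that branch) or the role docs should state that `table` is required together with `vrf`. The two new `{% set index = index + 4 %}` lines also hit Jinja2 loop scoping — the assignment does not outlive the iteration and the right-hand side resolves to the template-level `index`, so every WireGuard and VRF interface renders with the same value rather than a running counter; a top-level `{% set ns = namespace(index=1) %}` with `{% set ns.index = ns.index + 4 %}` and `iface_common(iface, ns.index)` here gives the intended counter. Finally, confirm that ifupdown2 honours the trailing `\` continuation in a `post-up` line; if it splits the file on newlines before handing the command to the shell, keep the `ip route add` on a single line.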