Sharing VPN connection with 2nd desktop wired directly together

sysctl -n net.ipv4.ip_forward
1

table inet mullvad {
	chain prerouting {
		type filter hook prerouting priority -199; policy accept;
		iif != "wg-mullvad" ct mark 0x00000f41 meta mark set 0x6d6f6c65
		ip saddr mullvad_server_ip udp sport 123 meta mark set 0x6d6f6c65
	}

	chain output {
		type filter hook output priority filter; policy drop;
		oif "lo" accept
		ct mark 0x00000f41 accept
		udp sport 68 ip daddr 255.255.255.255 udp dport 67 accept
		ip daddr mullvad_server_ip udp dport 123 meta mark 0x6d6f6c65 accept
		oif "wg-mullvad" udp dport 53 ip daddr wireguard_ip accept
		oif "wg-mullvad" tcp dport 53 ip daddr wireguard_ip accept
		udp dport 53 reject
		tcp dport 53 reject with tcp reset
		oif "wg-mullvad" accept
		ip daddr 10.0.0.0/8 accept
		ip daddr 172.16.0.0/12 accept
		ip daddr 192.168.0.0/16 accept
		ip daddr 169.254.0.0/16 accept
		ip daddr 255.255.255.255 accept
		ip daddr 224.0.0.0/24 accept
		ip daddr 239.0.0.0/8 accept
		udp sport 67 udp dport 68 accept
		reject
	}

	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept
		ct mark 0x00000f41 accept
		udp sport 67 udp dport 68 accept
		ip saddr mullvad_server_ip udp sport 123 ct state established accept
		iif "wg-mullvad" accept
		ip daddr our_client_wireguard_ip drop
		ip saddr 10.0.0.0/8 accept
		ip saddr 172.16.0.0/12 accept
		ip saddr 192.168.0.0/16 accept
		ip saddr 169.254.0.0/16 accept
		udp sport 68 ip daddr 255.255.255.255 udp dport 67 accept
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		udp sport 68 ip daddr 255.255.255.255 udp dport 67 accept
		udp sport 67 udp dport 68 accept
		oif "wg-mullvad" udp dport 53 ip daddr wireguard_ip accept
		oif "wg-mullvad" tcp dport 53 ip daddr wireguard_ip accept
		udp dport 53 reject
		tcp dport 53 reject with tcp reset
		oif "wg-mullvad" accept
		iif "wg-mullvad" ct state established accept
		ip daddr 10.0.0.0/8 accept
		ip daddr 172.16.0.0/12 accept
		ip daddr 192.168.0.0/16 accept
		ip daddr 169.254.0.0/16 accept
		ip daddr 255.255.255.255 accept
		ip daddr 224.0.0.0/24 accept
		ip daddr 239.0.0.0/8 accept
		reject
	}
}

table ip mullvadmangle4 {
	chain mangle {
		type route hook output priority mangle; policy accept;
		oif "wg-mullvad" udp dport 53 ip daddr wireguard_ip accept
		oif "wg-mullvad" tcp dport 53 ip daddr wireguard_ip accept
		meta cgroup 5087041 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
	}

	chain nat {
		type nat hook postrouting priority srcnat; policy accept;
		oif "wg-mullvad" ct mark 0x00000f41 drop
		oif != "lo" ct mark 0x00000f41 masquerade
	}
}

mullvad_server_ip is the public IP of the server

wireguard_ip is the 10.0.0.0/8 subnet of the server itself

our_client_wireguard_ip is the 10.0.0.0/8 subnet IP given to us by the server

I am using Mullvad VPN with their official desktop client app, available on GitHub at mullvad/mullvadvpn-app.

The goal is to share the VPN with a 2nd desktop wired directly to a secondary NIC on the 1st desktop, essentially using the 1st desktop as a router with NAT masquerade.

I already have a successful link between the two with static IP configuration, allowing a test nginx page hosted on the 1st desktop to be loaded on the 2nd desktop.

Desktop 1 is 192.168.1.1
Desktop 2 is 192.168.1.2 with 192.168.1.1 as gateway

I know this could be done in different ways, but I am strictly trying to modify this existing nftables ruleset just enough to get the forwarding to work.

I’ve read similar topics suggesting setting a static route on the 2nd desktop, but this defeats the purpose of a plug-and-play solution, as the WireGuard 10.0.0.0/8 subnet addresses can change.
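
An added example, not part of the original post: in the ruleset shown, the forward chain already accepts traffic leaving wg-mullvad and established replies coming back, but the nat chain masquerades only connections carrying ct mark 0x00000f41, so packets forwarded from 192.168.1.2 would enter the tunnel with their LAN source address. A separate table that source-NATs them could look like this. The table and chain names are hypothetical, and the 192.168.1.0/24 prefix is assumed from the two addresses given.

```nft
# Added example, not from the original post. Table and chain names are
# hypothetical; 192.168.1.0/24 is assumed from the two addresses given.
table ip lanshare {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		# oifname matches by name rather than interface index, so the
		# table still loads while wg-mullvad is down or being recreated.
		ip saddr 192.168.1.0/24 oifname "wg-mullvad" masquerade
	}
}
```

DNS from the 2nd desktop is still subject to the posted forward chain, which accepts port 53 only toward wireguard_ip over wg-mullvad and rejects it everywhere else.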