diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix
index e1e640c4474..1578f8680c8 100644
--- a/nixos/modules/virtualisation/nixos-containers.nix
+++ b/nixos/modules/virtualisation/nixos-containers.nix
@@ -445,6 +445,7 @@ let
 localAddress = null;
 localAddress6 = null;
 tmpfs = null;
+ mullvadExclude = false;
 };
 in
@@ -691,6 +692,14 @@ in
 '';
 };
+ mullvadExclude = mkOption {
+ type = types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Start container with mullvad-exclude.
+ '';
+ };
+
 # Removed option. See `checkAssertion` below for the accompanying error message.
 pkgs = mkOption { visible = false; };
 } // networkOptions;
@@ -767,6 +776,8 @@ in
 postStart = postStartScript dummyConfig;
+ postStop = mkIf dummyConfig.mullvadExclude "";
+
 restartIfChanged = false;
 serviceConfig = serviceDirectives dummyConfig;
@@ -797,7 +808,12 @@ in
 recursiveUpdate unit {
 preStart = preStartScript containerConfig;
 script = startScript containerConfig;
- postStart = postStartScript containerConfig;
+ postStart = (if containerConfig.mullvadExclude then ''
+ ${config.services.mullvad-vpn.package}/bin/mullvad split-tunnel pid add $MAINPID
+ '' else "") + postStartScript containerConfig;
+ postStop = mkIf containerConfig.mullvadExclude ''
+ ${config.services.mullvad-vpn.package}/bin/mullvad split-tunnel pid delete $MAINPID
+ '';
 serviceConfig = serviceDirectives containerConfig;
 unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "${stateDirectory}/%i";
 environment.root = if containerConfig.ephemeral then "/run/nixos-containers/%i" else "${stateDirectory}/%i";
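Review bot: The description of the new `mullvadExclude` option in the `@@ -691` hunk says "Start container with mullvad-exclude", but what the later hunk actually does is register the service's main PID with Mullvad split tunneling (`mullvad split-tunnel pid add`), so the text names a tool that is not used and does not tell the reader what the option changes for them. It should state the consequence and the prerequisite, e.g. `Register the container's main process with Mullvad split tunneling so its network traffic bypasses the VPN tunnel and leaves through the host's ordinary routing. Requires the Mullvad daemon from services.mullvad-vpn to be running on the host.` The option set this hunk belongs to starts and ends outside the hunk.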
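Review bot: In the `@@ -767` hunk, `postStop = mkIf dummyConfig.mullvadExclude "";` is dead, because `dummyConfig.mullvadExclude` is pinned to `false` by the first hunk, and it leaves a `mkIf` value inside an attrset that the `@@ -797` hunk later merges with `recursiveUpdate`; `recursiveUpdate` descends into the `_type`/`condition`/`content` attributes of the two `mkIf` values, which happens to work but is fragile. Since the per-container unit sets `postStop` itself, the template entry can simply be dropped, or, if a key is wanted for symmetry, written as a plain string: `postStop = "";`. The dummy unit's attrset starts and ends outside this hunk.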
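Review bot: In the `@@ -797` hunk, both `mullvad` invocations use `$MAINPID` unguarded, and if the option is set on a host where the Mullvad daemon is not running, the `postStart` command fails and takes the container's start with it; the option references `config.services.mullvad-vpn.package` but nothing checks that the service is enabled. A module assertion such as `{ assertion = containerConfig.mullvadExclude -> config.services.mullvad-vpn.enable; message = "containers.<name>.mullvadExclude requires services.mullvad-vpn.enable"; }` would make the failure an evaluation-time message rather than a unit that will not start. Whether `$MAINPID` is still set when `postStop` runs after the main process has exited is not established by the hunk; if it can be empty, `pid delete` runs with no argument, so consider guarding it (`[ -n "$MAINPID" ] && ... pid delete "$MAINPID"` or an equivalent) and verifying that processes the container forked before `postStart` ran are in fact covered by the exclusion. As a style point, `(if containerConfig.mullvadExclude then '' ... '' else "") + ...` reads more naturally as `lib.optionalString containerConfig.mullvadExclude '' ... '' + postStartScript containerConfig`. The `recursiveUpdate unit { ... }` expression continues past the end of the hunk.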