It’s possible, but again, iptables will never see that IP address in this case because of the VPN.
Packets hit the application layer when the destination and port of a packet match something that is listening for them. Looking at the 1st diagram I pasted, you can see the path to the application layer. In this case, it goes
Link layer → is the packet to/from a directly connected neighbor? You usually look at the MAC address at this layer.
Network layer then looks at the src/dst IP addresses to determine where to send it (layer 3 routing). It just needs to figure out who the next hop is (it could be this very device).
Protocol layer is where the ports are checked. The packet was destined to this device, so which port? If there is something listening on that port, send it to them. Else, drop it (replies with PORT UNREACHABLE by default)
Finally, the application layer. The packet is no longer in the kernel. The application has a complete copy of the packet. In this case, the VPN application has a (probably encrypted) packet. It will remove the VPN headers from the packet (and decrypt if needed).
NOW, the VPN has to decide wtf to do with this new, unencrypted packet. You could just push it back onto the network stack and let iptables/kernel figure it out. And a lot of VPNs will do just that. But in your case, the VPN is also running the other application, so it doesn’t have to do that. It just passes it right on over.
The packets hit the VPN application because they are destined to it. When you use a VPN, you take your normal packet (from a.b.c.d to homeassistant.com), then wrap it in another layer. That packet fully exists, but you put on a new header that says (no no, send this packet to w.x.y.z instead. He’ll know what to do with it). And he does.
But iptables is running on the same box as HA. And there are two interfaces on this box, eth0 and wg0 [the latter is the VPN]. So why can’t iptables see both? Are you saying I would need 3 interfaces, and if so, then why can iptables “see” traffic when it’s running at the kernel level – you mentioned the traffic lives in the app layer. Confused.com!
Again, iptables exists only in the kernel. Once the kernel handed the VPN the packet, it would only ever see it again IF the VPN sent it out an external interface. If the packet went from eth0 → wg0 → eth1, it would totally see the packet between wg0 and eth1. But, because the VPN is also running the HA app, it won’t send it anywhere! Thus, the kernel will never see the packet after the VPN gets a hold of it.
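To make the "packet wrapped in another packet" idea concrete, here is an added example (not code from anyone in this thread) that builds an IPv4-in-UDP encapsulation like the one described above and then does what the VPN application does after the kernel hands it the datagram: verifies and strips the outer header and reveals the inner packet that iptables on this box never sees. All addresses are constructed documentation-range placeholders standing in for a.b.c.d, homeassistant.com and w.x.y.z; port 51820 is just the usual WireGuard port and is not tied to the original poster's setup.

```python
import socket
import struct

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 means valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    # UDP checksum left at 0 (allowed over IPv4); length covers header + data.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); raise on a corrupted header."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:])

def decapsulate(outer: bytes) -> dict:
    """What the VPN app does: strip outer IP + UDP and expose the inner packet.
    The inner packet only re-enters the kernel (and iptables) if the app
    chooses to re-inject it; here it is simply returned to the caller."""
    o_src, o_dst, o_proto, o_payload = parse_ipv4(outer)
    if o_proto != 17:
        raise ValueError("outer packet is not UDP")
    i_src, i_dst, i_proto, _ = parse_ipv4(o_payload[8:])  # skip UDP header
    return {"outer": (o_src, o_dst), "inner": (i_src, i_dst), "inner_proto": i_proto}

# Constructed sample: inner TCP packet "a.b.c.d" -> "homeassistant" (192.0.2.10),
# wrapped in a UDP datagram addressed to the VPN endpoint "w.x.y.z".
INNER = build_ipv4("203.0.113.5", "192.0.2.10", 6, b"\x00" * 20)
OUTER = build_ipv4("203.0.113.5", "198.51.100.7", 17, build_udp(51820, 51820, INNER))
```

Running `decapsulate(OUTER)` shows the outer packet addressed to the VPN endpoint and the inner packet addressed to the HA host; a firewall matching on the inner destination would only ever see it if the app pushed that inner packet back onto the stack.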