[BUG] WireGuard Container Fails to Start Due to nftables Error on Older Kernel

[qlaffont]

I am encountering an issue where the WireGuard container fails to start due to a nftables error. The container is attempting to use nftables, which is not supported by my host kernel (4.4.302). Despite setting WG_USE_IPTABLES=true, the container still tries to apply nftables rules, resulting in the following error:
netlink: Error: cache initialization failed: Invalid argument

Environment

Host OS: Synology NAS
Kernel Version: 4.4.302+
Docker Version: 24.0.2
WireGuard Image: lscr.io/linuxserver/wireguard:latest

Configuration

docker-compose.yml:

version: "3.6"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.default.disable_ipv6=1
    environment:
      - PUID=1026
      - PGID=101
      - TZ=Europe/Paris
      - WG_USE_IPTABLES=true
    volumes:
      - /volume1/backups/wireguard-vpn-relay/wg_confs:/config
    ports:
      - 63710:51820/udp
      - 51821:5000/tcp
    restart: always

wg0.conf:

PrivateKey = 
Address = 
DNS = 192.168.1.1
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = 
AllowedIPs = 0.0.0.0/0
Endpoint = 
PersistentKeepalive = 25

Expected Behavior

The container should start successfully and use iptables instead of nftables when WG_USE_IPTABLES=true is set.

Actual Behavior

The container fails to start due to a nftables error, even when WG_USE_IPTABLES=true is set.

Additional Information

The host kernel (4.4.302) does not support nftables.
The container is attempting to apply nftables rules, which fails.
Setting WG_USE_IPTABLES=true does not seem to prevent the container from trying to use nftables.

[github-actions]

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

[j0nnymoe]

Where are you getting the WG_USE_IPTABLES env from as there is nothing about that in our docs?

[qlaffont]

It comes from an AI but it's a false configuration

[j0nnymoe]

It's not going to work as there is no such env in our container. Unfortunately your issue is due to Synology not updating kernals on their NAS units. Little we can do as anything we could try would only be a band-aid fix.

[0xlnz]

(Commenting here as #390 is locked)

For those looking for a workaround that doesn't involve pinning an old release, I’ve created a wrapper that patches the latest upstream releases to use iptables-legacy: https://github.com/0xlnz/wireguard-iptables-legacy.

It essentially replaces the iptables binary in the LinuxServer image to maintain compatibility with older kernels. It’s working for my setup, but I’d welcome any feedback on potential edge cases or long-term stability. @j0nnymoe @drizuid

[drizuid]

It's great to see contributions, but I see no reason for us to merge anything to bandaid kennels that have been end life for multiple years

Great work around though, I hope you're able to advertise it out to the syno community

[0xlnz]

no reason for us to merge

Agreed. I built this purely as an external workaround for those of us stuck on horribly outdated kernels, so I definitely didn't expect it to be merged upstream

Since #390 is the main thread people land on for this issue (and it's currently locked), would it be possible to add a small note or link there? It might help save some headaches for others in the Synology community looking for a fix.