diff --git a/vpn/Dockerfile b/vpn/Dockerfile
index 931d3bf..ea6f370 100644
--- a/vpn/Dockerfile
+++ b/vpn/Dockerfile
@@ -1,16 +1,10 @@
 # Custom wg-easy with iptables-nft (nftables-backed iptables)
 # Fixes crash-loop when host kernel lacks legacy iptable_nat module.
-FROM weejewel/wg-easy:latest
+FROM ghcr.io/wg-easy/wg-easy:latest
 
-# Alpine's iptables-nft provides iptables that uses nftables kernel API
-# instead of the legacy iptable_nat module. This works on kernels
-# where only nftables netfilter modules are available.
-RUN apk add --no-cache iptables-nft
-
-# Ensure iptables-nft takes priority over legacy iptables
-RUN ln -sf /sbin/iptables-nft /sbin/iptables && \
-    ln -sf /sbin/iptables-nft-save /sbin/iptables-save && \
-    ln -sf /sbin/iptables-nft-restore /sbin/iptables-restore && \
-    ln -sf /sbin/ip6tables-nft /sbin/ip6tables && \
-    ln -sf /sbin/ip6tables-nft-save /sbin/ip6tables-save && \
-    ln -sf /sbin/ip6tables-nft-restore /sbin/ip6tables-restore
+# The upstream image defaults to iptables-legacy via update-alternatives.
+# Switch to iptables-nft so it works on kernels where only nftables
+# netfilter modules are available (iptable_nat module missing).
+RUN apk add --no-cache iptables-nft && \
+    update-alternatives --set iptables /usr/sbin/iptables-nft && \
+    update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
diff --git a/vpn/compose.yml b/vpn/compose.yml
index 22ca77a..cd14f27 100644
--- a/vpn/compose.yml
+++ b/vpn/compose.yml
@@ -3,7 +3,7 @@ version: "3.8"
 services:
   wireguard:
     build:
-      context: ./vpn
+      context: .
       dockerfile: Dockerfile
     image: wg-easy-iptables-nft:latest
     container_name: wireguard
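Review bot: The base image is still pulled as `FROM ghcr.io/wg-easy/wg-easy:latest`, yet the `update-alternatives --set` calls below it only work if upstream keeps registering `iptables`/`ip6tables` alternatives at those `/usr/sbin` paths; an upstream change would fail the build or, worse, silently leave legacy iptables active and re-introduce the crash-loop the header comment describes. Pin the base to a specific tag or digest (`FROM ghcr.io/wg-easy/wg-easy:<pinned-tag>`) and pin the package (`apk add --no-cache iptables-nft=<version>`) so the image only changes when you bump it deliberately. Note also that `update-alternatives --set` fails if `/usr/sbin/iptables-nft` was never registered as an alternative, and it switches only the master link, so unlike the removed `ln -sf` lines it covers `iptables-save`/`iptables-restore` only if upstream registered them as slaves — worth confirming against the upstream Dockerfile. A cheap build-time guard in the same RUN, `&& iptables -V | grep -q nf_tables`, makes the layer fail fast instead of shipping an image that still resolves to legacy iptables.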