Compare commits


4 Commits

Author SHA1 Message Date
7e2b133946 fix: use ln -sf instead of update-alternatives --set
update-alternatives fails because iptables-nft isn't registered
as an alternative key (only iptables-legacy was registered by
the official Dockerfile). Direct symlink override works.
2026-05-13 12:57:12 -04:00
611e96b306 fix: remove apk add iptables-nft — built-in on Alpine 3.18+
In Alpine 3.18+, the 'iptables' package IS the nftables variant.
iptables-nft is not a separate package. The binary is already in
the base image — only need to flip update-alternatives.
2026-05-13 12:48:51 -04:00
f184ed957c Merge pull request 'fix: update wg-easy to official ghcr image with iptables-nft' (#26) from fix/vpn-iptables-nft-upstream into master
Reviewed-on: #26
2026-05-13 16:37:35 +00:00
2bf31c7ccc fix: update wg-easy to official ghcr image with iptables-nft
- Switch FROM weejewel/wg-easy:latest (4yr old, Alpine 3.11) to
  ghcr.io/wg-easy/wg-easy:latest (actively maintained, Alpine krypton)
- Use update-alternatives instead of raw ln -sf to flip iptables
  from legacy to nftables backend
- Fix compose build context: ./vpn -> . (Dockerfile was at same level)

The weejewel/wg-easy image lacked iptables-nft package in Alpine 3.11.
The new official image has it available, we just flip the alternatives.
The old ln -sf approach was fragile across Alpine versions.
2026-05-13 12:30:15 -04:00
2 changed files with 7 additions and 14 deletions
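The commits above describe flipping iptables to the nftables backend by replacing the alternatives-managed symlinks with `ln -sf`. As an added example that is not code from this repository or from the wg-easy project, the shell helper below performs the same step but refuses to create a dangling link (plain `ln -sf` succeeds even when the `-nft` target is missing, so a wrong path only surfaces as a crash at container start) and parses the backend that `iptables -V` reports. The `/usr/sbin` directory and the `-nft` tool names come from the diff; the function names `link_nft_backend` and `backend_of` are chosen here.

```shell
#!/bin/sh
# Added example, not part of the repository. Safer version of the
# "point iptables at the nftables build" step from the commits above.

# link_nft_backend BINDIR
# Relinks iptables, ip6tables and their -save/-restore tools to the
# *-nft variants in BINDIR. Returns non-zero and stops before creating
# any link whose target is missing, instead of leaving a dangling symlink.
link_nft_backend() {
    bindir="$1"
    for tool in iptables iptables-save iptables-restore \
                ip6tables ip6tables-save ip6tables-restore; do
        # iptables -> iptables-nft, iptables-save -> iptables-nft-save, ...
        case "$tool" in
            *-save)    target="${tool%-save}-nft-save" ;;
            *-restore) target="${tool%-restore}-nft-restore" ;;
            *)         target="${tool}-nft" ;;
        esac
        if [ ! -x "$bindir/$target" ]; then
            echo "link_nft_backend: missing $bindir/$target" >&2
            return 1
        fi
        # Relative link inside BINDIR, overwriting whatever alternatives set up.
        ln -sf "$target" "$bindir/$tool" || return 1
    done
    return 0
}

# backend_of VERSION_STRING
# Classifies the output of `iptables -V`, which reads e.g.
# "iptables v1.8.10 (nf_tables)" for the nftables build and
# "iptables v1.8.10 (legacy)" for the legacy build.
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Intended use in a Dockerfile RUN step on the real image (assumed layout):
#   link_nft_backend /usr/sbin \
#     && [ "$(backend_of "$(iptables -V)")" = nf_tables ]
```

The trailing check makes the image build fail if the relinked `iptables` does not actually report the nftables backend, which is the condition the crash-loop fix depends on.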


@@ -1,16 +1,9 @@
# Custom wg-easy with iptables-nft (nftables-backed iptables) # Custom wg-easy with iptables-nft (nftables-backed iptables)
# Fixes crash-loop when host kernel lacks legacy iptable_nat module. # Fixes crash-loop when host kernel lacks legacy iptable_nat module.
FROM weejewel/wg-easy:latest FROM ghcr.io/wg-easy/wg-easy:latest
# Alpine's iptables-nft provides iptables that uses nftables kernel API # The upstream image registers only iptables-legacy with update-alternatives.
# instead of the legacy iptable_nat module. This works on kernels # iptables-nft binary exists but isn't registered as an alternative.
# where only nftables netfilter modules are available. # Override the alternatives-managed symlinks directly.
RUN apk add --no-cache iptables-nft RUN ln -sf /usr/sbin/iptables-nft /usr/sbin/iptables && \
ln -sf /usr/sbin/ip6tables-nft /usr/sbin/ip6tables
# Ensure iptables-nft takes priority over legacy iptables
RUN ln -sf /sbin/iptables-nft /sbin/iptables && \
ln -sf /sbin/iptables-nft-save /sbin/iptables-save && \
ln -sf /sbin/iptables-nft-restore /sbin/iptables-restore && \
ln -sf /sbin/ip6tables-nft /sbin/ip6tables && \
ln -sf /sbin/ip6tables-nft-save /sbin/ip6tables-save && \
ln -sf /sbin/ip6tables-nft-restore /sbin/ip6tables-restore
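Review bot: the new RUN at the end of this hunk relinks only iptables and ip6tables, while the removed block also relinked iptables-save, iptables-restore, ip6tables-save and ip6tables-restore; anything in the image that invokes the -save/-restore tools will still get the legacy build and will not see rules written through the nft backend. Either carry the four -save/-restore links over alongside `ln -sf /usr/sbin/iptables-nft /usr/sbin/iptables` or say in the comment why they are no longer needed. Two further points: `ln -sf` succeeds even if /usr/sbin/iptables-nft does not exist, so a wrong path yields a dangling symlink that only shows up as a crash at container start; append a build-time check such as `&& iptables -V` (the nft build prints `(nf_tables)`) so the build fails early instead. And `FROM ghcr.io/wg-easy/wg-easy:latest` is a floating tag; since this fix depends on exactly which iptables binaries the upstream image ships, pin to a release tag or an image digest.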


@@ -3,7 +3,7 @@ version: "3.8"
services: services:
wireguard: wireguard:
build: build:
context: ./vpn context: .
dockerfile: Dockerfile dockerfile: Dockerfile
image: wg-easy-iptables-nft:latest image: wg-easy-iptables-nft:latest
container_name: wireguard container_name: wireguard
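Review bot: with `context: .` the entire compose directory is sent to the build daemon rather than just the Dockerfile, so any runtime state or secrets kept beside the compose file become part of the build context and are one `COPY`/`ADD` away from landing in an image layer. Add a `.dockerignore` next to the Dockerfile that excludes everything except the Dockerfile. Minor: the `version: "3.8"` key in the hunk header is obsolete under the Compose specification and only produces a warning; it can be dropped.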