From 2bf31c7ccc8fc1f9f87555a750a0551bfac83221 Mon Sep 17 00:00:00 2001
From: Hermes
Date: Wed, 13 May 2026 12:30:15 -0400
Subject: [PATCH] fix: update wg-easy to official ghcr image with iptables-nft

- Switch FROM weejewel/wg-easy:latest (4yr old, Alpine 3.11) to ghcr.io/wg-easy/wg-easy:latest (actively maintained, Alpine krypton)
- Use update-alternatives instead of raw ln -sf to flip iptables from legacy to nftables backend
- Fix compose build context: ./vpn -> . (Dockerfile was at same level)

The weejewel/wg-easy image lacked iptables-nft package in Alpine 3.11. The new official image has it available, we just flip the alternatives. The old ln -sf approach was fragile across Alpine versions.
---
 vpn/Dockerfile | 20 +++++++-------------
 vpn/compose.yml | 2 +-
 2 files changed, 8 insertions(+), 14 deletions(-)

diff --git a/vpn/Dockerfile b/vpn/Dockerfile
index 931d3bf..ea6f370 100644
--- a/vpn/Dockerfile
+++ b/vpn/Dockerfile
@@ -1,16 +1,10 @@
 # Custom wg-easy with iptables-nft (nftables-backed iptables)
 # Fixes crash-loop when host kernel lacks legacy iptable_nat module.
-FROM weejewel/wg-easy:latest
+FROM ghcr.io/wg-easy/wg-easy:latest
 
-# Alpine's iptables-nft provides iptables that uses nftables kernel API
-# instead of the legacy iptable_nat module. This works on kernels
-# where only nftables netfilter modules are available.
-RUN apk add --no-cache iptables-nft
-
-# Ensure iptables-nft takes priority over legacy iptables
-RUN ln -sf /sbin/iptables-nft /sbin/iptables && \
- ln -sf /sbin/iptables-nft-save /sbin/iptables-save && \
- ln -sf /sbin/iptables-nft-restore /sbin/iptables-restore && \
- ln -sf /sbin/ip6tables-nft /sbin/ip6tables && \
- ln -sf /sbin/ip6tables-nft-save /sbin/ip6tables-save && \
- ln -sf /sbin/ip6tables-nft-restore /sbin/ip6tables-restore
+# The upstream image defaults to iptables-legacy via update-alternatives.
+# Switch to iptables-nft so it works on kernels where only nftables
+# netfilter modules are available (iptable_nat module missing).
+RUN apk add --no-cache iptables-nft && \
+ update-alternatives --set iptables /usr/sbin/iptables-nft && \
+ update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
diff --git a/vpn/compose.yml b/vpn/compose.yml
index 22ca77a..cd14f27 100644
--- a/vpn/compose.yml
+++ b/vpn/compose.yml
@@ -3,7 +3,7 @@ version: "3.8"
 services:
 wireguard:
 build:
- context: ./vpn
+ context: .
 dockerfile: Dockerfile
 image: wg-easy-iptables-nft:latest
 container_name: wireguard
-- 
2.49.1
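Review bot: `update-alternatives --set` on the new `RUN` line only succeeds for a path that has already been registered as an alternative, and `apk add --no-cache iptables-nft` registers nothing; if the upstream image has registered only the `-legacy` binaries (which is what the new comment implies), the build stops with "alternative … for iptables not registered", and even when it does succeed `--set` flips just the master link, so `iptables-save`/`iptables-restore` stay on whatever the legacy slaves point to and the container runs a mixed backend. Registering the nft variants explicitly with their save/restore slaves, at a priority above the one the legacy entry was registered with (not visible here — verify against the upstream Dockerfile), and then selecting them is the robust form; the rewritten lines are below. Add a build-time guard so a silent fallback fails the build instead of reproducing the runtime crash-loop the header comment describes: `RUN iptables -V | grep -q nf_tables && ip6tables -V | grep -q nf_tables`. The `FROM` line still tracks `:latest`; for a VPN gateway image pin a release tag and digest (`ghcr.io/wg-easy/wg-easy:<version>@sha256:…`) so rebuilds are reproducible and an upstream change to the alternatives layout cannot silently undo the flip.
```dockerfile
FROM ghcr.io/wg-easy/wg-easy:latest
# … unchanged: header comments …
RUN apk add --no-cache iptables-nft && \
    update-alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables-nft 100 \
        --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-nft-save \
        --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-nft-restore && \
    update-alternatives --install /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-nft 100 \
        --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-nft-save \
        --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-nft-restore && \
    update-alternatives --set iptables /usr/sbin/iptables-nft && \
    update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# Fail the build if the flip did not take, rather than crash-looping at runtime.
RUN iptables -V | grep -q nf_tables && ip6tables -V | grep -q nf_tables
```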