fix: update wg-easy to official ghcr image with iptables-nft #44

Merged
gortium merged 3 commits from fix/vpn-iptables-nft-upstream into master 2026-05-13 16:39:57 +00:00

Problem

The WireGuard VPN stack (vpn_stack.service) fails to start with two issues:

  1. Build context mismatch: compose.yml set context: ./vpn but the Dockerfile is at the same level as compose.yml, not in a vpn/ subdirectory.
  2. Base image too old: weejewel/wg-easy:latest is 4 years stale on Alpine 3.11, which doesn't have the iptables-nft package. After fixing the context, the build failed with ERROR: unable to select packages: iptables-nft (no such package).

Changes

assets/compose/vpn/compose.yml

  • context: ./vpn → context: . (Dockerfile is co-located)

assets/compose/vpn/Dockerfile

  • FROM weejewel/wg-easy:latest → FROM ghcr.io/wg-easy/wg-easy:latest (officially maintained, modern Alpine/krypton)
  • apk add iptables-nft + update-alternatives --set to flip from iptables-legacy to iptables-nft (the official image defaults to legacy, which requires the iptable_nat kernel module — missing on this host)
  • Replaced fragile ln -sf approach with proper update-alternatives API

Why we still need a custom image

The official ghcr.io/wg-easy/wg-easy:latest explicitly sets iptables-legacy as the default via update-alternatives --install. Our host kernel lacks the iptable_nat module, so we need iptables-nft (nftables-backed). The custom Dockerfile just flips the alternatives — 2 extra layers.

Testing

After deploy:

```bash
systemctl restart vpn_stack.service
systemctl status vpn_stack.service
```
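
The legacy-to-nft flip and the checks a deployer would run afterwards, as an added shell example. This is not the PR's Dockerfile and not code from gortium/infra or wg-easy; `flip_to_nft` is the body a RUN line doing the switch would execute, and the two check functions answer "did the flip take" and "does this kernel actually have the modules the chosen backend needs". It assumes two things the page does not state: that the base image registered a dpkg alternative named `iptables` (which `update-alternatives --set` needs in order to have anything to flip), and that the `iptables-nft` package puts an `iptables-nft` binary on PATH.

```shell
#!/bin/sh
# Added example: not the PR's Dockerfile and not code from gortium/infra or
# wg-easy. flip_to_nft() is what a RUN line doing the legacy->nft switch
# would execute; the other two functions are the post-deploy checks.
# Assumptions (not stated on the page): the base image registered a dpkg
# alternative named "iptables", and the iptables-nft package installs an
# `iptables-nft` binary that `command -v` can find.
set -e

# Classify the output of `iptables -V`: "nf_tables", "legacy" or "unknown".
# The text is passed in rather than captured so it can be checked on
# sample strings; on a host run: iptables_backend "$(iptables -V 2>&1)"
iptables_backend() {
  case "$1" in
    *'(nf_tables)'*) echo nf_tables ;;
    *'(legacy)'*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# Kernel-side check. $1 is the backend, $2 a newline-separated list of
# modules the host kernel can provide, e.g. from
#   find "/lib/modules/$(uname -r)" -name '*.ko*' | sed 's#.*/##; s/\.ko.*//'
# plus the built-ins listed in /lib/modules/$(uname -r)/modules.builtin.
# Prints the missing modules, one per line; returns 1 if any are missing.
# The lists are the minimum for NAT with each backend, not exhaustive.
missing_modules() {
  backend="$1"; available="$2"; rc=0
  case "$backend" in
    legacy)    need="ip_tables iptable_filter iptable_nat" ;;
    nf_tables) need="nf_tables nft_compat nf_nat" ;;
    *) echo "unknown backend: $backend" >&2; return 2 ;;
  esac
  for m in $need; do
    if ! printf '%s\n' "$available" | grep -qxF -- "$m"; then
      echo "$m"; rc=1
    fi
  done
  return $rc
}

# Image-side flip. `update-alternatives --set` refuses a path that is not
# registered for the alternative, so iptables-nft is --install'ed first;
# the priority (20) only matters in auto mode, --set pins the choice.
# The link path is read back from the existing registration so it matches
# whatever the base image used. If the base image registered
# iptables-save/-restore as --slave entries, add matching --slave options
# here, otherwise those links are dropped when the alternative switches.
# Repeat for ip6tables if the VPN carries IPv6.
flip_to_nft() {
  apk add --no-cache iptables-nft
  nft_bin="$(command -v iptables-nft)"
  link="$(update-alternatives --query iptables | sed -n 's/^Link: //p')"
  update-alternatives --install "$link" iptables "$nft_bin" 20
  update-alternatives --set iptables "$nft_bin"
  # Confirm the flip before the image ships.
  [ "$(iptables_backend "$(iptables -V 2>&1)")" = nf_tables ]
}
```

After `systemctl restart vpn_stack.service`, `docker exec <container> iptables -V` piped through `iptables_backend` should say `nf_tables`; if it still says `legacy`, the alternative was not switched and the PostUp NAT rules will again need `iptable_nat`. Running `missing_modules legacy` against the host's module list is the quick way to confirm that the legacy backend really is unusable on this kernel rather than just unloaded.
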
Hermes added 2 commits 2026-05-13 16:31:03 +00:00
Updates the assets/compose submodule to point to the fix/vpn-iptables-nft-upstream
branch which contains:
- Switch FROM weejewel/wg-easy:latest (Alpine 3.11, stale 4yr) to
  ghcr.io/wg-easy/wg-easy:latest (actively maintained, Alpine krypton)
- Use update-alternatives instead of raw ln -sf to flip iptables
  from legacy to nftables backend
- Fix compose build context: ./vpn -> . (Dockerfile is at same level)
Hermes added 1 commit 2026-05-13 16:39:15 +00:00
gortium merged commit 0c9c33d735 into master 2026-05-13 16:39:57 +00:00
Reference: gortium/infra#44