Closed as not planned
Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
Latest branch of wireguard using the same config file I have had for a long time fails to create the tunnel with the following error:
iptables v1.8.11 (nf_tables): Could not fetch rule set generation id: Invalid argument
Deleting the iptables rules from my config will allow the tunnel to start, but I cannot access resources on my network. Reverting to version 1.0.20210914 fixes the issue.
Expected Behavior
Tunnel creates successfully
Steps To Reproduce
On Synology DSM 7.2.2 Container Manager, if I add these iptables rules to my config:
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
and start the docker container, the tunnel will fail
Environment
- OS: Synology DiskStationManager 7.2.2-72806
- How docker service was installed: Container Manager installed through Package Manager
CPU architecture
x86-64
Docker creation
```yaml
version: '3.3'
services:
  wireguard:
    container_name: wireguard
    image: linuxserver/wireguard:latest
    networks:
      - wireguard
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.ip_forward=1
    volumes:
      - /dev/net/tun:/dev/net/tun
      - /volume1/docker/wireguard:/config
      - /lib/modules:/lib/modules
    environment:
      - WG_COLOR_MODE=always
      - LOG_LEVEL=info
      - TZ=America/Chicago
    ports:
      - 51871:51871/udp
    restart: always
networks:
  wireguard:
```
Container logs
[migrations] started
[migrations] no migrations found
usermod: no changes
───────────────────────────────────────
██╗ ███████╗██╗ ██████╗
██║ ██╔════╝██║██╔═══██╗
██║ ███████╗██║██║ ██║
██║ ╚════██║██║██║ ██║
███████╗███████║██║╚██████╔╝
╚══════╝╚══════╝╚═╝ ╚═════╝
Brought to you by linuxserver.io
───────────────────────────────────────
To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID: 911
User GID: 911
───────────────────────────────────────
Linuxserver.io version: 1.0.20250521-r0-ls81
Build-date: 2025-07-29T17:05:49+00:00
───────────────────────────────────────
Uname info: Linux wireguard 4.4.302+ #72806 SMP Mon Jul 21 23:14:27 CST 2025 x86_64 GNU/Linux
**** Client mode selected. ****
[custom-init] No custom files found, skipping...
crond[165]: crond (busybox 1.37.0) started, log level 5
crond[165]: user:root entry:*/15 * * * * run-parts /etc/periodic/15min
crond[165]: user:root entry:0 * * * * run-parts /etc/periodic/hourly
crond[165]: user:root entry:0 2 * * * run-parts /etc/periodic/daily
crond[165]: user:root entry:0 3 * * 6 run-parts /etc/periodic/weekly
crond[165]: user:root entry:0 5 1 * * run-parts /etc/periodic/monthly
**** Disabling CoreDNS ****
**** Found WG conf /config/wg_confs/wg0.conf, adding to list ****
**** Activating tunnel /config/wg_confs/wg0.conf ****
[#] ip link add dev wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.0.1/16 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] iptables -A FORWARD -i wg0 -j ACCEPT
iptables v1.8.11 (nf_tables): Could not fetch rule set generation id: Invalid argument
[#] resolvconf -d wg0 -f
[#] ip link delete dev wg0
**** Tunnel /config/wg_confs/wg0.conf failed, will stop all others! ****
**** All tunnels are now down. Please fix the tunnel config /config/wg_confs/wg0.conf and restart the container ****
[ls.io-init] done.