Hello,
I’m not sure if this is an issue with NixOS or “wg-easy”. I get the following error message when I try to start the container:
```
wireguard-server | Migrating database...
wireguard-server | ====================================================
wireguard-server | wg-easy - https://github.com/wg-easy/wg-easy
wireguard-server | ====================================================
wireguard-server | | wg-easy: v15.0.0 |
wireguard-server | | Node: v22.16.0 |
wireguard-server | | Platform: linux |
wireguard-server | | Arch: x64 |
wireguard-server | ====================================================
wireguard-server | Migration complete
wireguard-server | Starting WireGuard...
wireguard-server | Starting Wireguard Interface wg0...
wireguard-server | Saving Config...
wireguard-server | Listening on http://0.0.0.0:51821
wireguard-server | Config saved successfully.
wireguard-server | $ wg-quick down wg0
wireguard-server | $ wg-quick up wg0
wireguard-server | [unhandledRejection] Error: Command failed: wg-quick up wg0
wireguard-server | [#]
wireguard-server | [#] ip link add wg0 type wireguard
wireguard-server | [#] wg setconf wg0 /dev/fd/63
wireguard-server | [#] ip -4 address add 10.8.0.1/24 dev wg0
wireguard-server | [#] ip -6 address add fdcc:xxxx:xxxx:xxxx::cafe:1/112 dev wg0
wireguard-server | [#] ip link set mtu 1420 up dev wg0
wireguard-server | [#] iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -s fdcc:ad94:bacf:61a4::cafe:0/112 -o eth0 -j MASQUERADE; ip6tables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT;
wireguard-server | ip6tables v1.8.11 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
wireguard-server | Perhaps ip6tables or your kernel needs to be upgraded.
wireguard-server | [#] ip link delete dev wg0
wireguard-server |
wireguard-server | at genericNodeError (node:internal/errors:983:15)
wireguard-server | at wrappedFn (node:internal/errors:537:14)
wireguard-server | at ChildProcess.exithandler (node:child_process:414:12)
wireguard-server | at ChildProcess.emit (node:events:518:28)
wireguard-server | at maybeClose (node:internal/child_process:1101:16)
wireguard-server | at ChildProcess._handle.onexit (node:internal/child_process:304:5) {
wireguard-server | code: 3,
wireguard-server | killed: false,
wireguard-server | signal: null,
wireguard-server | cmd: 'wg-quick up wg0'
wireguard-server | }
```
Here’s my Docker Compose configuration:
```yaml
networks:
  wireguard:
    external: false
  traefik:
    external: true
services:
  wireguard:
    container_name: wireguard-server
    image: ghcr.io/wg-easy/wg-easy:15
    init: true
    restart: always
    volumes:
      - /srv/zfs/docker/wireguard/server/etc:/etc/wireguard
    networks:
      - wireguard
      - traefik
    ports:
      - "51820:51820/udp"
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    labels:
      traefik.enable: "true"
      traefik.docker.network: "traefik"
      traefik.http.routers.wireguard.rule: "Host(`wireguard.int.xxx.xxx`)"
      traefik.http.routers.wireguard.entrypoints: "websecure"
      traefik.http.routers.wireguard.tls.certresolver: "letsencrypt"
      traefik.http.routers.wireguard.service: "wireguard"
      traefik.http.services.wireguard.loadbalancer.server.port: 51821
```
NixOS:
```nix
boot.kernelModules = ["kvm-intel" "wireguard"];
environment.systemPackages = with pkgs; [
  wireguard-tools
];
```
Thanks!