Open
Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
After upgrading my podman host from Fedora 40 to 41, my wireguard pods will no longer start. It appears Fedora 41 has deprecated iptables for nftables:
https://docs.fedoraproject.org/en-US/fedora/latest/release-notes/sysadmin/
These containers worked without issue prior to my upgrade to Fedora 41 and are broken on both hosts I utilize for WG VPN services.
It looks like there are some workarounds/changes available. I will need time to investigate and test on my end:
https://fedoraproject.org/wiki/Changes/LibvirtVirtualNetworkNFTables#Reverting_to_iptables_for_compatibility
Expected Behavior
Container to start
Steps To Reproduce
Utilizing systemd services to automatically start the pods:
```ini
[Unit]
Description=Podman container-wireguard.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/%n.ctr-id
ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon --rm --sdnotify=conmon --replace -d --privileged --name wireguard -e PUID=1000 -e PGID=1000 -e "TZ=America/New York" --cap-add=NET_RAW --cap-add=NET_ADMIN -e SERVERURL=vpn.mydomain.com -e SERVERPORT=51821 -e PEERS=WireGuard1 -e PEERDNS=192.168.1.1 -e INTERNAL_SUBNET=10.21.21.0 -e ALLOWEDIPS=0.0.0.0/0 -p 51820:51820/udp --sysctl=net.ipv4.conf.all.src_valid_mark=1 -v /var/wireguard/wireguard-vpn:/config:Z -v /var/wireguard/wireguard-modules:/lib/modules:Z --pull=always --label io.containers.autoupdate=registry lscr.io/linuxserver/wireguard:latest
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=default.target
```
Environment
- OS: Fedora 41
- How docker service was installed: Native Podman
CPU architecture
x86-64
Docker creation
```shell
podman run --replace -d --privileged --name wireguard -e PUID=1000 -e PGID=1000 -e "TZ=America/New York" --cap-add=NET_RAW --cap-add=NET_ADMIN -e SERVERURL=vpn.mydomain.com -e SERVERPORT=51821 -e PEERS=WireGuard1 -e PEERDNS=192.168.1.1 -e INTERNAL_SUBNET=10.21.21.0 -e ALLOWEDIPS=0.0.0.0/0 -p 51820:51820/udp --sysctl=net.ipv4.conf.all.src_valid_mark=1 -v /var/wireguard/wireguard-vpn:/config:Z -v /var/wireguard/wireguard-modules:/lib/modules:Z --pull=always --label io.containers.autoupdate=registry lscr.io/linuxserver/wireguard:latest
```
Container logs
February 24, 2025
```text
Connection to localhost (::1) 53 port [udp/domain] succeeded!
Warning: `/config/wg_confs/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.21.21.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 10.21.21.2/32 dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
iptables v1.8.11 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[#] ip link delete dev wg0
```
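As an added triage helper (not part of this issue or of the linuxserver/wireguard image), the script below runs over the log above, put back into chronological order, and separates the two findings in it: the iptables-legacy call failing against the nftables-based Fedora 41 host, which is the reporter's hypothesis for the failure, and the world-accessible wg0.conf warning. The function names and the verdict wording are assumptions of this example.

```shell
#!/bin/sh
# Triage a linuxserver/wireguard container log for the failure in this report:
# an iptables-legacy/nftables mismatch and a world-readable wg0.conf.
# Constructed sample: the lines of the log above, in chronological order.
SAMPLE_LOG=$(cat <<'EOF'
Connection to localhost (::1) 53 port [udp/domain] succeeded!
Warning: `/config/wg_confs/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.21.21.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 10.21.21.2/32 dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
iptables v1.8.11 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[#] ip link delete dev wg0
EOF
)

# iptables_backend LOG: backend named in the "iptables vX.Y.Z (backend)" error line, e.g. legacy or nf_tables.
iptables_backend() {
  printf '%s\n' "$1" | sed -n 's/^iptables v[0-9.]* (\([a-z_]*\)).*/\1/p' | head -n 1
}

# missing_table LOG: the xtables table iptables could not initialise (filter, nat, ...), empty if none.
missing_table() {
  printf '%s\n' "$1" | sed -n 's/.*initialize iptables table .\([a-z]*\).: Table does not exist.*/\1/p' | head -n 1
}

# world_readable_conf LOG: config path wg-quick flagged as world accessible, empty if none.
world_readable_conf() {
  printf '%s\n' "$1" | sed -n 's/^Warning: .\([^ ]*\). is world accessible$/\1/p' | head -n 1
}

# triage LOG: one verdict line per finding, so the failure is not mistaken for a WireGuard bug.
triage() {
  backend=$(iptables_backend "$1"); table=$(missing_table "$1"); conf=$(world_readable_conf "$1")
  if [ "$backend" = legacy ] && [ -n "$table" ]; then
    echo "iptables-legacy in the container has no kernel '$table' table to talk to (nftables-based host); wg-quick's PostUp failed, so the tunnel was torn down"
  elif [ -n "$table" ]; then
    echo "iptables ($backend) could not initialise table '$table'"
  else
    echo "no iptables failure found"
  fi
  [ -n "$conf" ] && echo "$conf is world readable and holds the PrivateKey; restrict it to mode 0600"
  return 0
}

triage "$SAMPLE_LOG"
```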