[Arrowmaster]

While gluetun works great, there are other implementations of wireguard that fail without the kernel modules. I've also ran into issues from containers wanting the kernel modules for iptables-nft but Synology only has legacy iptables.

[paffdragon]

I belive even for gluetun I had to add the WG kernel module. I think I used this to compile it for myself https://github.com/runfalk/synology-wireguard

I know there are userspace implementations, but can't remember the specifics rn and don't have my notes with me.

> kernel modules for iptables-nft

I think you meant nftables. The iptables-nft package is meant to provide iptables interface for nftables for code that still expects that, afaik. I didn't run into that issue yet (knock-knock). According to docs nftables is available since kernel 3.13, so in theory it might be possible to build the modules for Synology.

However, I don't think I will be buying another Synology in the future, mainly because of other issues like they restricting what RAM I can use or what I want to use the M2 slots for, or their recent experiment with trying to push their own drives only, etc. I might give TrueNAS a try if I am not bored enough to just build one on top of a general purpose OS...

[Arrowmaster]

I had to look it up and I think it was a mix of user error and a bad container. At one point I had been trying to use the nicolaka/netshoot container as a sidecar to troubleshoot iptables on another container and it is/was(?) missing the iptables-legacy package and unable to interact with the first containers iptables.

As great as containerization is, having the right kernel modules available goes a long way and I probably wouldn't have run into trouble like that if the first container hadn't fallen back to iptables because nftables was unavailable.

All of these NAS OSs that include docker work great for the most popular containers, but once you get into the more complex ones strange quirks start poping up.