Permissions
Alexander Zinchenko edited this page Jun 22, 2026 · 2 revisions
WireGuard's wg-quick needs root and specific kernel capabilities to create the tunnel interface and program routing/firewall rules. This container therefore runs its processes as root inside the container (there is no privilege-dropping process user, unlike the OpenVPN variant).
| Requirement | Why |
|---|---|
| `--cap-add=NET_ADMIN` | Create/configure the wg0 interface and iptables rules |
| `--cap-add=SYS_ADMIN` | Allow wg-quick to set net.ipv4.conf.all.src_valid_mark |
| `--device /dev/net/tun` | Tunnel device access |
| `--sysctl net.ipv4.conf.all.src_valid_mark=1` | Required for WireGuard's reverse-path / fwmark routing |
If your host blocks SYS_ADMIN or sysctl changes, `privileged: true` works as a last resort. Note that it grants the container every capability and access to all host devices, far more than the table above requires, so prefer the explicit settings wherever the host allows them.
Docker Compose:

```yaml
services:
  vpn:
    image: azinchen/nordvpn-wg:latest
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
    devices:
      - /dev/net/tun
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    environment:
      - TOKEN=your_nordvpn_token_here
```

Equivalent docker run command:

```bash
docker run -d --cap-add=NET_ADMIN --cap-add=SYS_ADMIN \
  --device /dev/net/tun \
  --sysctl net.ipv4.conf.all.src_valid_mark=1 \
  -e TOKEN=your_nordvpn_token_here \
  azinchen/nordvpn-wg
```

This container does not create a separate process user and does not take PUID/PGID. Containers that share the VPN's network namespace manage their own volume permissions independently.
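A preflight check that verifies, from inside a running container, that the requirements in the table above are actually in effect before wg-quick is started. This is an added example and not part of the nordvpn-wg project; it reads the effective capability mask from /proc/self/status (CAP_NET_ADMIN is bit 12 and CAP_SYS_ADMIN bit 21 in the Linux capability ABI) and takes the device path and sysctl file as parameters so it can be pointed at test values.

```shell
# Added example (not project code): gate wg-quick on the permissions the
# container was documented to need. Linux capability bit numbers:
cap_net_admin=12
cap_sys_admin=21

# has_cap MASK BIT: succeeds if bit BIT is set in the hex capability MASK
# (the format used by the CapEff line of /proc/self/status).
has_cap() {
    mask=$1
    bit=$2
    [ $(( 0x$mask >> $bit & 1 )) -eq 1 ]
}

# current_caps: effective capability mask of this process, e.g. 0000003fffffffff
current_caps() {
    awk '/^CapEff:/ {print $2}' /proc/self/status
}

# check_requirements CAPMASK TUNDEV SYSCTLFILE: prints each missing
# requirement with the docker flag that supplies it, and returns the number
# of failures (0 means wg-quick has everything the table calls for).
check_requirements() {
    mask=$1 tun=$2 sysctl_file=$3
    failures=0
    has_cap "$mask" "$cap_net_admin" \
        || { echo "missing CAP_NET_ADMIN (--cap-add=NET_ADMIN)"; failures=$((failures + 1)); }
    has_cap "$mask" "$cap_sys_admin" \
        || { echo "missing CAP_SYS_ADMIN (--cap-add=SYS_ADMIN)"; failures=$((failures + 1)); }
    # The tunnel device must be a character device, not just an existing path.
    [ -c "$tun" ] \
        || { echo "no tunnel device at $tun (--device /dev/net/tun)"; failures=$((failures + 1)); }
    [ "$(cat "$sysctl_file" 2>/dev/null)" = "1" ] \
        || { echo "src_valid_mark is not 1 (--sysctl net.ipv4.conf.all.src_valid_mark=1)"; failures=$((failures + 1)); }
    return $failures
}

# Usage inside the container, before wg-quick up wg0:
#   check_requirements "$(current_caps)" /dev/net/tun /proc/sys/net/ipv4/conf/all/src_valid_mark || exit 1
```

Run with the real paths as shown in the trailing comment; the non-zero exit code lets an entrypoint refuse to start the tunnel when a capability or sysctl was dropped by the host.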