Can't initialize iptables table #50

Closed
kthys opened this issue Dec 6, 2019 · 1 comment

kthys commented Dec 6, 2019

Description
Hello, I'm trying to set up the container in a stack (I'm using docker swarm) and I'm getting the errors below in the logs. I tried renaming NET_ADMIN to net_admin and the error persists. I've also tried to add privileged and it doesn't fix the problem.

How to reproduce my bug?
Here's my compose for the container:

vpn:
        image: bubuntux/nordvpn
        privileged: true
        cap_add:
            - NET_ADMIN
        devices:
            - /dev/net/tun
        environment:
            - USER=
            - PASS=
            - COUNTRY=Belgium
            - PROTOCOL=UDP
            - CATEGORY=P2P
            - NETWORK=192.168.0.0/24
            - OPENVPN_OPTS=--pull-filter ignore "ping-restart" --ping-exit 180
            - TZ=Europe/Brussels
        ports:
            - 8083:80
        restart: unless-stopped

Logs

iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
getsockopt failed strangely: Operation not permitted
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Adding network route 192.168.0.0/24...
RTNETLINK answers: Operation not permitted
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Whitelisting downloads.nordcdn.com...
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Downloading config files...
Whitelisting api.nordvpn.com...
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Selecting the best server...
Searching for country : Belgium (21)
Searching for group: legacy_p2p
Searching for technology: openvpn_udp
Best server : be118.nordvpn.com
Using config file /vpn/ovpn/be118.nordvpn.com.udp.ovpn...
+ sg vpn -c 'openvpn --config /vpn/ovpn/be118.nordvpn.com.udp.ovpn --auth-user-pass /vpn/auth --auth-nocache                                 --script-security 2 --up /etc/openvpn/up.sh --down /etc/openvpn/down.sh                                 --pull-filter ignore "ping-restart" --ping-exit 180'
Connecting ...
Fri Dec  6 20:15:53 2019 OpenVPN 2.4.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 26 2018
Fri Dec  6 20:15:53 2019 library versions: OpenSSL 1.1.1b  26 Feb 2019, LZO 2.10
Fri Dec  6 20:15:53 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec  6 20:15:53 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Dec  6 20:15:53 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Dec  6 20:15:53 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]91.207.57.253:1194
Fri Dec  6 20:15:53 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Dec  6 20:15:53 2019 UDP link local: (not bound)
Fri Dec  6 20:15:53 2019 UDP link remote: [AF_INET]91.207.57.253:1194
Fri Dec  6 20:15:53 2019 TLS: Initial packet from [AF_INET]91.207.57.253:1194, sid=54d346b4 b2964c57
Fri Dec  6 20:15:53 2019 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Fri Dec  6 20:15:53 2019 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA4
Fri Dec  6 20:15:53 2019 VERIFY KU OK
Fri Dec  6 20:15:53 2019 Validating certificate extended key usage
Fri Dec  6 20:15:53 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Dec  6 20:15:53 2019 VERIFY EKU OK
Fri Dec  6 20:15:53 2019 VERIFY OK: depth=0, CN=be118.nordvpn.com
Fri Dec  6 20:15:55 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Fri Dec  6 20:15:55 2019 [be118.nordvpn.com] Peer Connection Initiated with [AF_INET]91.207.57.253:1194
Fri Dec  6 20:15:57 2019 SENT CONTROL [be118.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Fri Dec  6 20:15:57 2019 AUTH: Received control message: AUTH_FAILED
Fri Dec  6 20:15:57 2019 SIGTERM[soft,auth-failure] received, process exiting
+ set +x
Whitelisting api.nordvpn.com...
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Selecting the best server...

Loops again and again...

@kthys kthys added the bug Something isn't working label Dec 6, 2019

mjs2020 commented Dec 12, 2019

I've been researching this and it seems like swarm mode does not (yet) support cap_add or privileged.
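
A check to run inside the container to see whether the `NET_ADMIN` capability requested in the compose file actually reached the process; `iptables` and route changes need it, which matches the "Permission denied" and "Operation not permitted" lines in the logs. This is an added example, not part of the issue thread or the image's scripts; the function names and the two sample masks are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic (not from the issue or the image): decode the CapEff mask
# of /proc/<pid>/status and report whether CAP_NET_ADMIN reached the process.

CAP_NET_ADMIN=12                      # bit number from linux/capability.h

# Constructed sample masks for illustration:
MASK_DEFAULT=00000000a80425fb         # typical default Docker capability set
MASK_NET_ADMIN=00000000a80435fb       # same set with NET_ADMIN (bit 12) added

# has_cap HEXMASK BIT: succeeds if BIT is set; status 2 on a malformed mask.
has_cap() {
    case $1 in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# effective_caps [STATUS_FILE]: print the CapEff hex mask of a process.
effective_caps() {
    awk '$1 == "CapEff:" { print $2 }' "${1:-/proc/self/status}" 2>/dev/null
}

# has_chardev [PATH]: succeeds if PATH is a character device (default: tun).
has_chardev() {
    [ -c "${1:-/dev/net/tun}" ]
}

# report HEXMASK: one-line verdict on NET_ADMIN; always returns 0.
report() {
    if has_cap "$1" "$CAP_NET_ADMIN"; then
        echo "CAP_NET_ADMIN present"
    else
        echo "CAP_NET_ADMIN missing"
    fi
}

# Inside the container: verdict for the current process and the tun device.
report "$(effective_caps)"
has_chardev && echo "/dev/net/tun present" || echo "/dev/net/tun missing"
```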
