Synology DSM 7.x: qBittorrent WireGuard/NFTables Errors After Update

Seeing RTNETLINK answers: Not supported during init-wireguard, or Error: Could not process rule: Not supported with add table inet hotio when starting ghcr.io/hotio/qbittorrent on DSM 7.2/7.3? That’s Synology’s 4.4 kernel lacking nftables support after hotio dropped legacy iptables workarounds.

Typical failure logs look like this:

[VPN] Creating interface [wg0-fix].
RTNETLINK answers: Not supported

Or later during firewall setup:

Error: Could not process rule: Not supported
add table inet hotio

The Fix

Pin the image to the last known working WireGuard build from the TRaSH-Guides PR #222:

services:
  qbittorrent:
    image: ghcr.io/hotio/qbittorrent:release-e799f87

Tradeoffs of pinning an old image:

• No security or feature updates.
• Potential breakage when VPN providers change endpoints or auth flows.
• You’re stuck on older qBittorrent/libtorrent versions.
• This is a temporary workaround, not a real fix.

Long term, move the VPN to a dedicated container (for example, gluetun with OpenVPN) and run qBittorrent without VPN logic inside its container. That keeps your NAS kernel limitations out of the qBittorrent image and avoids the nftables requirement.

Resources

• TRaSH-Guides Synology Templates PR #222
• gluetun
• hotio qBittorrent container docs

If you’re interested, check out how to set up qBittorrent with PIA on Synology, verify your qBittorrent VPN IP, or add a reverse proxy to your Synology setup:

• Setting Up qBittorrent with Private Internet Access (PIA) VPN on Synology NAS
• Verifying VPN Status for Docker qBittorrent on Synology
• Setting Up Caddy as a Reverse Proxy on Synology NAS