Wireguard on kunat.dev https://kunat.dev/tags/wireguard/ Recent content in Wireguard on kunat.dev Hugo -- 0.147.5 en-us 2025 kunat.dev Sat, 24 Jan 2026 13:35:18 +0100 Synology DSM 7.x: qBittorrent WireGuard/NFTables Errors After Update https://kunat.dev/notes/synology-qbittorrent-wireguard-nftables/ Sat, 24 Jan 2026 13:35:18 +0100 https://kunat.dev/notes/synology-qbittorrent-wireguard-nftables/ <p>Seeing <code>RTNETLINK answers: Not supported</code> during <code>init-wireguard</code>, or <code>Error: Could not process rule: Not supported</code> with <code>add table inet hotio</code> when starting <code>ghcr.io/hotio/qbittorrent</code> on DSM 7.2/7.3? That&rsquo;s Synology&rsquo;s 4.4 kernel lacking nftables support after hotio dropped legacy iptables workarounds.</p> <p>Typical failure logs look like this:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>[VPN] Creating interface [wg0-fix]. </span></span><span style="display:flex;"><span>RTNETLINK answers: Not supported </span></span></code></pre></div><p>Or later during firewall setup:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>Error: Could not process rule: Not supported </span></span><span style="display:flex;"><span>add table inet hotio </span></span></code></pre></div><h2 id="the-fix">The Fix</h2> <p>Pin the image to the last known working WireGuard build from the <a href="https://github.com/TRaSH-Guides/Synology-Templates/pull/222" target="_blank" >TRaSH-Guides PR #222</a>:</p> Seeing RTNETLINK answers: Not supported during init-wireguard, or Error: Could not process rule: Not supported with add table inet hotio when starting ghcr.io/hotio/qbittorrent on DSM 7.2/7.3? That’s Synology’s 4.4 kernel lacking nftables support after hotio dropped legacy iptables workarounds.

Typical failure logs look like this:

[VPN] Creating interface [wg0-fix].
RTNETLINK answers: Not supported

Or later during firewall setup:

Error: Could not process rule: Not supported
add table inet hotio

The Fix

Pin the image to the last known working WireGuard build from the TRaSH-Guides PR #222:

services:
  qbittorrent:
    image: ghcr.io/hotio/qbittorrent:release-e799f87

Tradeoffs of pinning an old image:

  • No security or feature updates.
  • Potential breakage when VPN providers change endpoints or auth flows.
  • You’re stuck on older qBittorrent/libtorrent versions.
  • This is a temporary workaround, not a real fix.

Long term, move the VPN to a dedicated container (for example, gluetun with OpenVPN) and run qBittorrent without VPN logic inside its container. That keeps your NAS kernel limitations out of the qBittorrent image and avoids the nftables requirement.

Resources

If you’re interested, check out how to set up qBittorrent with PIA on Synology, verify your qBittorrent VPN IP, or add a reverse proxy to your Synology setup:

]]>