From 8d3de0e86dfefc14e2ddf77e48ccc1ced4834de5 Mon Sep 17 00:00:00 2001
From: LinuxServer-CI
Date: Tue, 23 May 2023 13:43:41 +0000
Subject: [PATCH] Bot Updating Documentation
---
 images/docker-wireguard.md | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/images/docker-wireguard.md b/images/docker-wireguard.md
index 12f4dbcc2..125fd0edf 100644
--- a/images/docker-wireguard.md
+++ b/images/docker-wireguard.md
@@ -46,6 +46,10 @@ During container start, it will first check if the wireguard module is already i

 This can be run as a server or a client, based on the parameters used.

+## Note on iptables
+
+Some hosts may not load the iptables kernel modules by default. In order for the container to be able to load them, you need to assign the `SYS_MODULE` capability and add the optional `/lib/modules` volume mount. Alternatively you can `modprobe` them from the host before starting the container.
+
 ## Server Mode

 If the environment variable `PEERS` is set to a number or a list of strings separated by comma, the container will run in server mode and the necessary server and peer/client confs will be generated. The peer/client config qr codes will be output in the docker log if `LOG_CONFS` is set to `true`. They will also be saved in text and png format under `/config/peerX` in case `PEERS` is a variable and an integer or `/config/peer_X` in case a list of names was provided instead of an integer.
@@ -116,6 +120,7 @@ services:
 container_name: wireguard
 cap_add:
 - NET_ADMIN
+ - SYS_MODULE #optional
 environment:
 - PUID=1000
 - PGID=1000
@@ -130,6 +135,7 @@ services:
 - LOG_CONFS=true #optional
 volumes:
 - /path/to/appdata/config:/config
+ - /lib/modules:/lib/modules #optional
 ports:
 - 51820:51820/udp
 sysctls:
@@ -143,6 +149,7 @@ services:
 docker run -d \
 --name=wireguard \
 --cap-add=NET_ADMIN \
+ --cap-add=SYS_MODULE `#optional` \
 -e PUID=1000 \
 -e PGID=1000 \
 -e TZ=Etc/UTC \
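Review bot: The new "Note on iptables" section recommends `SYS_MODULE` without saying what it grants: a container holding that capability can load kernel modules into the host kernel, so a compromise of the container is effectively a compromise of the host. The note should say so and present running `modprobe` on the host as the preferred route, with the capability as the fallback. The added `/lib/modules:/lib/modules` mount is also read-write by default, and loading modules should only need read access, so the compose example could use `- /lib/modules:/lib/modules:ro #optional` and the `docker run` example `-v /lib/modules:/lib/modules:ro`. The same point applies to the `cap_add` and `--cap-add` hunks and to the new row in the Volume table.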
@@ -156,6 +163,7 @@ docker run -d \
 -e LOG_CONFS=true `#optional` \
 -p 51820:51820/udp \
 -v /path/to/appdata/config:/config \
+ -v /lib/modules:/lib/modules `#optional` \
 --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
 --restart unless-stopped \
 lscr.io/linuxserver/wireguard:latest
@@ -193,6 +201,7 @@ Docker images are configured using parameters passed at runtime (such as those a
 | Volume | Function |
 | :----: | --- |
 | `/config` | Contains all relevant configuration files. |
+| `/lib/modules` | Host kernel modules for situations where they're not already loaded. |

 #### Miscellaneous Options