From 2cbaab23c582b41d335ba15839c86b183ca7a6c2 Mon Sep 17 00:00:00 2001 From: xtcnet Date: Sun, 8 Mar 2026 15:01:48 +0700 Subject: [PATCH] fix: remove sysctls from host network container and apply them to host OS --- README.md | 5 ----- install.sh | 23 ++++++++++++++++++++--- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 09b6aba..a9a7d91 100644 --- a/README.md +++ b/README.md @@ -45,8 +45,6 @@ docker run -d \ --name npm-wg \ --cap-add=NET_ADMIN \ --cap-add=SYS_MODULE \ - --sysctl net.ipv4.ip_forward=1 \ - --sysctl net.ipv4.conf.all.src_valid_mark=1 \ --network host \ -v npm-wg-data:/data \ -v npm-wg-letsencrypt:/etc/letsencrypt \ @@ -67,9 +65,6 @@ services: cap_add: - NET_ADMIN - SYS_MODULE - sysctls: - - net.ipv4.ip_forward=1 - - net.ipv4.conf.all.src_valid_mark=1 network_mode: "host" volumes: - data:/data diff --git a/install.sh b/install.sh index 82f76bf..b751a61 100644 --- a/install.sh +++ b/install.sh @@ -128,6 +128,22 @@ install_deps() { log_ok "All system dependencies are ready." } +# ----------------------------------------------------------- +# x. Apply sysctls to Host (For WireGuard in Host Network Mode) +# ----------------------------------------------------------- +apply_sysctls_to_host() { + log_step "Applying required sysctl network parameters to host..." + sysctl -w net.ipv4.ip_forward=1 >/dev/null 2>&1 + sysctl -w net.ipv4.conf.all.src_valid_mark=1 >/dev/null 2>&1 + + # Persist sysctls if they don't already exist + if [ -f /etc/sysctl.conf ]; then + grep -q 'net.ipv4.ip_forward=1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf + grep -q 'net.ipv4.conf.all.src_valid_mark=1' /etc/sysctl.conf || echo 'net.ipv4.conf.all.src_valid_mark=1' >> /etc/sysctl.conf + fi + log_ok "Host network parameters configured." +} + # ----------------------------------------------------------- # x. Generate docker-compose.yml # ----------------------------------------------------------- 
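Review bot: The two `sysctl -w` lines in apply_sysctls_to_host discard their exit status behind `>/dev/null 2>&1`, so when the script is not running as root or the key cannot be written the function still prints "Host network parameters configured." and do_install / do_update (the later hunks that call it) proceed with forwarding disabled on the host, which only surfaces later as a WireGuard client that cannot reach anything. The persistence step has the same silent-failure shape: `grep -q 'net.ipv4.ip_forward=1'` is unanchored, so a commented-out `#net.ipv4.ip_forward=1` or a `net.ipv4.ip_forward=1` substring elsewhere satisfies it and suppresses the append, and when /etc/sysctl.conf is absent (hosts that only use /etc/sysctl.d) nothing is persisted and nothing is said. Because these settings are now applied host-wide rather than scoped to the container — ip_forward makes the host route between all of its interfaces, not just the WireGuard one — the function should also carry a comment telling the reader that the firewall's FORWARD chain needs to restrict what is forwarded. The rewrite below checks each sysctl, matches only an active `key = 1` line when deciding whether to append, and warns when persistence is impossible; a drop-in under /etc/sysctl.d would be a reasonable alternative to appending to /etc/sysctl.conf.

```shell
apply_sysctls_to_host() {
    log_step "Applying required sysctl network parameters to host..."
    # Host-wide change: ip_forward makes this host route between all of its
    # interfaces, so the firewall FORWARD chain must restrict what passes.
    local key
    for key in net.ipv4.ip_forward net.ipv4.conf.all.src_valid_mark; do
        if ! sysctl -w "${key}=1" >/dev/null 2>&1; then
            log_warn "Could not set ${key}=1 on the host (root required); WireGuard routing will not work."
        fi
    done
    if [ ! -f /etc/sysctl.conf ]; then
        log_warn "/etc/sysctl.conf not found; sysctl settings will not survive a reboot."
        return 0
    fi
    for key in net.ipv4.ip_forward net.ipv4.conf.all.src_valid_mark; do
        # Match only an active 'key = 1' line: a commented-out or '=0' entry
        # must not suppress the append (the last entry in the file wins).
        # The unescaped '.' in ${key} matches slightly more than needed; harmless here.
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*1[[:space:]]*$" /etc/sysctl.conf \
            || echo "${key}=1" >> /etc/sysctl.conf
    done
    log_ok "Host network parameters configured."
}
```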
@@ -148,9 +164,6 @@ services: cap_add: - NET_ADMIN - SYS_MODULE - sysctls: - - net.ipv4.ip_forward=1 - - net.ipv4.conf.all.src_valid_mark=1 network_mode: "host" volumes: - ./data:/data @@ -208,6 +221,9 @@ do_install() { mkdir -p "$INSTALL_DIR" log_ok "Directory created." + # --- Apply Sysctls --- + apply_sysctls_to_host + # --- Write docker-compose.yml --- generate_docker_compose "$wg_host" @@ -376,6 +392,7 @@ do_update() { log_warn "Could not extract WG_HOST. Using ${current_wg_host}." fi + apply_sysctls_to_host generate_docker_compose "$current_wg_host" log_step "Pulling latest image..."