Nftables, iptables - Wireguard, wg-quick in 4.2 - Is there a problem with installing iptables aswell?

I, like many other qubes users, use mullvad, on 4.1 i set up a few proxyVMs that, in /rw/config/rc.local would select a wireguard configuration file at random from a specified directory - These worked very well.

I have read a number of the posts on the switch to nftables in 4.2 and how this stops the wg configuration files working with wg-quick up…

While experimenting with various ways to remedy this i found that if i installed iptables into a debian-12 template (that already has nftables installed) then wg-quick (and by extension my rc.local files) work again just fine and do not “seem” to be leaking.

Is there a good reason to not do this? Does it cause a leak i have not found or pose any other security/privacy risk? I am not an expert in this area so any information on potential issues would be welcome.


wg-quick should work on 4.2, only iptables support is dropped, so if you have iptables rules (maybe triggered by wg-quick?) you would have to rewrite them.

Can confirm that wg-quick works without iptables. The only thing that is not working are the custom made iptables rules obviously.

I’m not using it, but there are no reason for wg-quick to stop working.

Just for posterity:

One reason the Mullvad-generated .conf file would stop working on 4.2 is that the PostUp and PreDown fields include non-custom iptables commands if “Enable kill switch (Linux only)” is enabled during generation ( The user might not know what these iptables commands are for if they’re just following instructions- that they’re optional, that they’re for the killswitch, and that they can instead be implemented through other means with nftables.