docs: add docs about proxy mode and nft issue.

README.md

@@ -101,6 +101,18 @@ The default `GOST_ARGS` is `-L :1080`, which provides HTTP and SOCKS5 proxy. If
 
 You may want to use the proxy from another container and find that you cannot connect to `127.0.0.1:1080` in that container. This is because the `docker-compose.yml` only maps the port to the host, not to other containers. To solve this problem, you can use the service name as the hostname, for example, `warp:1080`. You also need to put the two containers in the same docker network.
 
+### NFT error on Synology or QNAP NAS
+
+If you are using Synology or QNAP NAS, you may encounter an error like `Failed to run NFT command`. This is because both Synology and QNAP use old iptables, while WARP uses nftables. It can't be easily fixed since nftables need to be added when the kernel is compiled.
+
+Possible solutions:
+- If you don't need UDP support, use the WAPR's proxy mode by following the instructions in the [documentation](docs/proxy-mode.md).
+- If you need UDP support, run a fully virtualized Linux system (KVM) on your NAS or use another device to run the container.
+
+References that might help:
+- [Related issue](https://github.com/cmj2002/warp-docker/issues/16)
+- [Request of supporting iptables in Cloudflare Community](https://community.cloudflare.com/t/legacy-support-for-docker-containers-running-on-synology-qnap/733983)
+
 ### Container runs well but cannot connect from host
 
 This issue often arises when using Zero Trust. You may find that you can run `curl --socks5-hostname 127.0.0.1:1080 https://cloudflare.com/cdn-cgi/trace` inside the container, but cannot run this command outside the container (from host or another container). This is because Cloudflare WARP client is grabbing the traffic. See [host connectivity issue](docs/host-connectivity.md) for solutions.

docs/README.md

@@ -8,3 +8,4 @@ This directory contains advanced usage and configurations of the project. Below
 - [zero-trust.md](zero-trust.md): Details the steps to use the WARP client with Cloudflare Zero Trust.
 - [masque.md](masque.md): Describes how to enable MASQUE, WARP's new protocol.
 - [podman.md](podman.md): Provides information to run the container with Podman.
+- [proxy-mode.md](proxy-mode.md): instructions on how to use the container in WARP's proxy mode.

docs/proxy-mode.md

@@ -0,0 +1,59 @@
+# Use the proxy mode of WARP
+
+> [!NOTE]
+> This article is based on the current WARP documentation, and the WARP commands may be changed by Cloudflare in the future. If you encounter any issues during following the instructions, please open an issue.
+
+> [!WARNING]
+> UDP support is not available in the proxy mode of WARP.
+
+Use `docker exec -it warp bash` to get into the container and run the following commands:
+
+```bash
+warp-cli mode proxy
+warp-cli proxy port 40000
+```
+
+Create a new healthcheck script `new-healthcheck.sh` with content:
+
+```bash
+#!/bin/bash
+
+curl -fsS --socks5-hostname 127.0.0.1:1080 "https://cloudflare.com/cdn-cgi/trace" | grep -qE "warp=(plus|on)" || exit 1
+exit 0
+```
+
+Update the `docker-compose.yml` file:
+1. set env `GOST_ARGS` to `-L :1080 -F=127.0.0.1:40000`
+2. mount new healthcheck to `/healthcheck/connected-to-warp.sh`:
+
+For example, the default `docker-compose.yml` file will be changed to:
+
+```yaml
+version: "3"
+
+services:
+  warp:
+    image: caomingjun/warp
+    container_name: warp
+    restart: always
+    ports:
+      - "1080:1080"
+    environment:
+      - WARP_SLEEP=2
+      - GOST_ARGS=-L :1080 -F=127.0.0.1:40000
+      # - WARP_LICENSE_KEY= # optional
+    cap_add:
+      # Docker already have them, these are for podman users
+      - MKNOD
+      - AUDIT_WRITE
+      # additional required cap for warp, both for podman and docker
+      - NET_ADMIN
+    sysctls:
+      - net.ipv6.conf.all.disable_ipv6=0
+      - net.ipv4.conf.all.src_valid_mark=1
+    volumes:
+      - ./data:/var/lib/cloudflare-warp
+      - ./new-healthcheck.sh:/healthcheck/connected-to-warp.sh
+```
+
+After updating the `docker-compose.yml` file, run `docker-compose down && docker-compose up -d` to restart the container.