s6-rc: warning: unable to start service legacy-cont-init: command exited 1

Getting this error when trying to enable VPN support. Other references in my research suggest it's a permissions issue?

qbittorrent         | cont-init: info: running /etc/cont-init.d/00-env-file-init
qbittorrent         | cont-init: info: /etc/cont-init.d/00-env-file-init exited 0
qbittorrent         | cont-init: info: running /etc/cont-init.d/00-start-container
qbittorrent         |
qbittorrent         | ----------------------------------------------------------------------
qbittorrent         | ENVIRONMENT
qbittorrent         | ----------------------------------------------------------------------
qbittorrent         | PUID=1001
qbittorrent         | PGID=1001
qbittorrent         | UMASK=002
qbittorrent         | TZ=America/New_York
qbittorrent         | WEBUI_PORTS=8181/tcp,8181/udp
qbittorrent         | VPN_ENABLED=true
qbittorrent         | VPN_LAN_NETWORK=192.168.0.0/24
qbittorrent         | VPN_CONF=wg0
qbittorrent         | VPN_ADDITIONAL_PORTS=
qbittorrent         | PRIVOXY_ENABLED=false
qbittorrent         | ----------------------------------------------------------------------
qbittorrent         |
qbittorrent         | Executing usermod...
qbittorrent         | usermod: no changes
qbittorrent         | Applying permissions to /config
qbittorrent         | cont-init: info: /etc/cont-init.d/00-start-container exited 0
qbittorrent         | cont-init: info: running /etc/cont-init.d/01-configure-app
qbittorrent         | cont-init: info: /etc/cont-init.d/01-configure-app exited 0
qbittorrent         | cont-init: info: running /etc/cont-init.d/02-setup-wg
qbittorrent         | [INFO] Docker network type is not set to "host".
qbittorrent         | [INFO] "sysctl net.ipv4.conf.all.src_valid_mark=1" is set.
qbittorrent         | [INFO] Configuration file "/config/wireguard/wg0.conf" was found.
qbittorrent         | [INFO] WireGuard is down. Continuing...
qbittorrent         | [INFO] Starting WireGuard...
qbittorrent         | [#] ip link add wg0 type wireguard
qbittorrent         | [#] wg setconf wg0 /dev/fd/63
qbittorrent         | [#] ip -4 address add 10.70.83.76/32 dev wg0
qbittorrent         | [#] ip link set mtu 1420 up dev wg0
qbittorrent         | [#] resolvconf -a wg0 -m 0 -x
qbittorrent         | [#] wg set wg0 fwmark 51820
qbittorrent         | [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
qbittorrent         | [#] ip -4 rule add not fwmark 51820 table 51820
qbittorrent         | [#] ip -4 rule add table main suppress_prefixlength 0
qbittorrent         | [#] echo skipping setting net.ipv4.conf.all.src_valid_mark
qbittorrent         | skipping setting net.ipv4.conf.all.src_valid_mark
qbittorrent         | [#] iptables-restore -n
qbittorrent         | [INFO] WireGuard is started.
qbittorrent         | [INFO] WebUI ports are "8181/tcp,8181/udp".
qbittorrent         | [INFO] Additional ports are "".
qbittorrent         | [INFO] WireGuard remote is "185.65.134.222:51820".
qbittorrent         | [INFO] Docker network interface is "eth0".
qbittorrent         | [INFO] Docker network IP is "172.18.0.5/16".
qbittorrent         | [INFO] Docker network CIDR is "172.18.0.0/16".
qbittorrent         | [INFO] Adding "192.168.0.0/24" as route via interface "eth0".
qbittorrent         | [INFO] ip route overview:
qbittorrent         | default via 172.18.0.1 dev eth0
qbittorrent         | 172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.5
qbittorrent         | 192.168.0.0/24 via 172.18.0.1 dev eth0
qbittorrent         | [INFO] Configuring iptables...
qbittorrent         | [INFO] Configuring ip6tables...
qbittorrent         | cont-init: info: /etc/cont-init.d/02-setup-wg exited 3
qbittorrent         | cont-init: info: running /etc/cont-init.d/03-setup-privoxy
qbittorrent         | cont-init: info: /etc/cont-init.d/03-setup-privoxy exited 0
qbittorrent         | cont-init: warning: some scripts exited nonzero
qbittorrent         | s6-rc: warning: unable to start service legacy-cont-init: command exited 1
qbittorrent         | /run/s6/basedir/scripts/rc.init: warning: s6-rc failed to properly bring all the services up! Check your logs (in /run/uncaught-logs/current if you have in-container logging) for more information.
qbittorrent         | /run/s6/basedir/scripts/rc.init: fatal: stopping the container.
qbittorrent         | s6-rc: info: service fix-attrs: stopping
qbittorrent         | s6-rc: info: service fix-attrs successfully stopped
qbittorrent         | s6-rc: info: service s6rc-oneshot-runner: stopping
qbittorrent         | s6-rc: info: service s6rc-oneshot-runner successfully stopped
qbittorrent exited with code 1

Here is my redacted wg0.conf (Mullvad):

[Interface]
PrivateKey = <REDACTED>
Address = <REDACTED>/32
DNS = 193.138.218.74

[Peer]
PublicKey = <REDACTED>
AllowedIPs = 0.0.0.0/0
Endpoint = <REDACTED>:51820

And my docker compose (not the whole thing, its huge):

  qbittorrent:
    container_name: qbittorrent
    image: cr.hotio.dev/hotio/qbittorrent
    ports:
      - "8181:8181"
      - "8118:8118"
    environment:
      - PUID=1001
      - PGID=1001
      - UMASK=002
      - WEBUI_PORTS=8181/tcp,8181/udp
      - TZ=America/New_York
      - VPN_ENABLED=true
      - VPN_LAN_NETWORK=192.168.0.0/24
      - VPN_CONF=wg0
      #- VPN_ADDITIONAL_PORTS
      - PRIVOXY_ENABLED=false
    volumes:
      - /opt/appdata/qbittorrent:/config
      - /var/downloads:/downloads
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
#    dns:
#      - 1.1.1.1
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0

I am at a loss how to proceed. As I said, other references to this issue suggest it's a permissions/flag issue in the build itself?: https://github.com/just-containers/s6-overlay/issues/376 https://github.com/home-assistant/addons/issues/2496

hotio / qbittorrent

s6-rc: warning: unable to start service legacy-cont-init: command exited 1 #19