diff --git a/tests/test_wireguard_manager.py b/tests/test_wireguard_manager.py
index fca501c..c3d852e 100644
--- a/tests/test_wireguard_manager.py
+++ b/tests/test_wireguard_manager.py
@@ -494,13 +494,12 @@ class TestWireGuardSysctlAndPortCheck(unittest.TestCase):
 # ── generate_config sysctl safety ────────────────────────────────────────
- def test_generate_config_postup_has_nonfatal_sysctl(self):
+ def test_generate_config_omits_rp_filter_sysctl(self):
+ # rp_filter is removed from PostUp/PostDown: writing /proc/sys fails in
+ # the unprivileged (NET_ADMIN-only) WireGuard container and crashed
+ # wg-quick. It is a perf/security tweak, not required for WG or NAT.
 cfg = self.wg.generate_config()
- self.assertIn('sysctl -q net.ipv4.conf.all.rp_filter=0 || true', cfg)
-
- def test_generate_config_postdown_has_nonfatal_sysctl(self):
- cfg = self.wg.generate_config()
- self.assertIn('sysctl -q net.ipv4.conf.all.rp_filter=1 || true', cfg)
+ self.assertNotIn('rp_filter', cfg)
 def test_generate_config_has_masquerade(self):
 cfg = self.wg.generate_config()
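Review bot: The assertion `self.assertNotIn('rp_filter', cfg)` in test_generate_config_omits_rp_filter_sysctl pins only that one key, while the comment above it names the failure as any /proc/sys write in the NET_ADMIN-only container, so a different sysctl added to PostUp/PostDown later would still pass this test. If generate_config is meant to emit no sysctl writes at all (not visible from this hunk), assert that directly with `self.assertNotIn('sysctl', cfg)`; otherwise keep the key check and state in the comment which sysctl lines remain and why they are safe in the unprivileged container. The phrase "perf/security tweak" could also be more specific: the removed PostUp test expected `rp_filter=0`, which loosens reverse-path filtering, so omitting it leaves the kernel's existing anti-spoofing setting in place rather than weakening anything. The test class continues outside the hunk.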