Unable to create iptables when starting a Private Network

cat8402 · January 10, 2023, 1:47am

I’ve recently activated my copy of the Pritunl Enterprise VPN account. And I’ve created the server and setup a private network to access my server remotely. This can be done by routing the server subnet to the VPN server as stated in the Pritunl instructions.

The VPN server will start. However, nothing will display on the Server Output tab of the web portal. But when I check the log in the Pritunl log file. I get the following error

[snowy-plains-5952][2023-01-10 01:36:46,749][ERROR] Server error occurred while running
Traceback (most recent call last):
  File "/usr/lib/pritunl/lib/python3.9/site-packages/pritunl-1.30.3388.46-py3.9.egg/pritunl/server/instance.py", line 1582, in _run_thread
    self.iptables.upsert_rules()
  File "/usr/lib/pritunl/lib/python3.9/site-packages/pritunl-1.30.3388.46-py3.9.egg/pritunl/iptables.py", line 1411, in upsert_rules
    self._insert_iptables_rule(rule, tables=tables)
  File "/usr/lib/pritunl/lib/python3.9/site-packages/pritunl-1.30.3388.46-py3.9.egg/pritunl/iptables.py", line 1229, in _insert_iptables_rule
    return self._insert_iptables_rule_cmd(rule, ipv6)
  File "/usr/lib/pritunl/lib/python3.9/site-packages/pritunl-1.30.3388.46-py3.9.egg/pritunl/iptables.py", line 1211, in _insert_iptables_rule_cmd
    utils.Process(
  File "/usr/lib/pritunl/lib/python3.9/site-packages/pritunl-1.30.3388.46-py3.9.egg/pritunl/utils/proc.py", line 88, in run
    raise subprocess.CalledProcessError(
subprocess.CalledProcessError: Command '['iptables', '-I', 'INPUT', '-i', 'tun4', '-m', 'set', '--match-set', '63bcc12c5eb9da02e3aaa815_or', 'dst', '-j', 'ACCEPT', '-m', 'comment', '--comment', 'pritunl-63bcbb5d5eb9da02e3aaa3d7']' returned non-zero exit status 2.
  server_id   = "21bcbb5d5eb9da02e3aaa3d7"
  instance_id = "63bcc12c5eb34a02e3aaa815"
[snowy-plains-5952][2023-01-10 01:36:46,750][ERROR] Popen returned error exit code
  cmd         = ["iptables", "-I", "INPUT", "-i", "tun4", "-m", "set", "--match-set", "63bcc12c5eb9da02e3aaa815_or", "dst", "-j", "ACCEPT", "-m", "comment", "--comment", "pritunl-63bcbb5d5eb9da02e3aaa3d7"]
  timeout     = 15
  return_code = 2

What are the potential issues causing this problem? And what are the possible solutions?

Thanks,

zach · January 10, 2023, 3:49am

What Linux distribution and version is the server running on?

cat8402 · January 10, 2023, 4:11am

Raspberry Pi OS ARM64 Bullseye

cat8402 · January 10, 2023, 4:12am

v1.30.3388.46

zach · January 10, 2023, 10:05am

This issue is caused by the platform, the software is only built and tested on x86.

cat8402 · January 10, 2023, 1:07pm

Well some ARM64 images have been built for pritunl using Docker successfully.

https://hub.docker.com/layers/goofball222/pritunl/1.30.3292.22/images/sha256-23e334dc339615741a68bdb39635eafbbc67e590e5594221aef9783106ba7763?context=explore

There are some guides that also exist, teaching you how to compile for ARM64.

I’m not convince that it is the platform issue.

cat8402 · January 10, 2023, 2:44pm

Also iptables is a an architecture/platform independent command line tools.

cat8402 · January 11, 2023, 5:12am

The issue only arises when you create a private network. Starting the server with the default settings does not present any issue.

zach · January 11, 2023, 11:24pm

It’s an issue with the iptables on that system. Possibly missing support for ipset. The error message should include Process stderr to provide additional information.

cat8402 · January 11, 2023, 11:37pm

ipset was installed using apt. There is no additional information about the error on the Pritunl log sheet.

cat8402 · January 11, 2023, 11:49pm

I tried pasting the command into the CMD line and got the following error.

iptables v1.8.7 (nf_tables): Couldn’t load match `set’:No such file or directory

I’ve used

ipset list

and got no set listed. It looks like ipset is not creating the required IP set for iptables to process.

cat8402 · January 11, 2023, 11:59pm

It looks like Pritunl uses the same IPset name every time. Putting the NAT address into that IP set should perform the intended behavior of forwarding the private network to the client devices?

EDIT: The name slightly changes every time.

cat8402 · January 12, 2023, 12:16am

It is listed temporarily and then deleted after the error is written on the log.

cat8402 · January 12, 2023, 12:32am

It keeps giving me this error.

iptables v1.8.7 (nf_tables): Couldn't load match `set':No such file or directory

It looks like iptables is not detecting the ipset groups despite already being installed on the same system.

cat8402 · January 12, 2023, 12:40am

I can’t find anything on the internet to resolve this issue. It looks like iptables is not detecting ipset. Could it be a kernel issue?

cat8402 · January 12, 2023, 12:50am

It look like my system did not loan the ip_set kernel module.

EDIT: xt_set