Unable to create iptables when starting a Private Network

I’ve recently activated my copy of the Pritunl Enterprise VPN account. And I’ve created the server and setup a private network to access my server remotely. This can be done by routing the server subnet to the VPN server as stated in the Pritunl instructions.

The VPN server will start. However, nothing will display on the Server Output tab of the web portal. But when I check the log in the Pritunl log file. I get the following error

[snowy-plains-5952][2023-01-10 01:36:46,749][ERROR] Server error occurred while running
Traceback (most recent call last):
  File "/usr/lib/pritunl/lib/python3.9/site-packages/pritunl-1.30.3388.46-py3.9.egg/pritunl/server/instance.py", line 1582, in _run_thread
  File "/usr/lib/pritunl/lib/python3.9/site-packages/pritunl-1.30.3388.46-py3.9.egg/pritunl/iptables.py", line 1411, in upsert_rules
    self._insert_iptables_rule(rule, tables=tables)
  File "/usr/lib/pritunl/lib/python3.9/site-packages/pritunl-1.30.3388.46-py3.9.egg/pritunl/iptables.py", line 1229, in _insert_iptables_rule
    return self._insert_iptables_rule_cmd(rule, ipv6)
  File "/usr/lib/pritunl/lib/python3.9/site-packages/pritunl-1.30.3388.46-py3.9.egg/pritunl/iptables.py", line 1211, in _insert_iptables_rule_cmd
  File "/usr/lib/pritunl/lib/python3.9/site-packages/pritunl-1.30.3388.46-py3.9.egg/pritunl/utils/proc.py", line 88, in run
    raise subprocess.CalledProcessError(
subprocess.CalledProcessError: Command '['iptables', '-I', 'INPUT', '-i', 'tun4', '-m', 'set', '--match-set', '63bcc12c5eb9da02e3aaa815_or', 'dst', '-j', 'ACCEPT', '-m', 'comment', '--comment', 'pritunl-63bcbb5d5eb9da02e3aaa3d7']' returned non-zero exit status 2.
  server_id   = "21bcbb5d5eb9da02e3aaa3d7"
  instance_id = "63bcc12c5eb34a02e3aaa815"
[snowy-plains-5952][2023-01-10 01:36:46,750][ERROR] Popen returned error exit code
  cmd         = ["iptables", "-I", "INPUT", "-i", "tun4", "-m", "set", "--match-set", "63bcc12c5eb9da02e3aaa815_or", "dst", "-j", "ACCEPT", "-m", "comment", "--comment", "pritunl-63bcbb5d5eb9da02e3aaa3d7"]
  timeout     = 15
  return_code = 2

What are the potential issues causing this problem? And what are the possible solutions?


What Linux distribution and version is the server running on?

Raspberry Pi OS ARM64 Bullseye


This issue is caused by the platform, the software is only built and tested on x86.

Well some ARM64 images have been built for pritunl using Docker successfully.


There are some guides that also exist, teaching you how to compile for ARM64.

I’m not convince that it is the platform issue.

Also iptables is a an architecture/platform independent command line tools.

The issue only arises when you create a private network. Starting the server with the default settings does not present any issue.

It’s an issue with the iptables on that system. Possibly missing support for ipset. The error message should include Process stderr to provide additional information.

ipset was installed using apt. There is no additional information about the error on the Pritunl log sheet.

I tried pasting the command into the CMD line and got the following error.

iptables v1.8.7 (nf_tables): Couldn’t load match `set’:No such file or directory

I’ve used

ipset list

and got no set listed. It looks like ipset is not creating the required IP set for iptables to process.

It looks like Pritunl uses the same IPset name every time. Putting the NAT address into that IP set should perform the intended behavior of forwarding the private network to the client devices?

EDIT: The name slightly changes every time.

It is listed temporarily and then deleted after the error is written on the log.

It keeps giving me this error.

iptables v1.8.7 (nf_tables): Couldn't load match `set':No such file or directory

It looks like iptables is not detecting the ipset groups despite already being installed on the same system.

I can’t find anything on the internet to resolve this issue. It looks like iptables is not detecting ipset. Could it be a kernel issue?

It look like my system did not loan the ip_set kernel module.

EDIT: xt_set