ERROR: FIREWALL_OUTBOUND_SUBNETS= causes gluetun to exit eth0 invalid argument

[ppriorfl]

I had all my services in a single docker compose and worked fine. However Radarr was not working correctly with IMDB and radarr support says it's related to using a VPN and not to put it behind VPN. So I've put gluetun into a separate docker compose stack and am attaching only certain dockers to it.

Gluetun runs normally and makes a VPN connection.

However to allow non-vpn dockers outside the stack to access I have added - FIREWALL_OUTBOUND_SUBNETS=10.0.0.1/24

(all other dockers are on a custom macvlan network with individual IP addressed on this subnet. The host machine for docker/portainer is also on the same subnet).

When I add this line it exits with error:
ERROR adding outbound subnet to routes: adding route for subnet 10.0.0.1/24: replacing route for subnet 10.0.0.1/24 at interface eth0: invalid argument
INFO Shutdown successful

Here is my gluetun docker compose:
`

---

version: "3"
services:
gluetun:
container_name: gluetun
image: qmcgaw/gluetun
networks:
LAN:
ipv4_address: 10.0.0.224
devices:
- /dev/net/tun
ports:
- 9117:9117/tcp #jackett
- 8181:8181/tcp #sabnzbd
- 9696:9696/tcp #prowlarr
- 8112:8112/tcp #deluge
- 56673:56673/tcp #deluge
- 56673:56673/udp #deluge
- 8085:8085/tcp #qbittorrent
- 49710:49710/tcp #qbittorrent
- 49710:49710/udp #qbittorrent
- 3000:3000/tcp #firefox
- 3001:3001/tcp #firefox
- 5800:5800/tcp #myjdownloader
- 5800:5800/udp #myjdownloader
cap_add:
- NET_ADMIN
environment:
- VPN_SERVICE_PROVIDER=airvpn
- VPN_TYPE=wireguard
- WIREGUARD_PRIVATE_KEY=redacted=
- WIREGUARD_PRESHARED_KEY=redacted=
- WIREGUARD_ADDRESSES=redacted
- SERVER_COUNTRIES=redacted
- FIREWALL_VPN_INPUT_PORTS=redacted
- FIREWALL_OUTBOUND_SUBNETS=10.0.0.1/24 # added this to get access to LAN from container
networks:
LAN:
external: true
`

[nomandera]

Did anyone ever get to the bottom of this? As far as I can tell FIREWALL_OUTBOUND_SUBNETS just does not work at least on my environment.

2024-12-10T09:14:58.874999163Z 2024-12-10T09:14:58Z INFO [routing] default route found: interface eth0, gateway 10.2.2.254, assigned IP 10.2.2.16 and family v4
2024-12-10T09:14:58.875013502Z 2024-12-10T09:14:58Z INFO [routing] adding route for 0.0.0.0/0
2024-12-10T09:14:58.875018338Z 2024-12-10T09:14:58Z INFO [firewall] setting allowed subnets...
2024-12-10T09:14:58.875911053Z 2024-12-10T09:14:58Z INFO [routing] default route found: interface eth0, gateway 10.2.2.254, assigned IP 10.2.2.16 and family v4
2024-12-10T09:14:58.875928434Z 2024-12-10T09:14:58Z INFO [routing] adding route for 10.10.10.1/24
2024-12-10T09:14:58.875934338Z 2024-12-10T09:14:58Z INFO [routing] routing cleanup...
2024-12-10T09:14:58.875936865Z 2024-12-10T09:14:58Z INFO [routing] default route found: interface eth0, gateway 10.2.2.254, assigned IP 10.2.2.16 and family v4
2024-12-10T09:14:58.875938823Z 2024-12-10T09:14:58Z INFO [routing] deleting route for 0.0.0.0/0
2024-12-10T09:14:58.875940642Z 2024-12-10T09:14:58Z ERROR adding outbound subnet to routes: adding route for subnet 10.10.10.1/24: replacing route for subnet 10.10.10.1/24 at interface eth0: invalid argument
2024-12-10T09:14:58.875942569Z 2024-12-10T09:14:58Z INFO Shutdown successful

I have tried subnets with no chance of overlap and it seems to make no difference.

V3 stable and latest v3.39.1 act identically

Enabling debug logging does not make anything jump out to me

2024-12-10T09:25:21.507768915Z 2024-12-10T09:25:21Z INFO [routing] default route found: interface eth0, gateway  10.2.2.254, assigned IP  10.2.2.16 and family v4
2024-12-10T09:25:21.507772725Z 2024-12-10T09:25:21Z DEBUG [netlink] ip -4 rule list
2024-12-10T09:25:21.507776378Z 2024-12-10T09:25:21Z DEBUG [netlink] ip -6 rule list
2024-12-10T09:25:21.507780031Z 2024-12-10T09:25:21Z DEBUG [netlink] ip -f 0 rule add from  10.2.2.16/32 lookup 200 pref 100
2024-12-10T09:25:21.507783707Z 2024-12-10T09:25:21Z INFO [routing] adding route for 0.0.0.0/0
2024-12-10T09:25:21.507787349Z 2024-12-10T09:25:21Z DEBUG [routing] ip route replace 0.0.0.0/0 via  10.2.2.254 dev eth0 table 200
2024-12-10T09:25:21.507792646Z 2024-12-10T09:25:21Z INFO [firewall] setting allowed subnets...
2024-12-10T09:25:21.507796618Z 2024-12-10T09:25:21Z DEBUG [firewall] /sbin/iptables --append OUTPUT -o eth0 -s  10.2.2.16 -d 10.10.10.1/24 -j ACCEPT
2024-12-10T09:25:21.508336232Z 2024-12-10T09:25:21Z INFO [routing] default route found: interface eth0, gateway  10.2.2.254, assigned IP  10.2.2.16 and family v4
2024-12-10T09:25:21.508340030Z 2024-12-10T09:25:21Z INFO [routing] adding route for 10.10.10.1/24
2024-12-10T09:25:21.508342061Z 2024-12-10T09:25:21Z DEBUG [routing] ip route replace 10.10.10.1/24 via  10.2.2.254 dev eth0 table 199
2024-12-10T09:25:21.508358881Z 2024-12-10T09:25:21Z INFO [routing] routing cleanup...
2024-12-10T09:25:21.508413337Z 2024-12-10T09:25:21Z INFO [routing] default route found: interface eth0, gateway  10.2.2.254, assigned IP  10.2.2.16 and family v4
2024-12-10T09:25:21.508422387Z 2024-12-10T09:25:21Z INFO [routing] deleting route for 0.0.0.0/0
2024-12-10T09:25:21.508424996Z 2024-12-10T09:25:21Z DEBUG [routing] ip route delete 0.0.0.0/0 via  10.2.2.254 dev eth0 table 200
2024-12-10T09:25:21.508432368Z 2024-12-10T09:25:21Z DEBUG [netlink] ip -4 rule list
2024-12-10T09:25:21.508443791Z 2024-12-10T09:25:21Z DEBUG [netlink] ip -6 rule list
2024-12-10T09:25:21.508449844Z 2024-12-10T09:25:21Z DEBUG [netlink] ip -f 0 rule del from  10.2.2.16/32 lookup 200 pref 100
2024-12-10T09:25:21.508455295Z 2024-12-10T09:25:21Z ERROR adding outbound subnet to routes: adding route for subnet 10.10.10.1/24: replacing route for subnet 10.10.10.1/24 at interface eth0: invalid argument
2024-12-10T09:25:21.508459

other than this looks like the command being issued is either malformed or not correct in context but there is not enough logging detail to know precisely what that command is and since it shutdowns immediately after I cant debug the normal shell into container way.

[ESHARK22]

Have you found a solution to this?

(Asking since this was initially brought up over a year ago)

[nomandera]

This works for me now. Coincidentally I tried again last week and using the same approach it just operates as documented.

[ESHARK22]

Funnily enough, I just got my setup working too

[Alkoopman85]

This appears to be an issue again. After adding FIREWALL_OUTBOUND_SUBNETS environmental variable gluetun fails to start.

2025-03-24T08:19:48-07:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
2025-03-24T08:19:48-07:00 INFO [routing] adding route for 0.0.0.0/0
2025-03-24T08:19:48-07:00 DEBUG [routing] ip route replace 0.0.0.0/0 via 172.18.0.1 dev eth0 table 200
2025-03-24T08:19:48-07:00 INFO [firewall] setting allowed subnets...
2025-03-24T08:19:48-07:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -o eth0 -s 172.18.0.2 -d 192.168.1.31/24 -j ACCEPT
2025-03-24T08:19:48-07:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
2025-03-24T08:19:48-07:00 INFO [routing] adding route for 192.168.1.31/24
2025-03-24T08:19:48-07:00 DEBUG [routing] ip route replace 192.168.1.31/24 via 172.18.0.1 dev eth0 table 199
2025-03-24T08:19:48-07:00 INFO [routing] routing cleanup...
2025-03-24T08:19:48-07:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
2025-03-24T08:19:48-07:00 INFO [routing] deleting route for 0.0.0.0/0
2025-03-24T08:19:48-07:00 DEBUG [routing] ip route delete 0.0.0.0/0 via 172.18.0.1 dev eth0 table 200
2025-03-24T08:19:48-07:00 ERROR adding outbound subnet to routes: adding route for subnet 192.168.1.31/24: replacing route for subnet 192.168.1.31/24 at interface eth0: invalid argument
2025-03-24T08:19:48-07:00 INFO Shutdown successful

Any workaround or help would be greatly appreciated. I'm using the latest tag as of now

[erodrig]

for me FIREWALL_OUTBOUND_SUBNETS seems to be doing nothing

docker exec -it gluetun ip route
default via 192.168.0.1 dev eth0
10.14.0.0/16 dev tun0 proto kernel scope link src 10.14.0.2
192.168.0.0/16 dev eth0 proto kernel scope link src 192.168.0.2

  - FIREWALL_OUTBOUND_SUBNETS=192.168.100.0/24 

that was my value, doing this fixes the issue manually

docker exec -it gluetun ip route add 192.168.100.0/24 via 192.168.0.1 dev eth0

any ideas?

[prubesh]

had a similar issue, try FIREWALL_OUTBOUND_SUBNETS=10.0.0.0/24, the .1 gave me invalid argument

10.0.0.1/24 points to a specific device (10.0.0.1) within the 10.0.0.0/24 network.
10.0.0.0/24 represents the entire network range including all possible host addresses.