ERROR: Linux route add command failed

[reynum2]

Hello !
It is many years now I use docker-transmission-openvpn

But from few days now without real reason it fail to connect
I tried many things :

• Change the VPN config file
• Try to remove/add route manually
• Update the docker image to the last version
• Change subnet
• Search in many places on internet

But nothing works, I have access to the gui I can add, remove but the torrents does not start

Here is the docker-compose

# cat docker-compose.yml 

version: '2'
services:
 transmission:
  image: haugene/transmission-openvpn
  cap_add:
          - NET_ADMIN
  devices:
          - /dev/net/tun
  restart: always
  ports:
          - "9091:9091"
          - "8888:8888"
  dns:
          - 8.8.8.8
          - 8.8.4.4
  volumes:
          - /etc/localtime:/etc/localtime:ro
          - ./data:/data
          - ./config:/config
  environment:
          - OPENVPN_PROVIDER=VPNTUNNEL
          - OPENVPN_USERNAME=******
          - OPENVPN_PASSWORD=******
          - OPENVPN_CONFIG=GermanyFrankfurt.tcp
          - CREATE_TUN_DEVICE=true
            #- OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60
          - LOCAL_NETWORK=172.22.0.0/16
          - TRANSMISSION_RPC_USERNAME=******
          - TRANSMISSION_RPC_PASSWORD=******
          - TRANSMISSION_RPC_AUTHENTICATION_REQUIRED=true
          - TRANSMISSION_WEB_UI=flood-for-transmission
          - PUID=1001
          - PGID=1000
 proxy:
  image: haugene/transmission-openvpn-proxy
  links:
          - transmission
  ports:
          - "142.76.1.14:9080:8080"
  volumes:
          - /etc/localtime:/etc/localtime:ro

Here is the container output

# docker logs transmission-openvpn_transmission_1
Starting container with revision: fd609f2ace1970858d3c32fcbd6c271b3d274d39
TRANSMISSION_HOME is currently set to: /config/transmission-home
WARNING: Deprecated. Found old default transmission-home folder at /data/transmission-home, setting this as TRANSMISSION_HOME. This might break in future versions.
We will fallback to this directory as long as the folder exists. Please consider moving it to /config/transmission-home
Creating TUN device /dev/net/tun
Using OpenVPN provider: VPNTUNNEL
Running with VPN_CONFIG_SOURCE auto
No bundled config script found for VPNTUNNEL. Defaulting to external config
Will get configs from https://github.com/haugene/vpn-configs-contrib.git
Repository is already cloned, checking for update
Already up to date.
Already on 'main'
Your branch is up to date with 'origin/main'.
Found configs for VPNTUNNEL in /config/vpn-configs-contrib/openvpn/vpntunnel, will replace current content in /etc/openvpn/vpntunnel
Starting OpenVPN using config GermanyFrankfurt.tcp.ovpn
Modifying /etc/openvpn/vpntunnel/GermanyFrankfurt.tcp.ovpn for best behaviour in this container
Modification: Point auth-user-pass option to the username/password file
Modification: Change ca certificate path
Modification: Change ping options
Modification: Update/set resolv-retry to 15 seconds
Modification: Change tls-crypt keyfile path
Modification: Set output verbosity to 3
Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
Modification: Updating status for config failure detection
Setting OpenVPN credentials...
adding route to local network 172.22.0.0/16 via 172.22.0.1 dev eth0
2025-08-20 21:54:18 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2025-08-20 21:54:18 OpenVPN 2.5.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 17 2024
2025-08-20 21:54:18 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2025-08-20 21:54:18 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-08-20 21:54:18 Outgoing Control Channel Authentication: Using 384 bit message hash 'SHA384' for HMAC authentication
2025-08-20 21:54:18 Incoming Control Channel Authentication: Using 384 bit message hash 'SHA384' for HMAC authentication
2025-08-20 21:54:18 TCP/UDP: Preserving recently used remote address: [AF_INET]45.87.212.124:1194
2025-08-20 21:54:18 Socket Buffers: R=[131072->131072] S=[16384->16384]
2025-08-20 21:54:18 Attempting to establish TCP connection with [AF_INET]45.87.212.124:1194 [nonblock]
2025-08-20 21:54:18 TCP connection established with [AF_INET]45.87.212.124:1194
2025-08-20 21:54:18 TCP_CLIENT link local: (not bound)
2025-08-20 21:54:18 TCP_CLIENT link remote: [AF_INET]45.87.212.124:1194
2025-08-20 21:54:18 TLS: Initial packet from [AF_INET]45.87.212.124:1194, sid=b100cfbc 222542e7
2025-08-20 21:54:18 VERIFY OK: depth=1, C=SC, L=Victoria, O=VPNTunnel, OU=IT, CN=VPNTunnel CA, [email protected]
2025-08-20 21:54:18 VERIFY KU OK
2025-08-20 21:54:18 Validating certificate extended key usage
2025-08-20 21:54:18 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2025-08-20 21:54:18 VERIFY EKU OK
2025-08-20 21:54:18 VERIFY OK: depth=0, C=SC, L=Victoria, O=VPNTunnel, OU=IT, CN=server, name=EasyRSA, [email protected]
2025-08-20 21:54:18 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
2025-08-20 21:54:18 [server] Peer Connection Initiated with [AF_INET]45.87.212.124:1194
2025-08-20 21:54:19 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2025-08-20 21:54:20 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.10.63.193,dhcp-option DNS 80.67.14.78,redirect-gateway def1 bypass-dhcp,explicit-exit-notify 3,block-outside-dns,route 45.87.212.124 255.255.255.255 net_gateway,route-gateway 10.10.63.193,topology subnet,ping 15,ping-restart 120,ifconfig 10.10.63.194 255.255.255.192,peer-id 0,cipher AES-256-GCM'
2025-08-20 21:54:20 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: block-outside-dns (2.5.11)
2025-08-20 21:54:20 OPTIONS IMPORT: timers and/or timeouts modified
2025-08-20 21:54:20 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
2025-08-20 21:54:20 OPTIONS IMPORT: --ifconfig/up options modified
2025-08-20 21:54:20 OPTIONS IMPORT: route options modified
2025-08-20 21:54:20 OPTIONS IMPORT: route-related options modified
2025-08-20 21:54:20 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2025-08-20 21:54:20 OPTIONS IMPORT: peer-id set
2025-08-20 21:54:20 OPTIONS IMPORT: adjusting link_mtu to 1626
2025-08-20 21:54:20 OPTIONS IMPORT: data channel crypto options modified
2025-08-20 21:54:20 Data Channel: using negotiated cipher 'AES-256-GCM'
2025-08-20 21:54:20 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2025-08-20 21:54:20 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2025-08-20 21:54:20 net_route_v4_best_gw query: dst 0.0.0.0
2025-08-20 21:54:20 net_route_v4_best_gw result: via 172.22.0.1 dev eth0
2025-08-20 21:54:20 ROUTE_GATEWAY 172.22.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:16:00:02
2025-08-20 21:54:20 TUN/TAP device tun0 opened
2025-08-20 21:54:20 net_iface_mtu_set: mtu 1500 for tun0
2025-08-20 21:54:20 net_iface_up: set tun0 up
2025-08-20 21:54:20 net_addr_v4_add: 10.10.63.194/26 dev tun0
2025-08-20 21:54:20 net_route_v4_add: 45.87.212.124/32 via 172.22.0.1 dev [NULL] table 0 metric -1
2025-08-20 21:54:20 sitnl_send: rtnl: generic error (-101): Network is unreachable
2025-08-20 21:54:20 ERROR: Linux route add command failed
2025-08-20 21:54:20 net_route_v4_add: 0.0.0.0/1 via 10.10.63.193 dev [NULL] table 0 metric -1
2025-08-20 21:54:20 net_route_v4_add: 128.0.0.0/1 via 10.10.63.193 dev [NULL] table 0 metric -1
2025-08-20 21:54:20 net_route_v4_add: 45.87.212.124/32 via 172.22.0.1 dev [NULL] table 0 metric -1
2025-08-20 21:54:20 sitnl_send: rtnl: generic error (-101): Network is unreachable
2025-08-20 21:54:20 ERROR: Linux route add command failed
Up script executed with device=tun0 ifconfig_local=10.10.63.194
Updating TRANSMISSION_BIND_ADDRESS_IPV4 to the ip of tun0 : 10.10.63.194
Using Flood for Transmission UI, overriding TRANSMISSION_WEB_HOME
Enforcing ownership on transmission directories
Applying permissions to transmission directories
Setting owner for transmission paths to 1001:1000
Setting permissions for download and incomplete directories
umask: 2
Directories: 775
Files: 664
Setting permission for watch directory (775) and its files (664)

-------------------------------------
Transmission will run as
-------------------------------------
User name:   abc
User uid:    1001
User gid:    1000
-------------------------------------

Updating Transmission settings.json with values from env variables
Attempting to use existing settings.json for Transmission
Successfully used existing settings.json /data/transmission-home/settings.json
Overriding bind-address-ipv4 because TRANSMISSION_BIND_ADDRESS_IPV4 is set to 10.10.63.194
Overriding download-dir because TRANSMISSION_DOWNLOAD_DIR is set to /data/completed
Overriding incomplete-dir because TRANSMISSION_INCOMPLETE_DIR is set to /data/incomplete
Overriding rpc-authentication-required because TRANSMISSION_RPC_AUTHENTICATION_REQUIRED is set to true
Overriding rpc-password because TRANSMISSION_RPC_PASSWORD is set to [REDACTED]
Overriding rpc-port because TRANSMISSION_RPC_PORT is set to 9091
Overriding rpc-username because TRANSMISSION_RPC_USERNAME is set to ******
Overriding watch-dir because TRANSMISSION_WATCH_DIR is set to /data/watch
sed'ing True to true
STARTING TRANSMISSION
Transmission startup script complete.
2025-08-20 21:54:21 Initialization Sequence Completed

The route inside the container :

# ip route
0.0.0.0/1 via 10.10.63.193 dev tun0 
default via 172.22.0.1 dev eth0 
10.10.63.192/26 dev tun0 proto kernel scope link src 10.10.63.194 
10.10.63.193 dev tun0 scope link 
80.67.14.78 dev tun0 scope link 
128.0.0.0/1 via 10.10.63.193 dev tun0 
172.22.0.0/16 via 172.22.0.1 dev eth0

The IP :

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.10.63.194/26 scope global tun0
       valid_lft forever preferred_lft forever
2805: eth0@if2806: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:16:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.22.0.2/16 brd 172.22.255.255 scope global eth0
       valid_lft forever preferred_lft forever

I tried things like that :

# ip route add 77.243.183.164/32 via 172.22.0.1
Error: Nexthop has invalid gateway.

Do you have any idea what's going wrong ?