Error response from daemon: Pool overlaps with other one on this address space (when on VPN)

In Ubuntu I am trying to create a docker network with a specified subnet when on VPN but I get the below error:

$ docker network create my-network --subnet 172.17.24.0/18
Error response from daemon: Pool overlaps with other one on this address space

Looking at the route table:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 cscotun0
0.0.0.0         192.168.0.1     0.0.0.0         UG    20600  0        0 wlp0s20f3
10.174.33.0     0.0.0.0         255.255.255.0   U     0      0        0 cscotun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 cscotun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlp0s20f3
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
188.64.152.45   192.168.0.1     255.255.255.255 UGH   0      0        0 wlp0s20f3
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 cscotun0
192.168.0.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp0s20f3
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 wlp0s20f3

I don't see that my VPN (cscotun0) is occupying that range so what is going on?

Unless 172.17.24.0/18 is overlapping with docker0:

172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0

but I assume both docker0 and 172.17.24.0/18 should be able to exist in the same range?

Error response from daemon: The network pool overlaps with another one on this address space.

In my case, I had a docker-compose.yaml file with a hardcoded network IP address, and another container was started with the same network.

networks:
    vpn-net:
        ipv4_address: 172.21.0.2

To solve this, first, find the current container that is using it:

# docker network ls
NETWORK ID     NAME                DRIVER    SCOPE
ca9b2b29a253   bridge              bridge    local
45e9488d9140   host                host      local
5966656f9981   none                null      local
b3edda2ed475   my-service-net      bridge    local
a9eb7c1f3d20   another-network     bridge    local

# docker inspect my-service-net | grep 172.21.0.2
    "IPv4Address": "172.21.0.2/16"

Stop the service for the found network:

# docker stop my-service-net

Finally, start the new container that is failing. You can also remove the IP network configuration or change the IP.

but I assume both docker0 and 172.17.24.0/18 should be able to exist in the same range?

In theory this is allowable, but it would result in a hole in the 172.17.0.0/16 network, where 172.17.24.0/18 via docker0 due to the most specific route winning. The Linux kernel will probably let you configure this, but it's not good form, and it will lead to interesting problems, due to the overlapping network subnets.

The solution is to make address space non-overlapping.