WSL2 - Podman Desktop - Access to internal services (VPN) from containers triggered in Windows are failing (running container in WSL works)

Question

Access to internal services via curl is failing when using podman under Windows:

PS C:\Users\<USER>> podman run docker.io/nicolaka/netshoot curl https://<INTERNAL_IP_OR_HOST>:6443/version --insecure
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) Recv failure: Connection reset by peer

When triggering the same internal curl request directly in the podmans WSL distribution everything works out as well:

PS C:\Users\<USER>> wsl -d podman-machine-default

You will be automatically entered into a nested process namespace where
systemd is running. If you need to access the parent namespace, hit ctrl-d
or type exit. This also means to log out you need to exit twice.

[<USER>@<HOSTNAME> ~]$ podman run docker.io/nicolaka/netshoot curl https://<INTERNAL_IP_OR_HOST>:6443/version --insecure
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
100   157  100   157    0     0   2474      0 --:--:-- --:--:-- --:--:--  2492

A ping directly from the container running under Windows is working fine (curl fails):

PS C:\Users\<USER>> podman run docker.io/nicolaka/netshoot ping <INTERNAL_IP_OR_HOSTNAME>
PING <INTERNAL_IP_OR_HOSTNAME> (<INTERNAL_IP_OR_HOSTNAME>) 56(84) bytes of data.
64 bytes from <INTERNAL_IP_OR_HOSTNAME>: icmp_seq=1 ttl=60 time=12.2 ms

Access to other external services from Windows via podman are working fine:

PS C:\Users\<USER>> podman run docker.io/nicolaka/netshoot curl https://google.com
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
100   220  100   220    0     0   1524      0 --:--:-- --:--:-- --:--:--  1527

Has anyone seen a similar behaviour?

Environment

• Podman: 4.6.1
• Podman Desktop: 1.2.1
• Node OS: Windows 10
• WSL version: 2
• WSL Distribution: Default Podman Desktop distro (podman-machine-default) with enabled root privileges

Adaptions

Added DNS server of my internal domain to enable resolving of internal hostnames

• /etc/wsl.conf > generateResolvConf=false
• /etc/resolv.conf > contains internal DNS servers

Therefore internal hostnames can be resolved from both the Windows machine, as well as inside WSL. This is not a DNS resolution problem!

Once VPN is disconnected and I can directly reach the internal services everything is OK.

UPDATE

The difference between starting the container in Windows compared to WSL seems to be that the packets are fragmented. Need to investigate further in this direction. Here a Wireshark Trace:

Wireshark Trace

Answer 1

It ist Not nessesary to workarround If you Set Up Default Maschine by using Usermode Networking: true

Answer 2

FINAL SOLUTION

The problem was as indicated in the EDIT section the mtu size. Podman network supports the configuration of MTU sizes:

• Create new podman network with adapted MTU size:

podman network create podman-lower-mtu --disable-dns --opt mtu=1300

• Set default_network to podman-lower-mtu in wsl under path /usr/share/containers/containers.conf
• Restart WSL