Docker container can't access server via VPN

If I run curl my.server.com from WSL2 the response is OK, but if I do it from the Docker container the response is curl: (56) Recv failure: Connection reset by peer.

This occurs only for DNS names that are behind the VPN; for public DNS names everything works fine. So there is some conflict between the Docker container and WSL2/VPN.

compose.yaml

services:
  wildfly:
    image: wildfly18
    build:
      context: ./docker/wildfly
      args:
        UID: ${UID_WILDFLY:-1000}
        GID: ${GID_WILDFLY:-1000}
    env_file:
      - .env
    container_name: wildfly18
    ports:
      - "${HOST_WILDFLY_APPLICATION}:8080"
      - "${HOST_WILDFLY_ADMIN}:9990"
      - "${HOST_WILDFLY_DEBUG}:8787"
    volumes:
      - ./dados:/opt/dados-aplicacao/
      - ./jdk:/opt/openjdk
    networks:
      - rede
networks:
  rede:

Windows 11 network: ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : -windows
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Ethernet Controller (3) I225-V
   Physical Address. . . . . . . . . : 50-EB-F6-2A-C1-AD
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::4cd:11e:ccb8:d883%18(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : sexta-feira, 30 de agosto de 2024 16:33:37
   Lease Expires . . . . . . . . . . : terça-feira, 7 de outubro de 2160 02:30:28
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 340847606
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-A8-4B-F4-50-EB-F6-2A-C1-AD
   DNS Servers . . . . . . . . . . . : 208.67.222.222
                                       208.67.220.220
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter vEthernet (Default Switch):

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 00-15-5D-3B-FC-8B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1140:f475:e605:190c%24(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.192.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 402658653
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-A8-4B-F4-50-EB-F6-2A-C1-AD
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter vEthernet (WSL (Hyper-V firewall)):

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
   Physical Address. . . . . . . . . : 00-15-5D-C2-80-86
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9ec8:da74:b4b9:de09%66(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.29.176.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 1107301725
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-A8-4B-F4-50-EB-F6-2A-C1-AD
   NetBIOS over Tcpip. . . . . . . . : Enabled

WSL2 network: ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 10.255.255.254/32 brd 10.255.255.254 scope global lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1280 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:f9:13:05 brd ff:ff:ff:ff:ff:ff
    inet 172.29.189.181/20 brd 172.29.191.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fef9:1305/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:61:e3:bc:f3 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:61ff:fee3:bcf3/64 scope link
       valid_lft forever preferred_lft forever
221: br-525f1d83ccb6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:f4:b6:6c:36 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-525f1d83ccb6
       valid_lft forever preferred_lft forever
    inet6 fe80::42:f4ff:feb6:6c36/64 scope link
       valid_lft forever preferred_lft forever
223: vethee84464@if222: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-525f1d83ccb6 state UP group default
    link/ether 1a:8b:10:5d:c3:10 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::188b:10ff:fe5d:c310/64 scope link
       valid_lft forever preferred_lft forever

Docker network: docker network inspect 525f1d83ccb6

[
    {
        "Name": "ambiente-desenvolvimento-docker_rede",
        "Id": "525f1d83ccb6afafc136cea88636dc818e1ed7093d7c489ab39719ae68d8a79f",
        "Created": "2024-08-30T19:54:46.945604203-03:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "84d554871de113759c350299f61bbb6f108c577532ef7b9a00e06b1b4f903915": {
                "Name": "wildfly18",
                "EndpointID": "04d278ee802c95df1e6149a6a37ce71c96ac5ca4117023718d85a4356b5817e2",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {
            "com.docker.compose.network": "rede",
            "com.docker.compose.project": "ambiente-desenvolvimento-docker",
            "com.docker.compose.version": "2.29.1"
        }
    }
]

Windows 11 routes: route print

===========================================================================
Interface List
 10...54 7b 9e 77 7d 12 ......Check Point Virtual Network Adapter For Endpoint VPN Client
 19...02 50 04 fa c7 13 ......Famatech Radmin VPN Ethernet Adapter
 18...50 eb f6 2a c1 ad ......Intel(R) Ethernet Controller (3) I225-V
 22...44 e5 17 0d a7 e6 ......Intel(R) Wi-Fi 6 AX201 160MHz
  7...44 e5 17 0d a7 e7 ......Microsoft Wi-Fi Direct Virtual Adapter
 14...46 e5 17 0d a7 e6 ......Microsoft Wi-Fi Direct Virtual Adapter #2
 11...44 e5 17 0d a7 ea ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
 21...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
 24...00 15 5d 3b fc 8b ......Hyper-V Virtual Ethernet Adapter
 66...00 15 5d c2 80 86 ......Hyper-V Virtual Ethernet Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.100     25
          0.0.0.0          0.0.0.0         26.0.0.1     26.59.25.229   9257
         10.0.0.0      255.224.0.0     10.62.53.192     10.62.53.193      1
        10.32.0.0      255.240.0.0     10.62.53.192     10.62.53.193      1
        10.48.0.0      255.248.0.0     10.62.53.192     10.62.53.193      1
        10.56.0.0      255.252.0.0     10.62.53.192     10.62.53.193      1
        10.60.0.0      255.254.0.0     10.62.53.192     10.62.53.193      1
        10.62.0.0    255.255.240.0     10.62.53.192     10.62.53.193      1
       10.62.52.0    255.255.252.0         On-link      10.62.53.193    256
     10.62.53.193  255.255.255.255         On-link      10.62.53.193    256
     10.62.55.255  255.255.255.255         On-link      10.62.53.193    256
        10.63.0.0      255.255.0.0     10.62.53.192     10.62.53.193      1
        10.64.0.0      255.192.0.0     10.62.53.192     10.62.53.193      1
       10.128.0.0      255.128.0.0     10.62.53.192     10.62.53.193      1
         26.0.0.0        255.0.0.0         On-link      26.59.25.229    257
     26.59.25.229  255.255.255.255         On-link      26.59.25.229    257
   26.255.255.255  255.255.255.255         On-link      26.59.25.229    257
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     172.29.176.0    255.255.240.0         On-link      172.29.176.1   5256
     172.29.176.1  255.255.255.255         On-link      172.29.176.1   5256
   172.29.191.255  255.255.255.255         On-link      172.29.176.1   5256
      192.168.0.0    255.255.255.0         On-link     192.168.0.100    281
    192.168.0.100  255.255.255.255         On-link     192.168.0.100    281
    192.168.0.255  255.255.255.255         On-link     192.168.0.100    281
    192.168.192.0    255.255.240.0         On-link     192.168.192.1   5256
    192.168.192.1  255.255.255.255         On-link     192.168.192.1   5256
  192.168.207.255  255.255.255.255         On-link     192.168.192.1   5256
    200.122.113.0    255.255.255.0     10.62.53.192     10.62.53.193      1
    200.122.114.0  255.255.255.192     10.62.53.192     10.62.53.193      1
   200.122.114.64  255.255.255.240     10.62.53.192     10.62.53.193      1
   200.122.114.80  255.255.255.248     10.62.53.192     10.62.53.193      1
   200.122.114.88  255.255.255.254     10.62.53.192     10.62.53.193      1
   200.122.114.90  255.255.255.255     10.62.53.192     10.62.53.193      1
   200.122.114.92  255.255.255.254     10.62.53.192     10.62.53.193      1
   200.122.114.94  255.255.255.255     10.62.53.192     10.62.53.193      1
   200.122.114.96  255.255.255.224     10.62.53.192     10.62.53.193      1
  200.122.114.129  255.255.255.255     10.62.53.192     10.62.53.193      1
  200.122.114.130  255.255.255.254     10.62.53.192     10.62.53.193      1
  200.122.114.132  255.255.255.252     10.62.53.192     10.62.53.193      1
  200.122.114.136  255.255.255.248     10.62.53.192     10.62.53.193      1
  200.122.114.144  255.255.255.240     10.62.53.192     10.62.53.193      1
  200.122.114.160  255.255.255.224     10.62.53.192     10.62.53.193      1
  200.122.114.192  255.255.255.192     10.62.53.192     10.62.53.193      1
    200.122.116.0    255.255.255.0     10.62.53.192     10.62.53.193      1
    200.122.121.0    255.255.255.0     10.62.53.192     10.62.53.193      1
   200.122.123.30  255.255.255.255     10.62.53.192     10.62.53.193      1
  200.122.123.160  255.255.255.255     10.62.53.192     10.62.53.193      1
  200.122.123.165  255.255.255.255     10.62.53.192     10.62.53.193      1
  200.122.123.181  255.255.255.255     10.62.53.192     10.62.53.193      1
  200.122.123.182  255.255.255.255     10.62.53.192     10.62.53.193      1
  200.122.123.196  255.255.255.255     10.62.53.192     10.62.53.193      1
  200.122.123.198  255.255.255.255     10.62.53.192     10.62.53.193      1
   200.122.124.24  255.255.255.255     10.62.53.192     10.62.53.193      1
   200.122.124.80  255.255.255.240     10.62.53.192     10.62.53.193      1
  200.201.113.216  255.255.255.255     10.62.53.192     10.62.53.193      1
      201.77.18.0    255.255.255.0     10.62.53.192     10.62.53.193      1
     201.77.19.32  255.255.255.240     10.62.53.192     10.62.53.193      1
    201.77.19.192  255.255.255.192     10.62.53.192     10.62.53.193      1
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.0.100    281
        224.0.0.0        240.0.0.0         On-link     192.168.192.1   5256
        224.0.0.0        240.0.0.0         On-link      172.29.176.1   5256
        224.0.0.0        240.0.0.0         On-link      26.59.25.229    257
        224.0.0.0        240.0.0.0         On-link      10.62.53.193    256
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.0.100    281
  255.255.255.255  255.255.255.255         On-link     192.168.192.1   5256
  255.255.255.255  255.255.255.255         On-link      172.29.176.1   5256
  255.255.255.255  255.255.255.255         On-link      26.59.25.229    257
  255.255.255.255  255.255.255.255         On-link      10.62.53.193    256
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0         26.0.0.1    9256
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 21    331 2001::/32                On-link
 21    331 2001:0:2877:7aa:201e:afa1:4486:8098/128
                                    On-link
 19    291 fdfd::/64                On-link
 19    291 fdfd::1a3b:19e5/128      On-link
 18    281 fe80::/64                On-link
 24   5256 fe80::/64                On-link
 66   5256 fe80::/64                On-link
 19    291 fe80::/64                On-link
 10    281 fe80::/64                On-link
 21    331 fe80::/64                On-link
 18    281 fe80::4cd:11e:ccb8:d883/128
                                    On-link
 24   5256 fe80::1140:f475:e605:190c/128
                                    On-link
 21    331 fe80::201e:afa1:4486:8098/128
                                    On-link
 10    281 fe80::26d4:6b91:b1e4:7a86/128
                                    On-link
 19    291 fe80::98dd:a3fe:a46f:b4cc/128
                                    On-link
 66   5256 fe80::9ec8:da74:b4b9:de09/128
                                    On-link
  1    331 ff00::/8                 On-link
 18    281 ff00::/8                 On-link
 24   5256 ff00::/8                 On-link
 21    331 ff00::/8                 On-link
 66   5256 ff00::/8                 On-link
 19    291 ff00::/8                 On-link
 10    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Hyper-V firewall: Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}'

Name                  : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}
Enabled               : False
DefaultInboundAction  : Allow
DefaultOutboundAction : Allow
LoopbackEnabled       : True
AllowHostPolicyMerge  : True

“Connection reset by peer” doesn’t look like a DNS issue to me. I think you should get “Could not resolve host” in that case.

How did you test that only the DNS were not behind VPN?

You can use nicolaka/netshoot to find out more about the network. Check if you can ping external IP addresses, not domains. Check if you can curl those addresses if ping is not allowed. Make sure your container network is not intersecting with the VPN network. If the VPN network was in the output of ifconfig on Windows, then it is not likely.

You can try restarting Docker after connecting to the VPN.

Which one is the VPN network?
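The "container network is not intersecting with the VPN network" check from the reply above can be done mechanically. The script below is an added example, not code from the thread or from nicolaka/netshoot: it takes the subnets posted above (172.17.0.0/16 for docker0, 172.18.0.0/16 for the compose network, 10.62.52.0/22 for the Check Point on-link subnet and a few of its split-tunnel routes from route print) and tests each Docker subnet against each VPN route. It is plain POSIX sh arithmetic, so it runs unchanged inside WSL2 or inside a netshoot container.

```shell
#!/bin/sh
# Added example (not from the thread): check that Docker bridge subnets do not
# intersect the VPN's routes. Addresses are the ones posted in this thread;
# the VPN route list is a subset of the Check Point entries from `route print`.

# Dotted quad -> unsigned 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length, as an integer (decimal literal so dash works too).
prefix_mask() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Two CIDRs overlap iff their network addresses agree under the shorter prefix.
cidr_overlap() {  # $1, $2: CIDRs; prints "overlap" or "disjoint"
  p1=${1#*/}; p2=${2#*/}
  if [ "$p1" -le "$p2" ]; then p=$p1; else p=$p2; fi
  m=$(prefix_mask "$p")
  a=$(( $(ip2int "${1%/*}") & m ))
  b=$(( $(ip2int "${2%/*}") & m ))
  if [ "$a" -eq "$b" ]; then echo overlap; else echo disjoint; fi
}

# Compare every Docker subnet against every VPN route; prints one line per
# pair and returns 1 if any pair overlaps.
check_docker_vs_vpn() {
  docker_subnets="172.17.0.0/16 172.18.0.0/16"            # docker0, br-525f1d83ccb6
  vpn_routes="10.62.52.0/22 10.0.0.0/11 10.62.0.0/20 200.122.113.0/24"
  rc=0
  for d in $docker_subnets; do
    for v in $vpn_routes; do
      r=$(cidr_overlap "$d" "$v")
      echo "$d vs $v: $r"
      [ "$r" = overlap ] && rc=1
    done
  done
  return $rc
}

check_docker_vs_vpn || echo "container subnet collides with a VPN route: pick another subnet in compose.yaml"
```

For the values posted here every pair is disjoint, which is consistent with the reply's conclusion that a route collision is unlikely; the check is still worth keeping, because Docker picks 172.17.0.0/16, 172.18.0.0/16 and so on automatically and corporate VPNs often push 172.16.0.0/12 routes.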

I meant that this occurs only for internal servers, that is, my company's my.server.com, which are accessible only via VPN.

ping/traceroute work fine for my.server.com, but curl doesn't. If I do a curl to www.google.com it works fine.

Already did, connected the VPN before Docker and after Docker started.

Check Point

Sounds like the VPN is messing up the route table and packets from the container are getting lost.

For the domain name or IP address?

For both. This is weird because only curl doesn't work.

Is it possible that your domain is not actually my.server.com ending with .com but something like my.server.local ending with .local? If I remember correctly, those would not work with curl, although in that case it would forward the query to localhost.

On the other hand, VPN would not matter then.

The domain is right because from WSL2 everything works fine: ping, traceroute and curl.

Problem solved, the issue was MTU size:

vpn MTU: 1300
wsl2 eth0 MTU: 1280
wsl2 docker0 MTU: 1500
wsl2 br-ecf9804545ca MTU: 1500 (docker subnet)

Because of this, WSL2 works fine (1280 MTU < 1300 MTU of the VPN) and Docker containers don't work (1500 MTU > 1300 MTU of the VPN). This was a really annoying problem, difficult to debug, but luckily it was resolved.

The bad part is that configuring the Docker MTU on WSL2 changes the MTU for the clients of my docker compose. Is there some easy way to configure this?

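The diagnosis above can be reproduced offline. The script below is an added example, not code from the thread: it feeds a constructed, cut-down copy of the ip addr output posted earlier through a small awk filter that lists every interface whose MTU is larger than the 1300-byte tunnel, and it includes the DF-flagged ping probe that pins down a path MTU without guessing. It also explains the "ping works, curl doesn't" symptom: a default ping carries 56 bytes and fits through any link, while a TCP segment leaving the container fills the bridge's 1500-byte MTU, cannot fit a 1300-byte tunnel, and evidently no usable "fragmentation needed" message came back to shrink it.

```shell
#!/bin/sh
# Added example, not code from the thread: find interfaces whose MTU exceeds
# the path MTU. SAMPLE_IP_ADDR is a constructed excerpt of the `ip addr`
# output posted above; 1300 is the Check Point tunnel MTU reported by the author.

SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1280 qdisc mq state UP group default qlen 1000
    inet 172.29.189.181/20 brd 172.29.191.255 scope global eth0
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
221: br-525f1d83ccb6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
223: vethee84464@if222: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-525f1d83ccb6 state UP group default'

# Print "name mtu" for every non-loopback interface whose MTU is above the
# path MTU. $1 = path MTU; `ip addr` or `ip link` text on stdin.
oversize_ifaces() {
  awk -v max="$1" '
    /^[0-9]+: / {
      name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
      for (i = 3; i <= NF; i++)
        if ($i == "mtu") { if (name != "lo" && $(i + 1) + 0 > max) print name, $(i + 1); break }
    }'
}

# Largest ICMP echo payload that fits an IPv4 packet of the given MTU
# (20-byte IP header + 8-byte ICMP header).
icmp_payload_for_mtu() { echo $(( $1 - 28 )); }

# Live probe (needs the VPN up, so it is not run here): with DF set, a ping of
# exactly this size must succeed and one byte more must fail with
# "message too long". Run it from WSL2 and again from the container.
pmtu_probe() { ping -c 1 -M do -s "$(icmp_payload_for_mtu "$2")" "$1"; }

printf '%s\n' "$SAMPLE_IP_ADDR" | oversize_ifaces 1300
```

On the posted data this prints docker0, the compose bridge and the container's veth at 1500, and nothing for eth0 at 1280, which is exactly the split between "works from WSL2" and "fails from the container". To use it live, pipe real output: ip addr | oversize_ifaces 1300, then pmtu_probe my.server.com 1300 from inside the container once the fix is applied.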

1500 is a pretty standard value as far as I know, but dockerd lets you change it:

Nice, so by changing daemon.json I can fix the Docker and network MTU in one file.

I can't understand why the hell Check Point VPN uses 1300 MTU and WSL2 uses 1280 MTU.
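Two configurations set a Docker MTU, and which one matters depends on the network: the daemon's mtu key only applies to the default bridge (docker0), while the compose network "rede" is a user-defined bridge and takes its MTU from the driver option com.docker.network.driver.mtu, either per network in compose or as a daemon-wide default. The script below is an added example, not code from the thread or from Docker: it renders both forms for the 1300 measured above. Assumptions: Docker Engine runs inside the WSL2 distro and reads /etc/docker/daemon.json (with Docker Desktop the daemon.json is edited in its settings instead), the engine honours default-network-opts (a dockerd option, assumed available in the version in use), and the compose project is the one posted above.

```shell
#!/bin/sh
# Added example, not from the thread: render the daemon-wide and the
# per-project way of setting a Docker bridge MTU. Paths and the
# default-network-opts key are assumptions stated in the lead-in.

# daemon.json: "mtu" sets docker0 only. "default-network-opts" gives every
# user-defined bridge created afterwards (what compose builds for "rede") the
# same value, so one file covers both.
daemon_json() {
  cat <<EOF
{
  "mtu": $1,
  "default-network-opts": {
    "bridge": { "com.docker.network.driver.mtu": "$1" }
  }
}
EOF
}

# Per-project alternative: a compose override that sets it on "rede" only.
compose_override() {
  cat <<EOF
networks:
  rede:
    driver_opts:
      com.docker.network.driver.mtu: "$1"
EOF
}

# Guard the value: not above the path MTU ($2), and not below 1280, the IPv6
# minimum, so enabling IPv6 on the network later does not break it.
valid_mtu() { [ "$1" -ge 1280 ] && [ "$1" -le "$2" ]; }

# Apply (not executed here). A network keeps its options until it is
# recreated, so the compose project must be brought down and up again:
#   daemon_json 1300 | sudo tee /etc/docker/daemon.json >/dev/null && sudo service docker restart
#   compose_override 1300 > compose.override.yaml && docker compose down && docker compose up -d
# Verify on the network and inside the container (works without iproute2 in the image):
#   docker network inspect -f '{{index .Options "com.docker.network.driver.mtu"}}' ambiente-desenvolvimento-docker_rede
#   docker compose exec wildfly cat /sys/class/net/eth0/mtu    # expect 1300

VPN_MTU=1300
if valid_mtu "$VPN_MTU" "$VPN_MTU"; then daemon_json "$VPN_MTU"; fi
```

Lowering the bridge MTU to 1300 does change what the containers see, which is the side effect noted above; it is the correct trade-off here, since any larger frame cannot leave the tunnel anyway, and 1300 is still above the 1280 that WSL2's own eth0 already uses.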