Solving missing network connection with Podman in restrictive corporate VPN
Recently I had a problem in my professional role. While looking into alternatives to Docker Desktop, I gave Podman a shot and was quite satisfied from the start. Although a few tweaks were necessary to handle the transition from docker-compose, the only real issue I had was unfortunately also quite severe. Whenever I turned on my corporate VPN connection, it was impossible to get any connection to the internet, e.g. to download images.
Despite my best search efforts, I was always guided towards a solution that involved altering my podman-machine settings with regard to nameserver usage.
And that is how I ended up trying my luck with various nameserver configurations in /etc/resolv.conf and turned off re-generation of said file via configurations in the /etc/wsl.conf file.
I had a eureka moment when I started reading the actual documentation provided by Podman instead of trying my luck with GitHub, Stack Overflow and Reddit. I guess sometimes there is good documentation, but many times there is not. And that is certainly why I tried to fast-forward my case to actual solution-oriented discussions on the aforementioned platforms.
Podman itself describes three different methods to proxy the internet connection. I tried the first recommended one without success. It requires the user to make a special type of installation, of which I am not certain what it does. It is called “restricted environment installation method” and materializes in the form of another executable that can be downloaded.
Unfortunately, it did not help with my problem. But the second recommended solution did. It is the usage of the --user-mode-networking flag. It relays network traffic through a user-space process on the host machine. The docs actually mention this specifically as a solution for some VPNs: “In some VPN configurations the VPN may drop traffic from alternate network interfaces, including VM network devices”.
For Windows/WSL the --user-mode-networking flag defaults to false but can be easily changed by the following means:
- Turn off your current Podman machine
- Remove the current Podman machine (or create a new one) via:
    podman machine rm
- Re-create a new Podman machine with the aforementioned flag:
    podman machine init --user-mode-networking
Now, after running
    wsl -d <podman-machine-name>
a ping to an external system or website should be working regardless of the restrictive corporate VPN. Intriguingly, this simple and easy solution was not prominently discussed.
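The steps above as one PowerShell script, with a check that the flag actually took effect. This is an added example, not part of the original post or the Podman documentation. It assumes the default machine name podman-machine-default, a Podman version whose "podman machine inspect" output includes the UserModeNetworking field, and example.com as a placeholder ping target.

```powershell
# Added example: recreate a WSL-backed Podman machine with user-mode networking
# and verify the result. Machine name and test host are assumptions; adjust both.
param(
    [string]$Name     = 'podman-machine-default',  # Podman's default machine name
    [string]$TestHost = 'example.com'              # placeholder connectivity target
)

function Invoke-Podman {
    # Native commands do not throw on failure, so check the exit code explicitly.
    & podman @args
    if ($LASTEXITCODE -ne 0) {
        throw "podman $($args -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Read the current mode. If the machine does not exist, podman prints an error
# and returns a non-zero exit code, and the script goes straight to init.
$current = & podman machine inspect $Name --format '{{.UserModeNetworking}}'
if ($LASTEXITCODE -eq 0) {
    if ("$current".Trim() -eq 'true') {
        Write-Host "Machine '$Name' already uses user-mode networking."
        return
    }
    # Removing the machine also deletes the images and containers stored in it.
    Write-Host "Stopping and removing '$Name'..."
    & podman machine stop $Name
    Invoke-Podman machine rm --force $Name
}

Write-Host "Creating '$Name' with --user-mode-networking..."
Invoke-Podman machine init --user-mode-networking $Name
Invoke-Podman machine start $Name

# Confirm the flag is recorded in the machine configuration.
$mode = Invoke-Podman machine inspect $Name --format '{{.UserModeNetworking}}'
if ("$mode".Trim() -ne 'true') {
    throw "Machine '$Name' was created, but UserModeNetworking is '$mode'."
}

# Connect the VPN before this step: the point is that traffic still gets out.
& wsl -d $Name ping -c 3 $TestHost
if ($LASTEXITCODE -ne 0) {
    throw "Ping to $TestHost from inside '$Name' failed; check the VPN and proxy settings."
}
Write-Host "Outbound connectivity from '$Name' works with user-mode networking."
```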