WinApps setup throws repeated error 14 with pre-existing podman Windows VM -- using default IP instead of given VM IP

Open coding-opossum opened this issue 4 months ago • 6 comments

Description

I keep getting an error 14 when running setup.sh as instructed. The log shows it's trying to RDP connect to 127.0.0.1 during setup despite me having gone through winapps.conf, setup.sh, and /bin/winapps and having changed RDP_IP and DOCKER_IP to the VM's IP. I've attempted using /cert:tofu and (separately) /cert:ignore in setup.sh in RDP_FLAGS and neither worked during setup. But /cert:tofu works outside of setup when I'm simply using xfreerdp3 directly in the terminal to connect to the VM.

I saw #391 and #244 which had very similar issues as I do, so I removed the quotation in line 1049 of setup.sh as described in #244 but it didn't fix my issue.

Set up

  • Host: Ubuntu 24.04 LTS
  • VM: Windows 11 Pro in podman container with VM named RDPWindows
  • Tailscale VPN on both host and VM - IPs of 100.xxx.xxx.AB and 100.xxx.xxx.YZ respectively with local network access allowed
  • Port: 3389
  • RDP enabled in VM Windows settings and in the firewall
  • compose.yaml has unique USERNAME and PASSWORD which is reflected in winapps.conf.
  • changed RDP_FLAGS's /sec:tls to /sec:nla as that is required by Windows.

Steps to Reproduce

  1. Set up tiny11 using podman following the installation documentation, having changed USERNAME and PASSWORD in compose.yaml from the defaults. It'll be easier for you if you use "redacted" as both USERNAME and PASSWORD as that's what's in files I've linked for replication.
  2. Access VM via browser using the link given in spinning up the podman container. Installed Tailscale for Windows, connecting to the same location as host machine, and enabled local network access to get an IP for the VM that's within network wherever the host machine (my laptop) may be.
  3. In the VM, download virtio-win-gt-x64.msi, RDPApps.reg, install.bat, and NetProfileCleanup.ps1, install QEMU Guest Agent, and install.bat Run as Administrator.
  4. Log out of and close VM desktop while keeping podman container up.
  5. Verify FreeRDP can connect. In host terminal input xfreerdp3 /sec:nla /u:"redacted" /p:"redacted" /v:"100.xx.xxx.YX:3389" /cert:tofu, using the VM's IP address obtained from ipconfig. FreeRDP will connect and open Windows VM desktop in new window. Log out and close VM window.
  6. Download provided files above, replacing /bin/winapps with /bin/winapps (remove .txt). Replace winapps.conf with winapps.conf changing .txt to .conf. Replace setup.sh with setup.txt changing .txt to .sh. Make sure to replace 100.xx.xxx.YZ with the IP of the Windows VM obtained from ipconfig in the following locations:
    • setup.sh on line 78
    • winapps.conf on line 21
    • /bin/winapps on line 35
  7. In the host terminal, follow installation documentation and input bash <(curl https://raw.githubusercontent.com/winapps-org/winapps/main/setup.sh). Output:
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 81478  100 81478    0     0  1659k      0 --:--:-- --:--:-- --:--:-- 1692k
    ################################################################################
    #                                                                              #
    #                            WinApps Install Wizard                            #
    #                                                                              #
    ################################################################################

    Q) Install or uninstall WinApps? --> Install
    Q) Configure WinApps for the current user 'iz_avery' or the whole system? --> Current User
    Q) Automatically install supported applications or choose manually? --> Manual (Default)

    WinApps installation already present at /home/user/.local/bin/winapps-src. Updating...
    Already up to date.
    Installing WinApps.
    Checking for existing conflicting WinApps installations... Done!
    Attempting to load WinApps configuration file... Done!
    Checking whether dependencies are installed... Done!
    Checking container status... Done!
    Checking for an open RDP Port on Windows... Done!
    Attempting to establish a Remote Desktop connection with Windows... Failed!

    ERROR: REMOTE DESKTOP PROTOCOL FAILURE.
    FreeRDP failed to establish a connection with Windows.
    --------------------------------------------------------------------------------
    Please view the log at /home/user/.local/share/winapps/FreeRDP_Test_20250723_1801_475717144.log.
    Troubleshooting Tips:
      - Ensure the user is logged out of Windows prior to initiating the WinApps installation.
      - Ensure the credentials within the WinApps configuration file are correct.
      - Utilise a new certificate by removing relevant certificate(s) in /home/user/.config/freerdp/server.
      - Try increasing the RDP_TIMEOUT in /home/user/.config/winapps/winapps.conf.
      - If using 'libvirt', ensure the Windows VM is correctly named as specified within the README.
      - If using 'libvirt', ensure 'Remote Desktop' is enabled within the Windows VM.
      - If using 'libvirt', ensure you have merged 'RDPApps.reg' into the Windows VM's registry.
      - If using 'libvirt', try logging into and back out of the Windows VM within 'virt-manager' prior to initiating the WinApps installation.
    --------------------------------------------------------------------------------
    Exiting with status '14'.

Log:

    [18:01:05:876] [126505:0001ee2a] [WARN][com.freerdp.core.nego] - [nego_enable_aad]: This build does not support AAD security, disabling.
    [18:01:20:891] [126505:0001ee2a] [ERROR][com.freerdp.core] - [freerdp_tcp_default_connect]: ERRCONNECT_CONNECT_FAILED [0x00020006]
    [18:01:20:891] [126505:0001ee2a] [ERROR][com.freerdp.core] - [freerdp_tcp_default_connect]: failed to connect to 127.0.0.1
    [18:01:20:891] [126505:0001ee2a] [ERROR][com.freerdp.core.nego] - [nego_connect]: Failed to connect

This is my first attempt at all of this (including posting to GitHub) so if I've missed anything please let me know.

coding-opossum avatar Jul 24 '25 01:07 coding-opossum

I don't understand what you're trying to do here? The RDP_IP is always 127.0.0.1 for podman and there is no such config option as DOCKER_IP.

oskardotglobal avatar Jul 24 '25 10:07 oskardotglobal

Are you running the VM and winapps on the same machine?

oskardotglobal avatar Jul 24 '25 10:07 oskardotglobal

DOCKER_IP is on line 78 of setup.sh and line 35 of /bin/winapps.

The VM and winapps are on the same machine. But when I was testing xfreerdp on the host machine (my laptop) to verify connection to the VM it kept throwing me errors when I tried other IPs. Admittedly, I had a few errors back then so I tried it again (after making sure to change DOCKER_IP back to 127.0.0.1 in setup.sh and /bin/winapps and changing RDP_IP in winapps.conf back to 127.0.0.1), and I got an error 104 "Connection reset by peer". So of course the installer threw an error 14 again.

I am new at networking, so it's very likely that I'm missing something, but I don't understand

  • how podman-compose containers can all be to the same IP
  • how winapps would even be able to connect to my VM via 127.0.0.1 (port 3389) if the VM's IP is 100.xx.xxx.YZ. Those are two different addresses. Especially since the VM is on a VPN and thus has secure tunneling between the network and the VM. (I do have Tailscale on the VM set to allow incoming connections though.)

coding-opossum avatar Jul 24 '25 15:07 coding-opossum

Ok, firstly, you don't need the VPN to connect. Secondly, the traffic on port 3389 is forwarded to localhost given you have not removed the ports key from the compose file. If this is not the case, then podman is probably the issue here.

oskardotglobal avatar Jul 24 '25 18:07 oskardotglobal

Based on what I was finding online when trying to figure things out, I thought port forwarding--especially through port 3389--isn't that secure and it's more secure to do so on a VPN?

I've found some podman networking articles/documentation I'm going to (re)read now but I want to send this reply off first. For the second point, how would I go about checking that and debugging? Also, I have to admit that I'm a bit uncertain about what you mean when you say "the traffic on port 3389 is forwarded to localhost" -- specifically because I don't understand how there can be traffic on that port in the VM if I don't have the VM open via port 8008 and I can't connect to the VM via xfreerdp3 with IP address 127.0.0.1:3389 (I keep getting [ERROR][com.freerdp.core.transport] - [transport_read_layer]: BIO_read returned a system error 104: Connection reset by peer). In that case, there should be no traffic on port 3389, correct? So then how can traffic on that port be forwarded if there's no traffic on that port?

coding-opossum avatar Jul 28 '25 15:07 coding-opossum

coding-opossum I'm getting the same error with both podman and qemu on Fedora 42. Did you ever figure this out?

ccbadd avatar Sep 06 '25 11:09 ccbadd

@coding-opossum Port-forwarding inside an isolated environment (like your own machine) is safe. The security concerns you may have read about usually apply when ports are exposed to the internet through router-level port-forwarding, or when a port on your local machine is made accessible to other devices on the same network.

In our case with Docker/Podman, we’re simply forwarding port 3389 from the Windows VM to the same port on the host OS. This does not open port 3389 to your local network - it remains accessible only within your system. That’s why there’s no need for a VPN here. Adding one would only serve to complicate the setup.

If you look at compose.yaml, you’ll see:

    ports:
      - 8006:8006 # Map '8006' on Linux host to '8006' on Windows VM --> For VNC Web Interface @ http://127.0.0.1:8006.
      - 3389:3389/tcp # Map '3389' on Linux host to '3389' on Windows VM --> For Remote Desktop Protocol (RDP).
      - 3389:3389/udp # Map '3389' on Linux host to '3389' on Windows VM --> For Remote Desktop Protocol (RDP).

This maps Windows port 3389 to your host OS, for both TCP and UDP, so you can connect via 127.0.0.1:3389.

KernelGhost avatar Sep 11 '25 05:09 KernelGhost
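
One way to check which host addresses the published port 3389 is actually bound to (an added example, not part of the comment above or of the WinApps project). Docker and Podman publish a short-syntax `ports:` entry that names no host IP on all host interfaces by default; the `127.0.0.1:` prefixed entry, the function names and the sample `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not WinApps code). Reports which host addresses a published
# container port is bound to, from a compose entry and from `ss` output.

# Classify a compose short-syntax entry: [HOST_IP:]HOST_PORT:CONTAINER_PORT[/proto]
# (IPv4 host IPs only; bracketed IPv6 host IPs are out of scope here.)
binding_scope() {
    entry=${1%%/*}                            # drop "/tcp" or "/udp"
    case "$entry" in
        *:*:*) host_ip=${entry%%:*} ;;        # three fields: first is the host IP
        *)     echo "all-interfaces"; return ;;  # no host IP: runtime default 0.0.0.0
    esac
    case "$host_ip" in
        127.*)   echo "loopback" ;;
        0.0.0.0) echo "all-interfaces" ;;
        *)       echo "specific:$host_ip" ;;
    esac
}

# Print local addresses listening on TCP port $1; stdin is `ss -Hltn` output.
listen_addrs() {
    awk -v port="$1" '{
        n = split($4, a, ":")                 # column 4 is Local Address:Port
        if (a[n] == port) { sub(":" port "$", "", $4); print $4 }
    }'
}

# Succeed only if at least one listener was read and all are loopback.
loopback_only() {
    seen=1
    while read -r addr; do
        seen=0
        case "$addr" in
            127.*|"[::1]") ;;
            *) return 1 ;;
        esac
    done
    return "$seen"
}

# Constructed sample of `ss -Hltn` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:3389 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8006 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

for e in "3389:3389/tcp" "127.0.0.1:3389:3389/tcp"; do
    echo "$e -> $(binding_scope "$e")"
done
echo "3389 listens on: $(printf '%s\n' "$SAMPLE_SS" | listen_addrs 3389)"
# Live check on the host: ss -Hltn | listen_addrs 3389 | loopback_only
```

A listener on `0.0.0.0` or `[::]` is reachable from other machines unless a host firewall blocks it; the UDP mapping can be checked the same way with `ss -Hlun`.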

@coding-opossum Have you been able to resolve this? If not, I’d recommend starting again from scratch without any modifications (e.g. hard-coding IP addresses in the scripts). From your log it looks like you tested the correct VM IP, but the final connection step still fell back to using localhost, where port 3389 might not have been forwarded correctly (possibly due to your manual changes). In any case, WinApps is designed to handle the RDP connection automatically, and you shouldn’t need to edit the scripts or use a VPN. Could you please try a clean setup and let us know if the issue persists?

KernelGhost avatar Sep 20 '25 01:09 KernelGhost