WSL-2 DNS is not working with VPN connection on Win 10 [closed]
I have WSL Version 2 running on my Windows 10 laptop. I'm using the WSL distribution Ubuntu-20.04. When I connect to a VPN network, domain name resolution doesn't work, so I can't access the Internet.

VPN Client in use is "Cisco AnyConnect Secure Mobility Client"

I tried the following steps to resolve this problem.

  1. Open the Windows command prompt in admin mode
  2. Execute the following commands

    netsh winsock reset
    netsh int ip reset all
    netsh winhttp reset proxy
    ipconfig /flushdns

  3. Reboot

That worked once; I had access to the internet. But as soon as I disconnected the VPN connection and connected again, I had the same problem all over again. I tried to just execute the commands again and rebooted, but now that's not working anymore.

What is a permanent fix for this problem?

Buckner answered 2/3, 2021 at 18:8 Comment(6)
I'd recommend moving this over to Super User since it isn't directly programming related, and thus off-topic for Stack Overflow. – Cowpuncher
Does this answer your question? PulseSecure VPN prevents WSL2 internet connectivity – Marxmarxian
@piouson: the mentioned question is not available, can you open this question or share another similar question please? I have exactly the same issue. – Arcuation
@Arcuation I fixed my issue with wsl-vpnfix – Marxmarxian
This answer here -> superuser.com/a/1718953/953434 works for sure irrespective of your distribution. Ubuntu or Debian or any other. – Bicameral
Just reinstall AnyConnect: superuser.com/a/1723900/868946 – Siana
There is an issue with DNS forwarding in WSL2 when using a VPN (see the GitHub issue). Plus there is an issue with Cisco AnyConnect. So here is a workaround for these problems. It should work for Ubuntu and Debian.

Workaround (new - automatic)

This solution is automatic and was created by EdwardCooke (see https://www.frakkingsweet.com/automatic-dns-configuration-with-wsl-and-anyconnect-client/). This is just the first part of his solution, which updates resolv.conf when starting WSL.

  1. Re-enable auto generation of resolv.conf (if disabled)

    by commenting out the disable lines with #:

    sudo nano /etc/wsl.conf

    #[network]
    #generateResolvConf = false

  2. Create the script

    sudo nano /bin/vpn-dns.sh

    #!/bin/bash
    # Asks Windows for the DNS servers of the AnyConnect adapter first, then of
    # every other adapter, and rewrites /etc/resolv.conf with them.
    # Writing /etc/resolv.conf needs root, hence the sudo setup in step 3.
    # CRs are stripped before awk so that empty Windows output lines are
    # skipped (the NF guard) instead of producing bare "nameserver" entries.

    echo "Getting current DNS servers, this takes a couple of seconds"

    /mnt/c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -Command '
    $ErrorActionPreference="SilentlyContinue"
    Get-NetAdapter -InterfaceDescription "Cisco AnyConnect*" | Get-DnsClientServerAddress | Select -ExpandProperty ServerAddresses
    Get-NetAdapter | ?{-not ($_.InterfaceDescription -like "Cisco AnyConnect*") } | Get-DnsClientServerAddress | Select -ExpandProperty ServerAddresses
    ' | \
            tr -d '\r' | \
            awk 'BEGIN { print "# Generated by vpn fix func on", strftime("%c"); print } NF { print "nameserver", $1 }' \
            > /etc/resolv.conf
    clear

  3. Make it executable/run as sudo

    sudo chmod +x /bin/vpn-dns.sh
    echo "$(whoami) ALL=(ALL) NOPASSWD: /bin/vpn-dns.sh" | sudo tee /etc/sudoers.d/010-$(whoami)-vpn-dns

  4. Make it run on WSL startup

    # The script must be started through sudo (it writes /etc/resolv.conf);
    # the sudoers rule from step 3 makes that password-less.
    echo "sudo /bin/vpn-dns.sh" | sudo tee /etc/profile.d/vpn-dns.sh


You can also run it manually: sudo /bin/vpn-dns.sh

Workaround (old manual)

  1. Find out the nameserver with Windows PowerShell (during the VPN session):

    nslookup

    You'll get the IPv4 address of your corporate nameserver. Copy this address.

  2. Disable resolv.conf generation in WSL:

    sudo nano /etc/wsl.conf

    Copy this text to the file (to disable resolv.conf generation when WSL starts up):

    [network]
    generateResolvConf = false

  3. In WSL, add your corporate nameserver to resolv.conf:

    sudo nano /etc/resolv.conf

    Remove other entries and add your corporate nameserver IP (if you have a secondary nameserver, add it on a separate line):

    • nameserver X.X.X.X (where X.X.X.X is the address obtained in step 1)

  4. Set your VPN adapter (if you have Cisco AnyConnect): open an admin PowerShell

    • Find out your VPN adapter name: Get-NetIPInterface (in my case: "Cisco AnyConnect")
    • Set the adapter metric (replace the -Match value with your name); in my case I have to run this after every reboot or VPN reconnect:

    Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000

    (What the interface metric is: it is used to determine the route; Windows uses the interface with the lowest metric.)

  5. Restart WSL from PowerShell: wsl.exe --shutdown

  6. Test it in WSL; run: wget google.com - if this command works, you are done.

In my case I get DNS issues when I try to connect to internal resources via the browser (on Windows 10, e.g. the intranet), caused by the high metric value set in step 4 (basically kind of disabling the VPN route). So here is the workaround for the workaround:

  1. Check your default metric (of the VPN interface) in PowerShell (replace the -Match value with your interface name):

    Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Get-NetIPInterface

  2. When running into problems on Windows 10, restore this default value with an admin PowerShell (replace the value at the end with your default value):

    Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 1
Section answered 29/7, 2021 at 10:3 Comment(10)
wget : The underlying connection was closed: An unexpected error occurred on a receive. At line:1 char:1 + wget google.com + ~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand – Cirone
It seems like you're running wget in PowerShell; you should try that in the WSL instance, not on Windows. – Section
My personal solution (1/2 based on yours) – Cirone
I was having a lot of trouble with this issue... and with AlmaLinux and Sophos Connect as VPN. Your solution worked for me! At least part of it... just steps 1-3 and restarting WSL did the trick. Thanks a lot! – Ratiocinate
When I run Get-NetAdapter | Where-Object -FilterScript {$_.InterfaceDescription -Match "Cisco AnyConnect"}| Set-NetIPInterface -InterfaceMetric, I get the error Set-NetIPInterface : No matching MSFT_NetIPInterface objects found by CIM query for instances of the ROOT/StandardCimv2/MSFT_NetIPInterface class on the CIM server: SELECT * FROM MSFT_NetIPInterface WHERE ((InterfaceIndex = 19)) AND ((InterfaceAlias LIKE 'Ethernet 2')). Verify query parameters and retry. – Dinka
@Dinka you can run Get-NetAdapter -Name * to find out the name of the corresponding VPN network adapter. – Section
Getting permission denied on startup. Not working. – Calceolaria
The updated fix does not work. Please include the process to undo the changes so it doesn't appear at every startup. – Glottalized
It helps only before you restart the OpenVPN connection. – Leffen
And also I found it fixes DNS only inside WSL; outside, Windows DNS is still broken... /me thinking of returning to a Linux desktop, it is really frustrating. – Leffen
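As an added example (not part of the answer above nor of the frakkingsweet.com script), here is the resolv.conf generation step of vpn-dns.sh as a POSIX sh function that validates the Windows DNS list instead of turning every output line into a nameserver entry: it strips CRs, skips blank lines and anything that is not a dotted-quad IPv4 address (adjust if your VPN hands out IPv6 resolvers), deduplicates, and stops at three servers because the glibc resolver ignores nameserver lines beyond the third. The input sample is constructed.

```shell
#!/bin/sh
# Added example (not from the answer above): the resolv.conf generation step
# of vpn-dns.sh as a POSIX sh function that validates the Windows DNS list
# instead of turning every output line into a "nameserver" entry.

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# build_resolv_conf: read the Windows DNS server list (one address per line,
# CRLF endings, VPN adapter first) on stdin; write resolv.conf text on stdout.
# Only valid, unique IPv4 addresses are kept, at most three of them, because
# the glibc resolver ignores nameserver lines beyond the third.
build_resolv_conf() {
    printf '# Generated by vpn-dns example on %s\n' "$(date '+%c')"
    tr -d '\r' | {
        seen=' '
        count=0
        while read -r line; do            # default IFS trims surrounding blanks
            is_ipv4 "$line" || continue   # skip blanks, IPv6, error text
            case $seen in *" $line "*) continue ;; esac
            seen="$seen$line "
            printf 'nameserver %s\n' "$line"
            count=$((count + 1))
            if [ "$count" -ge 3 ]; then break; fi
        done
    }
}

# Constructed sample of what the PowerShell pipeline might print: VPN
# resolvers first, a blank line, an IPv6 site-local placeholder, the home
# router, a duplicate and a fourth public resolver.
sample_windows_dns() {
    printf '10.10.0.53\r\n10.10.0.54\r\n\r\nfec0:0:0:ffff::1\r\n192.168.0.1\r\n10.10.0.53\r\n8.8.8.8\r\n'
}

# Preview the file that would be written (redirect to /etc/resolv.conf as root).
sample_windows_dns | build_resolv_conf
```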
This worked for me.

How AnyConnect v4.9 breaks it: it adds a route for the WSL2 subnet with a low metric (2, lower than 5256), which causes the VPN to become the chosen route, and of course that will never work. As seen below (c:> route.exe print; note: "172.17.228.192 255.255.255.240" is the WSL2 destination subnet):

    172.17.228.192  255.255.255.240  On-link     172.17.228.193  5256
    172.17.228.192  255.255.255.240  10.255.0.1  10.255.0.71     2

This problem is solved when I change the VPN route metric to 5500, higher than 5256, by doing so: Control Panel – Network – click the VPN – Properties – IPv4 – Properties – Advanced – Automatic metric: uncheck it and type in 5500.

source: https://riowingwp.wordpress.com/2020/12/13/anyconnect-bug/

Cara answered 27/7, 2021 at 4:7 Comment(2)
TLDR; Control Panel -> Network adapters -> VPN adapter properties -> IPv4 -> Advanced -> Interface metric 5500 – Calceolaria
While this does fix the issue, the value gets reset every time you disconnect and reconnect to the VPN. How to set it permanently? – Sturm
There is an issue with VPN integration in WSL running on my Windows 10. You need to redirect WSL to the VPN; please follow these steps:

STEP-1: Obtain the DNS address from Windows PowerShell

    >nslookup
    Servidor predeterminado:  yyyy.com
    Address:  x.x.x.x

or

    >ipconfig /all

STEP-2: Open Ubuntu-20.04 Version 2 WSL and open /etc/resolv.conf

STEP-3: Modify /etc/resolv.conf. Add the VPN address in the first position (I deleted the other addresses, but it is not necessary), save the file, and try to access again. My file looks like:

    nameserver X.X.X.X
Mezereon answered 14/4, 2021 at 14:8 Comment(3)
Must I add the VPN IP assigned to my PC or the VPN GW? – Margarita
Thank you @Poropb, this solved the problem for me. I just moved the VPN IP in /etc/resolv.conf to the top, above the others. BTW, in my case at the top was my local router IP - 192.168.0.1. – Trimaran
The IP address was already in first position, still not working. – Calceolaria
All that I needed from @kraego's answer is:

    Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Get-NetIPInterface

I couldn't ping 8.8.8.8, but with the metric change it started to work.

    Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match 'Cisco AnyConnect'} | Set-NetIPInterface -InterfaceMetric 6000

And I added it to a Windows scheduled task:

Event trigger

Action: start Powershell.exe. Parameters: -ExecutionPolicy Bypass "Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match 'Cisco AnyConnect'} | Set-NetIPInterface -InterfaceMetric 6000"

But I always need to start WSL before connecting to the VPN.

Quetzal answered 6/1, 2022 at 19:32 Comment(2)
Your quote doesn't even include the metric change that helped you. – Undershorts
You are right, edited. – Quetzal
