I have been waiting in anticipation for WSL2 (Windows Subsystem for Linux) and on May 28th when the update released for general availability I updated immediately.
At first I was super hyped. WSL2 and the Ubuntu 20.04 image just worked and ran smoothly and quickly. Combined it with the release version of Windows Terminal it was a real delight.
After some struggle I figured out how to fix my WSL2 environment when using a VPN connection in parallel. No PC or WSL2 reboot required! More details here: h. My case it is unable to ping to any of the addresses from WSL 2 when I connect to VPN (Cisco Anyconnect VPN client). I am running Windows 10 Enterprise Version 2004 (OS Build 19041.264) It did work after conversion from WSL1 to 2 and before reboot. After reboot it screwed up. WSL2 enables a 'full' Linux development environment in Windows. Tagged with linux, windows, wsl. CISCO AnyConnect, Checkpoint VPN.
I also went and grabbed Docker Desktop for Windows as it now has support for WSL2 as the underlying system. And joy it just installed and worked. Now being capable of running Docker containers directly from my shell without doing some of doing it the way I did before having a Ubuntu VM running in VMware Workstation and connecting to it via docker-machine on my WSL1 Ubuntu image. A hassle to get to work and not a very smooth operation.
Having the option to just start Docker containers is amazing!
But then I had to get some actual work done and booted up VMware Workstation to boot a VM. And it failed. With a Device Guard error. I followed the guides and attempted to disable Device Guard to no avail. Then it dawned on my. WSL2 probably enables the Hyper-V role! And that is exactly what happened.
Hyper-V and Workstation (or VirtualBox for that matter) do not mix well – that is until VMware released Workstation 15.5.5 to fix this exact problem just the day after WSL2 released. Perfect timing!
Simple fix – just update Workstation to 15.5.5 and reboot and WSL2 and Workstation now coexisted fine!
I played a bit more with WSL2 in the following days but ended up hitting some wierd issues where networking would stop working in the WSL2 image. No real fixes found. Many indicate DNS issues and stuff like that. Just Google “WSL2 DNS not working” and look at the mountains of issues.
But I suspected something else because DNS not working was just a symptom – routing out of the WSL2 image was not working. Pinging IPs outside the image did not work. Not even the gateway IP. And if the default gateway is not working of course DNS is not working.
I found that restarting fixed the issue so got past it that way but today it was back. I was very interested in figuring out what happened. And then I realized the potential problem and tested the fix. I was connected to my work network via Cisco AnyConnect. I tried disconnecting from VPN and testing connectivity in WSL again – now it works. Connected to VPN again and connectivity was gone.
Okay – source found – what’s the fix? I found this thread on Github that mentions issues with other VPN providers even when not connected. Looking through the comments I found a reference to a different issue of the same problem but regarding AnyConnect specifically.
I looked through the comments and many fixes around changing DNS IP and other things but the fix that seem to do the trick was running the following two lines of Powershell in an elevated shell after connecting to VPN
Those two lines change the Interface Metric so that the WSL interface has a higher priority than the VPN connection. This inadvertently also fixed an issue that I had with local breakout when on VPN not working correctly.
Downside of the fix is that this needs to be run every time you connect to VPN. I implemented a simple Powershell function in my profile so I just have to open an elevated shell and type “Fix-WSLNet”.
That is all for now!
Internet connection and DNS routing are broken from WSL2 instances, when some VPNs are active.The workaround breaks down into two problems:
- Network connection to internet
- DNS in WSL2
Wsl2 Vpn Anyconnect Free
This problem is tracked in multiple microsoft/WSL issues including, but not limited to:
- microsoft/WSL#5068
- microsoft/WSL#4277
- microsoft/WSL#4246
Network connection
When the VPN connection is active, network traffic out of WSL2 is not passed to the internet.
Changing the Interface Metric 1 -> 6000 for AnyConnect VPN Adapter resolves the connection issue, but this has to be done after each time the VPN connects.
By default, the Interface Metrics for AnyConnect are:
- IPv6: 6000
- IPv4: 1
Wsl2 Vpn Anyconnect Client
ping
times out from WSL Shell.
Changing the Interface Metrics for AnyConnect to:
- IPv6: 6000
- IPv4: 6000
ping
to IP Addresses succeed, but still no DNS Resolution.
DNS Resolution
When the VPN is active, the autogenerated /etc/resolv.conf
does not work. The list of nameservers must be manually built to include some sane default DNS Name Servers and the DNS from the VPN.
First, disable automatically generating /etc/resolv.conf
.Add the following configuration, or create the file if it doesn't exist. The path to this file is from the shell prompt of your WSL2 instance.
/etc/wsl.conf
Next, manually add the corportate DNS Server as the first nameserver
in /etc/resolv.conf
.
/etc/resolv.conf
To get <corporateDNS>
addresses, use ipconfig /all
from CMD
or Powershell
prompt, and check the details of the VPN adapter:
Automatically update Interface Metric
To automate this, I put the PS command in a script and created a Scheduled Task to run every time there is a network change.
Save the script in a file
Wsl2 Vpn Anyconnect Client
First, create the script. I have a 'scripts' directory in my Windows user home, so I put it at:
%HOMEPATH%scriptsUpdateAnyConnectInterfaceMetric.ps1
You can save it where you want, just make sure to use that path in step 13 below.
Create the scheduled task:
Wsl2 Anyconnect Vpn
- Open 'Task Scheduler'
- Click 'Create Task' on Right Sidebar
- Name: Update Anyconnect Adapter Interface Metric for WSL2
- Set Security Options
- Check box: 'Run with highest priveleges'
- Select 'Triggers' Tab
- Click 'New' at bottom of Window
- Open 'Begin the task' drop-down
- Select 'On an Event'
- Configure Event:
- option 1: Trigger on any Network Change
- Log: 'Microsoft-Windows-NetworkProfile/Operational'
- Source: 'NetworkProfile'
- Event ID: '10000'
- option 2: Trigger only when AnyConnect Client successfully connects to VPN
- Log: 'Cisco AnyCOnnect Secure Mobility Client'
- Source: 'acvpnagent'
- Event ID: '2039'
- option 1: Trigger on any Network Change
- Click 'OK'
- Select 'Actions' Tab
- Click 'New'
- Configure Action:
- Action: 'Start a Program'
- Program/script: 'Powershell.exe'
- Add arguments: '-ExecutionPolicy Bypass -File %HOMEPATH%scriptsUpdateAnyConnectInterfaceMetric.ps1'
- Click 'OK'
- Select 'Conditions' Tab
- Uncheck box:
- Power -> Start the task only if the computer is on AC Power
- Click 'OK'
Vpn Anyconnect Download
When AnyConnect finishes connecting, a Powershell window pops up for a couple seconds and WSL can reach the network.
Comments are closed.