Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DNS server coming from vpn network is not reflected in WSL #1350

Closed
asvetliakov opened this issue Nov 12, 2016 · 113 comments
Closed

DNS server coming from vpn network is not reflected in WSL #1350

asvetliakov opened this issue Nov 12, 2016 · 113 comments

Comments

@asvetliakov
Copy link

  • A brief description
    I've L2TP/IPsec vpn connection without default gateway set and own DNS server

  • Expected results
    Bash should add VPN DNS IP to /etc/resolv.conf

  • Actual results (with terminal output if applicable)
    No VPN DNS IP in /etc/resolve.conf . It works though if i set "use default gateway on remote network" (generally i don't want) setting in vpn configuration.

  • Your Windows build number
    14965.1001

2016-11-12

@sunilmut
Copy link
Member

@asvetliakov - Thanks for reporting the issue. Yes, we are aware of issues with VPN, as you can also see in #416. We are actively working on a solution for this. @misenesi as FYI.

@misenesi
Copy link

Hi @asvetliakov, could you please provide output when you do:

ipconfig /all

?

I have a fix prepared for this, but need to verify that your VPN networking interface is reported as point-to-point interface.

@asvetliakov
Copy link
Author

@misenesi

PS C:\Users\asvet> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Alexey-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Home

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : Home
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-V
   Physical Address. . . . . . . . . : E0-3F-49-AC-04-1E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5867:7e40:cdf2:456a%25(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.33(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, November 30, 2016 2:28:47 AM
   Lease Expires . . . . . . . . . . : Wednesday, November 30, 2016 2:28:47 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 65027913
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-92-04-D1-E0-3F-49-AC-04-1E
   DNS Servers . . . . . . . . . . . : 80.58.61.250
                                       80.58.61.254
   NetBIOS over Tcpip. . . . . . . . : Enabled

PPP adapter freechat.com:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : freechat.com
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.61.0.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.60.10.121
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-2F-01-1A-D1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 10:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:2cca:22a9:3f57:fede(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2cca:22a9:3f57:fede%19(Preferred)
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 318767104
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-92-04-D1-E0-3F-49-AC-04-1E
   NetBIOS over Tcpip. . . . . . . . : Disabled

The one with name 'freechat.com' is my VPN

@misenesi
Copy link

misenesi commented Dec 2, 2016

Thank you @asvetliakov . I have checked in a fix that will address some of the VPN DNS resolving issues, including yours. Currently for DNS resolving we update /etc/resolv.conf from the service. In this fix I added the capability to manually modify the /etc/resolv.conf file if you wish so, disabling its automatic regeneration.

However, due to how DNS resolving works for various VPN solutions, this fix will only work with strict force tunnel VPN that do not hide their DNS servers for privacy or security reasons. I have a proposal for better solution that is currently under discussion that would work for all VPN scenarios.

@blemasle
Copy link

@misenesi With creators update installed, the automic generation cannot be disabled on my system. Even if I remove the first line, it still get regenerated every single time. It's working for /etc/hosts though.

@sunilmut
Copy link
Member

@blemasle - @misenesi is no longer with MSFT.
It looks like we screwed up the /etc/resolv.conf auto-generation logic, see @benhillis comment in #1908.

Here is the background. By default, bash.exe will auto-generate /etc/resolv.conf every time you launch bash.exe. Then it will try to keep it up to date with changes from Windows, when bash is running. It looks like if you remove the first line, we stop auto-update of the file while bash is running, but forgot to disable the logic to auto-generate during bash launch. We do apologize for the inconvenience and as @benhillis mentions in #1908, we are looking to improve the experience here.

@johnarban
Copy link

I don't know if this is still a problem for anyone else. I am on build 16232.rs_prerelease.170624-1334 using WSL with Ubuntu 16.04.2 LTS from the Windows Store and CISCO AnyConnect version 21.12020 , and I still can't connect. I tried removing the commented line in /etc/resolv.conf, but it still get's reset. I don't know if there has a been a fix posted yet, but I haven't found it online if it exists.

@mo18
Copy link

mo18 commented Jul 22, 2017

The problem I'm seeing is that the ordering of the dns servers is incorrect when the vpn is connected. as a reslult, I can't resolve any of the hosts behind the vpn. I'm running windows 15063.483 with Cisco Anyconnect. The dns bindings in windows are the following:

> Get-DnsClientServerAddress -AddressFamily ipv4 | Select-Object -ExpandProperty ServerAddresses
10.0.0.51
10.0.0.52
192.168.1.1

in ubuntu the are the following:

$ cat /etc/resolv.conf
# This file was automatically generated by WSL. To stop automatic generation of this file, remove this line.
nameserver 192.168.1.1
nameserver 10.0.0.51
nameserver 10.0.0.52
search home xyz.vpn

@sunilmut
Copy link
Member

If you are connected to a VPN and lose connectivity within bash, please try the workaround posted here. It should work for Creators Update and above. Post Fall Creators Update, we will be looking at a better support for other VPN solutions.

Thanks to @bradley101, who first pointed out the workaround.

@johnarban
Copy link

Thank you that works around that. The only other thing is to get the list of domain suffixes, but that is 2nd order.

@nimbixler
Copy link

here's a more automatic workaround that works for me - in my case I only ever connect to one VPN at a time and its nameserver is at the very end of /etc/resolv.conf, which of course is no good.

YMMV but, first...

create a file in /etc/sudoers.d with allowing your username to run sudo with no password; you can restrict this to specific commands if you want but I do it for all (please adjust for your needs). For example let's say your username is linux, so create the file /etc/sudoers.d/00-linux (you can call this whatever you want), with the following text in it:

linux ALL=(ALL) NOPASSWD: ALL

you'll need to of course sudo to root to create that file. Be sure to replace "linux" with whatever your username is in WSL.

Close the shell and all instances of WSL and run a new one, and try it - type sudo -s
if you are not prompted for password, it worked. Otherwise please check the syntax.

Next, create this python file in your home directory = call it resolv_flip.py :

#!/usr/bin/python

if __name__ == '__main__':
    with open('/etc/resolv.conf', 'r') as f:
        lines = f.read().splitlines()
    ns = []
    other = []
    for i in lines:
        if i[:11] != 'nameserver ':
            other.append(i)
        elif i[11:][:2] == '8.':
            ns.append(i)
        else:
            ns.insert(0, i)
    with open('/etc/resolv.conf', 'w') as f:
        f.write('\n'.join(other) + '\n')
        f.write('\n'.join(ns) + '\n')

finally, add this to the end of your ~/.bashrc file:

sudo ~/resolv_flip.py

from that point forward every time you run the WSL shell it will flip the nameservers so that anything that doesn't start with 8. will be at the top, but it won't disturb the comment header that is used to autogenerate the file (because we need that information in order for this to work).

It's not perfect but it works fine for me, and it's dead simple.

Enjoy,
Leo Reiter

@spookyrecharge
Copy link

Don't forget to make /etc/resolv.conf file immutable after editing to avoid Windows overwrite it

chattr +i /etc/resolv.conf

I also was struggling with using wireguard tunnel
It was important to me since I'm using DoH on MikroTik wireguard server

@chrisdlangton
Copy link

This comment has the solution that worked best for me on WSL2
#2884 (comment)
Hope wsl-vpnkit helps you too

@marwin1991
Copy link

  1. Find out nameserver with windows powershell (during VPN Session and without) using nslookup
  2. USe sudo touch /etc/wsl.conf and sudo vim /etc/wsl.conf to add:
[network]                                                                        
generateResolvConf = false
  1. Restart wsl (Windows powershell) using wsl --shutdown
  2. Open WSL and remove using rm -f /etc/resolv.conf
  3. Add new file sudo touch /etc/resolv.conf and sudo vim /etc/resolv.conf with:
nameserver X.X.X.X

nameserver Y.Y.Y.Y
  1. Restart wsl (Windows powershell) using wsl --shutdown
  2. Open WSL and remove using wget google.com and test some you corporate domain.

@2-X
Copy link

2-X commented Nov 14, 2022

don't forget to make sure your VPN's nameserver comes first in your /etc/resolv.conf file
i was losing my sanity to this issue lol
luckily this seems to have done the trick for me

@EdwardCooke
Copy link

Here's my solution, it takes what @cod3monk3y did, and makes it automatic it so you don't have to run anything manually anymore. It's geared towards the Cisco AnyConnect client, so if you you're using something different, you would just need to figure out the events in the event log to trigger off of.

https://www.frakkingsweet.com/automatic-dns-configuration-with-wsl-and-anyconnect-client/

@Kraego
Copy link

Kraego commented Jan 11, 2023

Here's my solution, it takes what @cod3monk3y did, and makes it automatic it so you don't have to run anything manually anymore. It's geared towards the Cisco AnyConnect client, so if you you're using something different, you would just need to figure out the events in the event log to trigger off of.

https://www.frakkingsweet.com/automatic-dns-configuration-with-wsl-and-anyconnect-client/

Works like a charm, thanks.

@githubuser6000

This comment was marked as outdated.

@sanarena
Copy link

isn’t wsl-vpnkit working for you?

@githubuser6000
Copy link

A reboot fixed it 🤷‍♂️

@ajgrier
Copy link

ajgrier commented Feb 6, 2023

All the presented "solutions" seem to involve modifying resolv.conf. The default(?) WSL setup has resolv.conf pointing to an internal IP address, and the same address is also used as default route. The failure seems to be that WSL (which handles this internal routing and DNS server / proxy) is not tracking resolver changes on the windows side. All the modifications to resolv.conf are just workarounds for WSL's failure, not fixes to WSL.

Why are windows applications able to track resolver changes, but WSL isn't?

@Jan-Pleva
Copy link

Hi, is the VPN in development plan? We are waiting for this.

@exeral
Copy link

exeral commented Mar 2, 2023

unlike #2884 (comment) which push DNS from Windows to WSL
I have made a script for the other way: pull DNS from WSL.
https://gist.github.com/exeral/87c792d20262026318661fdc03ea8807

hope it helps ;)

@Jan-Pleva
Copy link

Thanks. Still I would need something more instant for enterprise environment.

@saraiva82
Copy link

I just went back to my vm after many hours wasted troubleshooting this.
Afterall....
image

They know and dont care lol

@ccbond
Copy link

ccbond commented Jan 9, 2024

在浪费了很多时间进行故障排除后,我刚刚回到我的虚拟机。 毕竟.... 图像

他们知道但不在乎哈哈

fu*k

@danielwagn3r
Copy link

For me the new WSL2dns tunneling feature solved the problem, see https://learn.microsoft.com/en-us/windows/wsl/wsl-config#main-wsl-settings

Add the following to %UserProfile%\.wslconfig to enable the feature:

# Settings apply across all Linux distros running on WSL 2
[wsl2]
# Changes how DNS requests are proxied from WSL to Windows
dnsTunneling=true

@jaredbrogan
Copy link

For me the new WSL2dns tunneling feature solved the problem, see https://learn.microsoft.com/en-us/windows/wsl/wsl-config#main-wsl-settings

Add the following to %UserProfile%\.wslconfig to enable the feature:

# Settings apply across all Linux distros running on WSL 2
[wsl2]
# Changes how DNS requests are proxied from WSL to Windows
dnsTunneling=true

Thanks for pointing that out. Unfortunately, it's only available in Windows 11. 😢
image

@dendr203
Copy link

dendr203 commented Mar 8, 2024

In my case, i set VPN network interface metric to 6000 and both vpn and internet within wsl is now working: Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000 Cisco AnyConnect mentioned in command above is my VPN. yours could be different. along with the metric number.

and then used @cod3monk3y solution above for fixing DNS.

This was the only think that have worked for me and resolved the issue.

@TuanChauKMS
Copy link

Guys, are there any plans to completely fix this issue in the future?
Thanks all :)

@OneBlue
Copy link
Collaborator

OneBlue commented May 14, 2024

Hi ! Please try the latest networking features that we've added in WSL. Those should greatly improve compatibility with VPN's.

If the issue still remains, please reopen this issue.

@OneBlue OneBlue closed this as completed May 14, 2024
@rgmz
Copy link

rgmz commented May 15, 2024

Hi ! Please try the latest networking features that we've added in WSL. Those should greatly improve compatibility with VPN's.

That link doesn't state it, but the linked page "Advanced settings configuration in WSL" makes it clear that these settings require Windows 11.

@OneBlue do you know if there are plans to support dnsTunneling and autoProxy on Windows 10?

@OneBlue
Copy link
Collaborator

OneBlue commented May 15, 2024

@OneBlue do you know if there are plans to support dnsTunneling and autoProxy on Windows 10?

Unfortunately, those features won't be backported to Windows 10.

@froh
Copy link

froh commented May 16, 2024 via email

@terlar
Copy link

terlar commented May 17, 2024

Don't be too sad about it, it is not sure that it will fix the issues anyways. I am currently using Citrix Secure Access and I still have to use wsl-vpnkit to get connectivity when on the VPN.

[wsl2]
networkingMode=mirrored
firewall=true
dnsTunneling=true
autoProxy=true

@titanofold
Copy link

dnsTunneling=true does help resolve the name to an IP address, but I still can't connect to internal resources. I've tried with and without networkingMode=mirrored.

@zeel01
Copy link

zeel01 commented Aug 20, 2024

Hi ! Please try the latest networking features that we've added in WSL. Those should greatly improve compatibility with VPN's.

If the issue still remains, please reopen this issue.

What about WSL 1? Due to the filesystem performance issue in WSL 2, it remains unusable for my needs. If I'm understanding this new feature correctly, it's only available to WSL 2.

This issue is rather frustrating, as it doesn't always not work with a VPN. I was testing earlier connecting and disconnecting VPN (OpenVPN Connect) and the /etc/resolv.conf magically would update whenever I did. In order to get it "stuck" I had to disconnect VPN, put the computer to sleep, wake it back up, and reconnect - at that point connecting or disconnecting the VPN didn't cause the file to update anymore.

Using wsl --shutdown will do the trick of "fixing" it until the next time my computer goes to sleep (hibernate actually, in case it matters). But that's not a solution, and is really annoying if you have multiple terminals open doing stuff and need to reboot WSL which kills them all.

I would be happy with something as simple as a command that just resets the process that's supposed to sync the DNS settings. At least if I could do that, I could automate it and wouldn't need to shut down WSL entirely. If someone knows a way to do this, it would be greatly appreciated.

I certainly shouldn't need to use my own or a third party script to update the file, when it actually does work some of the time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests