Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WSL2 , problem with network connection when VPN used (PulseSecure) #5068

Open
fibu79 opened this issue Apr 10, 2020 · 371 comments
Open

WSL2 , problem with network connection when VPN used (PulseSecure) #5068

fibu79 opened this issue Apr 10, 2020 · 371 comments
Labels

Comments

@fibu79
Copy link

fibu79 commented Apr 10, 2020

I'm using MS v. 2004 (build 19041) with UBUNTU linux on WSL2.
When I don't use VPN on windows , everything is fine - I have internet connection on windows and wsl2 ubuntu.
But when established connection via VPN (on windows) then on windows still is OK - I have both internet and vpn connection , but on Ubuntu there is no network connection at all (no internet , no vpn access).
I suspect there is a problem with NAT (on Hyper-V default switch)
Any idea what could be wrong ?
Additionally: on wsl1 everything worked fine (also when VPN enabled)

Currently on wsl2 it looks like this :
fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.30.123.209 netmask 255.255.240.0 broadcast 172.30.127.255
inet6 fe80::215:5dff:fe41:b550 prefixlen 64 scopeid 0x20
ether 00:15:5d:41:b5:50 txqueuelen 1000 (Ethernet)
RX packets 263 bytes 27705 (27.7 KB)
RX errors 0 dropped 1 overruns 0 frame 0
TX packets 223 bytes 34352 (34.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 2 bytes 56 (56.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 56 (56.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$
fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$ ping google.com
ping: google.com: Temporary failure in name resolution
fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$
fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.30.112.1 0.0.0.0 UG 0 0 0 eth0
172.30.112.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$ cat /etc/resolv.conf
nameserver 172.30.112.1
fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$

@fibu79
Copy link
Author

fibu79 commented Apr 18, 2020

Does anyone can help ...?

@WangHaiYang874
Copy link

I'm troubling with the samilar problem here. It's frustrating

@aaemon
Copy link

aaemon commented May 1, 2020

same problem, wsl1 working fine, all the distros in wsl2 is not connecting to internet

@akulbe
Copy link

akulbe commented May 4, 2020

I am having a similar issue when I'm on the GlobalProtect VPN connection to our corporate network. One workaround I've found is to add the IP for your router to /etc/resolv.conf as a nameserver entry.

@dys152
Copy link

dys152 commented May 4, 2020

Same here, seems to be intermittent though. Also have docker desktop running and stopping that has fixed it a couple of times but not always.

@yanke1311
Copy link

i have the same problem

@carl-berg
Copy link

Same problem here. WSL2 can't access internet after connecting to VPN. If I turn it off, things are OK again. Using windows VPN configuration (IKEv2), no special VPN app.

@peterhorvath
Copy link

Latest pulse secure vpn client for corp vpn connection and experiencing the same issue.
WSL2 has almost none existent internet connection when connected on VPN

@honeway
Copy link

honeway commented May 28, 2020

Same issue happens on released Windows 10 2004, run Ubuntu 20.04 on WSL2 when connect to Pulse Secure.

I have tried solutions mentioned in
#1350
Didn’t work to me.

@peterhorvath
Copy link

#4277

@petersonsbuild
Copy link

petersonsbuild commented May 29, 2020

same problem for me, cisco anyconnect vpn client running Windows 10 2004 WSL2 Ubuntu 18.04 and 20.04

@peterhorvath
Copy link

Interestingly i can curl http sites while on vpn but not https.

@peterhorvath
Copy link

okay it is resolve for me, apparently IT had a transparent url filtering proxy when i am connected to VPN and needed bypass, it also works when i set http_proxy/https_proxy and proxy for apt within WSL2 to the corp proxy.

@chazt3n
Copy link

chazt3n commented Jun 2, 2020

@peterhorvath is your anyconnect setup to use full tunnel?

@peterhorvath
Copy link

peterhorvath commented Jun 2, 2020 via email

@luvwagn
Copy link

luvwagn commented Jun 3, 2020

I'm having same issues, have read multiple reports on here and elsewhere. Everything worked against Cisco AnyConnect when using WSL v1. After upgrading to latest Windows and updating to WSL v2, my internet connectivity inside WSL is broken. I'm in split-tunnel mode, but will try full-tunnel.

@honeway
Copy link

honeway commented Jun 3, 2020

When WSL2 is started after connecting to VPN through Pulse Secure, WSL2 can access the Internet, but not https.

@peterhorvath
Copy link

if you have corporate proxy try to set http_proxy in WSL2
I had to do

export http_proxy=whatever.com:9091
export https_proxy=whatever.com:9091
export no_proxy=*.internal.domain.com,10.0.0.0/8 

talk to your IT team, (out comapny using mcafee web gateway and client proxy)

@DadongZ
Copy link

DadongZ commented Jun 3, 2020

I have same problem..frustrated

@crisrise
Copy link

crisrise commented Jun 3, 2020

Same problem here, with CiscoAnyconnect...

@DadongZ
Copy link

DadongZ commented Jun 3, 2020

I have exactly same issue and solved it by

  1. uninstall anyconnect
  2. download and reinstall anyconnect from Windows Store

No issue so far

@chazt3n
Copy link

chazt3n commented Jun 3, 2020

our windows store is blocked O_o

@daviddyball
Copy link

daviddyball commented Jun 3, 2020

I'm using a straight Windows IPSec VPN connection to my organisation and I too am unable to do anything from my WSL2 container once the VPN is initiated.

Is there anything settings I can change on the Hyper-v vEthernet adapter to work around this?

EDIT: A little more context:

ip addr output from my Ubuntu-20.04 WSL 2 instance

ip addr                                                                   <aws:saml>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 3a:01:48:88:dc:a3 brd ff:ff:ff:ff:ff:ff
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 3e:20:cb:a5:6f:8f brd ff:ff:ff:ff:ff:ff
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:18:7f:df brd ff:ff:ff:ff:ff:ff
    inet 172.24.183.172/20 brd 172.24.191.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fe18:7fdf/64 scope link
       valid_lft forever preferred_lft forever

ipconfig from Windows (while I have the VPN initiated

ipconfig

Windows IP Configuration


Wireless LAN adapter Local Area Connection* 1:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

PPP adapter Company-VPN:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.17.15.206
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : lan
   IPv6 Address. . . . . . . . . . . : xxxx:xxxx:xxxx:xxxx::xxxx
   Link-local IPv6 Address . . . . . : xxxx::xxxx:xxxx:xxxx
   IPv4 Address. . . . . . . . . . . : 192.168.8.128
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.8.1

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter vEthernet (WSL):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::8488:c784:edd4:bb17%21
   IPv4 Address. . . . . . . . . . . : 172.24.176.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :

I don't think the VPN and vEthernet adapters are clashing.... VPN is on 172.17.15.206/32 and WSL is on 172.24.176.1/20

@peterhorvath
Copy link

@daviddyball check route print on your windows. you might have clash in your routing table

@daviddyball
Copy link

Looking into it more I'm starting to think that the issue is that my VPN is using a clashing subnet (thanks @peterhorvath for pointing me in that direction)

Given that I think this issue also relates to #4467, in that we need some form of configurability on the Hyper-V vSwitch to say "I want this subnet". Right now it appears that it's completely up to chance whether we get a conflicting network segment or not.

@rohanrajpal
Copy link

if you have corporate proxy try to set http_proxy in WSL2
I had to do

export http_proxy=whatever.com:9091
export https_proxy=whatever.com:9091
export no_proxy=*.internal.domain.com,10.0.0.0/8 

talk to your IT team, (out comapny using mcafee web gateway and client proxy)

Hey, thanks for sharing this. Here whatever.com is the VPN gateway, right? And do we mean by *.internal.domain.com

@peterhorvath
Copy link

in my case whatever.com is not the vpn gateway but the corporate web proxy on the VPN network.
no_proxy is a list of internal resources which don't need to go through the proxy as they are directly routed via vpn.
no_proxy=.you.corp.internal.domain.com,10.0.0.0/8 (your internal network address range)

@pmakholm
Copy link

pmakholm commented Jun 9, 2020

My corporate VPN forces setting routes to 172.16.0.0/12 to use the VPN as gateway. This means that if VPN is started after the WSL vEthernet, adapter I lose all network connectivity inside my WSL2 distributions.

The only workaround I've found (that doesn't require administratore rights) is to start the VPN before any WSL distribution and reboot after disconnecting from the VPN.

It would be great if it was possible to configure WSL to another range of networks.

@daviddyball
Copy link

@pmakholm I know it's not ideal, but your steps have at least got me the ability to use WSL, so thanks ❤️

@rohanrajpal
Copy link

in my case whatever.com is not the vpn gateway but the corporate web proxy on the VPN network.
no_proxy is a list of internal resources which don't need to go through the proxy as they are
no_proxy=.you.corp.internal.domain.com,10.0.0.0/8 (your internal network address range)

Hmm well, I only have the gateway and my credentials to connect to my VPN. Guess I gotta figure out something else. Thanks!

@Parv621
Copy link

Parv621 commented May 13, 2023

same problem for me, cisco anyconnect vpn client running Windows 10 2004 WSL2 Ubuntu 18.04 and 20.04

I have the solution to the Cisco VPN Anyconnect thanks to this blog post: https://jamespotz.github.io/blog/how-to-fix-wsl2-and-cisco-vpn

Given that you have the correct DNS server in the /etc/resolv.conf, the solution in the blog will work.

@gideao-domingos
Copy link

gideao-domingos commented Jun 1, 2023

look at this:
https://askubuntu.com/questions/1369455/cant-connect-to-server-over-https-in-wsl

@komkomissarov
Copy link

It's helped me, thank you
#5068 (comment)

@Pit-Storm
Copy link

You shouldn't change the Interface-Metric due to the than different routing. See the following blogpost for explanation: https://janovesk.com/wsl/2022/01/21/wsl2-and-vpn-routing.html
TLDR: If it works, it doesn't mean that it doesn't have side effects. And it's not only solving the thing that you was intended to fix.

The problem of not using the correct DNS-Server is properly explained and the suggested solution should be used from networking point of view.

For the IP-Range problem you have only the following two options:

  1. Changing the routing table (see blogpost above)
  2. Changing the subnet-range that WSL is using

How second could work, is shown in this Microsoft Q&A: https://learn.microsoft.com/en-us/answers/questions/1123820/set-wsl2-subnet

TLDR: Change SubNet of WSL NAT-Router to a different one which does not collide with your Company-VPN subnet. To do so got to regedit and edit the following entries:
Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss
Entries: NatGatewayIpAddress and NatNetwork
Values e.g.: 19.16.0.1 and 19.16.0.0/16

Again: Please don't change the InterfaceMetric!

@ku3mich
Copy link

ku3mich commented Jul 12, 2023

had same problem before the latest(windows 11 7/12/2023) updates I've installed today, now wsl2 work under GlobalProtect

@funes79
Copy link

funes79 commented Jul 12, 2023

For me the update did not helped, just updated (12th July 2023) Win11 Pro to Version 10.0.22621 Build 22621
and I still need to run the workaround script to get internet connectivity.

@gbwebdev
Copy link

gbwebdev commented Aug 2, 2023

I've had issues with SSH over VPN in the past, where specifying alternative ciphers or key algorithms was a fix/workaround. You can validate if this is applicable to you by passing -v to your SSH connection, where it hangs; debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

Test the fix/workaround with the following; (please consider and research any compliance/security with these options)

-c aes128-ctr or -oKexAlgorithms=curve25519-sha256@libssh.org

This particular cipher, and algorithm, are the second priority default OpenSSH (OpenSSH_8.4p1), and it allows me to connect.

I believe this is a MTU issue, and not a bug/fault with WSL/2. It's probably best to consider the above a workaround until a root cause is detailed.

Windows 11
WSL2
Linux $$ 5.10.102.1-microsoft-standard-WSL2 #1 SMP Wed Mar 2 00:30:59 UTC 2022 x86_64 GNU/Linux
/etc/debian_version
11.5

Thank you !!!!

That was EXACTLY my problem : could not SSH to my home server from WSL when using WireGuard on my Windows host.
Using a different cipher works like a charm.

So if I understand well it would be a MTU problem ?
Meaning (roughly) that the packets resulting from the preferred encryption algorithm are too large and/or "indivisible" to be bundled into the VPN tunnel ?

I would be interested in finding the root cause but I am not sure this issue is the right place ?

@dylangovender
Copy link

dylangovender commented Aug 17, 2023

+1 when using Citrix Secure Access (VPN). I downgraded to WSL V1 for now.

UPDATE: Found a way for this to work (WSL2). Details here: #10104

@zba
Copy link

zba commented Aug 22, 2023

I had problem with openvpn connect, changed to openvpn community client and problem disappear.

@ascheel
Copy link

ascheel commented Aug 22, 2023

@dylangovender , downgrading to WSL v1 is not a feasible option for most everybody. My understanding is that it uses a vastly different network stack.

@dylangovender
Copy link

I was not suggesting others downgrade, I was merely explaining what worked for me.

Also, I did update my post later with a fix that is working with WSL2.

@uslbmplatformslee
Copy link

  1. Create a Task in the Task Scheduler that would be trigger by the event of VPN successful connection
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational">
    <Select Path="Microsoft-Windows-NetworkProfile/Operational">
      *[System[(EventID=10000)] and EventData[Data[@Name='Guid'] and (Data='{6741631e-1eff-41d5-9fc0-ac31e3b0276e}')]]
    </Select>
  </Query>
</QueryList>

Your XML query structure needs tweaked a bit. Naturally, use your GUID, but try:

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational">
    <Select Path="Microsoft-Windows-NetworkProfile/Operational">
      *[System[(EventID=10000)]] 
      and 
      *[EventData[Data[@Name='Guid'] and (Data='{6741631e-1eff-41d5-9fc0-ac31e3b0276e}')]]
    </Select>
  </Query>
</QueryList>

Great lead though!

@craigloewen-msft
Copy link
Member

Hi folks, we have put out a new update that aims to address networking issues in WSL. In your .wslconfig file you can set experimental.networkingMode=mirrored, as well as some other key settings that should improve your network compatibility! Please try them out and let us know what you think.

More info on this release and the changes can be found here in the blog post.

@aentwist
Copy link

aentwist commented Oct 6, 2023

wsl: Mirrored networking mode is not supported, falling back to NAT networking
wsl: Hyper-V firewall is not supported

this feature is currently only available to Windows Insiders canary and Release Preview Channel with the latest Windows 11, version 22H2

lol

@jcpoconnor
Copy link

Any indication when the WSL2 changes are going to move beyond Canary ?

@craigloewen-msft
Copy link
Member

These new networking features are now available on the latest version of Win11 22H2!

Please make sure you're on the latest build to get these features, you can do that by clicking "Check for Updates" in Windows settings. You can check you have the right build by either ensuring you have KB5031354 installed, or run cmd.exe /c ver and ensure that your build number is 22621.2428 or higher (Including the minor build number which is after the . as this was a backport!)

@NicolasRouquette
Copy link

Are there any plans to make these new networking features available in Win10 22H2?

@craigloewen-msft
Copy link
Member

Currently these features are Win11 only, we are investigating ways to see if we can make them available to earlier versions as well.

@terlar
Copy link

terlar commented Nov 10, 2023

I have Win11 now with build number is 22621.2428, I tried out these new features (networkingMode=mirrored and dnsTunneling=true). Unfortunately it still didn't work with Citrix Secure Access (VPN). So still have to resort to wsl-vpnkit (which doesn't work together with dnsTunneling). Would be really nice if things could work without third party hacks.

@NicolasRouquette
Copy link

Ditto here, I ran into the same problem after updating to the same version of Win11.

It would be helpful if someone could show an example of a .wslconfig file as I've seen such features prefixed as experimental.networkingMode=....

@keith-horton
Copy link
Member

Sorry for the VPN compat issues. It's a hard problem with some VPNs.
Please see some troubleshooting we have added for VPNs here: https://github.com/MicrosoftDocs/WSL/blob/main/WSL/troubleshooting.md#wsl-has-no-network-connectivity-once-connected-to-a-vpn

I would consider trying changing the interface metrics & route metrics so that the WSL virtual NIC is preferred over the VPN interface.

Thanks.

@lbenz
Copy link

lbenz commented Nov 18, 2023

Same as folks here, we are using corporate VPN IvantiSecure (formerly Pulse secure), we fixed the issue thanks to experimental features as @craigloewen-msft advised.

.wslconfig:

[experimental]
autoProxy=true
dnsTunneling=true
networkingMode=mirrored

Version:

WSL version: 2.0.9.0
Kernel version: 5.15.133.1-1
WSLg version: 1.0.59
MSRDC version: 1.2.4677
Direct3D version: 1.611.1-81528511
DXCore version: 10.0.25131.1002-220531-1700.rs-onecore-base2-hyp
Windows version: 10.0.22621.2428

Version 2.0.9 is pre-release, install it with wsl --update --pre-release.

Edit [2023.11.19]: Now it's my docker containers with port forwarding that are not working 😫, workaround above is not ready for Docker users.

@terlar
Copy link

terlar commented Nov 18, 2023

A warning to people, not sure if it is due to some corporate configuration. But my system became unusable after enabling networkMode mirrored and it didn't work when disabling again. So I had to reinstall my system (did this twice to realise this was the cause). After I have used networkMode mirrored, processes that normally idle was eating all the CPU with Network Store Interface Service clearly taking the lead. Rebooting the computer didn't help and same behaviour occurred as soon as Windows was launched. Any operation was lagging, clicking the start menu, sometimes even right click anywhere resulting in a crashed process.

Uninstalling WSL didn't resolve this either. Me or the technicians couldn't find any way to get it back in a working state.

So networkMode=mirrored is doing something that it doesn't revert after being disabled.

Edit/Update:
The issue was that network mode mirrored enabled taskoffload. If you have this issue you can do:

netsh int ip set global taskoffload=disabled

@dil-mezzy
Copy link

This Worked for me

https://www.frakkingsweet.com/work-around-for-anyconnect-client-and-windows-subsystem-for-linux-2/

@earizon
Copy link

earizon commented Oct 8, 2024

Related problem "here" with CheckPoint VPN. When the network is enabled, the Ubuntu machine can use the VPN network, but it "slows down" when packets start to walk the VPN. If I try to copy a "big" file (hundreds of megabytes) from the WSL guest to a remote machine, it initially works properly (about 10Mb/sec), then it progressively slows down to just a few Kb/sec.

@Rhinogradentia
Copy link

Don't know if anyone still needs this, but this helped me https://jamespotz.github.io/blog/how-to-fix-wsl2-and-cisco-vpn (Cisco AnyConnect)

@jmbyzek
Copy link

jmbyzek commented Nov 22, 2024

I'm not 100% certain, but have just had (temporary?) success in getting all networking functioning when I went from WireGuard back to OpenVPN, and also disabled Split Tunnels.

Since I changed two things, not certain which one helped. But DNS and Internet connectivity available from PS prompt, WSL prompt, and all browsers working again. Suspecting split tunneling, as at one point just before the reboot, I had Chrome browser working, but not Brave browser (they were configured explicitly differently in split tunneling).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests