WSL2 , problem with network connection when VPN used (PulseSecure)

[fibu79]

I'm using MS v. 2004 (build 19041) with UBUNTU linux on WSL2.
When I don't use VPN on windows , everything is fine - I have internet connection on windows and wsl2 ubuntu.
But when established connection via VPN (on windows) then on windows still is OK - I have both internet and vpn connection , but on Ubuntu there is no network connection at all (no internet , no vpn access).
I suspect there is a problem with NAT (on Hyper-V default switch)
Any idea what could be wrong ?
Additionally: on wsl1 everything worked fine (also when VPN enabled)

Currently on wsl2 it looks like this :
fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.30.123.209 netmask 255.255.240.0 broadcast 172.30.127.255
inet6 fe80::215:5dff:fe41:b550 prefixlen 64 scopeid 0x20
ether 00:15:5d:41:b5:50 txqueuelen 1000 (Ethernet)
RX packets 263 bytes 27705 (27.7 KB)
RX errors 0 dropped 1 overruns 0 frame 0
TX packets 223 bytes 34352 (34.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 2 bytes 56 (56.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 56 (56.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$
fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$ ping google.com
ping: google.com: Temporary failure in name resolution
fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$
fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.30.112.1 0.0.0.0 UG 0 0 0 eth0
172.30.112.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$ cat /etc/resolv.conf
nameserver 172.30.112.1
fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$

[fibu79]

Does anyone can help ...?

[WangHaiYang874]

I'm troubling with the samilar problem here. It's frustrating

[aaemon]

same problem, wsl1 working fine, all the distros in wsl2 is not connecting to internet

[akulbe]

I am having a similar issue when I'm on the GlobalProtect VPN connection to our corporate network. One workaround I've found is to add the IP for your router to /etc/resolv.conf as a nameserver entry.

[dys152]

Same here, seems to be intermittent though. Also have docker desktop running and stopping that has fixed it a couple of times but not always.

[yanke1311]

i have the same problem

[carl-berg]

Same problem here. WSL2 can't access internet after connecting to VPN. If I turn it off, things are OK again. Using windows VPN configuration (IKEv2), no special VPN app.

[peterhorvath]

Latest pulse secure vpn client for corp vpn connection and experiencing the same issue.
WSL2 has almost none existent internet connection when connected on VPN

[honeway]

Same issue happens on released Windows 10 2004, run Ubuntu 20.04 on WSL2 when connect to Pulse Secure.

I have tried solutions mentioned in
#1350
Didn’t work to me.

[peterhorvath]

#4277

[petersonsbuild]

same problem for me, cisco anyconnect vpn client running Windows 10 2004 WSL2 Ubuntu 18.04 and 20.04

[peterhorvath]

Interestingly i can curl http sites while on vpn but not https.

[peterhorvath]

okay it is resolve for me, apparently IT had a transparent url filtering proxy when i am connected to VPN and needed bypass, it also works when i set http_proxy/https_proxy and proxy for apt within WSL2 to the corp proxy.

[chazt3n]

@peterhorvath is your anyconnect setup to use full tunnel?

[peterhorvath]

it is pulse secure vpn but yes it is full tunnel.

[luvwagn]

I'm having same issues, have read multiple reports on here and elsewhere. Everything worked against Cisco AnyConnect when using WSL v1. After upgrading to latest Windows and updating to WSL v2, my internet connectivity inside WSL is broken. I'm in split-tunnel mode, but will try full-tunnel.

[honeway]

When WSL2 is started after connecting to VPN through Pulse Secure, WSL2 can access the Internet, but not https.

[peterhorvath]

if you have corporate proxy try to set http_proxy in WSL2
I had to do

export http_proxy=whatever.com:9091
export https_proxy=whatever.com:9091
export no_proxy=*.internal.domain.com,10.0.0.0/8 

talk to your IT team, (out comapny using mcafee web gateway and client proxy)

[DadongZ]

I have same problem..frustrated

[crisrise]

Same problem here, with CiscoAnyconnect...

[DadongZ]

I have exactly same issue and solved it by

1. uninstall anyconnect
2. download and reinstall anyconnect from Windows Store

No issue so far

[chazt3n]

our windows store is blocked O_o

[daviddyball]

I'm using a straight Windows IPSec VPN connection to my organisation and I too am unable to do anything from my WSL2 container once the VPN is initiated.

Is there anything settings I can change on the Hyper-v vEthernet adapter to work around this?

EDIT: A little more context:

ip addr output from my Ubuntu-20.04 WSL 2 instance

ip addr                                                                   <aws:saml>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 3a:01:48:88:dc:a3 brd ff:ff:ff:ff:ff:ff
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 3e:20:cb:a5:6f:8f brd ff:ff:ff:ff:ff:ff
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:18:7f:df brd ff:ff:ff:ff:ff:ff
    inet 172.24.183.172/20 brd 172.24.191.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fe18:7fdf/64 scope link
       valid_lft forever preferred_lft forever

ipconfig from Windows (while I have the VPN initiated

ipconfig

Windows IP Configuration


Wireless LAN adapter Local Area Connection* 1:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

PPP adapter Company-VPN:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.17.15.206
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : lan
   IPv6 Address. . . . . . . . . . . : xxxx:xxxx:xxxx:xxxx::xxxx
   Link-local IPv6 Address . . . . . : xxxx::xxxx:xxxx:xxxx
   IPv4 Address. . . . . . . . . . . : 192.168.8.128
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.8.1

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter vEthernet (WSL):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::8488:c784:edd4:bb17%21
   IPv4 Address. . . . . . . . . . . : 172.24.176.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :

I don't think the VPN and vEthernet adapters are clashing.... VPN is on 172.17.15.206/32 and WSL is on 172.24.176.1/20

[peterhorvath]

@daviddyball check route print on your windows. you might have clash in your routing table

[daviddyball]

Looking into it more I'm starting to think that the issue is that my VPN is using a clashing subnet (thanks @peterhorvath for pointing me in that direction)

Given that I think this issue also relates to #4467, in that we need some form of configurability on the Hyper-V vSwitch to say "I want this subnet". Right now it appears that it's completely up to chance whether we get a conflicting network segment or not.

[rohanrajpal]

if you have corporate proxy try to set http_proxy in WSL2
I had to do

export http_proxy=whatever.com:9091
export https_proxy=whatever.com:9091
export no_proxy=*.internal.domain.com,10.0.0.0/8 

talk to your IT team, (out comapny using mcafee web gateway and client proxy)

Hey, thanks for sharing this. Here whatever.com is the VPN gateway, right? And do we mean by *.internal.domain.com

[peterhorvath]

in my case whatever.com is not the vpn gateway but the corporate web proxy on the VPN network.
no_proxy is a list of internal resources which don't need to go through the proxy as they are directly routed via vpn.
no_proxy=.you.corp.internal.domain.com,10.0.0.0/8 (your internal network address range)

[pmakholm]

My corporate VPN forces setting routes to 172.16.0.0/12 to use the VPN as gateway. This means that if VPN is started after the WSL vEthernet, adapter I lose all network connectivity inside my WSL2 distributions.

The only workaround I've found (that doesn't require administratore rights) is to start the VPN before any WSL distribution and reboot after disconnecting from the VPN.

It would be great if it was possible to configure WSL to another range of networks.

[daviddyball]

@pmakholm I know it's not ideal, but your steps have at least got me the ability to use WSL, so thanks ❤️

[rohanrajpal]

in my case whatever.com is not the vpn gateway but the corporate web proxy on the VPN network.
no_proxy is a list of internal resources which don't need to go through the proxy as they are
no_proxy=.you.corp.internal.domain.com,10.0.0.0/8 (your internal network address range)

Hmm well, I only have the gateway and my credentials to connect to my VPN. Guess I gotta figure out something else. Thanks!

[Comnenus]

Until Microsoft fixes and supports this, and it works out of the box, it is a blocker.

[Parv621]

same problem for me, cisco anyconnect vpn client running Windows 10 2004 WSL2 Ubuntu 18.04 and 20.04

I have the solution to the Cisco VPN Anyconnect thanks to this blog post: https://jamespotz.github.io/blog/how-to-fix-wsl2-and-cisco-vpn

Given that you have the correct DNS server in the /etc/resolv.conf, the solution in the blog will work.

[gideao-domingos]

look at this:
https://askubuntu.com/questions/1369455/cant-connect-to-server-over-https-in-wsl

[komkomissarov]

It's helped me, thank you
#5068 (comment)

[Pit-Storm]

You shouldn't change the Interface-Metric due to the than different routing. See the following blogpost for explanation: https://janovesk.com/wsl/2022/01/21/wsl2-and-vpn-routing.html
TLDR: If it works, it doesn't mean that it doesn't have side effects. And it's not only solving the thing that you was intended to fix.

The problem of not using the correct DNS-Server is properly explained and the suggested solution should be used from networking point of view.

For the IP-Range problem you have only the following two options:

1. Changing the routing table (see blogpost above)
2. Changing the subnet-range that WSL is using

How second could work, is shown in this Microsoft Q&A: https://learn.microsoft.com/en-us/answers/questions/1123820/set-wsl2-subnet

TLDR: Change SubNet of WSL NAT-Router to a different one which does not collide with your Company-VPN subnet. To do so got to regedit and edit the following entries:
Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss
Entries: NatGatewayIpAddress and NatNetwork
Values e.g.: 19.16.0.1 and 19.16.0.0/16

Again: Please don't change the InterfaceMetric!

[ku3mich]

had same problem before the latest(windows 11 7/12/2023) updates I've installed today, now wsl2 work under GlobalProtect

[funes79]

For me the update did not helped, just updated (12th July 2023) Win11 Pro to Version 10.0.22621 Build 22621
and I still need to run the workaround script to get internet connectivity.

[gbwebdev]

I've had issues with SSH over VPN in the past, where specifying alternative ciphers or key algorithms was a fix/workaround. You can validate if this is applicable to you by passing -v to your SSH connection, where it hangs; debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

Test the fix/workaround with the following; (please consider and research any compliance/security with these options)

-c aes128-ctr or -oKexAlgorithms=curve25519-sha256@libssh.org

This particular cipher, and algorithm, are the second priority default OpenSSH (OpenSSH_8.4p1), and it allows me to connect.

I believe this is a MTU issue, and not a bug/fault with WSL/2. It's probably best to consider the above a workaround until a root cause is detailed.

Windows 11
WSL2
Linux $$ 5.10.102.1-microsoft-standard-WSL2 #1 SMP Wed Mar 2 00:30:59 UTC 2022 x86_64 GNU/Linux
/etc/debian_version
11.5

Thank you !!!!

That was EXACTLY my problem : could not SSH to my home server from WSL when using WireGuard on my Windows host.
Using a different cipher works like a charm.

So if I understand well it would be a MTU problem ?
Meaning (roughly) that the packets resulting from the preferred encryption algorithm are too large and/or "indivisible" to be bundled into the VPN tunnel ?

I would be interested in finding the root cause but I am not sure this issue is the right place ?

[dylangovender]

+1 when using Citrix Secure Access (VPN). I downgraded to WSL V1 for now.

UPDATE: Found a way for this to work (WSL2). Details here: #10104

[zba]

I had problem with openvpn connect, changed to openvpn community client and problem disappear.

[ascheel]

@dylangovender , downgrading to WSL v1 is not a feasible option for most everybody. My understanding is that it uses a vastly different network stack.

[dylangovender]

I was not suggesting others downgrade, I was merely explaining what worked for me.

Also, I did update my post later with a fix that is working with WSL2.

[uslbmplatformslee]

2. Create a Task in the Task Scheduler that would be trigger by the event of VPN successful connection

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational">
    <Select Path="Microsoft-Windows-NetworkProfile/Operational">
      *[System[(EventID=10000)] and EventData[Data[@Name='Guid'] and (Data='{6741631e-1eff-41d5-9fc0-ac31e3b0276e}')]]
    </Select>
  </Query>
</QueryList>

Your XML query structure needs tweaked a bit. Naturally, use your GUID, but try:

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational">
    <Select Path="Microsoft-Windows-NetworkProfile/Operational">
      *[System[(EventID=10000)]] 
      and 
      *[EventData[Data[@Name='Guid'] and (Data='{6741631e-1eff-41d5-9fc0-ac31e3b0276e}')]]
    </Select>
  </Query>
</QueryList>

Great lead though!

[craigloewen-msft]

Hi folks, we have put out a new update that aims to address networking issues in WSL. In your .wslconfig file you can set experimental.networkingMode=mirrored, as well as some other key settings that should improve your network compatibility! Please try them out and let us know what you think.

More info on this release and the changes can be found here in the blog post.

[aentwist]

wsl: Mirrored networking mode is not supported, falling back to NAT networking
wsl: Hyper-V firewall is not supported

this feature is currently only available to Windows Insiders canary and Release Preview Channel with the latest Windows 11, version 22H2

lol

[jcpoconnor]

Any indication when the WSL2 changes are going to move beyond Canary ?

[craigloewen-msft]

These new networking features are now available on the latest version of Win11 22H2!

Please make sure you're on the latest build to get these features, you can do that by clicking "Check for Updates" in Windows settings. You can check you have the right build by either ensuring you have KB5031354 installed, or run cmd.exe /c ver and ensure that your build number is 22621.2428 or higher (Including the minor build number which is after the . as this was a backport!)

[NicolasRouquette]

Are there any plans to make these new networking features available in Win10 22H2?

[craigloewen-msft]

Currently these features are Win11 only, we are investigating ways to see if we can make them available to earlier versions as well.

[terlar]

I have Win11 now with build number is 22621.2428, I tried out these new features (networkingMode=mirrored and dnsTunneling=true). Unfortunately it still didn't work with Citrix Secure Access (VPN). So still have to resort to wsl-vpnkit (which doesn't work together with dnsTunneling). Would be really nice if things could work without third party hacks.

[NicolasRouquette]

Ditto here, I ran into the same problem after updating to the same version of Win11.

It would be helpful if someone could show an example of a .wslconfig file as I've seen such features prefixed as experimental.networkingMode=....

[keith-horton]

Sorry for the VPN compat issues. It's a hard problem with some VPNs.
Please see some troubleshooting we have added for VPNs here: https://github.com/MicrosoftDocs/WSL/blob/main/WSL/troubleshooting.md#wsl-has-no-network-connectivity-once-connected-to-a-vpn

I would consider trying changing the interface metrics & route metrics so that the WSL virtual NIC is preferred over the VPN interface.

Thanks.

[lbenz]

Same as folks here, we are using corporate VPN IvantiSecure (formerly Pulse secure), we fixed the issue thanks to experimental features as @craigloewen-msft advised.

.wslconfig:

[experimental]
autoProxy=true
dnsTunneling=true
networkingMode=mirrored

Version:

WSL version: 2.0.9.0
Kernel version: 5.15.133.1-1
WSLg version: 1.0.59
MSRDC version: 1.2.4677
Direct3D version: 1.611.1-81528511
DXCore version: 10.0.25131.1002-220531-1700.rs-onecore-base2-hyp
Windows version: 10.0.22621.2428

Version 2.0.9 is pre-release, install it with wsl --update --pre-release.

Edit [2023.11.19]: Now it's my docker containers with port forwarding that are not working 😫, workaround above is not ready for Docker users.

[terlar]

A warning to people, not sure if it is due to some corporate configuration. But my system became unusable after enabling networkMode mirrored and it didn't work when disabling again. So I had to reinstall my system (did this twice to realise this was the cause). After I have used networkMode mirrored, processes that normally idle was eating all the CPU with Network Store Interface Service clearly taking the lead. Rebooting the computer didn't help and same behaviour occurred as soon as Windows was launched. Any operation was lagging, clicking the start menu, sometimes even right click anywhere resulting in a crashed process.

Uninstalling WSL didn't resolve this either. Me or the technicians couldn't find any way to get it back in a working state.

So networkMode=mirrored is doing something that it doesn't revert after being disabled.

Edit/Update:
The issue was that network mode mirrored enabled taskoffload. If you have this issue you can do:

netsh int ip set global taskoffload=disabled

[dil-mezzy]

This Worked for me

https://www.frakkingsweet.com/work-around-for-anyconnect-client-and-windows-subsystem-for-linux-2/

[earizon]

Related problem "here" with CheckPoint VPN. When the network is enabled, the Ubuntu machine can use the VPN network, but it "slows down" when packets start to walk the VPN. If I try to copy a "big" file (hundreds of megabytes) from the WSL guest to a remote machine, it initially works properly (about 10Mb/sec), then it progressively slows down to just a few Kb/sec.

[Rhinogradentia]

Don't know if anyone still needs this, but this helped me https://jamespotz.github.io/blog/how-to-fix-wsl2-and-cisco-vpn (Cisco AnyConnect)