No internet connection Ubuntu-WSL while VPN

Question

I have a Ubuntu-20.04 Version 2 WSL running on my Windows 10 Laptop. Everything works fine, I have internet connection. But only as long as I am not connected to a VPN network.

If I connect to my the network of my university using Cisco AnyConnect, I can no longer connect to the internet on WSL, while everything works fine using e.g. firefox in the windows system. I get: ping: google.de: Temporary failure in name resolution

I already tried the following:

Open windows cmd in admin mode and type these commands:

netsh winsock reset
netsh int ip reset all
netsh winhttp reset proxy
ipconfig /flushdns
reboot

That worked once, I had access to the internet. But as soon as I disconnected the VPN connection and connected again, I had the same problem all over again. I tried to just execute the commands again and rebooted, but now thats not working anymore.

So I really do not know what else to do. I really need to use WSL while being connected via VPN

Answer 1

There is an issue with DNS Forwarding in WSL2 when using VPN (see github Issue). Plus there is a issue with the Cisco AnyConnect. So here is a workaround for these problems. Should work for Ubuntu and Debian.

Workaround (new - automatic)

This solution is automatic and was created by EdwardCooke (see https://www.frakkingsweet.com/automatic-dns-configuration-with-wsl-and-anyconnect-client/). This is just the first part of his solution updating resolv.conf when starting WSL.

1. Re-enable auto generation of resolv.conf (if disabled)

   by commented the disable with #

   sudo nano /etc/wsl.conf
   

   #[network]
   #generateResolvConf = false
   

2. Create the script

   sudo nano /bin/vpn-dns.sh
   

   #!/bin/bash
   
   echo "Getting current DNS servers, this takes a couple of seconds"
   
   /mnt/c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -Command '
   $ErrorActionPreference="SilentlyContinue"
   Get-NetAdapter -InterfaceDescription "Cisco AnyConnect*" | Get-DnsClientServerAddress | Select -ExpandProperty ServerAddresses
   Get-NetAdapter | ?{-not ($_.InterfaceDescription -like "Cisco AnyConnect*") } | Get-DnsClientServerAddress | Select -ExpandProperty ServerAddresses
   ' | \
           awk 'BEGIN { print "# Generated by vpn fix func on", strftime("%c"); print } { print "nameserver", $1 }' | \
           tr -d '\r' > /etc/resolv.conf
   clear
   

3. Make it executable/run as sudo

   sudo chmod +x /bin/vpn-dns.sh
   echo "$(whoami) ALL=(ALL) NOPASSWD: /bin/vpn-dns.sh" | sudo tee /etc/sudoers.d/010-$(whoami)-vpn-dns
   

4. Make it run on wsl startup

   echo "/bin/vpn-dns.sh" | sudo tee /etc/profile.d/vpn-dns.sh
   

You can also run it manually: sudo /bin/vpn-dns.sh

Workaround (old manual)

1. Find out nameserver with windows powershell (during VPN Session)

   nslookup
   

   You'll get the IPv4 adress of your corporate nameserver Copy this address.

2. Disable resolv.conf generation in wsl:

   sudo nano /etc/wsl.conf
   

   copy this text to the file (to disable resolve.conf generation, when wsl starts up)

   [network]                                                                        
   generateResolvConf = false
   

3. In wsl Add your corporate nameserver to resolv.conf

   sudo nano /etc/resolv.conf
   

   Remove other entries and add your corporate nameserver IP (if you have a secondary nameserver, add it in a separate line)

   • nameserver X.X.X.X (where X.X.X.X is your address obtained in step 1)

4. Set your VPN adapter (if you have Cisco AnyConnect) open a admin powershell

   • Find out your VPN adapter name: Get-NetIPInterface (in my case: "Cisco AnyConnect")
   • Set adapter metric (Replace -Match with your name), in my case I have to run this after ever reboot or VPN reconnect:

   Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000
   

   (What is interface metric: Used to determine route, windows use interface with lowest metric)

5. Restart wsl in powershell: wsl.exe --shutdown

6. Test it in wsl run: wget google.com - if this command works, you are done.

In my case I get DNS issues when try to connect to internal stuff via browser (on Windows 10, f.e.: intranet), caused by the high metric value set in step 4 (basically kind of disabling VPN Route). So here is the workaround for the workaround:

1. Check your default metric (of VPNs Interface) in powershell (replace -Match with your interface name)

Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Get-NetIPInterface

2. When running into problems on Windows 10 restore this default value with admin powershell (replace value at the end with your default value):

Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 1

Answer 2

This seems to be a bug in WSL 2, see https://github.com/microsoft/WSL/issues/4277.

The workaround offered here worked for me: Uninstall the Cisco AnyConnect client and install the version from the Microsoft Store.

Answer 3

The easiest workaround (before either Microsoft or Cisco come up with a permanent fix) is to launch WSL before connecting to the VPN:

wsl --shutdown
# disconnect VPN
wsl
# connect VPN again

Works on Windows 10 with WSL2+Ubuntu 20.04 and Cisco AnyConnect.

Answer 4

I solved the problem. open Microsoft Store -> Search and Install Anyconnect -> the vpn connection now works with WSL2.

Answer 5

The problem is that the VPN Ethernet Adaptor's DNS server settings are not taken by the WSL. These steps worked for me to add these settings manually:

1. cd ~/../../etc (go to etc folder in WSL).
2. echo "[network]" | sudo tee wsl.conf (Create wsl.conf file and add the first line).
3. echo "generateResolvConf = false" | sudo tee -a wsl.conf (Append wsl.conf the next line).
4. wsl -l (Get the . Debian-XX or Ubuntu-XX (Default) etc.)
5. wsl --terminate (Terminate WSL in Windows cmd, from the step 4).
6. cd ~/../../etc (go to etc folder in WSL).
7. sudo rm -Rf resolv.conf (Delete the resolv.conf file).
8. In windows cmd, ps or terminal with the vpn connected do: Get-NetIPInterface or ipconfig /all for get the dns primary and secondary. Look for Ethernet adaptor with Description "Cisco AnyConnect...". From under it take values for DNS Servers. It has primary and secondary DNS server IPs.
9. Use commands in next two steps by replacing X.X.X.X for values of Primary and Secondary DNS server IPs respectively
10. echo "nameserver X.X.X.X" | sudo tee resolv.conf (Create resolv.conf and append the line.)
11. echo "nameserver X.X.X.X" | sudo tee -a resolv.conf (Append the line in resolv.conf)
12. wsl --terminate (Terminate WSL in Windows cmd, from the step 4).
13. sudo chattr +i resolv.conf
14. And finally in windows cmd, ps or terminal: Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000

Credit: @MartinCaccia, @yukosgiti, @machuu and @AlbesK: https://github.com/microsoft/WSL/issues/4277 https://github.com/microsoft/WSL/issues/4246

---

Original resoltuion:

1. Create a file: /etc/wsl.conf.
2. Put the following lines in the file in order to ensure the your DNS changes do not get blown away

[network] generateResolvConf = false

3. In a cmd window, run wsl --shutdown
4. Restart WSL2
5. Create a file: /etc/resolv.conf. If it exists, replace existing one with this new file.
6. Put the following line in the file

nameserver 8.8.8.8 # Or use your DNS server instead of 8.8.8.8 which is a Google DNS server

7. Repeat step 3 and 4. You will see git working fine now.

Credit: https://github.com/microsoft/WSL/issues/4285#issuecomment-522201021 Sign up for free

Steps are also documented here: https://gist.github.com/akshayhiremath/1b3bff527b3eca6cd41cf60ce88f3a56/8570f9fb4dbd681fc7aabcc817fa18cbab5f1e86#file-fix-wsl2-dns-resolution

I have forked and updated the steps by https://gist.github.com/coltenkrauter to make them easier.

Answer 6

Another method that is reliable is to use wsl-vpnkit (https://github.com/sakai135/wsl-vpnkit).

The basic setup installs a WSL distro to handle network traffic from your WSL 2 distros (and containers).

Works with Cisco AnyConnect configuration that restricts local network traffic.

Answer 7

This might be obvious but I did not think of this. Another workaround is to install VPN in wsl if that is an option for the VPN you are using.

Answer 8

I was skeptical at first about hsq_roy's method, but since none of the workarounds worked for me I just did what hsq_roy was suggesting.

1. I deleted my Cisco Anyconnect client
2. I reinstalled it via Windows Store.
3. I opened Anyconnect and clicked on manage VPN which forwarded me to the Windows System settings.
4. I set up a new VPN connection within the Windows settings choosing Anyconnect instead of Windows (integrated).
5. I started WSL and it connected to the internet while using a VPN in Windows. It works perfectly fine for me, with no issues whatsoever.

Answer 9

The answer from @kraego worked for me.

I was though unable to make out the adapter from Get-NetIPInterface

but I used instead Get-NetAdapter

And I verified it by looking at the results with and without the VPN connection active.

Answer 10

In my case, i set VPN network interface metric to 6000 and both vpn and internet within wsl is now working: Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000

Cisco AnyConnect mentioned in command above is my VPN. yours could be different. along with the metric number.

and then used following to fix the DNS:
echo "nameserver 8.8.8.8" | tr -d '\r' | sudo tee /etc/resolv.conf
echo "nameserver 8.8.4.4" | tr -d '\r' | sudo tee /etc/resolv.conf

You can also put DNS fix into .bashrc

Answer 11

I had the same problem (no internet when VPN connected) running WSL version 2. To resolve I uninstalled Ubuntu, then from powershell set the default version to WSL 1 when installing a new distro wsl --set-default-version <Version#> then re-installed Ubuntu. That resolved the issue. To check the WSL versions being used for each distro, from powershell enter wsl -l -v