microsoft / WSL

Issues found on WSL
https://docs.microsoft.com/windows/wsl
MIT License

Networking issues while using VPN #416

Open esabelhaus opened 8 years ago

esabelhaus commented 8 years ago

I've tried approaching this two different ways.

Create VPN Within Windows

  • Instantiate VPN tunnel using AnyConnect VPN client on my Windows laptop, then connect to upstream devices using SSH via Linux subsystem.
  • RESULT: DNS was not properly handed off to the linux subsystem, and no hostname resolution is possible.

Create VPN Connection Within Subsystem

  • Instantiate VPN tunnel using OpenConnect networking client
  • RESULT: Failed to instantiate network tunnel with the following error mkdir: cannot create directory ‘/dev/net’: No such file or directory

Any help would be greatly appreciated, as I often perform work on VMs which are located behind a firewall of some sort

Tawmu commented 7 years ago

Is there any update to WSL utilising DirectAccess?

Our org isn't yet on the Creator's Update so not sure if it's been addressed, but we do have Windows 10 with DirectAccess (and no fall-back VPN option), it would be really nice to see this in future. Using Bash on Windows with our Ansible tools and development is a really nice workflow.

sunilmut commented 7 years ago

@Tawmu - Thanks for your post. But, unfortunately, we don't have any update at the moment. We plan on looking at the whole VPN/DNS WSL solution soon (hopefully) and will look into DirectAccess as part of that work.

regisbsb commented 7 years ago

Why is it closed mate? @benhillis

benhillis commented 7 years ago

Sorry was doing cleanup of things marked as fixed.

rwngallego commented 7 years ago

I'm still having this problem in the Creators Update. If I manually add the VPN DNS to the top of the /etc/resolv.conf list, then it cannot do the correct resolution to the external IP addresses and I can do neither apt-get update nor apt-get install.

timcanham commented 7 years ago

I confirmed that a full tunnel with Pulse Secure allows WSL programs to see the hosts on the other side of the tunnel.

rwngallego commented 7 years ago

Could you please up vote the resolution for this issue in the following almost related User Voice entry?

https://wpdev.uservoice.com/forums/266908-command-prompt-console-bash-on-ubuntu-on-windo/suggestions/15636564-vpn-routing-support-in-bash

trondhindenes commented 6 years ago

I just noticed that with OpenVPN active on my Windows client, I'm losing all name resolution functionality inside WSL - nothing works. With Pulse VPN, the only affected traffic was the traffic supposed to traverse the tunnel.

Hopefully there will be some movement here; the VPN-related problems are the sole reason I still have to fire up a Linux VM in most cases.

javydekoning commented 6 years ago

Can confirm that I have this issue as well when connected to VPN (Build: 10.0.16299)

diveyez commented 6 years ago

No updates on this?

mathieulongtin commented 6 years ago

Still an issue two years later.

odhekar commented 6 years ago

I updated to 1803 today and this problem still exists 😐

bliles commented 6 years ago

Explained very well by @rodrymbo, just to reiterate: Please allow the Windows resolver to provide a DNS resolver service to the Linux environment. Then the Linux environment just always points to that DNS service. Everything will just work and stay in sync. The upstream resolver will just look like a standard DNS server to the Linux environment.

mikchaos commented 6 years ago

Hi Ricardo,

Once you’re connected to AnyConnect it will add an additional entry to /etc/resolv.conf at the bottom of the file. Just take that line and move it to the beginning of the file. It’s annoying but afterwards DNS resolution works for me.


Quoted message from Ricardo Amaral (notifications@github.com), sent Saturday, May 5, 2018 11:27:19 AM to Microsoft/WSL, subject "Re: [Microsoft/WSL] Networking issues while using VPN (#416)":

I'm also using Cisco AnyConnect and having issues under WSL.

@mikchaos Can you please explain to me how I find the proper DNS that Windows is using from AnyConnect so I can change /etc/resolv.conf on WSL and temporarily work around this issue?

rfgamaral commented 6 years ago

@mikchaos It worked for me too. Thank you :)

Now I need to find a way to monitor this file for changes and move such line automatically if it's found on the bottom.

Unfortunately for me, even if this is fixed, it will be for Insiders builds only and I cannot install such builds on my work machine.

jjacode commented 6 years ago

This issue seems to still exist. I cannot use my company's vpn in WSL either. But it just doesn't work at all. There is never a time it works and then stops. I've tried uninstalling and reinstalling, then doing the same on another machine. But WSL doesn't seem to pick up the DNS once connected.

bliles commented 6 years ago

I've resorted to using http://maradns.samiam.org/deadwood/ as a tiny DNS service running in Windows and then setting /etc/resolv.conf in WSL with:

nameserver 127.0.0.1

In the dwood3rc.txt I have these upstream servers defined:

upstream_servers = {}
upstream_servers["vpn-domain1."]="...ip of vpn domain1 DNS..."
upstream_servers["vpn-domain2."]="...ip of vpn domain2 DNS..."
upstream_servers["."]="8.8.8.8" # Use Google for other stuff

Some notes about using deadwood:

macmiranda commented 6 years ago

What if your DNS servers change for each VPN connection that you establish? The workaround would still require you to edit the config file and reload deadwood. Not the best solution. Why can't wsl just pick up the IP addresses in the same order as: Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object -ExpandProperty ServerAddresses

bliles commented 6 years ago

@macmiranda, I agree it's not a perfect solution. My recommendation to fix this is a DNS service provided by the OS to WSL that would hand off DNS resolution.

However the situation you mentioned is not a problem. If you have multiple VPNs it seems unlikely that two or more VPNs would use the same DNS zones. You can just configure all your zones in Deadwood. Obviously only the connected VPN zone will work, but it doesn't hurt to have a configured DNS server that is unreachable when you aren't trying to resolve those addresses.

gosukiwi commented 6 years ago

Unfortunately @mikchaos solution doesn't work for me. Maybe I'm running an old build? Is that on Insiders only for now? My version is 10.0.17134 Build 17134

dominik-ba commented 5 years ago

The same issue also appears when using DirectAccess. This is very annoying. I also prefer a solution where the subsystem just uses the windows dns entries...

asreimer commented 5 years ago

Just adding my vote towards the WSL using the same dns entries as windows.

therealkenc commented 5 years ago

I also prefer a solution where the subsystem just uses the windows dns entries...

So people are aware of the architecture, "WSL" does not know a "DNS entry" coming down port 53 from ssh session data coming down port 22 or a streaming YouTube video coming down port 443. Neither does a Real Linux™ kernel. The resolver functionality is provided by glibc (on for example Ubuntu) and musl (on for example Alpine). WSL doesn't know a DNS cache entry from Adam.

One can hypothesise alternative architectures. Perhaps lookups are always bounced off a local server on localhost along the lines of @bliles back a few posts. Or perhaps Microsoft ships a re-imagination of systemd-resolved that dynamically updates /etc/resolv.conf as Windows VPN connections come and go. Or Microsoft ships their own nss-resolve plug-in. None of these are straightforward asks however, to articulate let alone implement. There is no (quoth) "just uses" about it.

In any event, there is an ask for a resolution (cough) to the broad problem in some unspecified way on UserVoice here. The place to "add your vote" would be there; please do not fill up this issue with me2s.

asreimer commented 5 years ago

One can hypothesise alternative architectures. Perhaps lookups are always bounced off a local server on localhost along the lines of @bliles back a few posts. Or perhaps Microsoft ships a re-imagination of systemd-resolved that dynamically updates /etc/resolv.conf as Windows VPN connections come and go. Or Microsoft ships their own nss-resolve plug-in. None of these are straightforward asks however, to articulate let alone implement. There is no (quoth) "just uses" about it.

Everything you have hypothesized falls under what users mean when they say WSL should be "just using" the windows dns entries. The point is, however it's accomplished, this behaviour is what users expect. @bliles solution is the closest we can get right now, but this would be much better as something built in to WSL.

Thanks for pointing to the UserVoice. I've voted there. Cheers.

regisbsb commented 5 years ago

I've summed up all the workarounds here:

First run on powershell:

Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object -ExpandProperty ServerAddresses

Then run bash on windows with either ubuntu or bash commands (depending on your installation)

Edit the /etc/resolv.conf and replace all nameserver {ip} with the ones generated by the top one.

You should have internet and intranet back now. Remove the first line to make it permanent but be aware if you change networks it will not update anymore. (back it up first maybe?)

Maybe someone could automate that?
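The steps regisbsb lists (query Windows for its current DNS servers, rewrite /etc/resolv.conf with them) and mikchaos's manual fix for AnyConnect (move the nameserver line it appends at the bottom up to the top) can be scripted. The POSIX shell script below is an added example written for this rewrite; it is not code from the thread and not matthiassb's Gist. It assumes it runs inside WSL with powershell.exe on the PATH (the default) and as root when it writes /etc/resolv.conf. Entries that are not IPv4 literals are dropped, duplicates are collapsed, only the first three servers are kept because the glibc resolver ignores any beyond that, and the previous file is backed up before it is overwritten.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild /etc/resolv.conf from the IPv4
# nameservers Windows is currently using, and promote a VPN nameserver to the
# top of the file when the VPN client appends it at the bottom.
set -eu

# Validate a dotted-quad IPv4 address: four numeric octets, each 0-255.
is_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Read nameserver addresses from stdin (one per line; CRLF from PowerShell is
# tolerated), keep valid unique IPv4 entries in order, print resolv.conf lines.
build_resolv_conf() {
  seen=" "
  count=0
  while IFS= read -r ip || [ -n "$ip" ]; do
    ip=$(printf '%s' "$ip" | tr -d '[:space:]')   # strips CR and blanks
    [ -n "$ip" ] || continue
    is_ipv4 "$ip" || continue                      # drops IPv6 like "::"
    case $seen in *" $ip "*) continue ;; esac      # drop duplicates
    seen="$seen$ip "
    printf 'nameserver %s\n' "$ip"
    count=$((count + 1))
    [ "$count" -lt 3 ] || break                    # glibc uses at most 3
  done
}

# Ask Windows for its IPv4 DNS servers (only works inside WSL).
windows_dns_servers() {
  powershell.exe -NoProfile -Command \
    'Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object -ExpandProperty ServerAddresses'
}

# Rewrite $1 (default /etc/resolv.conf) from the addresses on stdin,
# keeping a timestamped backup; refuse to write an empty file.
update_resolv_conf() {
  target=${1:-/etc/resolv.conf}
  content=$(build_resolv_conf)
  [ -n "$content" ] || { echo "no usable nameservers, leaving $target alone" >&2; return 1; }
  [ -f "$target" ] && cp "$target" "$target.bak.$(date +%s)"
  printf '%s\n' "$content" > "$target"
}

# Move the "nameserver $1" line in file $2 to the top (mikchaos's manual step).
promote_nameserver() {
  ns=$1; file=$2
  grep -qx "nameserver $ns" "$file" || return 1
  { printf 'nameserver %s\n' "$ns"; grep -vx "nameserver $ns" "$file" || true; } > "$file.tmp"
  mv "$file.tmp" "$file"
}

# Typical use from WSL, as root:  windows_dns_servers | update_resolv_conf
```

Note that WSL regenerates /etc/resolv.conf unless the "automatically generated" comment line at its top is removed, so a rewritten file only persists if that line is dropped as well.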

matthiassb commented 5 years ago

I took my previous Powershell suggestion and wrapped it in an init.d script. For those interested, here is the Gist

@regisbsb

oranges13 commented 5 years ago

This is still an issue for me but the init.d script from @matthiassb has fixed it temporarily.

offero commented 5 years ago

Oh man this issue just dashed all my hopes of using WSL for my work development. I was really hoping not to have to use VMs or dual boot. I'll try the init script 🤞.

Edit 1: I modified my own script based on the one posted above and that seems to be working. Thank you for that work around @matthiassb! I will continue to use WSL for now.

goyzhang commented 5 years ago

The same issue with DirectAccess. In the WSL I can ping IPv6 address but no luck with DNS.

matthiassb commented 5 years ago

@goyzhang Are your DNS servers serving from an IPv6 address?

goyzhang commented 5 years ago

@goyzhang Are your DNS servers serving from an IPv6 address?

@matthiassb Short answer, I think yes. I'm using Windows10 service and I'm not sure how exactly Microsoft DirectAccess works(it just automatically connects you to your company internal network after you login). But I know that the IPv6 is the precondition to make it work. PC will talk to a DirectAccess Server to gain access to internal network. It uses some sort of DNS server routing strategy called "NRPT". So yes, I think the DirectAccess sever resolves all address for clients, which is , of course, under IPv6.

alexalmadav commented 5 years ago

I ran into this issue, what I did was run nslookup in Windows and get the dns server IP returned there, then on WSL edit /etc/resolv.conf and add it as a new nameserver. That fixed all my issues.

blakeduffey commented 5 years ago

I'm seeing this behavior (split tunnel VPN)

If the first nameserver in resolv.conf is internet (8.8.8.8) - I can resolve internet addresses but not machines on the other end of the VPN (the corporate network) - in fact I can't even resolve the corporate website (which is internet facing).

If the first nameserver is 'local' (a nameserver on our network) - I can resolve machines on the other end of the VPN but not the internet (www.google.com for example)
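The behaviour blakeduffey describes follows from how the glibc resolver treats /etc/resolv.conf: the nameservers are a fallback list tried in order, not a per-zone table, so whichever server is first answers (or NXDOMAINs) everything. Bliles's deadwood setup earlier in the thread avoids this by choosing the upstream per zone. The script below is an added example written for this rewrite, not code from the thread or from deadwood; it implements the same longest-matching-zone selection in POSIX shell, with a constructed zone table (corp.example, lab.corp.example and the placeholder addresses 10.20.0.5, 10.30.0.5 are assumptions) and a "." catch-all like dwood3rc.txt's upstream_servers["."]. Unlike deadwood's table it does not require a trailing dot on zone names.

```shell
#!/bin/sh
# Added example (not from the thread): route each DNS query to the upstream
# responsible for the longest matching zone, the way a split-horizon forwarder
# such as deadwood does, instead of trying resolv.conf servers in order.
set -eu

# Constructed zone table: one "zone server" pair per line; "." is the catch-all.
ZONE_TABLE='
corp.example 10.20.0.5
lab.corp.example 10.30.0.5
. 8.8.8.8
'

# Print the server for the longest zone that is a suffix of $1 (case-insensitive,
# trailing dot ignored). Returns 1 if no zone, not even ".", matches.
upstream_for() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  best_server=""
  best_len=-1
  while read -r zone server; do
    [ -n "$zone" ] || continue                  # skip blank table lines
    if [ "$zone" = "." ]; then
      len=0                                     # catch-all: weakest match
    else
      case $name in
        "$zone"|*".$zone") len=${#zone} ;;      # exact zone or a name under it
        *) continue ;;
      esac
    fi
    if [ "$len" -gt "$best_len" ]; then
      best_len=$len
      best_server=$server
    fi
  done <<EOF
$ZONE_TABLE
EOF
  [ -n "$best_server" ] || return 1
  printf '%s\n' "$best_server"
}

# Resolve $1 against the selected upstream with dig, if dig is installed.
resolve() {
  command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 1; }
  server=$(upstream_for "$1") || { echo "no upstream for $1" >&2; return 1; }
  dig +short "@$server" "$1"
}

# Example: resolve git.corp.example   -> asks 10.20.0.5
#          resolve www.google.com     -> asks 8.8.8.8
```

With this selection in front of the real lookups, the first-nameserver problem disappears: the corporate zone is always sent to the VPN's DNS server and public names to the public resolver, whichever order resolv.conf happens to list them in.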

BrianBlaze commented 5 years ago

I point my namesever to the local network gateway that my vpn connects to and it works great. Is there still no solution to this?! :)

matthiassb commented 5 years ago

No official solution it seems unfortunately :( If you're interested I created a init.d service that can make this a little less painful: https://gist.github.com/matthiassb/9c8162d2564777a70e3ae3cbee7d2e95

BrianBlaze commented 5 years ago

Thanks I will check it out. I believe there is a big update coming to this at the end of the year? Hopefully they will fix this :)

TrentonAdams commented 4 years ago
trenta@Trent-PC:/mnt/c/Users/Trent$ cat /etc/resolv.conf
# This file was automatically generated by WSL. To stop automatic generation of this file, remove this line.
nameserver ::
nameserver 192.168.2.254
nameserver 192.168.2.254
search athabascau.ca telus

remove the nameserver :: line, it works fine afterwards

Farix1337 commented 4 years ago

trenta@Trent-PC:/mnt/c/Users/Trent$ cat /etc/resolv.conf
# This file was automatically generated by WSL. To stop automatic generation of this file, remove this line.
nameserver ::
nameserver 192.168.2.254
nameserver 192.168.2.254
search athabascau.ca telus

remove the nameserver :: line, it works fine afterwards

I don't have that line. But the script of https://gist.github.com/matthiassb/9c8162d2564777a70e3ae3cbee7d2e95 works fine except for the font-change bug.

sgarcia-dev commented 4 years ago

Thank you all for the detailed workarounds. It's a shame it's been 2 years now and there's no comment from Microsoft on an ETA for this...

Sadly, none of the workarounds worked for me. For some reason the VPN I'm using doesn't provide a DNS address, as when I run:

Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object -ExpandProperty ServerAddresses

I just get 192.168.1.1, which when I add it and modify /etc/resolv.conf does nothing. I wonder if there's another way to get what my VPN DNS servers look like...

mzvast commented 4 years ago

What a shame for this. I bought an iMac and it works like magic. Goodbye Lxss, I will never use it again.

BrianBlaze commented 4 years ago

What a shame for this. I bought an iMac and it works like magic. Goodbye Lxss, I will never use it again.

I mean in Windows defense before we had no choice but to use cygwin if we wanted a terminal in windows, so it has come a long way. It's got some ways to go still but I am still impressed with WSL. I swear terminal is the only thing Mac has over Windows.

Proxxy0 commented 4 years ago

I'm not sure if this has any changed functionality, as I haven't really looked into it myself, but from what I understand, WSL2 has some changes to how it interacts with things, and how it is structured. Maybe there is something therein that fixes this odd network stack issue. (This is entirely speculative, but if someone tries it, let us know what the results were)

BertelBB commented 4 years ago

I'm not sure if this has any changed functionality, as I haven't really looked into it myself, but from what I understand, WSL2 has some changes to how it interacts with things, and how it is structured. Maybe there is something therein that fixes this odd network stack issue. (This is entirely speculative, but if someone tries it, let us know what the results were)

I can verify that WSL2 has fixed this issue for me. On WSL I was not able to use git while on VPN because it could not resolve the host (company intranet).

eliasaj92 commented 4 years ago

I had a similar issue and what fixed it is the answer by @regisbsb and @matthiassb

https://github.com/microsoft/WSL/issues/416#issuecomment-407000250

pd15ms089 commented 4 years ago

I've tried approaching this two different ways.

Create VPN Within Windows

  • Instantiate VPN tunnel using AnyConnect VPN client on my Windows laptop, then connect to upstream devices using SSH via Linux subsystem.
  • RESULT: DNS was not properly handed off to the linux subsystem, and no hostname resolution is possible.

Create VPN Connection Within Subsystem

  • Instantiate VPN tunnel using OpenConnect networking client
  • RESULT: Failed to instantiate network tunnel with the following error mkdir: cannot create directory ‘/dev/net’: No such file or directory

Any help would be greatly appreciated, as I often perform work on VMs which are located behind a firewall of some sort

I had same issue with OpenVPN. I have tried different things from different websites. Nothing solved my issue. Next time while running VPN I did it as Administrator. Again I tried to do ssh from bash. And it worked. I don't know how, but it works.

timcanham commented 4 years ago

This is a very specific workaround, but I use VPN with the same work setup 99% of the time. I just keep a copy of resolv.conf.mywork that incorporates my own workaround, which is like #416. I have an alias that just copies resolv.conf.mywork to resolv.conf with sudo. Whenever I log in via VPN, I just call the alias. My VPN (PulseSecure) has a "partial" tunnel which only routes the addresses for the VPN site, and a "full" tunnel that routes everything. The full option works fine without the resolv.conf workaround, but cuts off local addresses like printers, etc.

jaques-sam commented 4 years ago

This is an important issue and pretty much the only thing that holds me back from switching from Mac back to Windows

I don't see a reason of using Linux if you have a Mac... Aren't you happy enough with bash/zsh? Most apps are also better designed on Mac than on Linux.

bitcrazed commented 4 years ago

@jaques-sam Mac is not built on Linux. Mac is built on BSD/UNIX.

Although there are definitely similarities between the UNIX and Linux architectures, shells, etc., because Linux was originally modeled on UNIX architecture, the two can differ quite considerably in many ways, not least in terms of:

Importantly, BSD/UNIX and Linux distros package and deliver modules, ports, etc. differently leading to different methods of deployment, configuration, updating, etc. This can result in quite a lot of work having to be put into a deployment & configuration system when building an app that you want to test locally on a Mac, but deploy into a Linux environment.

Because WSL2 in particular is literally Linux, you may well find that there are fewer differences between deploying an app you've built on WSL2 than doing the same on Mac.

baruchiro commented 4 years ago

The beautiful Gist did not solve my problem, since I have a CheckPoint VPN.

What I had to do was share the VPN connection with the WSL connection.

And then use the Gist.

Update:

Currently, I can't reproduce that. My guess is that it depends on the order you do all these configs, and maybe a restart will help. I don't have enough knowledge in networking.

jaques-sam commented 4 years ago

Then I would expect you have selected the properties for "Cisco AnyConnect Secure Mobility Client Connection" and not "Ethernet 2"? Anyhow, this makes me lose connection to the vpn.