microsoft / WSL

Issues found on WSL
https://docs.microsoft.com/windows/wsl
MIT License

Networking issues while using VPN #416

Open esabelhaus opened 8 years ago

esabelhaus commented 8 years ago

I've tried approaching this two different ways.

Create VPN Within Windows

Any help would be greatly appreciated, as I often perform work on VMs which are located behind a firewall of some sort

baruchiro commented 4 years ago

@jaques-sam See my update. The "Ethernet 2" is my VPN connection: image

And it also loses my connection, so I disconnected and reconnected.

And this is what I said in my update: I think there is a required order to do this. For example: Terminate your WSL instance (wsl -t Ubuntu-18.04), share the VPN adapter, reconnect to the VPN, launch your WSL instance, register the DNS in /etc/resolv.conf, ping.

tildebyte commented 4 years ago

I had to edit /etc/resolv.conf such that the local nameserver/search prefix are at the end of their respective lists, e.g.

  nameserver $LOCAL
  nameserver $WORK_DNS1
  nameserver $WORK_DNS2
  search mshome.net biz.com

becomes

  nameserver $WORK_DNS1
  nameserver $WORK_DNS2
  nameserver $LOCAL
  search biz.com mshome.net

Warning: I haven't tested to know what happens to local resolution with this setup - I'm much more concerned with being able to access work.
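The reordering described in the comment above, as an added example (not code from the thread or from the WSL project): a shell function that moves one nameserver and one search domain to the end of their lists in resolv.conf-style text. The addresses in the sample are constructed placeholders standing in for $LOCAL, $WORK_DNS1 and $WORK_DNS2.

```shell
#!/usr/bin/env bash
# Added example. Reads resolv.conf-style text on stdin and writes the reordered
# text to stdout; it never touches /etc/resolv.conf itself.

# reorder_resolv LOCAL_NS LOCAL_DOMAIN
#   LOCAL_NS     nameserver address to move to the end of the nameserver list
#   LOCAL_DOMAIN search domain to move to the end of the search list
reorder_resolv() {
    awk -v local_ns="$1" -v local_dom="$2" '
        # Hold the local nameserver back until every other line is printed.
        $1 == "nameserver" && $2 == local_ns { held[++n] = $0; next }

        # Rebuild the search list with the local domain last.
        $1 == "search" {
            head = "search"; rest = ""
            for (i = 2; i <= NF; i++) {
                if ($i == local_dom) rest = rest " " $i
                else                 head = head " " $i
            }
            search_line = head rest
            next
        }

        # Comments, options and the remaining nameservers keep their order.
        { print }

        END {
            # glibc consults at most three nameserver lines, so a local
            # server demoted past third place is never queried.
            for (i = 1; i <= n; i++) print held[i]
            if (search_line != "") print search_line
        }
    '
}

# Constructed sample: 192.0.2.1 stands in for $LOCAL, 10.0.0.53 and 10.0.0.54
# for $WORK_DNS1 and $WORK_DNS2.
SAMPLE_RESOLV='nameserver 192.0.2.1
nameserver 10.0.0.53
nameserver 10.0.0.54
search mshome.net biz.com'

printf '%s\n' "$SAMPLE_RESOLV" | reorder_resolv 192.0.2.1 mshome.net
```

WSL regenerates /etc/resolv.conf unless generateResolvConf = false is set under [network] in /etc/wsl.conf, so a reordered file only persists with that setting in place.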

cheuerde commented 4 years ago

Hi everyone,

I had been struggling with this quite a bit myself and found the solution today. Microsoft recently released WSL2, which adds a Hyper-V network adapter and a full Linux kernel. That means a VPN tunnel can now easily be established from within an Ubuntu instance on WSL2 without having to have a VPN running on the Windows host. In fact, the VPN client will indeed only affect the Ubuntu instance.

Tested with openfortivpn on a Windows10 host with WSL2 and Ubuntu 18.04.

Instructions how to update WSL to version 2 are here.

blakeduffey commented 4 years ago

This is an interesting outcome but I don't feel addresses the typical 'corporate' need, where the only supported VPN configuration is on the Windows host (something like AnyConnect). Is there feedback on WSL2 where the Windows host is connected to a VPN?

matthiassb commented 4 years ago

@blakeduffey There's an open-source client for AnyConnect, named OpenConnect. It supports AnyConnect, Juniper Pulse Connect Secure, and the Palo Alto Networks GlobalProtect SSL VPN.

blakeduffey commented 4 years ago

@matthiassb - I appreciate the info, I'm more talking about a 'corporately supported' solution. Not every organization supports linux at all. In that scenario, the Windows host (with the pre-installed VPN client) is the officially supported platform, the WSL instance is sorta on their own. That's where the issue has been (from my experience).

Chiramisu commented 4 years ago

This issue is over 4 years old and urgently needs to be fixed please. I use WSL for managing Linux servers on our network over SSH on AnyConnect VPN. I also use it for Git commands and other network activities. We can't even apt update on VPN with this issue unless you jump through several hoops, and finding a workaround that actually works is not necessarily easy.

Please fix! 😥

craigloewen-msft commented 4 years ago

Hi folks we're looking into fixing this issue, if you're seeing VPN issues can you please collect some logs for us to help us diagnose it? Full instructions can be found here on how to do so. Please make sure to reply here with a link to your feedback item!

baruchiro commented 4 years ago

Hi @craigloewen-msft , what about #4246 and #4277 ? I think they describe my problem most accurately.

Feedback link (Maybe I need to start to collect before I'm launching the WSL? If so, or if you need any more data, please contact me)

meskill commented 4 years ago

as @cheuerde already said running vpn client inside wsl 2 instance works, but it affects only the wsl instance not windows host

any ideas how to pass network in windows through vpn inside wsl instance?

rofrol commented 4 years ago

Works for me with 2FA and Cisco AnyConnect. Instructions here https://github.com/microsoft/WSL/issues/5068#issuecomment-683917384

meskill commented 4 years ago

as @cheuerde already said running vpn client inside wsl 2 instance works, but it affects only the wsl instance not windows host

any ideas how to pass network in windows through vpn inside wsl instance?

managed to work on host machine through proxy server:

  1. install tinyproxy inside wsl machine
  2. change tinyproxy server to allow requests from any ip
  3. start vpn inside wsl
  4. start tinyproxy
  5. set up proxy on windows host pointing to wsl ip
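Step 2 above lets every client that can reach the WSL address use the proxy, and with the VPN running inside WSL that proxy forwards into the VPN. An added check (not from the thread or the tinyproxy project) that classifies a tinyproxy.conf by its Allow/Deny rules, so the rule can be narrowed to the Windows host's address; the sample configs and the address 192.0.2.10 are constructed.

```shell
#!/usr/bin/env bash
# Added example. Classifies the access-control rules in tinyproxy.conf text
# read from stdin and prints one verdict:
#   open-no-acl    no Allow/Deny lines at all: tinyproxy accepts every client
#   open-wildcard  an Allow line covers every IPv4 or IPv6 address
#   restricted     Allow lines name specific hosts or subnets
# Rule ordering between Allow and Deny is not evaluated here.
audit_tinyproxy_acl() {
    awk '
        /^[ \t]*#/ { next }                 # commented-out directives do not count
        tolower($1) == "allow" {
            allow++
            if ($2 == "0.0.0.0/0" || $2 == "::/0") wide++
        }
        tolower($1) == "deny" { deny++ }
        END {
            if (allow + deny == 0) print "open-no-acl"
            else if (wide > 0)     print "open-wildcard"
            else                   print "restricted"
        }
    '
}

# Constructed config: the default Allow line commented out, which is one way
# of allowing requests from any IP.
CONF_ANY_IP='Port 8888
#Allow 127.0.0.1'

# Constructed config: explicit wildcard.
CONF_WILDCARD='Port 8888
Allow 0.0.0.0/0'

# Constructed config: loopback plus one host. 192.0.2.10 is a placeholder for
# the address the Windows host uses to reach the WSL instance (assumption).
CONF_HOST_ONLY='Port 8888
Allow 127.0.0.1
Allow 192.0.2.10'

for conf in "$CONF_ANY_IP" "$CONF_WILDCARD" "$CONF_HOST_ONLY"; do
    printf '%s\n' "$conf" | audit_tinyproxy_acl
done
```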

Chiramisu commented 4 years ago

I've added my recording as instructed. I hope it proves useful and greatly look forward to this issue being fixed. https://aka.ms/AA9kruf

Chiramisu commented 4 years ago

I've also observed the following, in my current situation (in Ubuntu):

Typical Error: Temporary failure in name resolution

Environment:

Process:

  1. Connect to VPN
  2. Open WSL
  3. Ping Bing => Error (shown above)

I get the same result even swapping the order of steps 1 & 2. I also tried the same steps after running wsl --shutdown followed by wsl --set-version Ubuntu 1 to revert back to WSL1.

In the past, I've been able at times to get WSL2 to ping out temporarily after editing the /etc/resolv.conf file, but this time I have been unsuccessful. I have never found a permanent and reliable workaround, even after disabling the auto-generation in the /etc/wsl.conf file. I'm still trying things though. I tend to agree with @rodrymbo's comment above.

With the current pandemic situation and working remotely, this is even more of an issue and I've lost dozens of hours to it. It's an important part of my workflow, and honestly can't recall how I ever survived before WSL. 😊

@craigloewen-msft @benhillis I appreciate the team working on this issue. I hope the fix is relatively straightforward 🤞🏼. I'm happy to work directly with anyone on your team if that would help.

regisbsb commented 4 years ago

Use the store app. It works: https://www.microsoft.com/en-us/p/anyconnect/9wzdncrdj8lh?activetab=pivot:overviewtab

vnijs commented 4 years ago

@regisbsb That does also work for me but, for some reason, the version available through the windows store restricts up and download speeds to 10MB

Chiramisu commented 4 years ago

Could it be!? I'm a Windows Insider (Slow) and just got an update yesterday to version 20H2 build 19042.508, and now suddenly, I can ping out both to public servers on or off VPN, and private servers also on VPN. What!? Could it be that it has been fixed or is this a fluke? I've been burned before so I'm trying not to get too excited just yet, but it's looking hopeful. 🥺🙏🏼

cprivitere commented 4 years ago

Use the store app. It works: https://www.microsoft.com/en-us/p/anyconnect/9wzdncrdj8lh?activetab=pivot:overviewtab

It does, unfortunately the store app does not support all the functionality the normal AnyConnect app does and thus is not permitted for some environments.

hauntingEcho commented 3 years ago

user of AWS VPN Client checking in & seeing the same issue. The nameserver from my VPN is being added to the end of /etc/resolv.conf and effectively not being used - pointing instead to a resolver in the host OS would solve my issue.

cantrell commented 3 years ago

I can confirm that this is still an issue as of 11/18/2020 (with all of the latest updates). I'm using WSL2 and Cisco AnyConnect. This has made it impossible for me to use Windows for work since I can't access repos (and the code I want to work on doesn't run on native Windows). Back to the Mac for now. I'll check in again every few months.

regisbsb commented 3 years ago

@cantrell have you tried the Windows Store app?

blakeduffey commented 3 years ago

@cantrell - that's disappointing. These suggestions for 'use the version from the Windows Store app' are well intentioned but not necessarily helpful. An enterprise that offers their standardized image Cisco AnyConnect offers whatever bits Cisco provides. It isn't a simple matter to simply swap that out for something from the app store.

If there is something known to be different in the store version - that's something we can refer to the good folks who manage the VPN.

cantrell commented 3 years ago

Thank you, @regisbsb. I just set up a VPN connection through Windows using AnyConnect (from the app store) as the VPN provider, and it works!

@blakeduffey: Yeah, our VPN installation process also installs certificates, so I assumed I couldn't use the version from the app store. But when I connected to the VPN server, I was given the option to download and install the necessary certificates. It's a pain to have to deviate from my company's IT policy, but it does appear to work.

Thanks, all!

regisbsb commented 3 years ago

It works with multiple companies I've worked with in the past. Your mileage may vary. Better than nothing I'd say.

blakeduffey commented 3 years ago

@cantrell @regisbsb - thanks very much for the feedback. I'll start down this rabbit hole myself. :)

esabelhaus commented 3 years ago

It's interesting looking back to see this is still an active issue 4 years later.

fd17 commented 3 years ago

I fixed the problem by going to the AnyConnect Settings -> Preferences -> Allow local (LAN) access when using VPN

Name resolution and everything else worked fine in WSL once I enabled this.

donatelloOo commented 3 years ago

Please see my comment regarding conflict with IPv6 DNS servers here: https://github.com/microsoft/WSL/issues/1350#issuecomment-742454940

A workaround is suggested.

lassimus commented 3 years ago

The problem seems to be with the dns resolver. If dns is routed through the vpn it fails. Adding my vpn dns server to the wsl distro's resolv.conf fixes things.

donatelloOo commented 3 years ago

@lassimus

The problem seems to be with the dns resolver. If dns is routed through the vpn it fails. Adding my vpn dns server to the wsl distro's resolv.conf fixes things.

Can you check if you have IPv6 enabled, paste the output of your /etc/resolv.conf (VPN connected), apply the workaround mentioned below, and tell if that worked for you ? https://github.com/microsoft/WSL/issues/1350#issuecomment-742454940

newcarrotgames commented 3 years ago

As a workaround, if I start wsl(2), then disconnect/reconnect to my VPN, DNS requests start working again (and continues to work until I restart). If I start WSL before connecting to my VPN, it works the first time.

lassimus commented 3 years ago

@donatelloOo

Can you check if you have IPv6 enabled, paste the output of your /etc/resolv.conf (VPN connected), apply the workaround mentioned below, and tell if that worked for you ? #1350 (comment)

Your ipv6 method didn't work for me. I disabled ipv6 on all interfaces, and after different combinations of restarting things, /etc/resolv.conf is still the autogen version. I'm using a WireGuard vpn connection, which seems to be different from most others on this thread. Manually adding another entry to /etc/resolv.conf works fine for me. Without the entry, enabling the vpn kills all dns in wsl, not just vpn related lookups. Hopefully this feedback helps!

# This file was automatically generated by WSL. To stop automatic generation of this file, add the following entry to /etc/wsl.conf:
# [network]
# generateResolvConf = false
nameserver 172.22.144.1

geotrev commented 3 years ago

I recently tried to use openvpn on WSL, and after a day of digging, discovered this GH issue. Kinda depressing that it's been four years and there's still not a fix.

All I want to do is this:

$ openvpn --config path/to/config.ovpn

And I get an error:

Fri Feb  5 19:18:37 2021 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Fri Feb  5 19:18:37 2021 Exiting due to fatal error

@craigloewen-msft Is this still something coming down the pipeline? It doesn't sound like anyone has a workable solution for CLI + openvpn. Thanks in advance.

Chiramisu commented 3 years ago

Since my last reply I have done a clean install of Windows on a new SSD. Now on 20H2 build 19042.867 (a few ahead compared to before). My Windows and WSL2 configs are very vanilla. It seems I'm having the same issue as before. Alas, it seems to have been a fluke. 😥 The only work around I have found is to launch WSL BEFORE connecting to my work VPN (with AnyConnect on the DTLSv1.2 protocol). The WSL networking really needs to work properly and inherit all the settings from Windows in real time, without requiring a restart of WSL or Windows, or reconnecting to the VPN.

mrinmoyg commented 3 years ago

Moving back to WSL1, WSL2 is kind of hopeless, if they cannot fix this in 4 years, I guess it's not going to get fixed any sooner. WSL1 works like a charm with VPN

mtttcgcg commented 3 years ago

I fixed the problem by going to the AnyConnect Settings -> Preferences -> Allow local (LAN) access when using VPN

Name resolution and everything else worked fine in WSL once I enabled this.

Which version of AnyConnect are you using? I don't have that option on my Preferences page in AnyConnect 4.9.01095

mrinmoyg commented 3 years ago

I fixed the problem by going to the AnyConnect Settings -> Preferences -> Allow local (LAN) access when using VPN Name resolution and everything else worked fine in WSL once I enabled this.

Which version of AnyConnect are you using? I don't have that option on my Preferences page in AnyConnect 4.9.01095

I am using 4.9.06037 version, anyconnect version

cprivitere commented 3 years ago

Allow local (LAN) access is usually disabled by companies. This is usually to avoid viruses from other computers on your network from scanning and infecting other computers on your corporate network.

blakeduffey commented 3 years ago

Allow local (LAN) access is usually disabled by companies. This is usually to avoid viruses from other computers on your network from scanning and infecting other computers on your corporate network.

This comment is insightful and continues to be a point lost on some - if Microsoft wants WSL to be an accepted solution in a corporate environment, the network solution needs to work with the 'corporate approved' VPN solution. Many (most?) corporate users can't swap out the AnyConnect client, can't make changes to said client, etc.

This issue has been open for 4+ years. Split tunnel VPN remains a problem. Depending how I configure the WSL /etc/resolv.conf - I can either resolve the corporate network or the public internet - but never both.

PivitParkour94 commented 3 years ago

I'm not sure if this is an issue with the DNS resolving to an ipV6 address or something. Without the vpn connected (PureVPN): I can connect to my server.

With the vpn connected: Fails to connect

I then added in the ipV4 address that came up in my wsl /etc/hosts file for my server

<IPV4 address> my.server

and tried connecting to the server again, and it worked.

Seems to be an issue with the DNS resolution. Just my two cents

(I'm not even close to a network engineer though)

pixiekat commented 3 years ago

I'm using WSL1 and still encountering this. Anytime you disconnect or connect to VPN, I'll need to terminate the WSL instance and then restart it before I can connect to remote URLs again in WSL.

wget www.google.com
--2021-09-30 18:01:23--  http://www.google.com/
Resolving www.google.com (www.google.com)... failed: Temporary failure in name resolution.
wget: unable to resolve host address ‘www.google.com’

mhlr commented 2 years ago

Any updates?

Apreche commented 2 years ago

When I connect to my employer's VPN from Windows, WSL mostly still works correctly. There are no DNS issues and most network activity is normal. There are, however, specific network activities that fail often. Pulls and pushes to/from Github hang frequently, and I have to retry them or disable the VPN temporarily. If I use VSCode remote into WSL while the VPN is on, the extensions panel that shows what is installed inside the remote fails to load. Turning the VPN off and the extensions panel loads perfectly.

I was trying to get around these issues by connecting to the VPN from within WSL instead of from Windows, but that does not seem to even be possible.

rfdonnelly commented 2 years ago

Use wsl-vpnkit.

Background

Docker Desktop for Windows uses something called VPNKit to provide network connectivity to VMs while connected to a VPN.

From https://github.com/moby/vpnkit#why-is-this-needed:

Running a VM usually involves modifying the network configuration on the host, for example by activating Ethernet bridges, new routing table entries, DNS and firewall/NAT configurations. Activating a VPN involves modifying the same routing tables, DNS and firewall/NAT configurations and therefore there can be a clash -- this often results in the network connection to the VM being disconnected.

VPNKit, part of HyperKit attempts to work nicely with VPN software by intercepting the VM traffic at the Ethernet level, parsing and understanding protocols like NTP, DNS, UDP, TCP and doing the "right thing" with respect to the host's VPN configuration.

VPNKit operates by reconstructing Ethernet traffic from the VM and translating it into the relevant socket API calls on OSX or Windows. This allows the host application to generate traffic without requiring low-level Ethernet bridging support.

The wsl-vpnkit project takes VPNKit from Docker Desktop for Windows and uses it to provide network connectivity for WSL 2 that works nicely with VPN.

philippe-granet commented 2 years ago

@rfdonnelly

The wsl-vpnkit project takes VPNKit from Docker Desktop for Windows and uses it to provide network connectivity for WSL 2 that works nicely with VPN.

Last wsl-vpnkit versions uses gvisor-tap-vsock, see https://github.com/sakai135/wsl-vpnkit/pull/91

craigloewen-msft commented 1 year ago

Hi folks, we have put out a new update that aims to address networking issues in WSL. In your .wslconfig file you can set experimental.networkingMode=mirrored, as well as some other key settings that should improve your network compatibility! Please try them out and let us know what you think.

More info on this release and the changes can be found here in the blog post.

Please note: You need to be on a Windows Insiders version to use the new networking settings (Any channel of Windows Insiders will do, including release preview). If you see the "These are not supported" messages it means that your current Windows version doesn't have support, and you will need to upgrade. These features will eventually be coming to Windows 11 22H2.

craigloewen-msft commented 11 months ago

These new networking features are now available on the latest version of Win11 22H2!

Please make sure you're on the latest build to get these features, you can do that by clicking "Check for Updates" in Windows settings. You can check you have the right build by either ensuring you have KB5031354 installed, or run cmd.exe /c ver and ensure that your build number is 22621.2428 or higher (Including the minor build number which is after the . as this was a backport!)

danila-io commented 11 months ago

These new networking features are now available on the latest version of Win11 22H2!

Please make sure you're on the latest build to get these features, you can do that by clicking "Check for Updates" in Windows settings. You can check you have the right build by either ensuring you have KB5031354 installed, or run cmd.exe /c ver and ensure that your build number is 22621.2428 or higher (Including the minor build number which is after the . as this was a backport!)

Doesn't seem like that's true 🤔

Windows log:

Unknown key 'experimental.dnsTunneling' in C:\Users\...\.wslconfig:12

Windows specifications:

Edition Windows 11 Enterprise
Version 22H2
Installed on    04/10/2023
OS build    22621.2428
Experience  Windows Feature Experience Pack 1000.22674.1000.0

gchait commented 11 months ago

Hi folks, we have put out a new update that aims to address networking issues in WSL. In your .wslconfig file you can set experimental.networkingMode=mirrored, as well as some other key settings that should improve your network compatibility! Please try them out and let us know what you think.

More info on this release and the changes can be found here in the blog post.

Please note: You need to be on a Windows Insiders version to use the new networking settings (Any channel of Windows Insiders will do, including release preview). If you see the "These are not supported" messages it means that your current Windows version doesn't have support, and you will need to upgrade. These features will eventually be coming to Windows 11 22H2.

Nice! Is there a plan to add mirrored to Windows 10 as well? I am sure a lot of corporate-managed laptop owners would love not having that wsl-vpnkit machine.

OneBlue commented 4 months ago

Hi ! Please try the latest networking features that we've added in WSL. Those should greatly improve compatibility with VPN's.

If the issue still remains, please reopen this issue.