microsoft / WSL

Issues found on WSL
https://docs.microsoft.com/windows/wsl
MIT License

No internet connectivity from WSL2/Ubuntu #4926

Closed j0057 closed 4 years ago

j0057 commented 4 years ago

I'm getting timeouts when trying to connect to internet from a WSL2 instance. DNS works, and the WSL2 instance can see/ping the host without problem.

$ ip route
default via 172.24.64.1 dev eth0
172.24.64.0/20 dev eth0 proto kernel scope link src 172.24.66.230
$ cat /etc/resolv.conf
# This file was automatically generated by WSL. To stop automatic generation of this file, add the following entry to /etc/wsl.conf:
# [network]
# generateResolvConf = false
nameserver 172.24.64.1
$ dig +noall +answer microsoft.com
microsoft.com.          0       IN      A       13.77.161.179
microsoft.com.          0       IN      A       40.76.4.15
microsoft.com.          0       IN      A       40.112.72.205
microsoft.com.          0       IN      A       40.113.200.201
microsoft.com.          0       IN      A       104.215.148.63
$ curl -4sv -m5 https://microsoft.com/
*   Trying 13.77.161.179...
* TCP_NODELAY set
* After 2498ms connect time, move on!
* connect to 13.77.161.179 port 443 failed: Connection timed out
*   Trying 40.76.4.15...
* TCP_NODELAY set
* After 1249ms connect time, move on!
* connect to 40.76.4.15 port 443 failed: Connection timed out
*   Trying 40.112.72.205...
* TCP_NODELAY set
* After 623ms connect time, move on!
* connect to 40.112.72.205 port 443 failed: Connection timed out
*   Trying 40.113.200.201...
* TCP_NODELAY set
* After 311ms connect time, move on!
* connect to 40.113.200.201 port 443 failed: Connection timed out
*   Trying 104.215.148.63...
* TCP_NODELAY set
* After 155ms connect time, move on!
* connect to 104.215.148.63 port 443 failed: Connection timed out
* Failed to connect to microsoft.com port 443: Connection timed out
* Closing connection 0

Based on what I know about Hyper-V networking, my Internal switch may or may not route packets from the VM to the internet, but in order for packets to be routed back, the traffic from the WSL2 VM will need to be NAT'ed.

On the host, in PowerShell, Get-NetNat returns no results:

PS C:\WINDOWS\system32> Get-NetIPAddress -InterfaceIndex 59 | Format-Table

ifIndex IPAddress                                       PrefixLength PrefixOrigin SuffixOrigin AddressState PolicyStore
------- ---------                                       ------------ ------------ ------------ ------------ -----------
59      fe80::xxxx:xxxx:xxxx:xxxx%59                              64 WellKnown    Link         Preferred    ActiveStore
59      172.24.64.1                                               20 Manual       Manual       Preferred    ActiveStore

PS C:\WINDOWS\system32> Get-VMSwitch -name WSL | Format-List

Name                                             : WSL
Id                                               : 32874a54-04c6-4677-a51f-77c5245345a5
Notes                                            :
Extensions                                       : {Microsoft Windows Filtering Platform, Microsoft Azure VFP Switch Extension, Microsoft NDIS Capture}
BandwidthReservationMode                         : Absolute
PacketDirectEnabled                              : False
EmbeddedTeamingEnabled                           : False
IovEnabled                                       : False
SwitchType                                       : Internal
AllowManagementOS                                : True
NetAdapterInterfaceDescription                   :
NetAdapterInterfaceDescriptions                  :
NetAdapterInterfaceGuid                          :
IovSupport                                       : False
IovSupportReasons                                :
AvailableIPSecSA                                 : 0
NumberIPSecSAAllocated                           : 0
AvailableVMQueues                                : 0
NumberVmqAllocated                               : 0
IovQueuePairCount                                : 0
IovQueuePairsInUse                               : 0
IovVirtualFunctionCount                          : 0
IovVirtualFunctionsInUse                         : 0
PacketDirectInUse                                : False
DefaultQueueVrssEnabledRequested                 : True
DefaultQueueVrssEnabled                          : False
DefaultQueueVmmqEnabledRequested                 : True
DefaultQueueVmmqEnabled                          : False
DefaultQueueVrssMaxQueuePairsRequested           : 16
DefaultQueueVrssMaxQueuePairs                    : 0
DefaultQueueVrssMinQueuePairsRequested           : 1
DefaultQueueVrssMinQueuePairs                    : 0
DefaultQueueVrssQueueSchedulingModeRequested     : StaticVrss
DefaultQueueVrssQueueSchedulingMode              : Dynamic
DefaultQueueVrssExcludePrimaryProcessorRequested : False
DefaultQueueVrssExcludePrimaryProcessor          : False
SoftwareRscEnabled                               : False
BandwidthPercentage                              : 0
DefaultFlowMinimumBandwidthAbsolute              : 0
DefaultFlowMinimumBandwidthWeight                : 0
CimSession                                       : CimSession: .
ComputerName                                     : NB-XXXXXXX
IsDeleted                                        : False
DefaultQueueVmmqQueuePairs                       : 0
DefaultQueueVmmqQueuePairsRequested              : 16

When trying to set up a new NAT rule, I get a seemingly unrelated error:

PS C:\WINDOWS\system32> New-NetNat -Name "WSLNetworkNAT" -ExternalIPInterfaceAddressPrefix 172.24.64.0/20
New-NetNat : The parameter is incorrect.
At line:1 char:1
+ New-NetNat -Name "WSLNetworkNAT" -ExternalIPInterfaceAddressPrefix 17 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (MSFT_NetNat:root/StandardCimv2/MSFT_NetNat) [New-NetNat], CimException
    + FullyQualifiedErrorId : Windows System Error 87,New-NetNat

ultramaks commented 3 years ago

Can anyone tell me what exact steps should be performed to allow WSL2 traffic from WSL2 Ubuntu to Internet through primary host Win10 workstation? I tried this specifying an IP address of the WSL adapter that I received from ipconfig /all but had no luck (all other settings were put as "all"). Am I missing something?

PS I have Symantec Endpoint Protection Version 14. Despite that I can successfully ping some resources e.g. ping www.ya.ru but when I try to sudo apt-get update I can't connect any host

PPS if I disable Symantec I have all the connectivity in Ubuntu and all works fine (docker connections, updates etc). But it's managed by my organization and it's automatically enabled after several minutes

ExtremeGTX commented 3 years ago

Thanks @anthonysomerset, I could also ping google.com but apt update or git clone fails :( So I checked my Avast firewall and it was it :( More here

Go to Protection -> Firewall -> Settings -> Enable "Internet Connection sharing mode"

Now internet works!

I don't know if this option is completely safe or not, will try to find out more.

k0psutin commented 3 years ago

I got the network working in Ubuntu 20.04 WSL2 after I unchecked IPv6 from my WLAN and VPN properties and made a few changes to .conf-files.

For the .conf-files I used the solution found in https://github.com/microsoft/WSL/issues/5420#issuecomment-646479747 to stop WSL from rewriting the nameservers.

sudo rm /etc/resolv.conf
sudo bash -c 'echo "nameserver 8.8.8.8" > /etc/resolv.conf'
sudo bash -c 'echo "[network]" > /etc/wsl.conf'
sudo bash -c 'echo "generateResolvConf = false" >> /etc/wsl.conf'
sudo chattr +i /etc/resolv.conf

These steps worked for me and I hope it helps others as well. Now I have network connection in Ubuntu every time I launch it.

uscwifi commented 3 years ago

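Hi, I ran into this problem too. I noticed it after installing the June Windows patches. I referred to this article: ipconfig shows only "Windows IP Configuration" after upgrade to Win10 image. After I uninstalled the checkpoint vpn from my computer and rebooted, my Ubuntu subsystem was back to normal. I really am a lucky one! :yum: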

brettcave commented 3 years ago

I had a similar issue - to narrow down the problem, I avoided DNS and worked with IPs - so it was a routing / nat related issue (and because I couldn't reach my windows local network from the virtual network, DNS fails, but it's not the root cause).

Problem description: My Windows host is on network a.0.0.0/24 with a default gateway of a.0.0.1. from windows. I can ping from Windows to default gateway, or out onto the network (e.g. 8.8.8.8). I had full network functionality in WSL1 (Ubuntu 20). After WSL2 upgrade, networking was lost. From Ubuntu, was not able to ping a.0.0.1, my local network gateway (and therefore any external IP like 8.8.8.8).

Resolution:

  1. I had WSL + Virtual Machine Platform installed in Windows Features, but did not have Hyper-V components. I added all Hyper-V components and restarted.
  2. Still not able to reach local gateway. The solution posted by @Karlheinzniebuhr did the trick, but a full Network Reset was not needed (I didn't want to reconfigure VPNs and other network settings that I needed). To confirm the commands, executed from an Admin powershell / command prompt:
wsl --shutdown
netsh winsock reset
netsh int ip reset all
netsh winhttp reset proxy
ipconfig /flushdns

Reboot.

After that, ping to local gateway confirmed, plus ping to external IP was possible, but DNS was not working.

In Ubuntu, /etc/resolv.conf was autogenerated with a virtual network address (172.31 - the same as the WSL gateway, i.e. virtual network adapter on the Windows host). Am guessing that the DNS proxy or forwarding there was not working - I didn't resolve this by getting this dns forward / masq or whatever it is to work, but used the /etc/wsl.conf method described above to disable auto resolv config. My router / local network gateway (a.0.0.1) is a DNS forwarder, so I set up resolv.conf to use that. Not sure yet if this would affect any WSL to WSL resolution that I might need.

$ sudo -i
# cat >/etc/wsl.conf <<-EOF
[network]
generateResolvConf = false
EOF
# mv /etc/resolv.conf /etc/resolv.conf-autogen-symlink
# echo nameserver a.0.0.1 > /etc/resolv.conf
# host www.google.com
www.google.com has address x.y.z.b

1 other item worth noting, not sure if it impacted this, was that I was upgrading to WSL2 in order to get docker working in Linux. Not sure if the docker networking affected this in any way, I didn't verify networking after WSL2 before Docker installation.

HTH, happy networking.

brettcave commented 3 years ago

p.s. if anyone has a solution to get the generated resolv.conf working, would be great to use this so I don't have to maintain this myself - didn't see a fix or root cause on this.

$ host www.google.com 172.31.64.1 # DNS server that wsl generated for me
;; connection timed out; no servers could be reached
$ host www.google.com a.0.0.1 ("a" is my local subnet redacted).
www.google.com has address x.y.z.b
$  ping -c 1 172.31.64.1
PING 172.31.64.1 (172.31.64.1) 56(84) bytes of data.
64 bytes from 172.31.64.1: icmp_seq=1 ttl=128 time=0.334 ms

The virtual interface does respond to icmp, just no functioning resolution from it.

108806 commented 3 years ago

Nothing works for me, I have looked at the other threads too. I am using win 10.0.19043.1081. I had to go back to the older WSL1 and older Linux distro, openSUSE-15.2 is the only one fully working on my machine currently, everything else has some DNS issues, it can ping 8.8.8.8 but can't ping google.com.

flashadvocate commented 3 years ago

Crazy idea, and it actually worked...

Why not just run VPN on the VM itself?

sudo apt-get install openconnect
sudo openconnect vpn.domain.com
# <CTRL+Z>
# bg

lo-w commented 3 years ago

Hello, we got the same issue. SEP (Symantec Endpoint Protection) blocks the traffic from WSL2, but we cannot modify the SEP settings because it's blocked by the organization. Do we have any other WA to put the way forward? Thanks.

y1rn commented 3 years ago

> Hello, we got the same issue. SEP (Symantec Endpoint Protection) blocks the traffic from WSL2, but we cannot modify the SEP settings because it's blocked by the organization. Do we have any other WA to put the way forward? Thanks.

same issue

lo-w commented 3 years ago

Hi, an update on the latest status for those using SEP (Symantec Endpoint Protection) and having this issue: we used geek (uninstall tool) to remove SEP totally, and now everything works as expected. BR//lo

monigenomi commented 3 years ago

I think what helped for me was:

This is provided you have WSL 2 integration enabled in docker (WSL 1 does not work for me), and ip traffic is allowed in Symantec Endpoint Protection. No editing of /etc/resolv.conf or /etc/wsl.conf was necessary

kunzjacq commented 3 years ago

It took forever to figure this out so I'll document it here in case someone comes along and finds this. I used Microsoft Message Analyzer with the Hyper-V-VmSwitch and NDIS-PacketCapture providers, which will show exactly how the internal switches are routing packets.

image

This allowed me to see the outbound TCP packets, the inbound TCP responses, and that they were being filtered at the switch level due to a VLAN tag.

MessageNumber DiagnosisTypes  Timestamp   TimeElapsed Source  Destination Module  Summary 
502   None    2020-03-20T16:21:09.3340883             Microsoft_Windows_Hyper_V_VmSwitch  NBL 0xFFFF90079978BA40 received from Nic 14B75DAC-3764-4D7F-84B6-8F39004014B2 (Friendly Name: WSL) in switch D57EE459-57B6-4965-B86E-1906ABAECB70 (Friendly Name: WSL)  
503   None    2020-03-20T16:21:09.3340929             Microsoft_Windows_Hyper_V_VmSwitch  NBL originating from Nic 14B75DAC-3764-4D7F-84B6-8F39004014B2 (Friendly Name: WSL) was dropped in switch D57EE459-57B6-4965-B86E-1906ABAECB70 (Friendly Name: WSL), Reason VLAN Filtered (Status:Unknown NTSTATUS Error code (0xE0000003))  

... was dropped in switch D57EE459-57B6-4965-B86E-1906ABAECB70 (Friendly Name: WSL), Reason VLAN Filtered

My network port was slightly misconfigured and VLAN tagged packets were being sent to my system, but I had never noticed before because nothing connected to this switch port had ever cared before. Windows didn't care (and didn't show me, either, when using Wireshark/npcap). WSL1 also didn't care that inbound packets were tagged. WSL2, however, uses hyper-v switches, which do care about VLAN tags and silently drop packets that are tagged.

Fixing my network port to strip packets of VLAN tags fixed my issue and the hyper-v switches now work fine.

I think I have a similar problem: the symptom is exactly the same (DNS works but ping does not), and my physical network interface is on a VLAN. With Wireshark, when observing the vEthernet interface corresponding to the Hyper-V WSL switch, I see both the ping request and the answer. However, I do not know if there is a way to make the WSL Hyper-V switch ignore or remove the VLAN tags of incoming packets. Does anyone know if there is a way to do this?

jramiresbrito commented 2 years ago

Fixed by applying this #5336 (comment)

=============================================================================
FIX WSL2 NETWORKING IN WINDOWS 10

cmd as admin:
wsl --shutdown
netsh winsock reset
netsh int ip reset all
netsh winhttp reset proxy
ipconfig /flushdns

Windows Search > Network Reset

Restart Windows

This worked like a charm for me in W11 and WSL2

felipecrs commented 2 years ago

For those using Symantec Endpoint Protection, I shared a workaround at https://github.com/MicrosoftDocs/WSL/pull/1046#issuecomment-1010092796.

Perhaps it could be useful for other firewalls as well.

mabasic commented 2 years ago

For anyone still struggling I have found that allowing incoming traffic on the public profile in the firewall instantly makes DNS resolution work in WSL without having to make any changes to /etc/resolv.conf or having to create /etc/wsl.conf file.

Windows Defender Firewall with Advanced Security -> Windows Defender Firewall Properties -> Public Profile -> Inbound Connections set to Allow.

My company uses Firewall to block certain ports which causes this issue. When I set this to allow all inbound connections DNS resolution inside WSL starts working instantly.

Nazeim commented 2 years ago

> For anyone still struggling I have found that allowing incoming traffic on the public profile in the firewall instantly makes DNS resolution work in WSL without having to make any changes to /etc/resolv.conf or having to create /etc/wsl.conf file.
>
> Windows Defender Firewall with Advanced Security -> Windows Defender Firewall Properties -> Public Profile -> Inbound Connections set to Allow.
>
> My company uses Firewall to block certain ports which causes this issue. When I set this to allow all inbound connections DNS resolution inside WSL starts working instantly.

IT WORKED, without even a reboot.

knutov commented 2 years ago

> Windows Defender Firewall with Advanced Security -> Windows Defender Firewall Properties -> Public Profile -> Inbound Connections set to Allow.

works for dns and http[s], but not for ssh from wsl2 to external network

knutov commented 2 years ago

sudo ip link set dev eth0 mtu 1350 fixes all other problems (see https://github.com/microsoft/WSL/issues/4253 for details)

ManalLiaquat commented 2 years ago

Nothing works for me, so I gave my Windows user Administrative access and reinstalled WSL, and then it works like a charm

LouDnl commented 1 year ago

> For anyone still struggling I have found that allowing incoming traffic on the public profile in the firewall instantly makes DNS resolution work in WSL without having to make any changes to /etc/resolv.conf or having to create /etc/wsl.conf file.
>
> Windows Defender Firewall with Advanced Security -> Windows Defender Firewall Properties -> Public Profile -> Inbound Connections set to Allow.
>
> My company uses Firewall to block certain ports which causes this issue. When I set this to allow all inbound connections DNS resolution inside WSL starts working instantly.

Fixed it for me. Anyone create a rule to not have to allow all incoming traffic?
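
A narrower alternative to setting the Public profile's inbound default to Allow, as asked in the comment above (an added example, not part of the thread and not Microsoft's own guidance): allow only DNS from the WSL2 virtual network to the host, then return the profile to blocking inbound traffic by default. The adapter name `vEthernet (WSL)`, the rule display names and the group name are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt on the Windows host.
# Assumption: the host-side adapter of the WSL switch is named "vEthernet (WSL)";
# list adapters with Get-NetAdapter -IncludeHidden if yours differs.
$alias     = 'vEthernet (WSL)'
$ruleGroup = 'WSL2 DNS (example)'   # hypothetical group name, used to find these rules again

# Fail early if the adapter does not exist (WSL2 not started yet, or a different name).
Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction Stop |
    Format-Table InterfaceAlias, IPAddress, PrefixLength

# Idempotent: drop rules left by an earlier run before re-creating them.
Get-NetFirewallRule -Group $ruleGroup -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

foreach ($proto in 'UDP', 'TCP') {
    $rule = @{
        DisplayName    = "WSL2 DNS to host ($proto 53)"
        Group          = $ruleGroup
        Direction      = 'Inbound'
        Action         = 'Allow'
        Profile        = 'Public'        # the profile named in the thread
        InterfaceAlias = $alias          # only traffic arriving on the WSL adapter
        Protocol       = $proto
        LocalPort      = 53              # DNS only, not "all inbound"
        RemoteAddress  = 'LocalSubnet'   # keyword: sources on the adapter's own subnet
    }
    New-NetFirewallRule @rule | Out-Null
}

# With the narrow rules in place, the Public profile can go back to blocking
# unsolicited inbound traffic by default.
$public = Get-NetFirewallProfile -Name Public
if ($public.DefaultInboundAction -eq 'Allow') {
    Set-NetFirewallProfile -Name Public -DefaultInboundAction Block
}

# Show what is now allowed.
Get-NetFirewallRule -Group $ruleGroup | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $ifc  = $_ | Get-NetFirewallInterfaceFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Protocol  = $port.Protocol
        LocalPort = $port.LocalPort
        Interface = $ifc.InterfaceAlias
        Enabled   = $_.Enabled
    }
} | Format-Table -AutoSize
```

Explicit block rules take precedence over allow rules, so a company block rule still wins over these. Where Group Policy disables merging of local firewall rules, locally created rules like these are not applied.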

warengonzaga commented 1 year ago

For those using ESET Antivirus, all you have to do is unblock the connection below.

image

Open your ESET settings > Resolved blocked communication

image

And it should work!

merovingian commented 1 year ago

@j0057 Thank you, you have helped me solve my problem that I have been debugging for over 3 months! Those NAT rules that I had there (probably from previous VM's) were conflicting with WSL2, so I removed them with Remove-NetNat and boom! WSL2 networking is fixed (in my case)!

Thank you! Remove-NetNat worked for me! This has been bugging me for three days!

wirytiox commented 3 months ago

Hello, I found a solution. https://github.com/dorssel/usbipd-win/issues/714 If you run it in mirrored mode you should not have the same issue.

hilarycheng commented 4 days ago

I am facing this problem on a company computer which runs Symantec Endpoint Protection. There is no way to configure SEP to enable WSL 2 to access the Internet.

Since WSL 1 is working fine with SEP, and as Microsoft allows both WSL 1 and WSL 2 to run at the same time, I just installed a squid proxy in WSL 1 and configured the WSL2 Ubuntu to use WSL1 as HTTP / HTTPS proxy. It is working fine, but you have to manually configure it for each application.