microsoft / WSL

Issues found on WSL
https://docs.microsoft.com/windows/wsl
MIT License

WSL2, problem with network connection when VPN used (PulseSecure) #5068

Open fibu79 opened 4 years ago

fibu79 commented 4 years ago

I'm using MS v. 2004 (build 19041) with Ubuntu Linux on WSL2. When I don't use VPN on Windows, everything is fine - I have internet connection on Windows and WSL2 Ubuntu. But when I establish a connection via VPN (on Windows), Windows is still OK - I have both internet and VPN connection, but on Ubuntu there is no network connection at all (no internet, no VPN access). I suspect there is a problem with NAT (on the Hyper-V default switch). Any idea what could be wrong? Additionally: on WSL1 everything worked fine (also when VPN enabled).

Currently on wsl2 it looks like this:

fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 172.30.123.209 netmask 255.255.240.0 broadcast 172.30.127.255
        inet6 fe80::215:5dff:fe41:b550 prefixlen 64 scopeid 0x20
        ether 00:15:5d:41:b5:50 txqueuelen 1000 (Ethernet)
        RX packets 263 bytes 27705 (27.7 KB)
        RX errors 0 dropped 1 overruns 0 frame 0
        TX packets 223 bytes 34352 (34.3 KB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10
        loop txqueuelen 1000 (Local Loopback)
        RX packets 2 bytes 56 (56.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 2 bytes 56 (56.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$
fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$ ping google.com
ping: google.com: Temporary failure in name resolution
fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$
fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.30.112.1    0.0.0.0         UG        0 0          0 eth0
172.30.112.0    0.0.0.0         255.255.240.0   U         0 0          0 eth0
fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$ cat /etc/resolv.conf
nameserver 172.30.112.1
fibu@DESKTOP-3N4US3P:/mnt/c/Users/fibu2$

fibu79 commented 4 years ago

Can anyone help...?

WangHaiYang874 commented 4 years ago

I'm having trouble with a similar problem here. It's frustrating.

aaemon commented 4 years ago

Same problem, wsl1 working fine, all the distros in wsl2 are not connecting to internet.

akulbe commented 4 years ago

I am having a similar issue when I'm on the GlobalProtect VPN connection to our corporate network. One workaround I've found is to add the IP for your router to /etc/resolv.conf as a nameserver entry.

dys152 commented 4 years ago

Same here, seems to be intermittent though. Also have docker desktop running and stopping that has fixed it a couple of times but not always.

yanke1311 commented 4 years ago

I have the same problem.

carl-berg commented 4 years ago

Same problem here. WSL2 can't access internet after connecting to VPN. If I turn it off, things are OK again. Using windows VPN configuration (IKEv2), no special VPN app.

peterhorvath commented 4 years ago

Latest Pulse Secure VPN client for corp VPN connection and experiencing the same issue. WSL2 has an almost nonexistent internet connection when connected on VPN.

honeway commented 4 years ago

The same issue happens on released Windows 10 2004, running Ubuntu 20.04 on WSL2, when connected to Pulse Secure.

I have tried solutions mentioned in https://github.com/microsoft/WSL/issues/1350
Didn’t work for me.

peterhorvath commented 4 years ago

https://github.com/microsoft/WSL/issues/4277

petersonsbuild commented 4 years ago

same problem for me, cisco anyconnect vpn client running Windows 10 2004 WSL2 Ubuntu 18.04 and 20.04

peterhorvath commented 4 years ago

Interestingly, I can curl http sites while on VPN but not https.

peterhorvath commented 4 years ago

Okay, it is resolved for me. Apparently IT had a transparent URL filtering proxy when I am connected to VPN and it needed a bypass. It also works when I set http_proxy/https_proxy and the proxy for apt within WSL2 to the corp proxy.

chazt3n commented 4 years ago

@peterhorvath is your anyconnect setup to use full tunnel?

peterhorvath commented 4 years ago

it is pulse secure vpn but yes it is full tunnel.

luvwagn commented 4 years ago

I'm having same issues, have read multiple reports on here and elsewhere. Everything worked against Cisco AnyConnect when using WSL v1. After upgrading to latest Windows and updating to WSL v2, my internet connectivity inside WSL is broken. I'm in split-tunnel mode, but will try full-tunnel.

honeway commented 4 years ago

When WSL2 is started after connecting to VPN through Pulse Secure, WSL2 can access the Internet, but not https.

peterhorvath commented 4 years ago

If you have a corporate proxy, try to set http_proxy in WSL2. I had to do:

export http_proxy=whatever.com:9091
export https_proxy=whatever.com:9091
export no_proxy=*.internal.domain.com,10.0.0.0/8 

Talk to your IT team (our company is using McAfee Web Gateway and client proxy).

DadongZ commented 4 years ago

I have same problem..frustrated

crisrise commented 4 years ago

Same problem here, with CiscoAnyconnect...

DadongZ commented 4 years ago

I have exactly same issue and solved it by

  1. uninstall anyconnect
  2. download and reinstall anyconnect from Windows Store

No issue so far

chazt3n commented 4 years ago

our windows store is blocked O_o

daviddyball commented 4 years ago

I'm using a straight Windows IPSec VPN connection to my organisation and I too am unable to do anything from my WSL2 container once the VPN is initiated.

Are there any settings I can change on the Hyper-V vEthernet adapter to work around this?

EDIT: A little more context:

ip addr output from my Ubuntu-20.04 WSL 2 instance

ip addr                                                                   <aws:saml>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 3a:01:48:88:dc:a3 brd ff:ff:ff:ff:ff:ff
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 3e:20:cb:a5:6f:8f brd ff:ff:ff:ff:ff:ff
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:18:7f:df brd ff:ff:ff:ff:ff:ff
    inet 172.24.183.172/20 brd 172.24.191.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fe18:7fdf/64 scope link
       valid_lft forever preferred_lft forever

ipconfig from Windows (while I have the VPN initiated)

ipconfig

Windows IP Configuration

Wireless LAN adapter Local Area Connection* 1:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

PPP adapter Company-VPN:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.17.15.206
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : lan
   IPv6 Address. . . . . . . . . . . : xxxx:xxxx:xxxx:xxxx::xxxx
   Link-local IPv6 Address . . . . . : xxxx::xxxx:xxxx:xxxx
   IPv4 Address. . . . . . . . . . . : 192.168.8.128
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.8.1

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter vEthernet (WSL):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::8488:c784:edd4:bb17%21
   IPv4 Address. . . . . . . . . . . : 172.24.176.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :

I don't think the VPN and vEthernet adapters are clashing.... VPN is on 172.17.15.206/32 and WSL is on 172.24.176.1/20

peterhorvath commented 4 years ago

@daviddyball check route print on your windows. you might have clash in your routing table

daviddyball commented 4 years ago

Looking into it more I'm starting to think that the issue is that my VPN is using a clashing subnet (thanks @peterhorvath for pointing me in that direction)

Given that I think this issue also relates to https://github.com/microsoft/WSL/issues/4467, in that we need some form of configurability on the Hyper-V vSwitch to say "I want this subnet". Right now it appears that it's completely up to chance whether we get a conflicting network segment or not.

rohanrajpal commented 4 years ago

if you have corporate proxy try to set http_proxy in WSL2 I had to do

export http_proxy=whatever.com:9091
export https_proxy=whatever.com:9091
export no_proxy=*.internal.domain.com,10.0.0.0/8 

talk to your IT team (our company using mcafee web gateway and client proxy)

Hey, thanks for sharing this. Here whatever.com is the VPN gateway, right? And what do we mean by *.internal.domain.com?

peterhorvath commented 4 years ago

in my case whatever.com is not the vpn gateway but the corporate web proxy on the VPN network. no_proxy is a list of internal resources which don't need to go through the proxy as they are directly routed via vpn. no_proxy=.you.corp.internal.domain.com,10.0.0.0/8 (your internal network address range)

pmakholm commented 4 years ago

My corporate VPN forces setting routes to 172.16.0.0/12 to use the VPN as gateway. This means that if VPN is started after the WSL vEthernet adapter, I lose all network connectivity inside my WSL2 distributions.

The only workaround I've found (that doesn't require administrator rights) is to start the VPN before any WSL distribution and reboot after disconnecting from the VPN.

It would be great if it was possible to configure WSL to another range of networks.
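The routing-table check discussed in the comments above (`route print` on the Windows host, looking for a clash with the WSL range), as an added example that is not part of the original thread. The route rows are constructed, reusing addresses quoted in the thread, and the function names are hypothetical.

```python
import ipaddress

# Constructed IPv4 rows in the column order of `route print` on Windows:
# destination, netmask, gateway, interface, metric. Addresses reuse values
# quoted in the thread; the 172.16.0.0/12 row models a VPN-pushed route.
SAMPLE_ROUTES = """\
0.0.0.0        0.0.0.0          192.168.8.1  192.168.8.128   35
172.16.0.0     255.240.0.0      On-link      172.17.15.206    1
172.17.15.206  255.255.255.255  On-link      172.17.15.206  256
172.24.176.0   255.255.240.0    On-link      172.24.176.1   271
192.168.8.0    255.255.255.0    On-link      192.168.8.128  291
"""


def parse_routes(text):
    """Yield (network, interface_ip) for every parsable IPv4 route row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers and separators have a different column count
        dest, mask, _gateway, iface, _metric = parts
        try:
            yield (ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                   ipaddress.ip_address(iface))
        except ValueError:
            continue  # not an address row


def overlapping_routes(text, wsl_cidr, wsl_host_ip):
    """List non-default routes on other interfaces that overlap the WSL subnet."""
    wsl_net = ipaddress.ip_network(wsl_cidr, strict=False)
    wsl_if = ipaddress.ip_address(wsl_host_ip)
    hits = []
    for net, iface in parse_routes(text):
        if net.prefixlen == 0 or iface == wsl_if:
            continue  # ignore 0.0.0.0/0 and the vEthernet (WSL) adapter's own routes
        if net.overlaps(wsl_net):
            # "covers": the route is a supernet of the WSL range; "inside": a subnet of it
            relation = "covers" if wsl_net.subnet_of(net) else "inside"
            hits.append((str(net), str(iface), relation))
    return hits


if __name__ == "__main__":
    for net, iface, relation in overlapping_routes(
            SAMPLE_ROUTES, "172.24.176.1/20", "172.24.176.1"):
        print(f"{net} on interface {iface} {relation} the WSL subnet")
```

With only the VPN adapter's own /32 address in the table nothing is reported; the 172.16.0.0/12 route is what overlaps the 172.24.176.0/20 WSL range.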

daviddyball commented 4 years ago

@pmakholm I know it's not ideal, but your steps have at least got me the ability to use WSL, so thanks ❤️

rohanrajpal commented 4 years ago

in my case whatever.com is not the vpn gateway but the corporate web proxy on the VPN network. no_proxy is a list of internal resources which don't need to go through the proxy as they are no_proxy=.you.corp.internal.domain.com,10.0.0.0/8 (your internal network address range)

Hmm well, I only have the gateway and my credentials to connect to my VPN. Guess I gotta figure out something else. Thanks!

hetile-ssense commented 4 years ago

Same issue here.. and we're not using proxy.

Tried a bunch of things, nothing works, but this solved the issue :)

PS C:\WINDOWS\system32> wsl --set-version Ubuntu 1
Conversion in progress, this may take a few minutes...
Conversion complete.

I'm now having network even when on vpn.. Please solve this :)

chazt3n commented 4 years ago

Installing latest AnyConnect from windows store did in fact fix the issue immediately for me. I hope everyone else can get past this as it's a huge pain in the ***.

luvwagn commented 4 years ago

Installing latest AnyConnect from windows store did in fact fix the issue immediately for me. I hope everyone else can get past this as it's a huge pain in the ***.

Store option doesn't help for folks stuck using two-factor authentication with the classic AnyConnect VPN client. (which is my situation)

chazt3n commented 4 years ago

@luvwagn we're using duo two-factor and that works fine. It just asks for two passwords, the second one is "push" for mobile push, or whatever code your two factor app uses

luvwagn commented 4 years ago

@chazt3n - not sure what Duo is? we use a usb dongle thing and the password strings are appended together - let me try the modern app for kicks...

SpencerDawson commented 4 years ago

I will note that using Cisco AnyConnect from the Windows store does allow WSL to use its connection.

For the remarks about the store option, with regards to using two-factor authentication with the classic AnyConnect VPN client (@luvwagn), if 2FA is needed, it will have a space for a second password, and you should easily be able to use your security tokens there. You can use push, as mentioned, for having a request sent to your authorized device. There is also phone and SMS. Otherwise you should only need to type in your token or touch your YubiKey so it inserts your OTP.

markko1-pro commented 4 years ago

Pulse Secure from Windows Store works, but is outdated and abandoned by PulseSecure. For example my employer demands new Pulse client and the one in Windows Store just does not connect anymore. Standalone client connects, but leaves WSL2 (or any HyperV virtual machine) without ANY internet connection. But desperate times need desperate solutions. So here are my two cents, aka how it works for me:

Now at least browser can access VPN. Have not yet figured out how to configure all host programs to use SOCKS proxy. It should be possible by: Start --> Internet options --> Connections --> LAN settings --> Proxy server --> Advanced. But did not work yet. If anyone knows how to get that working I would be super happy. Hope this helps someone!

drew-szlembarski-cf commented 4 years ago

Does anyone have a solution for SonicWall VPN? Installing the Linux client results in this:

:~/temp$ sudo ./install.sh
Installing Connect Tunnel 12.3.0.00688...
Looking for tun driver...  modprobe: FATAL: Module tun not found in directory /lib/modules/4.4.0-19041-Microsoft
Connect Tunnel cannot be installed, Can't find tun module

dengzeyu commented 4 years ago

Same issue. We used the pulse secure with a 2FA website. The only way to connect through VPN in WSL2 is to install the linux version of pulse secure and connect through it. However if you want to connect through VPN using other windows based software, you need to disconnect it and reconnect in the windows pulse secure.

I think this is a common problem and should be solved in the next version.

aqeelat commented 4 years ago

I'm having the same issue with Cisco AnyConnect VPN. I tried adding the router's ip address in /etc/resolv.conf but that didn't help.

douglas-pires commented 4 years ago

Just to add more to the discussion, I'm having the same issue with Pulse Secure VPN. And tried adding the router's IP address in /etc/resolv.conf as well. It didn't work either.

pwr22 commented 4 years ago

I've recently started trying to use Windows 10 with WSL 2 and PulseVPN as my daily driver. I've just seen connectivity dropped from WSL but disconnecting and reconnecting Pulse seems to have got things going again for now.

PabloGMZILLI commented 4 years ago

I'm having the same issue with Forticlient VPN...

daviddyball commented 4 years ago

I very much doubt this is PulseVPN specific and more to do with the way WSL fits into the routing table for the OS. A fix for this would apply to any VPN client that modifies the host routing rules.

everdark commented 4 years ago

I'm using NordVPN and I have the same issue.

shhsu commented 4 years ago

+1 for Cisco AnyConnect. Is it possible to use the host as a proxy for networking?

aqeelat commented 4 years ago

The solution for Cisco AnyConnect is to use the vpn client from the Microsoft Store instead of the standalone one.

shhsu commented 4 years ago

@AqeelAT , thanks for responding. Unfortunately, this didn't help my situation. Maybe it's because of some configuration issue, when I use the Microsoft Store provided AnyConnect client to connect to my VPN I will lose all internet access. I have already selected "Automatically detect settings" but nothing seems to help

lachlansimpson commented 4 years ago

The solution for Cisco AnyConnect is to use the vpn client from the Microsoft Store instead of the standalone one.

This solution worked for me but it isn't a perfect solution. Work machine, work provides an already configured AnyConnect client installer. Took five minutes longer than install and forget.

gerardbosch commented 4 years ago

Same problem here using corporate "Citrix Netscaler Gateway" VPN client.

VPN connected:

VPN disconnected: All the above works fine.

Reverting to WSL1: wsl --set-version Ubuntu 1 makes everything work again.