Skip to content

Instantly share code, notes, and snippets.

@jian-dong

jian-dong/WSL2_VPN_Workaround_Instructions.md

Forked from machuu/WSL2_VPN_Workaround_Instructions.md
Created December 4, 2022 13:01
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save jian-dong/8834cf5481375bfafaf9a667ea84e2be to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save jian-dong/8834cf5481375bfafaf9a667ea84e2be to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. @machuu machuu revised this gist Mar 15, 2021. 1 changed file with 9 additions and 8 deletions.
    17 changes: 9 additions & 8 deletions WSL2_VPN_Workaround_Instructions.md
    View file
    Original file line number Diff line number Diff line change
    @@ -101,9 +101,14 @@ You can save it where you want, just make sure to use that path in step 13 below
    7. Open 'Begin the task' drop-down
    8. Select 'On an Event'
    9. Configure Event:
    - Log: 'Microsoft-Windows-NetworkProfile/Operational'
    - Source: 'NetworkProfile'
    - Event ID: '10000'
    - option 1: Trigger on any Network Change
    - Log: 'Microsoft-Windows-NetworkProfile/Operational'
    - Source: 'NetworkProfile'
    - Event ID: '10000'
    - option 2: Trigger only when AnyConnect Client successfully connects to VPN
    - Log: 'Cisco AnyCOnnect Secure Mobility Client'
    - Source: 'acvpnagent'
    - Event ID: '2039'
    10. Click 'OK'
    11. Select 'Actions' Tab
    12. Click 'New'
    @@ -115,10 +120,6 @@ You can save it where you want, just make sure to use that path in step 13 below
    15. Select 'Conditions' Tab
    16. Uncheck box:
    - Power -> Start the task only if the computer is on AC Power
    17. (optional) Check box:
    - Network -> Start only if the following network connection is available
    - Select your corporate network name (e.g. cisco.com)
    - This will avoid running the script unnecessarily (startup, connect to new wifi, VPN not active)
    18. Click 'OK'
    17. Click 'OK'

    When AnyConnect finishes connecting, a Powershell window pops up for a couple seconds and WSL can reach the network.
  2. @machuu machuu renamed this gist Jan 19, 2021. 1 changed file with 0 additions and 0 deletions.
    0 Instructions.md → WSL2_VPN_Workaround_Instructions.md
    View file
    File renamed without changes.
  3. @machuu machuu revised this gist Jan 19, 2021. 1 changed file with 24 additions and 2 deletions.
    26 changes: 24 additions & 2 deletions Instructions.md
    View file
    Original file line number Diff line number Diff line change
    @@ -44,6 +44,7 @@ generateResolvConf = false
    ```

    Next, manually add the corportate DNS Server as the first `nameserver` in `/etc/resolv.conf`.

    */etc/resolv.conf*

    ```
    @@ -52,12 +53,33 @@ nameserver <corporateDNS2>
    nameserver 1.1.1.1
    ```

    To get `<corporateDNS>` addresses, use `ipconfig /all` from `CMD` or `Powershell` prompt, and check the details of the VPN adapter:

    ```
    Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
    Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv6 Address. . . . . . . . . . . : xxxx:xxxx:xxxx:xxxx(Preferred)
    Link-local IPv6 Address . . . . . : xxxx:xxxx:xxxx:xxxx(Preferred)
    IPv4 Address. . . . . . . . . . . : 10.20.30.40(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : ::
    0.0.0.0
    DHCPv6 IAID . . . . . . . . . . . :
    DHCPv6 Client DUID. . . . . . . . :
    DNS Servers . . . . . . . . . . . : 123.45.67.89 <- Corporate DNS 1
    123.45.67.90 <- Corporate DNS 2
    Primary WINS Server . . . . . . . : xxx.xx.xxx.xx
    NetBIOS over Tcpip. . . . . . . . : Enabled
    ```

    ## Automatically update Interface Metric

    To automate this, I put the PS command in a script and created a Task to run every time there is a network change.
    To automate this, I put the PS command in a script and created a Scheduled Task to run every time there is a network change.

    ### Save the script in a file
    First, create the script. I have a 'scripts' directory in my user home, so I put it at:
    First, create the script. I have a 'scripts' directory in my Windows user home, so I put it at:

    **%HOMEPATH%\scripts\UpdateAnyConnectInterfaceMetric.ps1**

  4. @machuu machuu revised this gist Jan 19, 2021. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Instructions.md
    View file
    Original file line number Diff line number Diff line change
    @@ -33,7 +33,7 @@ Changing the Interface Metrics for AnyConnect to:

    When the VPN is active, the autogenerated `/etc/resolv.conf` does not work. The list of nameservers must be manually built to include some sane default DNS Name Servers and the DNS from the VPN.

    First, disable automatically generating `/etc/resolv.conf`. `generateResolvConf` in `/etc/wsl.conf`.
    First, disable automatically generating `/etc/resolv.conf`.
    Add the following configuration, or create the file if it doesn't exist. The path to this file is from the shell prompt of your WSL2 instance.

    */etc/wsl.conf*
  5. @machuu machuu revised this gist Jan 19, 2021. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion Instructions.md
    View file
    Original file line number Diff line number Diff line change
    @@ -20,13 +20,14 @@ Changing the Interface Metric 1 -> 6000 for AnyConnect VPN Adapter resolves the
    By default, the Interface Metrics for AnyConnect are:
    - IPv6: 6000
    - IPv4: 1

    `ping` times out from WSL Shell.

    Changing the Interface Metrics for AnyConnect to:
    - IPv6: 6000
    - IPv4: 6000
    `ping` to IP Addresses succeed, but still no DNS Resolution.

    `ping` to IP Addresses succeed, but still no DNS Resolution.

    ## DNS Resolution

  6. @machuu machuu revised this gist Jan 19, 2021. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Instructions.md
    View file
    Original file line number Diff line number Diff line change
    @@ -13,7 +13,7 @@ This problem is tracked in multiple microsoft/WSL issues including, but not limi

    ## Network connection

    When the VPN connection is active, network traffic out of WSL2 is not passed to the internet. This is probably a problem with `vEthernet (Default Switch)`.
    When the VPN connection is active, network traffic out of WSL2 is not passed to the internet.

    Changing the Interface Metric 1 -> 6000 for AnyConnect VPN Adapter resolves the connection issue, but this has to be done after each time the VPN connects.

  7. @machuu machuu revised this gist Jan 19, 2021. 1 changed file with 4 additions and 3 deletions.
    7 changes: 4 additions & 3 deletions Instructions.md
    View file
    Original file line number Diff line number Diff line change
    @@ -6,9 +6,10 @@ The workaround breaks down into two problems:
    2. DNS in WSL2

    This problem is tracked in multiple microsoft/WSL issues including, but not limited to:
    microsoft/WSL#5068
    microsoft/WSL#4277
    microsoft/WSL#4246

    - microsoft/WSL#5068
    - microsoft/WSL#4277
    - microsoft/WSL#4246

    ## Network connection

  8. @machuu machuu renamed this gist Jan 19, 2021. 1 changed file with 0 additions and 0 deletions.
    0 Instructions → Instructions.md
    View file
    File renamed without changes.
  9. @machuu machuu created this gist Jan 19, 2021.
    100 changes: 100 additions & 0 deletions Instructions
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,100 @@
    # Overview

    Internet connection and DNS routing are broken from WSL2 instances, when some VPNs are active.
    The workaround breaks down into two problems:
    1. Network connection to internet
    2. DNS in WSL2

    This problem is tracked in multiple microsoft/WSL issues including, but not limited to:
    microsoft/WSL#5068
    microsoft/WSL#4277
    microsoft/WSL#4246

    ## Network connection

    When the VPN connection is active, network traffic out of WSL2 is not passed to the internet. This is probably a problem with `vEthernet (Default Switch)`.

    Changing the Interface Metric 1 -> 6000 for AnyConnect VPN Adapter resolves the connection issue, but this has to be done after each time the VPN connects.

    By default, the Interface Metrics for AnyConnect are:
    - IPv6: 6000
    - IPv4: 1
    `ping` times out from WSL Shell.

    Changing the Interface Metrics for AnyConnect to:
    - IPv6: 6000
    - IPv4: 6000
    `ping` to IP Addresses succeed, but still no DNS Resolution.


    ## DNS Resolution

    When the VPN is active, the autogenerated `/etc/resolv.conf` does not work. The list of nameservers must be manually built to include some sane default DNS Name Servers and the DNS from the VPN.

    First, disable automatically generating `/etc/resolv.conf`. `generateResolvConf` in `/etc/wsl.conf`.
    Add the following configuration, or create the file if it doesn't exist. The path to this file is from the shell prompt of your WSL2 instance.

    */etc/wsl.conf*

    ```
    [network]
    generateResolvConf = false
    ```

    Next, manually add the corportate DNS Server as the first `nameserver` in `/etc/resolv.conf`.
    */etc/resolv.conf*

    ```
    nameserver <corporateDNS1>
    nameserver <corporateDNS2>
    nameserver 1.1.1.1
    ```

    ## Automatically update Interface Metric

    To automate this, I put the PS command in a script and created a Task to run every time there is a network change.

    ### Save the script in a file
    First, create the script. I have a 'scripts' directory in my user home, so I put it at:

    **%HOMEPATH%\scripts\UpdateAnyConnectInterfaceMetric.ps1**

    ```
    Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000
    ```

    You can save it where you want, just make sure to use that path in step 13 below.

    ### Create the scheduled task:

    1. Open 'Task Scheduler'
    2. Click "Create Task" on Right Sidebar
    3. Name: Update Anyconnect Adapter Interface Metric for WSL2
    4. Set Security Options
    - Check box: 'Run with highest priveleges'
    5. Select 'Triggers' Tab
    6. Click 'New' at bottom of Window
    7. Open 'Begin the task' drop-down
    8. Select 'On an Event'
    9. Configure Event:
    - Log: 'Microsoft-Windows-NetworkProfile/Operational'
    - Source: 'NetworkProfile'
    - Event ID: '10000'
    10. Click 'OK'
    11. Select 'Actions' Tab
    12. Click 'New'
    13. Configure Action:
    - Action: 'Start a Program'
    - Program/script: 'Powershell.exe'
    - Add arguments: '-ExecutionPolicy Bypass -File %HOMEPATH%\scripts\UpdateAnyConnectInterfaceMetric.ps1'
    14. Click 'OK'
    15. Select 'Conditions' Tab
    16. Uncheck box:
    - Power -> Start the task only if the computer is on AC Power
    17. (optional) Check box:
    - Network -> Start only if the following network connection is available
    - Select your corporate network name (e.g. cisco.com)
    - This will avoid running the script unnecessarily (startup, connect to new wifi, VPN not active)
    18. Click 'OK'

    When AnyConnect finishes connecting, a Powershell window pops up for a couple seconds and WSL can reach the network.