
Full VPN Support with WSL2

Open martencassel opened this issue 2 years ago • 36 comments

Is your feature request related to a problem? Please describe.
Many people work from home with WSL2 and connect to a corporate network using VPN. The issue has been that either you choose WSL1 or you have to go to the office.

Describe the solution you'd like
Making WSL2 network connectivity work seamlessly with any VPN solution.

Describe alternatives you've considered
The only stable way I've found is https://github.com/sakai135/wsl-vpnkit and Windows 11 Version 22H2 (OS Build 22621.1992). It works but on startup the system will "freeze" for ca. 1-2 minutes.

Question
Is VPN support on any of your roadmaps?

martencassel avatar Aug 11 '23 06:08 martencassel

https://github.com/deanmcniven/wsl2-vpn-support

Depending on your VPN, the above may work. It's just a PowerShell script that adds the appropriate routes, giving WSL2 network access the way it should.

ascheel avatar Aug 22 '23 15:08 ascheel

I can add that if I use VPN in Windows (before starting WSL 2 - but sometimes also after starting WSL 2) - it also works from within WSL 2 - I used VPN inside Windows and the OpenVPN client, both successfully

ThaDaVos avatar Aug 24 '23 08:08 ThaDaVos

Usually it works because Windows will create a NAT for your WSL2, and route through the VPN in Windows (i.e. it comes out of the WSL2 NAT, hits the Windows routing table and enters your VPN). The problem I have seen is the IP address range used in WSL2 conflicts with internal network ranges i.e. (172.16.0.0/12) often used in corporate networks.

liam-baker-sm avatar Sep 04 '23 05:09 liam-baker-sm

OK, here are my 2 cents (or experience) with this. I/we work behind (http) proxies. On-site (ie w/o VPN) all green. From home with VPN (Pulse Secure / Juniper) to corp network -> issues.

Some details (steps taken to try and fix this)! How internet via VPN will work for "some amount of time".
WSL2 internet connectivity will work if there is no vEthernet (WSL) showing up in netsh interface show interface before I connect via VPN. Then I will activate or connect via VPN. netsh interface show interface will now show vEthernet (WSL) as Enabled in State Connected. Everything "roses" ie curl, wget, etc. all work.
BUT as soon as the VPN (even if only for the blink of an eye) loses connection and therefore immediately reconnects again, there is no way (at least I have not found one) to make the WSL2 internet connectivity work again (ie proxy server can no longer be found, etc) EXCEPT rebooting the computer, which will remove ie again no longer showing the vEthernet (WSL) interface in the list [again].
Things I tried so far to avoid having to reboot/restart the PC:
disable/enable vEthernet (WSL) in PowerShell elevated terminal
Restart LxssManager
additional info: this was done in all available combinations of wsl --shutdown and VPN connect/disconnect you can think of or find on the internet. All to no avail - still the only fix -> reboot until next VPN connection loss and reconnect that breaks it.
The VPN connection loss and reconnect breaking the WSL2 internet connectivity afaict is not a "surprise" since starting WSL2 before being connected via VPN (ie this way creating an existing vEthernet (WSL) interface before there's a VPN involved) and then starting VPN connection afterwards will also result in WSL2 internet connectivity being dead.

Looking fwd to solution ideas ...

gwd666 avatar Jan 09 '24 14:01 gwd666

I've struggled with this for several months. It seems that a recent update to WSL offers experimental features which resolve the issue for me. I'm using WSL2 on Windows 11 with Cisco AnyConnect VPN. In my environment, I've added the following flags to my C:\Users\_username_\.wslconfig file:

[experimental]
networkingMode=mirrored
dnsTunneling=true

jabulon avatar Jan 25 '24 11:01 jabulon

This solution worked perfectly for me! I have been following this thread for a few months hoping for a solution to this issue and was far too excited that this worked haha. Thanks.

joeybinz avatar Jan 25 '24 17:01 joeybinz

This may not be your problem but after trying numerous very different things, this was my problem. I had these experimental settings and I am on OpenVPN. I commented those in wsl.conf and everything started to flow.

https://learn.microsoft.com/en-us/windows/wsl/troubleshooting#wsl-has-no-network-connectivity-once-connected-to-a-vpn

#[experimental]
#networkingMode=mirrored
#dnsTunneling=true
#autoProxy=true

WSL connectivity issues with VPNs when Mirrored networking mode is on
Mirrored networking mode is currently an experimental setting in the WSL Configuration. The traditional NAT networking architecture of WSL can be updated to an entirely new networking mode called “Mirrored networking mode”. When the experimental networkingMode is set to mirrored, the network interfaces that you have on Windows are mirrored into Linux to improve compatibility. Learn more in the Command Line blog: WSL September 2023 update.

Some VPNs have been tested and confirmed to be incompatible with WSL, including:

"Bitdefender" version 26.0.2.1
"OpenVPN" version 2.6.501
"Mcafee Safe Connect" version 2.16.1.124

sgavathe avatar Mar 27 '24 16:03 sgavathe

Thanks for that information, mirrored mode looks interesting. Our current fix is to set a registry key to move the NAT to 192.168.240.0/20. This keeps WSL addresses away from our corporate and most home networks.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss
NatGatewayIpAddress 192.168.240.1
NatNetwork 192.168.240.0/20

liam-baker-sm avatar Mar 28 '24 03:03 liam-baker-sm
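
A check for the conflict described in this thread (the WSL2 NAT range colliding with 172.16.0.0/12 corporate ranges) and for the relocated range given in the registry values above. This is an added example, not part of the original comments; the function name, the routed prefixes and the 172.28.112.0/20 sample range are constructed for illustration.

```python
import ipaddress


def check_wsl_nat(nat_network, nat_gateway, routed_prefixes):
    """Return a list of problems with a proposed WSL2 NAT range.

    nat_network / nat_gateway correspond to the NatNetwork and
    NatGatewayIpAddress values quoted above; routed_prefixes are the CIDR
    prefixes that the VPN or the local LAN already routes.
    """
    net = ipaddress.ip_network(nat_network, strict=True)  # rejects host bits
    gateway = ipaddress.ip_address(nat_gateway)
    problems = []
    # The gateway must be a host address inside the NAT network.
    if gateway not in net or gateway in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gateway} is not a usable host in {net}")
    # Any overlap means traffic for that prefix is ambiguous between WSL and the VPN/LAN.
    for prefix in routed_prefixes:
        other = ipaddress.ip_network(prefix, strict=False)
        if net.overlaps(other):
            problems.append(f"{net} overlaps routed prefix {other}")
    return problems


# Constructed sample: prefixes a corporate VPN and a home router might route.
ROUTED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.1.0/24"]

if __name__ == "__main__":
    # Constructed example of a NAT range that falls inside 172.16.0.0/12.
    print(check_wsl_nat("172.28.112.0/20", "172.28.112.1", ROUTED))
    # The relocated range from the comment above.
    print(check_wsl_nat("192.168.240.0/20", "192.168.240.1", ROUTED))
```

A home network such as 192.168.250.0/24 would still be flagged against 192.168.240.0/20, which matches the "most home networks" wording in the comment.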

Update: installed WSL2 with "experimental" VPN support; here are the details:

WSL version: 2.2.1.0 as well as 2.2.2.0
Kernel version: 5.15.150.1-2
WSLg version: 1.0.60
MSRDC version: 1.2.5105
Direct3D version: 1.611.1-81528511
DXCore version: 10.0.25131.1002-220531-1700.rs-onecore-base2-hyp
Windows version: 10.0.19045.4170

Still same issue - once the VPN gets "disconnected" (means usually due to some network stability issue - since not all network connections are 100% stable a 100% of the time) and then the vpn app re-connects itself the WSL connections are gone/dead. Only restarting PC will bring them back until the next network glitch.

gwd666 avatar Apr 11 '24 14:04 gwd666

I can confirm that networkingMode=mirrored mentioned above seems to solve my issues with VPN and WSL2. I've had two issues with networking/VPN/WSL2 in the six weeks using this setup where ssh and az (Azure cli) stop working while telnet and other network services like DNS work fine. Running the command

ipconfig /release

seems to resolve the problem.

I'm using Cisco Anyconnect.

dragz avatar Jul 17 '24 10:07 dragz

I've read the DNS configuration in my OpenVPN log and configured /etc/resolv.conf accordingly, after disabling automatic generation in /etc/wsl.conf. That's the only way that worked for me, pretty empirically.

ygmarchi avatar Aug 09 '24 09:08 ygmarchi

Five years since these issues showed up. NO fixes. (I don't consider needing to reboot it all when you lose the VPN for any reasons as it being fixed...)

I mean, c'mon- VirtualBox manages this one thing right. And right now even. It's such that if I thought I could get my employer to sign off on a Linux box with their Win10 Enterprise install living in a VirtualBox sandbox, I'd go that way.

madscientist42 avatar Oct 30 '24 17:10 madscientist42

I have successfully managed to get the internet working on my WSL2: Ubuntu 22.04.2 LTS a few times, but it was not consistent until a while back. I have identified a series of steps that reliably enable internet access in WSL2 for me. These steps must be followed in the specified order and should work on both Windows 10 and Windows 11, as I discovered this solution over a year ago while using Windows 10:

  1. After Windows starts, before connecting to the VPN, launch your WSL2 instance (in my case, Ubuntu 22.04.2 LTS).
  2. Run the following command to check for internet access: sudo apt update
  3. Connect to the VPN using your client (in my case, "Cisco Secure Client").
  4. Open PowerShell (x86) with local administrator privileges and execute the following commands:
     Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 5500
     Restart-Service LxssManager
  5. Open a non-elevated Command Prompt and run:
     wsl --shutdown
     Note: If you did not close the WSL2 window from step 1, it should close after running this command.
  6. Restart the WSL2 client, and you should now have internet access while connected to the VPN network remotely.

These steps hopefully help you achieve consistent internet connectivity in WSL2.

seb-slowik avatar Nov 19 '24 11:11 seb-slowik

Wondering if anyone has any ideas. I've had luck connecting to internet while on VPN through Ubuntu LTS using network mirroring, but noticed I can't ping any of my floating servers. I looked at the IP and it looks like WSL2 is grabbing my LAN IP instead of my VPN IP when network mirroring. Can anyone think of a simple fix without having to run a bash script every time I open WSL?

harriswes avatar Jan 07 '25 21:01 harriswes

On my setup (Win11/Cisco Anyconnect/WSL2/Ubuntu 24.04 LTS) with mirrored networking I have no issues like this. Both the LAN IP and the VPN IP are visible from the Ubuntu system. Maybe a routing problem? Do you reach the servers from Windows? (Just grasping at straws here)

dragz avatar Jan 08 '25 08:01 dragz

luckily I don't have to deal with WSL anymore. Got the Mac pro and all good. Thanks for the WSL, at least an option for Linux based development.

sgavathe avatar Jan 08 '25 17:01 sgavathe

In the latest updates of Windows 11, the experimental configs mentioned above are moved to the main wsl2 section in the .wslconfig file (not experimental anymore). The following worked for me, using Ubuntu 22 and Cisco AnyConnect VPN:

[wsl2]
networkingMode=mirrored
dnsTunneling=true

samiralavi avatar Jan 27 '25 10:01 samiralavi

Looks like this can also be set via the UI.

Image

roadSurfer avatar Jan 31 '25 15:01 roadSurfer

omg they I can't believe that MS STILL can't fix this hell issue ... I'm done with this crap

vec715 avatar May 21 '25 16:05 vec715

omg they I can't believe that MS STILL can't fix this hell issue ... I'm done with this crap

@vec715 recommend you try installing the latest WSL release. I was able to get cisco secure client working with WSL with the new settings

mlalpho avatar May 21 '25 18:05 mlalpho

Out of curiosity: does anybody use two VPNs and mirrored mode?

1st VPN to connect to corporate network (for example Cisco AnyConnect)
2nd VPN to connect to particular network segments (for example CheckPoint Securemote)

On my computer ssh doesn't work from WSL2 to networks behind 2nd VPN, however ssh works from Windows CMD to networks behind 2nd VPN. Same routes are visible in WSL2 and in Windows.

edit: Just made a test in office, where no 1st VPN is active. SSH doesn't work from mirrored WSL2 to networks behind Checkpoint VPN's. So probably WSL2 is not compatible with Securemote Checkpoint VPN.

marbaa avatar Jul 09 '25 12:07 marbaa

Sayonara issue

martencassel avatar Jul 23 '25 07:07 martencassel

but why?

jpbuecken avatar Jul 23 '25 07:07 jpbuecken

[experimental]
networkingMode=mirrored
dnsTunneling=true

solved my issue 100%! Cisco VPN works now!

gmcnitt avatar Jul 30 '25 02:07 gmcnitt

[experimental]
networkingMode=mirrored
dnsTunneling=true

solved my issue 100%! Cisco VPN works now!

The solution still has issues when IPv6 is disabled. There are some issues here that are closed and resolved by enabling IPv6. But some companies may have policies in place that do not allow enabling IPv6 on your system.

And in my case /etc/resolv.conf will become a dead symlink and DNS resolution does not work at all.

Maybe both are separate issues, but subtasks to achieve "Full VPN Support with WSL2" as the title of this issue suggests.

jpbuecken avatar Jul 31 '25 09:07 jpbuecken

Looks like this can also be set via the UI.

Image

These settings helped me, thanks! Was having to deal with this issue since 2020; after 5 years Microsoft seems to have managed to fix this...

shyney7 avatar Aug 05 '25 06:08 shyney7

[experimental]
networkingMode=mirrored
dnsTunneling=true

Unfortunately these two settings do not make OpenVPN (v2.6.14) work together with Fedora 42 installed in WSL 2.

yttriumz avatar Aug 05 '25 09:08 yttriumz

My podman containers communicate with my host apps if I use "Mirrored" networking mode but WSL can not reach my company's domains.

My podman containers do not communicate with my host apps if I use "Nat" networking mode but WSL can reach my company's domains.

I connect with VPN. Still could not find how I can connect to company's links via VPN and "Mirrored" mode.

muratkucuktepe avatar Aug 15 '25 21:08 muratkucuktepe

@muratkucuktepe : First step you can check

ip a

and

cat /etc/resolv.conf

with both modes. Does it look similar? (Number of network interfaces, same search domain in resolv.conf etc). With mirrored mode, I only have a lo interface and a resolv.conf does not exist. In that case I assume it is the IPv6 issue I mentioned above.

jpbuecken avatar Aug 18 '25 07:08 jpbuecken
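
The comparison suggested above (interfaces from ip a plus the state of /etc/resolv.conf, including the dead-symlink case reported earlier in the thread), scripted so it can be run once per networking mode and the two reports compared. This is an added example, not part of the original comments; the function name, the report keys and the sample `ip -o addr` text are constructed, and it assumes Python 3 inside the WSL distribution.

```python
import os
import re


def inspect_wsl_network(ip_addr_output, resolv_path="/etc/resolv.conf"):
    """Summarise `ip -o addr` output and the state of resolv.conf."""
    interfaces = set()
    for line in ip_addr_output.splitlines():
        # `ip -o addr` prints one address per line: "<idx>: <ifname> inet[6] <addr> ..."
        match = re.match(r"\d+:\s+(\S+)\s+inet6?\s+\S+", line)
        if match and match.group(1) != "lo":
            interfaces.add(match.group(1))
    report = {"interfaces": sorted(interfaces), "resolv": "ok",
              "nameservers": [], "search": []}
    if os.path.islink(resolv_path) and not os.path.exists(resolv_path):
        report["resolv"] = "dangling-symlink"  # the link target does not exist
    elif not os.path.lexists(resolv_path):
        report["resolv"] = "missing"
    else:
        with open(resolv_path, encoding="utf-8") as handle:
            for raw in handle:
                fields = raw.split("#", 1)[0].split()
                if len(fields) >= 2 and fields[0] == "nameserver":
                    report["nameservers"].append(fields[1])
                elif len(fields) >= 2 and fields[0] == "search":
                    report["search"] = fields[1:]
        if not report["nameservers"]:
            report["resolv"] = "no-nameserver"
    return report


# Constructed sample of `ip -o addr` output where only loopback has addresses.
LO_ONLY = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
    "1: lo    inet6 ::1/128 scope host \\       valid_lft forever preferred_lft forever\n"
)

if __name__ == "__main__":
    import subprocess
    live = subprocess.run(["ip", "-o", "addr"], capture_output=True, text=True).stdout
    print(inspect_wsl_network(live))
```

An empty "interfaces" list together with a "dangling-symlink" or "missing" resolv state is the pattern described above for mirrored mode with IPv6 disabled.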

The solution still has issues when IPv6 is disabled. There are some issues here that are closed and resolved by enabling IPv6.

@jpbuecken Per Microsoft, disabling IPv6 is an unsupported configuration that may break OS functionality, and should only be done temporarily for troubleshooting purposes. Presumably, this implies that bugs that only occur when IPv6 is disabled are invalid.

leo60228 avatar Aug 18 '25 22:08 leo60228