62

I have a Ubuntu-20.04 Version 2 WSL running on my Windows 10 Laptop. Everything works fine, I have internet connection. But only as long as I am not connected to a VPN network.

If I connect to the network of my university using Cisco AnyConnect, I can no longer connect to the internet on WSL, while everything works fine using e.g. Firefox on the Windows system. I get: ping: google.de: Temporary failure in name resolution

I already tried the following:

Open windows cmd in admin mode and type these commands:

netsh winsock reset
netsh int ip reset all
netsh winhttp reset proxy
ipconfig /flushdns
reboot

That worked once, I had access to the internet. But as soon as I disconnected the VPN connection and connected again, I had the same problem all over again. I tried to just execute the commands again and rebooted, but now that's not working anymore.

So I really do not know what else to do. I really need to use WSL while being connected via VPN

Hball99
  • 721

14 Answers

50

There is an issue with DNS forwarding in WSL2 when using a VPN (see GitHub issue). Plus there is an issue with Cisco AnyConnect. So here is a workaround for these problems. It should work for Ubuntu and Debian.

Workaround (new - automatic)

This solution is automatic and was created by EdwardCooke (see https://www.frakkingsweet.com/automatic-dns-configuration-with-wsl-and-anyconnect-client/). This is just the first part of his solution updating resolv.conf when starting WSL.

  1. Re-enable auto generation of resolv.conf (if disabled)

    by commenting out the disabling lines with #

    sudo nano /etc/wsl.conf
    
    #[network]
    #generateResolvConf = false
    
  2. Create the script

    sudo nano /bin/vpn-dns.sh
    
    #!/bin/bash

    echo "Getting current DNS servers, this takes a couple of seconds"

    # Ask Windows for its DNS servers: the VPN adapter's first, then the others.
    # The trailing * is a wildcard; without it -InterfaceDescription and -like
    # only match an adapter whose description is exactly "Cisco AnyConnect".
    /mnt/c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -Command '
    $ErrorActionPreference="SilentlyContinue"
    Get-NetAdapter -InterfaceDescription "Cisco AnyConnect*" | Get-DnsClientServerAddress | Select -ExpandProperty ServerAddresses
    Get-NetAdapter | ?{-not ($_.InterfaceDescription -like "Cisco AnyConnect*") } | Get-DnsClientServerAddress | Select -ExpandProperty ServerAddresses
    ' |
        awk 'BEGIN { print "# Generated by vpn fix func on", strftime("%c"); print } { print "nameserver", $1 }' |
        tr -d '\r' > /etc/resolv.conf
    clear

  3. Make it executable/run as sudo

    sudo chmod +x /bin/vpn-dns.sh
    echo "$(whoami) ALL=(ALL) NOPASSWD: /bin/vpn-dns.sh" | sudo tee /etc/sudoers.d/010-$(whoami)-vpn-dns
    
  4. Make it run on wsl startup

    echo "sudo /bin/vpn-dns.sh" | sudo tee /etc/profile.d/vpn-dns.sh
    

You can also run it manually: sudo /bin/vpn-dns.sh

Workaround (old manual)

  1. Find out nameserver with windows powershell (during VPN Session)

    nslookup
    

    You'll get the IPv4 address of your corporate nameserver. Copy this address.

  2. Disable resolv.conf generation in wsl:

    sudo nano /etc/wsl.conf
    

    Copy this text to the file (to disable resolv.conf generation when WSL starts up):

    [network]
    generateResolvConf = false
    
  3. In wsl Add your corporate nameserver to resolv.conf

    sudo nano /etc/resolv.conf
    

    Remove other entries and add your corporate nameserver IP (if you have a secondary nameserver, add it in a separate line)

    • nameserver X.X.X.X (where X.X.X.X is your address obtained in step 1)
  4. Set your VPN adapter (if you have Cisco AnyConnect): open an admin PowerShell

    • Find out your VPN adapter name: Get-NetIPInterface (in my case: "Cisco AnyConnect")
    • Set adapter metric (replace -Match with your name); in my case I have to run this after every reboot or VPN reconnect:
    Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000
    

    (What is interface metric: Used to determine route, windows use interface with lowest metric)

  5. Restart wsl in powershell: wsl.exe --shutdown

  6. Test it in wsl run: wget google.com - if this command works, you are done.

In my case I get DNS issues when try to connect to internal stuff via browser (on Windows 10, f.e.: intranet), caused by the high metric value set in step 4 (basically kind of disabling VPN Route). So here is the workaround for the workaround:

  1. Check your default metric (of the VPN's interface) in PowerShell (replace -Match with your interface name):

    Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Get-NetIPInterface

  2. When running into problems on Windows 10, restore this default value with an admin PowerShell (replace the value at the end with your default value):

    Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 1

Giacomo1968
  • 58,727
Kraego
  • 609
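
The automatic workaround above runs as root and writes whatever powershell.exe prints straight into /etc/resolv.conf. The following is an added example, not part of the original answer or of EdwardCooke's script, that filters that output first; the function names and sample addresses are constructed, and it assumes IPv4 resolvers only.

```bash
#!/bin/bash
# Added example: validate resolver addresses before root writes resolv.conf.

# Succeeds only for a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    local addr="$1" octet old_ifs="$IFS"
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# stdin: one address per line, as printed by powershell.exe (CRLF endings).
# stdout: at most three unique "nameserver" lines, in input order.
build_resolv_conf() {
    tr -d '\r' | {
        seen=" " count=0
        while IFS= read -r line; do
            is_ipv4 "$line" || continue      # skips blanks, IPv6, error text
            case $seen in *" $line "*) continue ;; esac
            seen="$seen$line "
            echo "nameserver $line"
            count=$((count + 1))
            # glibc's resolver reads only the first three nameserver lines
            if [ "$count" -ge 3 ]; then break; fi
        done
        [ "$count" -gt 0 ]                   # fail when nothing valid arrived
    }
}

# Overwrite TARGET only when at least one valid server was read, so a failed
# PowerShell call cannot leave an empty resolv.conf behind.
write_resolv_conf() {
    local target="$1" tmp status=0
    tmp=$(mktemp) || return 1
    if build_resolv_conf > "$tmp"; then cat "$tmp" > "$target"; else status=1; fi
    rm -f "$tmp"
    return "$status"
}

# Constructed sample of PowerShell output (not captured from a real host).
sample_ps_output() { printf '10.8.0.53\r\n10.8.0.54\r\nfec0:0:0:ffff::1\r\n\r\n10.8.0.53\r\n192.168.1.1\r\n8.8.8.8\r\n'; }
```

In the script above, the `awk ... | tr -d '\r' > /etc/resolv.conf` stage would be replaced by piping the PowerShell output into `write_resolv_conf /etc/resolv.conf`.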
44

For Windows 11 there was an update to WSL2 in September 2023 with (hopefully) a fix for this issue. Create a file %UserProfile%\.wslconfig with the content below, and then restart wsl. Run wsl.exe --shutdown. I also had to restart my computer but I am not sure if that is always necessary.

[wsl2]
networkingMode=mirrored
dnsTunneling=true

After changing these settings restart WSL (i.e. run wsl --shutdown; just closing the running distribution isn't sufficient).

Update 2025-04-02

These settings can be set in WSL Settings in the Start Menu, under Networking.

Update 2024-02-27

These settings should now fall under [wsl2] instead of [experimental]. Related docs


jkr
  • 541
12

This seems to be a bug in WSL 2, see https://github.com/microsoft/WSL/issues/4277.

The workaround offered here worked for me: Uninstall the Cisco AnyConnect client and install the version from the Microsoft Store.

Tobias
  • 231
  • 2
  • 4
4

The easiest workaround (before either Microsoft or Cisco come up with a permanent fix) is to launch WSL before connecting to the VPN:

wsl --shutdown
# disconnect VPN
wsl
# connect VPN again

Works on Windows 10 with WSL2+Ubuntu 20.04 and Cisco AnyConnect.

leosh
  • 276
3

In my case, I set the VPN network interface metric to 6000 and both VPN and internet within WSL are now working:

Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000

Cisco AnyConnect mentioned in the command above is my VPN. Yours could be different, along with the metric number.

And then I used the following to fix the DNS:

echo "nameserver 8.8.8.8" | tr -d '\r' | sudo tee /etc/resolv.conf
# -a appends; without it the second tee would overwrite the first entry
echo "nameserver 8.8.4.4" | tr -d '\r' | sudo tee -a /etc/resolv.conf

You can also put DNS fix into .bashrc

2

I solved the problem. Open Microsoft Store -> search for and install AnyConnect -> the VPN connection now works with WSL2.

hsq_roy
  • 31
  • 1
2

Another method that is reliable is to use wsl-vpnkit (https://github.com/sakai135/wsl-vpnkit).

The basic setup installs a WSL distro to handle network traffic from your WSL 2 distros (and containers).

Works with Cisco AnyConnect configuration that restricts local network traffic.

1

The problem is that the VPN Ethernet Adaptor's DNS server settings are not taken by the WSL. These steps worked for me to add these settings manually:

  1. cd ~/../../etc (go to etc folder in WSL).
  2. echo "[network]" | sudo tee wsl.conf (Create wsl.conf file and add the first line).
  3. echo "generateResolvConf = false" | sudo tee -a wsl.conf (Append wsl.conf the next line).
  4. wsl -l (Get the . Debian-XX or Ubuntu-XX (Default) etc.)
  5. wsl --terminate (Terminate WSL in Windows cmd, from the step 4).
  6. cd ~/../../etc (go to etc folder in WSL).
  7. sudo rm -Rf resolv.conf (Delete the resolv.conf file).
  8. In Windows cmd, ps or terminal with the VPN connected, run Get-NetIPInterface or ipconfig /all to get the primary and secondary DNS. Look for the Ethernet adapter with Description "Cisco AnyConnect...". From under it take the values for DNS Servers. It has primary and secondary DNS server IPs.
  9. Use commands in next two steps by replacing X.X.X.X for values of Primary and Secondary DNS server IPs respectively
  10. echo "nameserver X.X.X.X" | sudo tee resolv.conf (Create resolv.conf and append the line.)
  11. echo "nameserver X.X.X.X" | sudo tee -a resolv.conf (Append the line in resolv.conf)
  12. wsl --terminate (Terminate WSL in Windows cmd, from the step 4).
  13. sudo chattr +i resolv.conf
  14. And finally in windows cmd, ps or terminal: Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000

Credit: @MartinCaccia, @yukosgiti, @machuu and @AlbesK: https://github.com/microsoft/WSL/issues/4277 https://github.com/microsoft/WSL/issues/4246


Original resolution:

  1. Create a file: /etc/wsl.conf.
  2. Put the following lines in the file in order to ensure that your DNS changes do not get blown away:

    [network]
    generateResolvConf = false

  3. In a cmd window, run wsl --shutdown
  4. Restart WSL2
  5. Create a file: /etc/resolv.conf. If it exists, replace the existing one with this new file.
  6. Put the following line in the file:

    nameserver 8.8.8.8 # Or use your DNS server instead of 8.8.8.8 which is a Google DNS server

  7. Repeat step 3 and 4. You will see git working fine now.

Credit: https://github.com/microsoft/WSL/issues/4285#issuecomment-522201021

Steps are also documented here: https://gist.github.com/akshayhiremath/1b3bff527b3eca6cd41cf60ce88f3a56/8570f9fb4dbd681fc7aabcc817fa18cbab5f1e86#file-fix-wsl2-dns-resolution

I have forked and updated the steps by https://gist.github.com/coltenkrauter to make them easier.

0

This might be obvious but I did not think of this. Another workaround is to install VPN in wsl if that is an option for the VPN you are using.

adl233
  • 1
0

I was skeptical at first about hsq_roy's method, but since none of the workarounds worked for me I just did what hsq_roy was suggesting.

  1. I deleted my Cisco Anyconnect client
  2. I reinstalled it via Windows Store.
  3. I opened Anyconnect and clicked on manage VPN which forwarded me to the Windows System settings.
  4. I set up a new VPN connection within the Windows settings choosing Anyconnect instead of Windows (integrated).
  5. I started WSL and it connected to the internet while using a VPN in Windows. It works perfectly fine for me, with no issues whatsoever.
0

The answer from @kraego worked for me.

I was though unable to make out the adapter from Get-NetIPInterface

but I used instead Get-NetAdapter

And I verified it by looking at the results with and without the VPN connection active.

0

I had the same problem (no internet when VPN connected) running WSL version 2. To resolve I uninstalled Ubuntu, then from powershell set the default version to WSL 1 when installing a new distro wsl --set-default-version <Version#> then re-installed Ubuntu. That resolved the issue. To check the WSL versions being used for each distro, from powershell enter wsl -l -v

george
  • 1
0

so this works the best way possible!

after connecting to your vpn

wsl


  • Open /etc/wsl.conf and add the following:

    [network]
    generateResolvConf=false

  • sudo cp /etc/resolv.conf /etc/resolv.conf.new #this is to revert back to the resolv.conf of the wsl when vpn is closed
  • nano /etc/resolv.conf, now add the following:

    nameserver <XXX.XXX.XXX.XXX>
    #<dns ip of your vpn>
    #to find this run ipconfig /all in windows powershell admin

windows powershell

 wsl --shutdown
 wsl 
 Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000
0

I also had a similar problem. I am connected to the corporate network via the Cisco AnyConnect VPN client. I created a WSL2 Ubuntu-24.04 machine. My host machine can go to the internet only via a proxy server, regardless of whether I am connected directly via wire to the corporate network or via VPN to the corporate network. When I was connected directly (wired) everything was working fine, but when I was connected via VPN, the WSL2 machine was not able to connect to the internet via the proxy server.

The root cause is that when Cisco AnyConnect VPN is active it overrides routing tables and deprioritizes the WSL2 virtual network interface.

Solution is to adjust network interface metrics:

  1. Open Powershell as Administrator.

  2. Set high metric for Cisco VPN interface:

    Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 4000

  3. Set low metric for WSL2 virtual interface

    Get-NetIPInterface -InterfaceAlias "vEthernet (WSL)" | Set-NetIPInterface -InterfaceMetric 1

Rohit Gupta
  • 5,096