WSL 2 uses a Hyper-V virtual network adapter. Network connectivity works without any issue when a VPN is not in use. However, when a Cisco AnyConnect VPN session is established, firewall rules and routes are added which break connectivity within the WSL 2 VM. This issue is tracked in WSL/issues/4277.
The steps below automatically configure the interface metric on VPN connect and update the DNS settings (/etc/resolv.conf) on connect/disconnect.
This guide is inspired by, and is a variation of, pyther's guide for the networking workaround.
The differences lie mainly in the automatic configuration process.
I wrote this guide because his version was not working for me, mainly due to the missing pac proxy, and the Python script would not run for me.
After connecting to the VPN, you'll want to modify the interface metric of the Cisco VPN adapter. Run the following command in PowerShell with administrative permission:
```powershell
PS C:\Users\gyurgyik> Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000
```
At this point you should have connectivity in your container (but without name resolution). You can test this by running `ping 8.8.8.8`.
Once connected to the VPN, determine the DNS servers that are configured:
```powershell
PS C:\Users\gyurgyik> (Get-NetAdapter | Where-Object InterfaceDescription -like "Cisco AnyConnect*" | Get-DnsClientServerAddress).ServerAddresses
10.10.0.124
10.10.0.132
```
Update `/etc/resolv.conf` with those servers:
```
M-machine:~$ cat /etc/resolv.conf
nameserver 10.10.0.124
nameserver 10.10.0.132
```
Verify connectivity:
```
ping google.com -c 4
```
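As an added example (not one of the gist's own scripts), the following PowerShell performs the manual steps above for a single distro in one run, with a check at each step. It assumes an elevated PowerShell, a distro named `Ubuntu-20.04`, and that `/etc/wsl.conf` inside that distro contains `generateResolvConf = false` under `[network]`, otherwise WSL regenerates `/etc/resolv.conf` on the next start.

```powershell
# Added example, not the gist's setVPNON.ps1. Assumes an elevated shell and that the
# distro's /etc/wsl.conf disables resolv.conf generation:
#   [network]
#   generateResolvConf = false
$Distro = 'Ubuntu-20.04'   # adjust to the name shown by: wsl.exe --list

# 1. Find the AnyConnect adapter; if it is absent the VPN is not connected.
$adapter = Get-NetAdapter |
    Where-Object InterfaceDescription -like 'Cisco AnyConnect*' |
    Select-Object -First 1
if (-not $adapter) { throw 'Cisco AnyConnect adapter not found; is the VPN connected?' }

# 2. Raise its metric so the WSL (Hyper-V) adapter wins route selection again, then verify.
Set-NetIPInterface -InterfaceIndex $adapter.InterfaceIndex -InterfaceMetric 6000
$metric = (Get-NetIPInterface -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4).InterfaceMetric
Write-Host "AnyConnect adapter '$($adapter.Name)' now has IPv4 metric $metric"

# 3. Collect the IPv4 DNS servers pushed by the VPN.
$servers = (Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4).ServerAddresses
if (-not $servers) { throw 'No IPv4 DNS servers configured on the AnyConnect adapter' }

# 4. Write them into /etc/resolv.conf inside the distro. The content is base64-encoded so
#    no quoting is needed between PowerShell, wsl.exe and sh (newlines are LF only).
$resolv = (($servers | ForEach-Object { "nameserver $_" }) -join "`n") + "`n"
$b64 = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($resolv))
wsl.exe -d $Distro -u root -e sh -c "echo $b64 | base64 -d > /etc/resolv.conf"

# 5. Verify from inside the distro: show the file and resolve a name through the new servers.
wsl.exe -d $Distro -e cat /etc/resolv.conf
wsl.exe -d $Distro -e ping -c 4 google.com
```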
Save the contents of the zip file (download below) to `%homepath%\wsl\scripts`. Create the directories as needed.
The `.xml` files are Windows Task Scheduler files for importing.
Here's what to keep in mind while importing them all into Task Scheduler:
- Suggestion: create a folder called `WSL` so you keep the schedules organized.
- In the import window, under "General" -> "Security options" -> "When running the task, use the following user account": change the user to your own user.
- Everything else should already be correct to use as-is.
In `setVPNON.ps1`, change the IP address and port on the first line to the IP address and port of the server that provides the pac file. Most likely, that information is in your browser's proxy settings. If you have a hostname instead, you may need to use the IP address that host resolves to in order for it to work (potential issues with alpaca, which this method depends on).
Warning: Due to lack of knowledge on my side, both `setVPNON.ps1` and `setVPNOFF.ps1` need to have the distros you own set correctly by hand.
I tried the automatic way of achieving that, but the results were not up to par. Feel free to propose a fix in the comments.
Run the `install.sh` script inside WSL (`%homepath%\wsl\scripts\wsl`) as root. For example, from PowerShell:
```powershell
cd "$Home\wsl\scripts\wsl"; wsl.exe -d 'Ubuntu-20.04' -u root "./install.sh"
```
Windows Scheduled Tasks allows you to trigger an action when a certain log event comes in. The Cisco AnyConnect VPN client generates a number of log events.
Three tasks are necessary:
- One configures the interface metric when the VPN connects.
- One activates the proxy and sets the name servers for connections.
- One executes on disconnection to set the proxy to unconfigured (no pac file) and remove the VPN nameservers.
They are triggered by the following AnyConnect log events:
- 2039: VPN Established and Passing Data
- 2061: Network Interface for the VPN has gone down
- 2010: VPN Termination
- 2041: The entire VPN connection has been re-established.
Note: The preferred way of installing these tasks is by importing and adapting the scheduled tasks provided. The explanation below serves both as a fallback and as a description of how to achieve a similar result by hand.
- Open Task Scheduler
- Create a folder called `WSL` (optional, but easier to find the rules later)
- Create the rules:
  - Update AnyConnect Adapter Interface Metric for WSL2
    - General: check "Run with highest privileges"
    - Triggers:
      - On an Event, Log: Cisco AnyConnect Secure Mobility Client, Source: acvpnagent, Event ID: 2039
      - On an Event, Log: Cisco AnyConnect Secure Mobility Client, Source: acvpnagent, Event ID: 2041
    - Action: Start a program, Program: `Powershell.exe`, Add arguments: `-WindowStyle Hidden -NonInteractive -ExecutionPolicy Bypass -File %HOMEPATH%\wsl\scripts\setCiscoVpnMetric.ps1`
    - Conditions: uncheck "Start the task only if the computer is on AC power"
  - Start proxy for pac and set nameservers
    - General: uncheck "Run with highest privileges"
    - Triggers:
      - On an Event, Log: Cisco AnyConnect Secure Mobility Client, Source: acvpnagent, Event ID: 2039
      - On an Event, Log: Cisco AnyConnect Secure Mobility Client, Source: acvpnagent, Event ID: 2041
    - Action: Start a program, Program: `Powershell.exe`, Add arguments: `-WindowStyle Hidden -NonInteractive -ExecutionPolicy Bypass -File %HOMEPATH%\wsl\scripts\setVPNON.ps1`
    - Conditions: uncheck "Start the task only if the computer is on AC power"
  - Start proxy without pac and reset nameservers
    - Triggers:
      - On an Event, Log: Cisco AnyConnect Secure Mobility Client, Source: acvpnagent, Event ID: 2010
      - On an Event, Log: Cisco AnyConnect Secure Mobility Client, Source: acvpnagent, Event ID: 2061
      - At log on: At log on of $USER
    - Action: Start a program, Program: `Powershell.exe`, Add arguments: `-WindowStyle Hidden -NonInteractive -ExecutionPolicy Bypass -File %HOMEPATH%\wsl\scripts\setVPNOFF.ps1`
    - Conditions: uncheck "Start the task only if the computer is on AC power"
    - Triggers: Update AnyConnect Adapter Interface Metric for WSL2
- Test: connect to the VPN; a PowerShell window should pop up briefly
- The same will happen when you disconnect from the VPN
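As an added example, not part of the gist or its `.xml` files, the following PowerShell registers the three tasks described above programmatically, building each event trigger from the same log, source and event IDs the Task Scheduler UI would use. It assumes an elevated shell, the scripts under `$HOME\wsl\scripts`, and the task names and settings from the list above.

```powershell
# Added example (not the gist's .xml tasks): register the three event-triggered tasks.
# Assumes an elevated PowerShell and the scripts stored under $HOME\wsl\scripts.
$LogName   = 'Cisco AnyConnect Secure Mobility Client'
$ScriptDir = Join-Path $HOME 'wsl\scripts'

function Register-VpnEventTask {
    param(
        [string]$Name,       # task name, created under the \WSL\ folder
        [int[]]$EventIds,    # acvpnagent event IDs that fire the task
        [string]$Script,     # script file name inside $ScriptDir
        [switch]$Elevated,   # "Run with highest privileges"
        [switch]$AtLogon     # add an "At log on" trigger as well
    )
    # XPath filter equivalent to the UI's Log / Source / Event ID fields
    $idFilter = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
    $query = "<QueryList><Query Id='0' Path='$LogName'><Select Path='$LogName'>" +
             "*[System[Provider[@Name='acvpnagent'] and ($idFilter)]]</Select></Query></QueryList>"
    $class = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $eventTrigger = New-CimInstance -CimClass $class -ClientOnly
    $eventTrigger.Subscription = $query
    $eventTrigger.Enabled = $true
    $triggers = @($eventTrigger)
    if ($AtLogon) { $triggers += New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME }

    $path   = Join-Path $ScriptDir $Script
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-WindowStyle Hidden -NonInteractive -ExecutionPolicy Bypass -File `"$path`""
    # Equivalent of unchecking "Start the task only if the computer is on AC power"
    $settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
    $runLevel  = if ($Elevated) { 'Highest' } else { 'Limited' }
    $principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive -RunLevel $runLevel
    Register-ScheduledTask -TaskPath '\WSL\' -TaskName $Name -Trigger $triggers -Action $action `
        -Settings $settings -Principal $principal -Force
}

# The three tasks from the list above (2039/2041 = connected, 2010/2061 = disconnected)
Register-VpnEventTask -Name 'Update AnyConnect Adapter Interface Metric for WSL2' `
    -EventIds 2039, 2041 -Script 'setCiscoVpnMetric.ps1' -Elevated
Register-VpnEventTask -Name 'Start proxy for pac and set nameservers' `
    -EventIds 2039, 2041 -Script 'setVPNON.ps1'
Register-VpnEventTask -Name 'Start proxy without pac and reset nameservers' `
    -EventIds 2010, 2061 -Script 'setVPNOFF.ps1' -AtLogon
```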
Q: Does traffic originating from the Linux VM still route through the VPN?
A: Yes, I believe so. I did not see any leaked traffic when running a tcpdump on my router.
Q: Are VPN resources accessible from the Linux VM?
A: Yes.
Q: Can the Linux VM communicate with Windows?
A: No, it appears a firewall rule is preventing traffic between Windows and the Linux VM. You can still access Windows using the `/mnt` mount.
Q: How do I revert/disable these changes?
A:
- Run the 3rd scheduled task
- Disable the scheduled tasks
- Remove the proxy entries from `/etc/environment`
- Reboot WSL: `wsl --shutdown`
Alpaca is the proxy that makes the process the same for all software. Whenever internet access is needed, all software connects to alpaca, which then connects to the correct endpoint. This is so that all programs can be configured the same way and do not have to adjust their proxy configuration depending on the connected network.