@mikegerber
Last active November 13, 2024 13:21
Fix WSL2 vs VPN networking

The problem

WSL2 uses a random network from the 172.16.0.0/12 RFC1918 private IP address block. And our VPN uses that address block, too, with a route metric of 1 (= most preferred.)

This breaks networking for WSL2. Meh!

The solution

While messing around with the interface/route metric of the VPN network may work around the problem, it also reduces the priority of the VPN. We do not really want this. Additionally, changing the interface metric does not seem to be permanent, so it requires more work when it breaks again.

A better solution is configuring WSL2 to not use a network in the VPN network space at all. However, in our case, the VPN routed all the available RFC1918 address space... (Isn't IPv4 great!)

But we can use the link-local address space from 169.254.0.0/16 and so have at least a semi-elegant and permanent solution!

  1. These PowerShell commands set the NAT network used by WSL2 to a subnet of 169.254.0.0/16 - I chose 169.254.214.0/24 here - and need to be run as a Windows administrator:

     Set-ItemProperty `
       -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss `
       -Name NatNetwork `
       -Value "169.254.214.0/24"
     Set-ItemProperty `
       -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss `
       -Name NatGatewayIpAddress `
       -Value "169.254.214.1"

  2. Reboot (I couldn't be bothered to check if restarting some service suffices.)

  3. After the reboot, (a) you should get an error message the first time you start your WSL2 (because it can't use the IP it used before the change) and (b) networking should work, now with shiny new 169.254.x.y addresses.

Notes

  • The only thing that makes this "semi-elegant" is that I would prefer using a network from RFC1918.
  • To check the current values, run Get-Item -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss.
  • I've also seen DNS break a lot and would recommend checking IPv4 connectivity through the WSL2 NAT without DNS first (e.g. ping -n 8.8.8.8 or similar), then fixing DNS, if needed. My WSL just auto-configured 169.254.x.1 in /etc/resolv.conf, and that worked here. So WSL2 seems to have a built-in DNS proxy, but I couldn't find any documentation on it.
  • Our VPN setup does not route all traffic through the VPN, so this might not be a complete solution if yours does. It would be interesting to see how a Cisco AnyConnect VPN with a default route to the VPN sets this default route - what metric does the route have?
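
A read-only check for the conflict described above, as an added example that is not part of the original gist: it compares the configured NatNetwork with the address the WSL2 adapter actually has, and lists routes on other interfaces (such as a VPN adapter) that overlap the WSL2 subnet. It assumes the WSL2 adapter's alias starts with `vEthernet (WSL`; the helper function names are made up for this example.

```powershell
# Added example, not part of the original gist. Read-only: it changes nothing.
# Assumption: the WSL2 adapter's alias starts with "vEthernet (WSL".

function Get-PrefixRange ([string]$Cidr) {
    # First and last address of an IPv4 CIDR prefix, as 64-bit integers.
    $addr, $len = $Cidr -split '/'
    $bytes = [System.Net.IPAddress]::Parse($addr).GetAddressBytes()
    [Array]::Reverse($bytes)                    # network byte order -> little endian
    [long]$value = [BitConverter]::ToUInt32($bytes, 0)
    [long]$size  = [math]::Pow(2, 32 - [int]$len)
    $first = $value - ($value % $size)
    [pscustomobject]@{ First = $first; Last = $first + $size - 1 }
}

function Test-PrefixOverlap ([string]$A, [string]$B) {
    # Two CIDR prefixes overlap when their address ranges intersect.
    $ra = Get-PrefixRange $A
    $rb = Get-PrefixRange $B
    ($ra.First -le $rb.Last) -and ($rb.First -le $ra.Last)
}

$lxss = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss'
$cfg  = Get-ItemProperty -Path $lxss
$wsl  = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -like 'vEthernet (WSL*' } |
        Select-Object -First 1

if (-not $wsl) {
    Write-Warning 'No WSL2 adapter found. Start a WSL2 distribution and run this again.'
} else {
    $active = "$($wsl.IPAddress)/$($wsl.PrefixLength)"
    "Configured NatNetwork : $($cfg.NatNetwork)"
    "Active WSL2 adapter   : $active on $($wsl.InterfaceAlias)"

    # After the reboot the adapter address should sit inside NatNetwork.
    if ($cfg.NatNetwork -and
        -not (Test-PrefixOverlap $cfg.NatNetwork "$($wsl.IPAddress)/32")) {
        Write-Warning 'The adapter is outside NatNetwork; the registry values are not in effect.'
    }

    # Routes on other interfaces that cover part of the WSL2 subnet.
    # The default route is skipped because it overlaps everything.
    Get-NetRoute -AddressFamily IPv4 |
        Where-Object {
            $_.InterfaceIndex -ne $wsl.InterfaceIndex -and
            $_.DestinationPrefix -ne '0.0.0.0/0' -and
            (Test-PrefixOverlap $_.DestinationPrefix $active)
        } |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias,
            @{ Name = 'Metric'; Expression = { $_.RouteMetric + $_.InterfaceMetric } } |
        Sort-Object Metric |
        Format-Table -AutoSize
}
```

The Metric column is the sum of the route metric and the interface metric, which is the value `route print` shows. An empty table means no other interface claims the WSL2 subnet.
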
@ddamerjian

Using WSL 2 Ubuntu under win 11, I have the problem with the VPN not allowing me to connect to internal sites from WSL, I tried using the approach of the Registry keys and it did nothing - I see nowhere where those IP ranges get assigned to WSL or anywhere for that matter. Exported my Registry settings confirming I did it right:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss]
"KernelVersion"="5.10.102.1"
"RollbackKernelVersion"="5.10.16"
"SystemDistro"="C:\\ProgramData\\Microsoft\\WSL\\system.vhd"
"GraphicsVersion"="1.0.27"
"VirtioFsClassId"="{DF380B4F-9282-46B6-AAAB-E94BDD7EC5BB}"
"NatNetwork"="169.254.214.0/24"
"NatGatewayIpAddress"="169.254.214.1"

Rebooted a few times now. WSL network:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ce:81:84:5a:ae:dc brd ff:ff:ff:ff:ff:ff
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 36:3e:ac:8f:06:b0 brd ff:ff:ff:ff:ff:ff
4: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
6: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:de:4d:6f brd ff:ff:ff:ff:ff:ff
    inet 172.27.180.191/20 brd 172.27.191.255 scope global eth0               <=================
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fede:4d6f/64 scope link
       valid_lft forever preferred_lft forever
cisco@LAPTOP-L0MJCF72:~$
cisco@LAPTOP-L0MJCF72:~$ ip route
default via 172.27.176.1 dev eth0                                  <=================
172.27.176.0/20 dev eth0 proto kernel scope link src 172.27.180.191
cisco@LAPTOP-L0MJCF72:~$
Ethernet adapter vEthernet (WSL):

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 00-15-5D-FB-CD-7B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5a1a:73a8:f54a:1173%46(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.27.176.1(Preferred)          <==================
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 771757405
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2D-54-36-A0-20-7B-D2-23-22-81
   NetBIOS over Tcpip. . . . . . . . : Enabled
PS C:\Users\ddamerji>

My Windows routing table:

PS C:\Users\ddamerji> route print
===========================================================================
Interface List
 11...00 05 9a 3c 7a 00 ......Cisco AnyConnect Virtual Miniport Adapter for Windows x64
 10...f4 26 79 81 32 ac ......Microsoft Wi-Fi Direct Virtual Adapter
 19...f6 26 79 81 32 ab ......Microsoft Wi-Fi Direct Virtual Adapter #2
 20...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
 12...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
 23...f4 26 79 81 32 ab ......Intel(R) Wi-Fi 6E AX210 160MHz
  1...........................Software Loopback Interface 1
 46...00 15 5d fb cd 7b ......Hyper-V Virtual Ethernet Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.14     50
          0.0.0.0          0.0.0.0      10.82.200.1     10.82.206.66      2
     3.10.100.255  255.255.255.255      192.168.1.1     192.168.1.14     50
    3.126.229.159  255.255.255.255      192.168.1.1     192.168.1.14     50
    3.210.155.126  255.255.255.255      192.168.1.1     192.168.1.14     50
     3.222.22.251  255.255.255.255      192.168.1.1     192.168.1.14     50
      4.152.214.0    255.255.255.0      192.168.1.1     192.168.1.14     50
      4.158.208.0    255.255.255.0      192.168.1.1     192.168.1.14     50
      4.175.120.0    255.255.255.0      192.168.1.1     192.168.1.14     50
      10.82.200.0    255.255.248.0         On-link      10.82.206.66    257
     10.82.206.66  255.255.255.255         On-link      10.82.206.66    257
    10.82.207.255  255.255.255.255         On-link      10.82.206.66    257
     13.54.78.128  255.255.255.255      192.168.1.1     192.168.1.14     50
     13.107.6.194  255.255.255.255      192.168.1.1     192.168.1.14     50
    13.107.136.10  255.255.255.255      192.168.1.1     192.168.1.14     50
    13.107.138.10  255.255.255.255      192.168.1.1     192.168.1.14     50
    13.107.253.41  255.255.255.255      192.168.1.1     192.168.1.14     50
    13.250.67.212  255.255.255.255      192.168.1.1     192.168.1.14     50
    17.248.230.64  255.255.255.255      192.168.1.1     192.168.1.14     50
    17.248.230.65  255.255.255.255      192.168.1.1     192.168.1.14     50
    17.248.230.66  255.255.255.255      192.168.1.1     192.168.1.14     50
   18.184.245.197  255.255.255.255      192.168.1.1     192.168.1.14     50
      20.50.235.0    255.255.255.0      192.168.1.1     192.168.1.14     50
       20.53.87.0    255.255.255.0      192.168.1.1     192.168.1.14     50
       20.57.87.0    255.255.255.0      192.168.1.1     192.168.1.14     50
      20.68.154.0    255.255.255.0      192.168.1.1     192.168.1.14     50
      20.76.127.0    255.255.255.0      192.168.1.1     192.168.1.14     50
     20.96.152.55  255.255.255.255      192.168.1.1     192.168.1.14     50
      20.108.99.0    255.255.255.0      192.168.1.1     192.168.1.14     50
     20.120.238.0    255.255.254.0      192.168.1.1     192.168.1.14     50
    20.241.89.235  255.255.255.255      192.168.1.1     192.168.1.14     50
      23.55.63.48  255.255.255.255      192.168.1.1     192.168.1.14     50
      23.55.63.49  255.255.255.255      192.168.1.1     192.168.1.14     50
      23.55.63.50  255.255.255.255      192.168.1.1     192.168.1.14     50
      23.55.63.56  255.255.255.255      192.168.1.1     192.168.1.14     50
      23.55.63.57  255.255.255.255      192.168.1.1     192.168.1.14     50
      23.55.63.58  255.255.255.255      192.168.1.1     192.168.1.14     50
      23.55.63.65  255.255.255.255      192.168.1.1     192.168.1.14     50
      23.55.63.72  255.255.255.255      192.168.1.1     192.168.1.14     50
      23.55.63.74  255.255.255.255      192.168.1.1     192.168.1.14     50
      23.65.1.244  255.255.255.255      192.168.1.1     192.168.1.14     50
     23.65.21.222  255.255.255.255      192.168.1.1     192.168.1.14     50
        23.89.0.0      255.255.0.0      192.168.1.1     192.168.1.14     50
     35.86.33.112  255.255.255.255      192.168.1.1     192.168.1.14     50
    35.177.29.140  255.255.255.255      192.168.1.1     192.168.1.14     50
      38.127.80.0    255.255.255.0      192.168.1.1     192.168.1.14     50
     40.104.46.50  255.255.255.255      192.168.1.1     192.168.1.14     50
     40.119.234.0    255.255.255.0      192.168.1.1     192.168.1.14     50
    44.234.52.192  255.255.255.192      192.168.1.1     192.168.1.14     50
      50.93.246.0    255.255.254.0      192.168.1.1     192.168.1.14     50
      50.93.255.0    255.255.255.0      192.168.1.1     192.168.1.14     50
     52.96.64.130  255.255.255.255      192.168.1.1     192.168.1.14     50
      52.96.69.50  255.255.255.255      192.168.1.1     192.168.1.14     50
     52.96.70.242  255.255.255.255      192.168.1.1     192.168.1.14     50
      52.96.88.66  255.255.255.255      192.168.1.1     192.168.1.14     50
    52.96.109.130  255.255.255.255      192.168.1.1     192.168.1.14     50
    52.96.109.194  255.255.255.255      192.168.1.1     192.168.1.14     50
    52.96.109.226  255.255.255.255      192.168.1.1     192.168.1.14     50
    52.96.109.242  255.255.255.255      192.168.1.1     192.168.1.14     50
    52.96.165.130  255.255.255.255      192.168.1.1     192.168.1.14     50
    52.96.165.210  255.255.255.255      192.168.1.1     192.168.1.14     50
    52.96.165.226  255.255.255.255      192.168.1.1     192.168.1.14     50
     52.96.172.98  255.255.255.255      192.168.1.1     192.168.1.14     50
    52.96.181.226  255.255.255.255      192.168.1.1     192.168.1.14     50
     52.96.182.18  255.255.255.255      192.168.1.1     192.168.1.14     50
     52.96.182.98  255.255.255.255      192.168.1.1     192.168.1.14     50
     52.96.184.18  255.255.255.255      192.168.1.1     192.168.1.14     50
    52.96.185.194  255.255.255.255      192.168.1.1     192.168.1.14     50
     52.96.242.18  255.255.255.255      192.168.1.1     192.168.1.14     50
     52.109.0.140  255.255.255.255      192.168.1.1     192.168.1.14     50
      52.109.8.36  255.255.255.255      192.168.1.1     192.168.1.14     50
     52.109.136.6  255.255.255.255      192.168.1.1     192.168.1.14     50
    52.111.227.28  255.255.255.255      192.168.1.1     192.168.1.14     50
    52.111.229.20  255.255.255.255      192.168.1.1     192.168.1.14     50
    52.111.229.61  255.255.255.255      192.168.1.1     192.168.1.14     50
    52.111.229.62  255.255.255.255      192.168.1.1     192.168.1.14     50
    52.111.229.63  255.255.255.255      192.168.1.1     192.168.1.14     50
    52.111.229.96  255.255.255.255      192.168.1.1     192.168.1.14     50
     52.111.230.0  255.255.255.255      192.168.1.1     192.168.1.14     50
     52.232.210.0    255.255.255.0      192.168.1.1     192.168.1.14     50
    54.68.201.219  255.255.255.255      192.168.1.1     192.168.1.14     50
     54.79.123.45  255.255.255.255      192.168.1.1     192.168.1.14     50
     54.169.14.70  255.255.255.255      192.168.1.1     192.168.1.14     50
    54.252.173.50  255.255.255.255      192.168.1.1     192.168.1.14     50
    54.252.187.75  255.255.255.255      192.168.1.1     192.168.1.14     50
   54.254.137.133  255.255.255.255      192.168.1.1     192.168.1.14     50
   54.254.157.106  255.255.255.255      192.168.1.1     192.168.1.14     50
     62.109.192.0    255.255.192.0      192.168.1.1     192.168.1.14     50
       64.68.96.0    255.255.224.0      192.168.1.1     192.168.1.14     50
     64.102.252.4  255.255.255.255      192.168.1.1     192.168.1.14     51
     64.207.196.0    255.255.252.0      192.168.1.1     192.168.1.14     50
     64.207.204.0    255.255.254.0      192.168.1.1     192.168.1.14     50
     64.207.222.0    255.255.254.0      192.168.1.1     192.168.1.14     50
     66.114.160.0    255.255.240.0      192.168.1.1     192.168.1.14     50
      66.163.32.0    255.255.224.0      192.168.1.1     192.168.1.14     50
     67.222.248.0    255.255.248.0      192.168.1.1     192.168.1.14     50
      68.65.192.0    255.255.248.0      192.168.1.1     192.168.1.14     50
      69.26.160.0    255.255.224.0      192.168.1.1     192.168.1.14     50
      85.119.56.0    255.255.254.0      192.168.1.1     192.168.1.14     50
      103.8.239.0    255.255.255.0      192.168.1.1     192.168.1.14     50
     114.29.192.0    255.255.224.0      192.168.1.1     192.168.1.14     50
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     128.177.14.0    255.255.255.0      192.168.1.1     192.168.1.14     50
     128.177.36.0    255.255.255.0      192.168.1.1     192.168.1.14     50
     135.84.168.0    255.255.248.0      192.168.1.1     192.168.1.14     50
     139.177.64.0    255.255.248.0      192.168.1.1     192.168.1.14     50
     139.177.72.0    255.255.254.0      192.168.1.1     192.168.1.14     50
      144.196.0.0      255.255.0.0      192.168.1.1     192.168.1.14     50
        149.5.7.0    255.255.255.0      192.168.1.1     192.168.1.14     50
    150.253.128.0    255.255.128.0      192.168.1.1     192.168.1.14     50
     162.222.40.0    255.255.248.0      192.168.1.1     192.168.1.14     50
      163.129.0.0      255.255.0.0      192.168.1.1     192.168.1.14     50
     168.86.128.0    255.255.192.0      192.168.1.1     192.168.1.14     50
     168.100.64.0    255.255.192.0      192.168.1.1     192.168.1.14     50
       170.72.0.0    255.255.128.0      192.168.1.1     192.168.1.14     50
     170.72.128.0    255.255.192.0      192.168.1.1     192.168.1.14     50
     170.72.192.0    255.255.224.0      192.168.1.1     192.168.1.14     50
    170.133.128.0    255.255.192.0      192.168.1.1     192.168.1.14     50
     172.27.176.0    255.255.240.0         On-link      172.27.176.1   5256
     172.27.176.0    255.255.240.0      10.82.200.1     10.82.206.66      2

     172.27.176.1  255.255.255.255         On-link      172.27.176.1   5256   <=============

   172.27.191.255  255.255.255.255         On-link      172.27.176.1   5256
     173.39.224.0    255.255.224.0      192.168.1.1     192.168.1.14     50
      173.243.0.0    255.255.240.0      192.168.1.1     192.168.1.14     50
     184.31.48.47  255.255.255.255      192.168.1.1     192.168.1.14     50
    185.115.196.0    255.255.252.0      192.168.1.1     192.168.1.14     50
      192.168.1.0    255.255.255.0         On-link      192.168.1.14    306
      192.168.1.0    255.255.255.0      10.82.200.1     10.82.206.66      2
      192.168.1.1  255.255.255.255         On-link      192.168.1.14     51
     192.168.1.14  255.255.255.255         On-link      192.168.1.14    306
    192.168.1.255  255.255.255.255         On-link      192.168.1.14    306
     192.168.57.0    255.255.255.0         On-link      192.168.57.1    291
     192.168.57.0    255.255.255.0      10.82.200.1     10.82.206.66      2
     192.168.57.1  255.255.255.255         On-link      192.168.57.1    291
   192.168.57.255  255.255.255.255         On-link      192.168.57.1    291
    192.168.255.0    255.255.255.0         On-link     192.168.255.1    291
    192.168.255.0    255.255.255.0      10.82.200.1     10.82.206.66      2
    192.168.255.1  255.255.255.255         On-link     192.168.255.1    291
  192.168.255.255  255.255.255.255         On-link     192.168.255.1    291
     199.19.196.0    255.255.254.0      192.168.1.1     192.168.1.14     50
     199.19.199.0    255.255.255.0      192.168.1.1     192.168.1.14     50
      199.59.64.0    255.255.248.0      192.168.1.1     192.168.1.14     50
    207.182.160.0    255.255.224.0      192.168.1.1     192.168.1.14     50
    209.197.192.0    255.255.224.0      192.168.1.1     192.168.1.14     50
      210.4.192.0    255.255.240.0      192.168.1.1     192.168.1.14     50
      216.9.196.0    255.255.252.0      192.168.1.1     192.168.1.14     50
       216.17.8.0    255.255.255.0      192.168.1.1     192.168.1.14     50
      216.147.0.0    255.255.192.0      192.168.1.1     192.168.1.14     50
    216.151.128.0    255.255.224.0      192.168.1.1     192.168.1.14     50
     216.223.38.0    255.255.255.0      192.168.1.1     192.168.1.14     50
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.255.1    291
        224.0.0.0        240.0.0.0         On-link      192.168.57.1    291
        224.0.0.0        240.0.0.0         On-link      192.168.1.14    306
        224.0.0.0        240.0.0.0         On-link      172.27.176.1   5256
        224.0.0.0        240.0.0.0         On-link      10.82.206.66    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.255.1    291
  255.255.255.255  255.255.255.255         On-link      192.168.57.1    291
  255.255.255.255  255.255.255.255         On-link      192.168.1.14    306
  255.255.255.255  255.255.255.255         On-link      172.27.176.1   5256
  255.255.255.255  255.255.255.255         On-link      10.82.206.66    257
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 11     36 ::/0                     On-link
  1    331 ::1/128                  On-link
 11    291 2001:420:c0c4:1002::/64  On-link
 11    291 2001:420:c0c4:1002::225/128
                                    On-link
 11    291 fe80::/64                On-link
 12    291 fe80::2ac:6d85:939a:9d3c/128
                                    On-link
 20    291 fe80::958:3d54:3513:13b0/128
                                    On-link
 46   5256 fe80::5a1a:73a8:f54a:1173/128
                                    On-link
 11    291 fe80::5d7a:eddc:d9fb:1e1f/128
                                    On-link
  1    331 ff00::/8                 On-link
 20    291 ff00::/8                 On-link
 12    291 ff00::/8                 On-link
 46   5256 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
PS C:\Users\ddamerji>

For the record, I have gotten my hardware-based VPN (Meraki MR56) working again and of course it has no issue with routing. But I would really like to get Cisco Secure Client (5.1.4.74) to work, as if I am remote I have no choice but to use it.

@ddamerjian

ddamerjian commented Oct 23, 2024

I need you guys to come thru for me please, I need someone to respond to my post, I would help you, you help me, we're here to help each other, don't abandon me please, I took the time to write a nice clear post.

@ddamerjian

I really need help here

@ddamerjian

Can someone step up to the plate and help me please

@mikegerber
Author

@ddamerjian Check any wsl.conf (in the WSL distribution) or .wslconfig files, if you have anything network-related configured there. (I'm on Windows 10, you are on Windows 11, which might make a difference, can't say.)

@ddamerjian

Thanks for the response.

The only wsl.conf I found is the one I have been modifying in testing different solutions for this issue, and currently it looks like the following, where I was taking a suggestion from a post to use the mirrored feature, which doesn't work. But if I don't have that setting the problem still exists.

[network]
generateResolvConf = True
[experimental]
networkingMode=mirrored
dnsTunneling=true
cisco@LAPTOP-L0MJCF72:~$

As far as the other file you mentioned, .wslconfig, no such file exists on my system

Thanks
dd

@mikegerber
Author

networkingMode=mirrored

With mirrored mode the NAT config I propose here probably isn't relevant.

@ddamerjian

Right, I know that, I already acknowledged that. What I am saying is that I tried your approach without that setting and it still doesn't work.
