{{ message }}
/ WSL Public

# [WSL2] Checkpoint VPN breaks network connectivity#4246

Open
opened this issue Jun 29, 2019 · 119 comments
Open

# [WSL2] Checkpoint VPN breaks network connectivity#4246

opened this issue Jun 29, 2019 · 119 comments
Labels

### rlipscombe commented Jun 29, 2019

 (I've searched the open issues, and none that I could find were exactly the same) Windows 10.0.18922.1000 I just installed Windows Insiders, and updated my Ubuntu distro to WSL2. It can no longer access the Internet. From the Ubuntu bash prompt: ping github.com doesn't work (100% packet loss); ping 8.8.8.8 is the same. /etc/resolv.conf gives nameserver 192.168.115.225. ping 192.168.115.225 doesn't work. My Ubuntu distro has IP 192.168.115.230; I can ping that from Ubuntu. The Windows IP address is 192.168.115.225, and I can ping it from PowerShell. Pinging the Ubuntu distro's IP (192.168.115.230) also works, from PowerShell. Inside Ubuntu, route -n reports: Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.115.225 0.0.0.0 UG 0 0 0 eth0 192.168.115.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0  I'm using a Surface Go, Windows 10 Pro, connected to the Internet over Wifi. I might have some left-over detritus from when I attempted to get a Hyper-V VM connecting via Wifi. That was prior to upgrading to Windows Insiders. I don't know how much of that Hyper-V networking infrastructure is shared, and I don't know how to debug that. The text was updated successfully, but these errors were encountered:

### rlipscombe commented Jun 29, 2019 • edited

 I attempted to convert the distro back to WSL 1, but it failed with The network connection was aborted by the local system.

### rlipscombe commented Jun 29, 2019

 Oh, it might be worth noting that I've got Checkpoint VPN software (not active), Wireshark (i.e. npcap) and NordVPN (also not active) installed. I don't know whether any of those will break anything.

### rlipscombe commented Jun 29, 2019 • edited

 Uninstalling NordVPN does not fix the problem. The Checkpoint VPN software seems to be responsible for screwing it up. Uninstalling it fixes the problem. Unfortunately (sigh), I have to have this software installed, so it looks like I'm going to have to uninstall Windows Insiders. Any chance you could work with Check Point to get this resolved?

### rlipscombe commented Jun 30, 2019

 So, interestingly enough, uninstalling and reinstalling the Checkpoint VPN software appears to fix the problem.

changed the title [WSL2] No network connectivity [WSL2] Checkpoint VPN breaks network connectivity Jun 30, 2019

### rlipscombe commented Jun 30, 2019

 (title updated to true cause of problem)

### BenHenning commented Sep 20, 2019

 FWIW I've experienced what sounds like a similar issue, and I don't use Checkpoint VPN. I notice that when this happens, seemingly all socket-level operations seem to fail in Windows. Even my Android emulator becomes inaccessible to Android Studio, and all Chrome tabs indicate no internet connectivity. Closing all Ubuntu windows resolved the issue for me today, and this consistently happens when I leave a local server running in Ubuntu overnight and come back to my workstation 24 hours later.

### cmeiklejohn commented Oct 9, 2019

 I'm using the Cisco AnyConnect VPN and as soon as I connect, I lose all access to the external network. Anything I can do to help debug this further?

### craigloewen-msft commented Oct 9, 2019

 @cmeiklejohn please see issue #4277 If you'd like to help us debug it please send us networking logs, instructions on how to do that are here!

### neileadobe commented Oct 31, 2019

 I also have this problem, using Cisco. Logs here: https://aka.ms/AA6fthe

### rlipscombe commented Nov 5, 2019

 Data point: with Windows 10.0.19013.1, CheckPoint VPN E81.40. If I right-click on the notification icon and select "Disable Security Policy" (thus regaining control of my own firewall) then WSL Ubuntu can connect to the Internet correctly.

### jagjordi commented Nov 13, 2019

 Same issus occurs with Cisco OpenConnect VPN. Here are the logs https://aka.ms/AA6jmg1

### timesnewmen commented Nov 20, 2019

 Similar issue with Citrix VPN. I can ping the server, but can not open tcp port 80 and curl is timeout.

### codeart1st commented Dec 9, 2019

 Same issues also with Checkpoint VPN

### caal-15 commented Jan 10, 2020

 Same problem with Cisco AnyConnect

### elmorekevin commented Jan 10, 2020

 I lose internet connectivity in WSL2 when using SonicWall VPN in full-tunnel mode. If I switch to partial-tunnel, then WSL2 internet connectivity is fine.

### wissamz commented Jan 17, 2020

 I am seeing the same behavior using Cisco AnyConnect VPN. Any updates on this issue?

### iamoverit commented Feb 3, 2020

 same issue using Cisco AnyConnect (connected)

mentioned this issue Mar 3, 2020

### sphair commented Mar 12, 2020

 So, interestingly enough, uninstalling and reinstalling the Checkpoint VPN software appears to fix the problem. I have the same problem, but this did not seem to help in my case.

### hardik-id commented Mar 14, 2020 • edited

 I installed/used Cisco AnyConnect from Windows Store https://www.microsoft.com/store/productId/9WZDNCRDJ8LH and it started working. Credit goes to #4277 (comment)

### andyneff commented Apr 2, 2020

 I have the same problem as @elmorekevin I'm using the latest Sonicwall NetExtender (9.0.274), and can only use full tunnel mode. WSL1 works perfectly at the same time WSL2 does not.

### metawave commented Apr 20, 2020

 I have a similar problem with Citrix Netscaler VPN at work, which only tunnels some networks. Internet access is fine with wsl2 but connecting to a host inside a VPN tunneled network, the name can be resolved to an IP but then timeouts (wireshark says tcp retransmission). Citrix Netscaler says, that it has tunneled that connection in the "tunneled application" window. Also disabled the firewall completely, but that didn't work either....

mentioned this issue Apr 23, 2020

### andyneff commented Apr 23, 2020

 At random, I tried to use WSL 2 when I was connected to VPN, and to my utter and total surprise, it started working! I have not been able to reproduce the result since. But I was able to access both my VPN network and the internet (via full tunnel mode). I did make an observation though. When it worked, I had done nslookup and run server and noted the IP address of the dns proxy server was 172.x.x.x. However other times (when it doesn't work) it's 192.168.x.x. (Now my real IP both locally and via VPN is 10.x.x.x subnets) Sometimes I see three IPs in WSL2 (ifconfig), sometimes only two. I have no idea what is going on here. For example, now I only see 172.25.x.x and 127.0.0.1 (local host is always there), and it's not working. In my current example, I am able to ping the 172.25.x.x IP on my host windows machine, that is in the same subnet, but none of my other IPs Recently updated to Windows 10 Pro build 10.0.19041

### andyneff commented Apr 24, 2020 • edited

 Attempted to delete the WSL NIC/switch from hyper v fails (in a extremely bad way) I was hoping I could "reset the NIC" once connected to VPN by deleting it, and then letting it regenerate like it did the first time you run WSL2. It half deletes, and won't finish, and will never repair itself. I had to uninstall and reinstall WSL itself (not the distros)

# Workaround steps to get Internet working on VPN

Since the one time I got internet working on WSL2 was after an Windows 10 update, I was guessing that maybe somehow the network was reset, it and was because I started WSL2 while on VPN...

This has worked twice now using Sonicwall VPN, so I hope this works for someone else:

WARNING: You should always backup registry keys before you delete them, in case this breaks things!

1. Remove the WSL Switch and NIC. Since neither WSL2 VM nor networks devices appear normally in Hyper-V Manager (which only hurts the users, so thanks), I cannot figured out how to use Hyper-V Manager to remove the Switch. It just errors out, and leave it broken. Now I found a Registry way to remove them
1. Look in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\####\NetSetupProperties, where #### is a four digit number
• Out of the four digit keys in there, two of them will mention WSL
• "NETSETUPPKEY_Interface_IfAliasBase"="vSwitch (WSL)"
• "NETSETUPPKEY_Interface_IfAliasBase"="vEthernet (WSL)"
• The two number should be consecutive. Delete both keys.
2. Look in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmsmp\parameters\NicList
• Delete the Key containing "FriendlyName"="WSL"
3. Look in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmsmp\parameters\SwitchList
• Delete the Key containing "FriendlyName"="WSL"
2. Now reboot.
3. Once you reboot, running ipconfig should no longer show Ethernet adapter vEthernet (WSL):
4. VPN in (do not start WSL2 even once before doing this)
5. Once completly connected to VPN, now start WSL 2
• Enjoy internet (Until you have to do this all over again...)

While still on VPN, shutting down WSL2 and restarting it, still worked. However...

1. wsl --shutdown
2. Disconnect from VPN
3. Reconnect from VPN
4. Run WSL2 again

Does not work.

This is not a great workaround, but it is a start... Shortcuts welcome!

mentioned this issue May 1, 2020

### AmmarRahman commented May 12, 2020

 The workaround I have at the moment is to work within a container. Even though Docker uses WSL2 as it's backend, they seem to have got a better network setup that would work through the VPN.

### metawave commented May 15, 2020

 I can confirm the comment of @AmmarRahman. After installing Docker Desktop on my Windows machine and switch to the WSL2 backend, I noticed that this docker daemon is able to access resources in the vpn (downloads an image from a docker registry there). I can also confirm it by running a container accessing resources on the vpn docker run alpine sh -c 'wget -O- https://some-vpn-internal.resource.com'. Eventhough the communication to vpn resources don't work in wsl2, ex. by running the docker wsl2 "machine" (wsl.exe -d docker-desktop). So I think something is actively preventing this to work

### d-ryzhikov commented Jan 14, 2021 • edited

 Until a proper fix arrives from microsoft, here is a workaround that I use, to change the mtu size on startup. Create a script that would change the mtu size: echo<

### bastaramus commented Jan 19, 2021 • edited

 Hi guys I've developed a simple script that can help you to deal with conection issue from WSL2: https://gist.github.com/bastaramus/3d5f1326835fe111d5ea9684c41a6675 You need to run this script as an Administrator on your Windows machine each time when you was connected to the CheckPoint VPN. And you don't need to disable any interfaces or reconnect to VPN. Just launch this script I don't know is there any way in Windows to automatically launch this script after VPN connection was established. It would be great if somebody can help with this

### AmmarRahman commented Jan 25, 2021 • edited

 @d-ryzhikov solution seem to be working in principle. I have tried the new found WSL boot script support for doing that and it seems to solve the situation as well. All what you need to do is to add [boot] command="ip link set dev eth0 mtu 1350" to /etc/wsl.conf. After a computer restart, WSL seems to be working fine with VPN on.

mentioned this issue Jan 29, 2021

### eldar commented Feb 8, 2021

 Hi, all. I'm experiencing the same issue when connecting to the VPN network at work using Cisco AnyConnect. The solution from the recent comments does not work for me. I edit the /etc/wsl.conf as described above and set the MTU size to 1350. Executing ip link gives me the following: 5: eth0: mtu 1350 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 00:15:5d:d1:c1:cb brd ff:ff:ff:ff:ff:ff  However ping google.com still gives me an error: ping: google.com: Temporary failure in name resolution. Am I missing something else? Thank you.

### smerschjohann commented Feb 8, 2021 • edited

I came up with a different solution, as I seem to have a different problem than the other posts here.

In my situation the endpoint firewall was in the way, For virtualbox etc. the company excluded some ip addresses from these rules exactly for such internal purposes. So I had to use one of these ip addresses to allow internet access.

I do that with the following scripts (e.g. 192.168.123.100/32 is your excluded IP address)

## Windows / Powershell

A small powershell script which adds a route to the vSwitch to route traffic to the ip range/single IP excluded in the checkpoint firewall.

$wslIfdx = (Get-NetAdapter -Name "vEthernet (WSL)").ifIndex$wslIfAddr = $(Write-Output (Get-NetIPAddress -InterfaceIndex$wslIfdx).IPv4Address)[1]
New-NetRoute -DestinationPrefix "192.168.123.100/32" -InterfaceIndex $wslIfdx -NextHop$wslIfAddr


## Linux / WSL2

A script that switches the activate IP address of the system, it turned out that I didn't need to change the /etc/resolv.conf (DNS resolution) that may vary in your setup.

#!/bin/bash

ip=$(hostname -I) sudo ip addr add 192.168.123.100/32 dev eth0 sudo ip addr delete$ip dev eth0;
sudo ip link set mtu 1350 dev eth0 # needed to connect to IPs behind VPN


### tedjp commented Feb 11, 2021

 @baruchiro /etc/resolv.conf not /etc/resolve.conf

### barroudjo commented Feb 26, 2021 • edited

 Just dropping by to say that with socat and a local proxy you can circumvent altogether this problem, at least for http calls: set your WSL http_proxy env var to point to a socat TCP listening process: http_proxy=http://localhost:8118 launch socat to listen and forward (through binary communication) to a socat (socat cygwin) in windows the tcp calls: socat tcp-listen:8118,fork,reuseaddr exec:"/mnt/c/Workspace/socat/socat.exe - tcp\:localhost\:8118" run a proxy server (for example privoxy, or winfoom / px if you need to go through a corporate proxy with cntlm authentification) on your windows host, at the same 8118 port you also need to configure the http proxy for apt-get to http://localhost:8118 in /etc/apt/apt.conf.d/proxy.conf: Acquire::http::Proxy "http://127.0.0.1:8118"; It's a workaround, but it's robust, and it should work for all cases. Doesn't matter which vpn, if you have connectivity in windows you will have it in WSL. To make it clean obviously you should autostart the socat process. I have a solution but it's not the cleanest and I'm sure people here more competent than I can propose something better !

### smerschjohann commented Feb 26, 2021

 @barroudjo Yes for a specific additional customer VPN I had to use a similiar setup. But I use the docker magic for that. Docker Desktop does a very good job to circumvent the WSL2 quirks by some tun/tap magic, so you can just start a squid proxy in docker. So I came up with the following: docker run --name squid -d -p 3128:3128 datadog/squid export http_proxy=http://127.0.0.1:3128 export https_proxy=http://127.0.0.1:3128  Done!

### barroudjo commented Feb 26, 2021

 @smerschjohann that's a good one ! A bit simpler than my solution too (you just have to install docker desktop) ! And you could improve it just a bit by using a non-caching smaller proxy: https://hub.docker.com/r/vimagick/tinyproxy.

### fryzhykau commented Mar 2, 2021 • edited

 I had the same behavior - connection via https/443 didn't work on WSL2, giving: >wget https://github.com/kubeflow/manifests/archive/ebeb4c285a0cf49750c4f07015b58cc27ca4c3a1.tar.gz --2021-03-01 20:24:44-- https://github.com/kubeflow/manifests/archive/ebeb4c285a0cf49750c4f07015b58cc27ca4c3a1.tar.gz Resolving github.com (github.com)... 140.82.112.3 Connecting to github.com (github.com)|140.82.112.3|:443... failed: Connection timed out. Retrying. However it worked on WSL1. Windows 10 Pro: Version 10.0.19042 Build 19042 (latest till now on my laptop - Dell XPS 17). I have OpenVPN installed as well, however behavior didn't change whether I have VPN connection established or not. All above methods (including thread in #4246, except latest one in this thread - around proxy) didn't help. Interestingly enough - for me it turned out to be the Symantec Endpoint Protection antivirus... Not sure yet what exactly it blocks - will try to find. When protection was disabled - things started to work as expected..

### ecool commented Mar 4, 2021 • edited

 Alright, so I've been wanting to use WSL 2 for a while now and the only thing stopping me is the VPN connectivity issue. I found something that I'm not sure if others have because I haven't found any posts in the issues I've been looking through and figured I should throw this in here as a possible reason for the issue with VPN connectivity issues. I have tried a lot of the workarounds except for the metric modification because I don't want my system to "disable/ignore" my VPN. From what I understand of the metric value is that it is a priority system and if you increase the metric on a VPN to higher than your outgoing internet nic you are basically routing 0 traffic through the VPN. (If I am misunderstanding this, please let me know). So, I've been looking into the Hyper-V Virtual Switch and while trying to create an external switch /(or modifying the WSL one) the external network interfaces list does not show the VPN interface image. I am using Private Internet Access as my VPN connection and as shown in the image is not in the selection list. I hope this helps with figuring out if there might be an issue with the Virtual Switch instead of with the WSL networking in general. Just some extra info showing that DNS resolving is working fine (for some reason)[this is a fresh Ubuntu 20.04 WSL 2 install]. > curl -L ip.me -v * Trying 134.209.78.99:80... * TCP_NODELAY set * connect to 134.209.78.99 port 80 failed: Connection timed out * Failed to connect to ip.me port 80: Connection timed out * Closing connection 0 curl: (28) Failed to connect to ip.me port 80: Connection timed out > ip route default via 172.17.40.145 dev eth0 172.17.40.144/28 dev eth0 proto kernel scope link src 172.17.40.147 > ping 172.17.40.145 PING 172.17.40.145 (172.17.40.145) 56(84) bytes of data. 64 bytes from 172.17.40.145: icmp_seq=1 ttl=128 time=0.317 ms 64 bytes from 172.17.40.145: icmp_seq=2 ttl=128 time=0.441 ms 64 bytes from 172.17.40.145: icmp_seq=3 ttl=128 time=0.292 ms ^C --- 172.17.40.145 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2113ms rtt min/avg/max/mdev = 0.292/0.350/0.441/0.065 ms > ping 1.1.1.1 PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data. ^C --- 1.1.1.1 ping statistics --- 5 packets transmitted, 0 received, 100% packet loss, time 4185ms

### famod commented Mar 11, 2021

 @barroudjo & @smerschjohann many thanks for your proxy ideas! We (@tkalmar and I) also added a dante socks proxy so that we can SSH to other machines in our corporate network. So we now have a docker-compose setup that starts both dante and tinyproxy in containers. We might share the entire setup later but we want to give it more "baking time" first.

mentioned this issue Mar 12, 2021

### ionutvilie commented Jun 15, 2021 • edited

 removing comment, refreshed windows 2 times, could not replicate first working sollution, i probably did not payed attention and it was WSL1

### galindroasml commented Jun 16, 2021 • edited

 @idsergiu provided the best and most simpler solution. Nevertheless, I had to use this tool from the comment of @baruchiro about the DNS resolution problem. Thank you very much guys!

### yoda-br commented Jul 23, 2021

 I'm using Windows 10 Pro, version 21H1, compilation 19043.1110, Windows Feature Experience Pack 120.2212.3530.0 and Ubuntu 20.04 on WSL2. When I connect to my corporate VPN using Check Point Mobile client, Ubuntu on WSL2 can't access any machine on VPN. Access to my home network and Internet remains okay, but I can't reach any machine on VPN. Does anybody knows how to fix it?

### yalopov commented Jan 18, 2022

 I have created a script to simplify the solution above for our corporate machines. I have adapted it to be more generic on https://github.com/AmmarRahman/wsl-vpn Please feedback if this work for you. Works like a charm, thank you

### thcuvelier commented Mar 18, 2022

 Using also Zscaler proxy running on Windows on http://localhost:9000. and having the same problem than @aderuelle Any idea how to solve this