[WSL2] Checkpoint VPN breaks network connectivity

[rlipscombe]

(I've searched the open issues, and none that I could find were exactly the same)

Windows 10.0.18922.1000

I just installed Windows Insiders, and updated my Ubuntu distro to WSL2. It can no longer access the Internet.

From the Ubuntu bash prompt: ping github.com doesn't work (100% packet loss); ping 8.8.8.8 is the same.

/etc/resolv.conf gives nameserver 192.168.115.225. ping 192.168.115.225 doesn't work.

My Ubuntu distro has IP 192.168.115.230; I can ping that from Ubuntu.

The Windows IP address is 192.168.115.225, and I can ping it from PowerShell. Pinging the Ubuntu distro's IP (192.168.115.230) also works, from PowerShell.

Inside Ubuntu, route -n reports:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.115.225 0.0.0.0         UG    0      0        0 eth0
192.168.115.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0

I'm using a Surface Go, Windows 10 Pro, connected to the Internet over Wifi.

I might have some left-over detritus from when I attempted to get a Hyper-V VM connecting via Wifi. That was prior to upgrading to Windows Insiders. I don't know how much of that Hyper-V networking infrastructure is shared, and I don't know how to debug that.

[rlipscombe]

I attempted to convert the distro back to WSL 1, but it failed with The network connection was aborted by the local system.

[rlipscombe]

Oh, it might be worth noting that I've got Checkpoint VPN software (not active), Wireshark (i.e. npcap) and NordVPN (also not active) installed. I don't know whether any of those will break anything.

[rlipscombe]

Uninstalling NordVPN does not fix the problem.

The Checkpoint VPN software seems to be responsible for screwing it up. Uninstalling it fixes the problem.

Unfortunately (sigh), I have to have this software installed, so it looks like I'm going to have to uninstall Windows Insiders.

Any chance you could work with Check Point to get this resolved?

[rlipscombe]

So, interestingly enough, uninstalling and reinstalling the Checkpoint VPN software appears to fix the problem.

[rlipscombe]

(title updated to true cause of problem)

[BenHenning]

FWIW I've experienced what sounds like a similar issue, and I don't use Checkpoint VPN. I notice that when this happens, seemingly all socket-level operations seem to fail in Windows. Even my Android emulator becomes inaccessible to Android Studio, and all Chrome tabs indicate no internet connectivity. Closing all Ubuntu windows resolved the issue for me today, and this consistently happens when I leave a local server running in Ubuntu overnight and come back to my workstation 24 hours later.

[cmeiklejohn]

I'm using the Cisco AnyConnect VPN and as soon as I connect, I lose all access to the external network. Anything I can do to help debug this further?

[craigloewen-msft]

@cmeiklejohn please see issue #4277

If you'd like to help us debug it please send us networking logs, instructions on how to do that are here!

[neileadobe]

I also have this problem, using Cisco. Logs here: https://aka.ms/AA6fthe

[rlipscombe]

Data point: with Windows 10.0.19013.1, CheckPoint VPN E81.40. If I right-click on the notification icon and select "Disable Security Policy" (thus regaining control of my own firewall) then WSL Ubuntu can connect to the Internet correctly.

[jagjordi]

Same issus occurs with Cisco OpenConnect VPN. Here are the logs https://aka.ms/AA6jmg1

[timesnewmen]

Similar issue with Citrix VPN.
I can ping the server, but can not open tcp port 80 and curl is timeout.

[codeart1st]

Same issues also with Checkpoint VPN

[caal-15]

Same problem with Cisco AnyConnect

[elmorekevin]

I lose internet connectivity in WSL2 when using SonicWall VPN in full-tunnel mode. If I switch to partial-tunnel, then WSL2 internet connectivity is fine.

[wissamz]

I am seeing the same behavior using Cisco AnyConnect VPN. Any updates on this issue?

[iamoverit]

same issue using Cisco AnyConnect (connected)

[sphair]

So, interestingly enough, uninstalling and reinstalling the Checkpoint VPN software appears to fix the problem.

I have the same problem, but this did not seem to help in my case.

[hardik-id]

I installed/used Cisco AnyConnect from Windows Store
https://www.microsoft.com/store/productId/9WZDNCRDJ8LH and it started working.
Credit goes to #4277 (comment)

[andyneff]

I have the same problem as @elmorekevin I'm using the latest Sonicwall NetExtender (9.0.274), and can only use full tunnel mode. WSL1 works perfectly at the same time WSL2 does not.

[metawave]

I have a similar problem with Citrix Netscaler VPN at work, which only tunnels some networks. Internet access is fine with wsl2 but connecting to a host inside a VPN tunneled network, the name can be resolved to an IP but then timeouts (wireshark says tcp retransmission). Citrix Netscaler says, that it has tunneled that connection in the "tunneled application" window. Also disabled the firewall completely, but that didn't work either....

[andyneff]

At random, I tried to use WSL 2 when I was connected to VPN, and to my utter and total surprise, it started working! I have not been able to reproduce the result since. But I was able to access both my VPN network and the internet (via full tunnel mode).

I did make an observation though. When it worked, I had done nslookup and run server and noted the IP address of the dns proxy server was 172.x.x.x. However other times (when it doesn't work) it's 192.168.x.x. (Now my real IP both locally and via VPN is 10.x.x.x subnets)

Sometimes I see three IPs in WSL2 (ifconfig), sometimes only two. I have no idea what is going on here. For example, now I only see 172.25.x.x and 127.0.0.1 (local host is always there), and it's not working. In my current example, I am able to ping the 172.25.x.x IP on my host windows machine, that is in the same subnet, but none of my other IPs

Recently updated to Windows 10 Pro build 10.0.19041

[andyneff]

Attempted to delete the WSL NIC/switch from hyper v fails (in a extremely bad way) I was hoping I could "reset the NIC" once connected to VPN by deleting it, and then letting it regenerate like it did the first time you run WSL2. It half deletes, and won't finish, and will never repair itself. I had to uninstall and reinstall WSL itself (not the distros)

[andyneff]

Workaround steps to get Internet working on VPN

Since the one time I got internet working on WSL2 was after an Windows 10 update, I was guessing that maybe somehow the network was reset, it and was because I started WSL2 while on VPN...

This has worked twice now using Sonicwall VPN, so I hope this works for someone else:

WARNING: You should always backup registry keys before you delete them, in case this breaks things!

1. Remove the WSL Switch and NIC. Since neither WSL2 VM nor networks devices appear normally in Hyper-V Manager (which only hurts the users, so thanks), I cannot figured out how to use Hyper-V Manager to remove the Switch. It just errors out, and leave it broken. Now I found a Registry way to remove them
   1. Look in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\####\NetSetupProperties, where #### is a four digit number
      • Out of the four digit keys in there, two of them will mention WSL
        • "NETSETUPPKEY_Interface_IfAliasBase"="vSwitch (WSL)"
        • "NETSETUPPKEY_Interface_IfAliasBase"="vEthernet (WSL)"
      • The two number should be consecutive. Delete both keys.
   2. Look in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmsmp\parameters\NicList
      • Delete the Key containing "FriendlyName"="WSL"
   3. Look in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmsmp\parameters\SwitchList
      • Delete the Key containing "FriendlyName"="WSL"
2. Now reboot.
3. Once you reboot, running ipconfig should no longer show Ethernet adapter vEthernet (WSL):
4. VPN in (do not start WSL2 even once before doing this)
5. Once completly connected to VPN, now start WSL 2
   • Enjoy internet (Until you have to do this all over again...)

While still on VPN, shutting down WSL2 and restarting it, still worked. However...

1. wsl --shutdown
2. Disconnect from VPN
3. Reconnect from VPN
4. Run WSL2 again

Does not work.

---

This is not a great workaround, but it is a start... Shortcuts welcome!

[AmmarRahman]

The workaround I have at the moment is to work within a container. Even though Docker uses WSL2 as it's backend, they seem to have got a better network setup that would work through the VPN.

[metawave]

I can confirm the comment of @AmmarRahman. After installing Docker Desktop on my Windows machine and switch to the WSL2 backend, I noticed that this docker daemon is able to access resources in the vpn (downloads an image from a docker registry there). I can also confirm it by running a container accessing resources on the vpn docker run alpine sh -c 'wget -O- https://some-vpn-internal.resource.com'. Eventhough the communication to vpn resources don't work in wsl2, ex. by running the docker wsl2 "machine" (wsl.exe -d docker-desktop). So I think something is actively preventing this to work

[d-ryzhikov]

Until a proper fix arrives from microsoft, here is a workaround that I use, to change the mtu size on startup.

1. Create a script that would change the mtu size:

echo<<EOF | sudo tee /etc/init.d/eth0-mtu
#!/bin/sh
ip link set dev eth0 mtu 1350
EOF
sudo chmod 755 /etc/init.d/eth0-mtu
sudo chown root:root /etc/init.d/eth0-mtu

2. Allow the script to be executed by sudo without password. Run sudo visudo and add the following line:

%sudo   ALL=NOPASSWD:   /etc/init.d/eth0-mtu

3. Create a startup shortcut. Press Win + R, enter shell:startup, in the open directory create a short cut with the following command:

"C:\path\to\your\distro.exe" run sudo /etc/init.d/eth0-mtu

To find path to your distro:

1. Run your wsl terminal.
2. Start "Task Manager" and select "More details" at the bottom of task manager window.
3. In the process tree find your distro, right-click on it and select "Open file location".

Inspired by https://adrianstoll.com/tips-and-tricks/running-services-at-startup-windows-subsystem-for-linux.html

[bastaramus]

Hi guys
I've developed a simple script that can help you to deal with conection issue from WSL2:
https://gist.github.com/bastaramus/3d5f1326835fe111d5ea9684c41a6675
You need to run this script as an Administrator on your Windows machine each time when you was connected to the CheckPoint VPN. And you don't need to disable any interfaces or reconnect to VPN. Just launch this script
I don't know is there any way in Windows to automatically launch this script after VPN connection was established. It would be great if somebody can help with this

[AmmarRahman]

@d-ryzhikov solution seem to be working in principle. I have tried the new found WSL boot script support for doing that and it seems to solve the situation as well. All what you need to do is to add

[boot]
command="ip link set dev eth0 mtu 1350"

to /etc/wsl.conf.

After a computer restart, WSL seems to be working fine with VPN on.

[eldar]

Hi, all. I'm experiencing the same issue when connecting to the VPN network at work using Cisco AnyConnect. The solution from the recent comments does not work for me. I edit the /etc/wsl.conf as described above and set the MTU size to 1350. Executing ip link gives me the following:

5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1350 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:15:5d:d1:c1:cb brd ff:ff:ff:ff:ff:ff

However ping google.com still gives me an error: ping: google.com: Temporary failure in name resolution. Am I missing something else?

Thank you.

[smerschjohann]

I came up with a different solution, as I seem to have a different problem than the other posts here.

In my situation the endpoint firewall was in the way, For virtualbox etc. the company excluded some ip addresses from these rules exactly for such internal purposes. So I had to use one of these ip addresses to allow internet access.

I do that with the following scripts (e.g. 192.168.123.100/32 is your excluded IP address)

Windows / Powershell

A small powershell script which adds a route to the vSwitch to route traffic to the ip range/single IP excluded in the checkpoint firewall.

$wslIfdx = (Get-NetAdapter -Name "vEthernet (WSL)").ifIndex
$wslIfAddr = $(Write-Output (Get-NetIPAddress -InterfaceIndex $wslIfdx).IPv4Address)[1]
New-NetRoute -DestinationPrefix "192.168.123.100/32" -InterfaceIndex $wslIfdx -NextHop $wslIfAddr

Linux / WSL2

A script that switches the activate IP address of the system, it turned out that I didn't need to change the /etc/resolv.conf (DNS resolution) that may vary in your setup.

#!/bin/bash

ip=$(hostname -I)

sudo ip addr add 192.168.123.100/32 dev eth0
sudo ip addr delete $ip dev eth0;
sudo ip link set mtu 1350 dev eth0 # needed to connect to IPs behind VPN

[tedjp]

@baruchiro /etc/resolv.conf not /etc/resolve.conf

[barroudjo]

Just dropping by to say that with socat and a local proxy you can circumvent altogether this problem, at least for http calls:

1. set your WSL http_proxy env var to point to a socat TCP listening process:
   http_proxy=http://localhost:8118

2. launch socat to listen and forward (through binary communication) to a socat (socat cygwin) in windows the tcp calls:
   socat tcp-listen:8118,fork,reuseaddr exec:"/mnt/c/Workspace/socat/socat.exe - tcp\:localhost\:8118"

3. run a proxy server (for example privoxy, or winfoom / px if you need to go through a corporate proxy with cntlm authentification) on your windows host, at the same 8118 port

4. you also need to configure the http proxy for apt-get to http://localhost:8118 in /etc/apt/apt.conf.d/proxy.conf:
   Acquire::http::Proxy "http://127.0.0.1:8118";

It's a workaround, but it's robust, and it should work for all cases. Doesn't matter which vpn, if you have connectivity in windows you will have it in WSL.
To make it clean obviously you should autostart the socat process. I have a solution but it's not the cleanest and I'm sure people here more competent than I can propose something better !

[smerschjohann]

@barroudjo Yes for a specific additional customer VPN I had to use a similiar setup. But I use the docker magic for that.

Docker Desktop does a very good job to circumvent the WSL2 quirks by some tun/tap magic, so you can just start a squid proxy in docker. So I came up with the following:

docker run --name squid -d -p 3128:3128 datadog/squid

export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:3128

Done!

[barroudjo]

@smerschjohann that's a good one ! A bit simpler than my solution too (you just have to install docker desktop) ! And you could improve it just a bit by using a non-caching smaller proxy: https://hub.docker.com/r/vimagick/tinyproxy.

[fryzhykau]

I had the same behavior - connection via https/443 didn't work on WSL2, giving:

>wget https://github.com/kubeflow/manifests/archive/ebeb4c285a0cf49750c4f07015b58cc27ca4c3a1.tar.gz
--2021-03-01 20:24:44-- https://github.com/kubeflow/manifests/archive/ebeb4c285a0cf49750c4f07015b58cc27ca4c3a1.tar.gz
Resolving github.com (github.com)... 140.82.112.3
Connecting to github.com (github.com)|140.82.112.3|:443... failed: Connection timed out.
Retrying.

However it worked on WSL1.
Windows 10 Pro: Version 10.0.19042 Build 19042 (latest till now on my laptop - Dell XPS 17).
I have OpenVPN installed as well, however behavior didn't change whether I have VPN connection established or not.
All above methods (including thread in #4246, except latest one in this thread - around proxy) didn't help.

Interestingly enough - for me it turned out to be the Symantec Endpoint Protection antivirus... Not sure yet what exactly it blocks - will try to find.
When protection was disabled - things started to work as expected..

[ecool]

Alright, so I've been wanting to use WSL 2 for a while now and the only thing stopping me is the VPN connectivity issue. I found something that I'm not sure if others have because I haven't found any posts in the issues I've been looking through and figured I should throw this in here as a possible reason for the issue with VPN connectivity issues.

I have tried a lot of the workarounds except for the metric modification because I don't want my system to "disable/ignore" my VPN. From what I understand of the metric value is that it is a priority system and if you increase the metric on a VPN to higher than your outgoing internet nic you are basically routing 0 traffic through the VPN. (If I am misunderstanding this, please let me know).

So, I've been looking into the Hyper-V Virtual Switch and while trying to create an external switch /(or modifying the WSL one) the external network interfaces list does not show the VPN interface image. I am using Private Internet Access as my VPN connection and as shown in the image is not in the selection list.

I hope this helps with figuring out if there might be an issue with the Virtual Switch instead of with the WSL networking in general.

Just some extra info showing that DNS resolving is working fine (for some reason)[this is a fresh Ubuntu 20.04 WSL 2 install].

> curl -L ip.me -v
*   Trying 134.209.78.99:80...
* TCP_NODELAY set
* connect to 134.209.78.99 port 80 failed: Connection timed out
* Failed to connect to ip.me port 80: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to ip.me port 80: Connection timed out

> ip route
default via 172.17.40.145 dev eth0
172.17.40.144/28 dev eth0 proto kernel scope link src 172.17.40.147

> ping 172.17.40.145
PING 172.17.40.145 (172.17.40.145) 56(84) bytes of data.
64 bytes from 172.17.40.145: icmp_seq=1 ttl=128 time=0.317 ms
64 bytes from 172.17.40.145: icmp_seq=2 ttl=128 time=0.441 ms
64 bytes from 172.17.40.145: icmp_seq=3 ttl=128 time=0.292 ms
^C
--- 172.17.40.145 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2113ms
rtt min/avg/max/mdev = 0.292/0.350/0.441/0.065 ms

> ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
^C
--- 1.1.1.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4185ms

[famod]

@barroudjo & @smerschjohann many thanks for your proxy ideas!

We (@tkalmar and I) also added a dante socks proxy so that we can SSH to other machines in our corporate network.
So we now have a docker-compose setup that starts both dante and tinyproxy in containers.
We might share the entire setup later but we want to give it more "baking time" first.

[wesleymusgrove]

@MartinCaccia

I carefully followed all these steps and I'm able to ping external sites from WSL2, but I can't curl or wget them for some reason.

ping works:

$ ping example.com
PING example.com (93.184.216.34) 56(84) bytes of data.
64 bytes from 93.184.216.34 (93.184.216.34): icmp_seq=1 ttl=54 time=54.5 ms
64 bytes from 93.184.216.34 (93.184.216.34): icmp_seq=2 ttl=54 time=55.4 ms
64 bytes from 93.184.216.34 (93.184.216.34): icmp_seq=3 ttl=54 time=55.7 ms
64 bytes from 93.184.216.34 (93.184.216.34): icmp_seq=4 ttl=54 time=53.5 ms
64 bytes from 93.184.216.34 (93.184.216.34): icmp_seq=5 ttl=54 time=54.9 ms
^C
--- example.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 53.563/54.846/55.704/0.765 ms

curl does not work:

$ curl -v https://www.example.com
* Rebuilt URL to: https://www.example.com/
*   Trying 93.184.216.34...
* TCP_NODELAY set
* connect to 93.184.216.34 port 443 failed: Connection refused
*   Trying 2606:2800:220:1:248:1893:25c8:1946...
* TCP_NODELAY set
* Immediate connect fail for 2606:2800:220:1:248:1893:25c8:1946: Network is unreachable
*   Trying 2606:2800:220:1:248:1893:25c8:1946...
* TCP_NODELAY set
* Immediate connect fail for 2606:2800:220:1:248:1893:25c8:1946: Network is unreachable
* Failed to connect to www.example.com port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to www.example.com port 443: Connection refused

In addition to using Cisco AnyConnect VPN on my Windows 10 host, all my traffic also goes through a Zscaler proxy running on Windows on http://localhost:9000. That means that while I'm connected to my VPN, in Windows I also have to specify HTTP_PROXY=http://localhost:9000 pretty much everywhere you can imagine so that things can access the internet. Inside of WSL, I'm able to refer to this Zscaler proxy as http://host.docker.internal:9000. However I'm getting this error: curl: (56) Recv failure: Connection reset by peer and I don't know at what layer it's failing...

curl -v -x http://host.docker.internal:9000 https://www.example.com
* Rebuilt URL to: https://www.example.com/
*   Trying 10.99.148.144...
* TCP_NODELAY set
* Connected to host.docker.internal (10.99.148.144) port 9000 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.example.com:443
> CONNECT www.example.com:443 HTTP/1.1
> Host: www.example.com:443
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
>
* Recv failure: Connection reset by peer
* Received HTTP code 0 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

In, Powershell, if I run wsl hostname -I, the IP of my Windows host is 172.25.167.201, but trying to use this proxy as 172.25.167.201:9000 instead of http://host.docker.internal:9000 inside WSL doesn't work. So I don't think that's the correct way to go about doing this.

$ curl -v -x 172.25.167.201:9000 https://www.example.com
* Rebuilt URL to: https://www.example.com/
*   Trying 172.25.167.201...
* TCP_NODELAY set
* connect to 172.25.167.201 port 9000 failed: Connection refused
* Failed to connect to 172.25.167.201 port 9000: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 172.25.167.201 port 9000: Connection refused

Any thoughts or suggestions?

[AmmarRahman]

I just came across this https://github.com/sakai135/wsl-vpnkit. It seems to be working perfectly

[AmmarRahman]

I have created a script to simplify the solution above for our corporate machines. I have adapted it to be more generic on

https://github.com/AmmarRahman/wsl-vpn

Please feedback if this work for you.

[andyneff]

Thank you @sakai135 and @AmmarRahman! This is exactly what I've been looking for. Thank you vpnkit for showing Microsoft how to fix their product

I can confirm this works with Sonicwall using NetExtender (10.2.309, but I doubt the version matters). I no longer have to use the broken MobileConnect.

[jcmendez-guerrero]

It's a metric issue, WSL has a too greater metric and it is not preferred. Changing the WSL network interface to 1 worked for me

Get-NetIPInterface -InterfaceAlias "vEthernet (WSL)" | Set-NetIPInterface -InterfaceMetric 1
$VPNInterfaceName = "Ethernet 3"
Get-NetIPInterface -InterfaceAlias $VPNInterfaceName | Set-NetIPInterface -InterfaceMetric 5001

Check if your if aliases are the same as I used here, before running these commands. You can do that with: Get-NetIPInterface

just a comment at least for Globalprotect users. you may need to have priorities like WLS -> VPN -> Local Network, otherwise you may end with the DNS changed in order in the windows machine.
e.g:

Get-NetIPInterface -InterfaceAlias "vEthernet (WSL)" | Set-NetIPInterface -InterfaceMetric 1
Get-NetIPInterface -InterfaceAlias "WiFi" | Set-NetIPInterface -InterfaceMetric 6000
Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "PANGP Virtual Ethernet Adapter"} | Set-NetIPInterface -InterfaceMetric 5000

[ionutvilie]

removing comment, refreshed windows 2 times, could not replicate first working sollution, i probably did not payed attention and it was WSL1

[galindroasml]

@idsergiu provided the best and most simpler solution.
Nevertheless, I had to use this tool from the comment of @baruchiro about the DNS resolution problem.

Thank you very much guys!

[galindroasml]

Before I forget: today I restarted my PC and I connected to Cisco VPN before login to Windows (it is possible in the windows logon page). Then, even applying what I decribed in my previous post, it didn't worked.

Then, what I did to fix it was:

1 - Disconect from VPN
2 - Connect to the VPN again
3 - Change the interface metric (with admin rights):

Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 5001
Get-NetIPInterface -InterfaceAlias "vEthernet (WSL)" | Set-NetIPInterface -InterfaceMetric 1

4 - Run this tool within the WSL.

[firegate22]

Before I forget: today I restarted my PC and I connected to Cisco VPN before login to Windows (it is possible in the windows logon page). Then, even applying what I decribed in my previous post, it didn't worked.

Then, what I did to fix it was:

1 - Disconect from VPN
2 - Connect to the VPN again
3 - Change the interface metric (with admin rights):

Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 5001
Get-NetIPInterface -InterfaceAlias "vEthernet (WSL)" | Set-NetIPInterface -InterfaceMetric 1

4 - Run this tool within the WSL.

Appreciate that you want to help, but please stick to #4277 for Cisco.

[yoda-br]

I'm using Windows 10 Pro, version 21H1, compilation 19043.1110, Windows Feature Experience Pack 120.2212.3530.0 and Ubuntu 20.04 on WSL2. When I connect to my corporate VPN using Check Point Mobile client, Ubuntu on WSL2 can't access any machine on VPN. Access to my home network and Internet remains okay, but I can't reach any machine on VPN. Does anybody knows how to fix it?

[K2ouMais]

It's a metric issue, WSL has a too greater metric and it is not preferred. Changing the WSL network interface to 1 worked for me
Get-NetIPInterface -InterfaceAlias "vEthernet (WSL)" | Set-NetIPInterface -InterfaceMetric 1
$VPNInterfaceName = "Ethernet 3"
Get-NetIPInterface -InterfaceAlias $VPNInterfaceName | Set-NetIPInterface -InterfaceMetric 5001
Check if your if aliases are the same as I used here, before running these commands. You can do that with: Get-NetIPInterface

just a comment at least for Globalprotect users. you may need to have priorities like WLS -> VPN -> Local Network, otherwise you may end with the DNS changed in order in the windows machine.
e.g:

Get-NetIPInterface -InterfaceAlias "vEthernet (WSL)" | Set-NetIPInterface -InterfaceMetric 1
Get-NetIPInterface -InterfaceAlias "WiFi" | Set-NetIPInterface -InterfaceMetric 6000
Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "PANGP Virtual Ethernet Adapter"} | Set-NetIPInterface -InterfaceMetric 5000

Do we have to run this after every reboot?

I am asking because we use GlobalProtect on our company laptops and dont have admin rights to run this command every time.

Thanks

[jcmendez-guerrero]

Do we have to run this after every reboot?

Actually you need to run every time you connect the VPN. I haven't been able to find a way to keep the values permanent or without the need of elevated rights

[andyneff]

Do we have to run this after every reboot?

Many VPN clients have the ability to run a post connection script, https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-apps/deploy-app-settings-transparently/customizable-app-settings/script-deployment-options.html, however I'm not sure if that will be able to run with the rights you need (I supposed that depends on how GlobalProtect works)

If your Admins are willing to setup this up for you, they can

1. As an admin, Create a task in "Task Scheduler" that will do what you need. Make sure it's configured to run with admin privileges. Usually this means "Run as SYSTEM user, and check the "Run with highest privileges", but they may have another user account designed for this purpose.
2. "Allow task to be run on demand" must be on
3. No trigger needs to be setup
4. Action would run a command (or script) to set your settings.
5. Have the admin give you permission to run the task (I think this is automatic, I don't remember)

Now this means you'll have permission to run an "elevated" task. This is the closest to a "windows sudo" list I know of.

There's a command. As a user, you can create a shortcut to run SCHTASKS.EXE /RUN /TN "task name", and now you can run that task that needs admin, as a non-admin any time you want.

---

I used to think this would help, but on second glance, it will not, it's kind of solves an opposite problem
https://docs.microsoft.com/en-us/powershell/module/vpnclient/add-vpnconnectiontriggerapplication?view=windowsserver2019-ps

[aderuelle]

Hi @wesleymusgrove,

In addition to using Cisco AnyConnect VPN on my Windows 10 host, all my traffic also goes through a Zscaler proxy running on Windows on http://localhost:9000. That means that while I'm connected to my VPN, in Windows I also have to specify HTTP_PROXY=http://localhost:9000 pretty much everywhere you can imagine so that things can access the internet. Inside of WSL, [...] . However I'm getting this error: curl: (56) Recv failure: Connection reset by peer and I don't know at what layer it's failing...

curl: (56) Recv failure: Connection reset by peer

I'm facing the same issue here (win10 20H2 + WSL2 + Zscaler client connector 3.1.0.96)

• added firewall rules to allow WSL access port 9001 on host
• added netsh interface portproxy to proxy on host address 10.90.161.68
• changed interface metrics
• set http_proxy/https_proxy in WSL guest

curl on host through proxy => OK
curl on WSL guest =>

$ curl  -v https://www.google.com/
* Uses proxy env variable https_proxy == '10.90.161.68:9001'
*   Trying 10.90.161.68:9001...
* Connected to 10.90.161.68 (10.90.161.68) port 9001 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.78.0
> Proxy-Connection: Keep-Alive
> 
* Recv failure: Connection reset by peer
* Received HTTP code 0 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

Were you able to solve it ?

[yalopov]

I have created a script to simplify the solution above for our corporate machines. I have adapted it to be more generic on

https://github.com/AmmarRahman/wsl-vpn

Please feedback if this work for you.

Works like a charm, thank you

[thcuvelier]

Using also Zscaler proxy running on Windows on http://localhost:9000. and having the same problem than @aderuelle
Any idea how to solve this