Can not connect to internet in WSL 2

[Fubuchi]

This happen on almost all official WSL distros (suse, debian, ubuntu) . I have not tried kali yet but i think the result will be the same.

This is the report on ubuntu:

• Windows build number: 10.0.18932.1000

• What you're doing and what's happening:

  • try to run sudo apt-get update

• What's wrong / what should be happening instead:

  • Error message:

  Err:1 http://archive.ubuntu.com/ubuntu bionic InRelease
  Temporary failure resolving 'archive.ubuntu.com'
  Err:2 http://security.ubuntu.com/ubuntu bionic-security InRelease
  Temporary failure resolving 'security.ubuntu.com'
  Err:3 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
  Temporary failure resolving 'archive.ubuntu.com'
  Err:4 http://archive.ubuntu.com/ubuntu bionic-backports InRelease
  Temporary failure resolving 'archive.ubuntu.com'
  Reading package lists... Done

  • This seem like a dns issue, this is the content of my resolv.conf:

  # This file was automatically generated by WSL. To stop automatic generation of this file, add the following entry to /etc/wsl.conf:
  # [network]
  # generateResolvConf = false
  nameserver 172.22.64.1

  • Run ipconfig from cmd and overwrite resolv.conf with the dns I get from ipconfig. Run apt-get update again. Host name can be resolved now, but get another error:

  Err:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
  Cannot initiate the connection to security.ubuntu.com:80 (2001:67c:1560:8001::11). - connect (101: Network is unreachable) Cannot initiate the connection to security.ubuntu.com:80 (2001:67c:1562::19). - connect (101: Network is unreachable) Cannot initiate the connection to security.ubuntu.com:80 (2001:67c:1360:8001::17). - connect (101: Network is unreachable) Cannot initiate the connection to security.ubuntu.com:80 (2001:67c:1360:8001::21). - connect (101: Network is unreachable) Cannot initiate the connection to security.ubuntu.com:80 (2001:67c:1560:8001::14). - connect (101: Network is unreachable) Could not connect to security.ubuntu.com:80 (91.189.88.149), connection timed out Could not connect to security.ubuntu.com:80 (91.189.91.26), connection timed out Could not connect to security.ubuntu.com:80 (91.189.88.31), connection timed out Could not connect to security.ubuntu.com:80 (91.189.88.162), connection timed out Could not connect to security.ubuntu.com:80 (91.189.88.24), connection timed out Could not connect to security.ubuntu.com:80 (91.189.91.23), connection timed out
  ....

  • Try disable firewall, still the same error. I only use window defender, no other antivirus.

  • I convert my distro back to WSL 1 and every network command work fine. The content of resolv.conf in WSL 1 is surprisingly the same as when I overwrite the one in WSL 2

  • Expected: commands that require internet work as WSL 1

• Strace of the failing command, if applicable: can't, strace has not been installed yet beacause no internet. (I run strace on debian and got the command not found error, so I think ubuntu doesn't have them pre installed too). The log is quite long (3k+ lines) so I put them in a file:
  apt-strace.log

[jameslao]

I have a similar issue. Strangely it worked when I first convert to WSL2, but no longer works after a reboot.

For me, the windows hosts generates a WSL ethernet card:

    IP: 192.168.112.1
    Mask: 255.255.240.0

For the WSL ubuntu, ifconfig shows this:

    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
    inet 192.168.114.176  netmask 255.255.255.0  broadcast 192.168.114.255
    inet6 fe80::215:5dff:fe2e:c311  prefixlen 64  scopeid 0x20<link>
    ether 00:15:5d:2e:c3:11  txqueuelen 1000  (Ethernet)
    RX packets 379  bytes 37421 (37.4 KB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 13  bytes 1006 (1.0 KB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

when I try to use ping 192.168.112.1, it comes back with connect: Network is unreachable.

I feel the problem is with the netmask, but not sure how to deal with it given the DHCP.

[lidalve]

i also have this issue.When i convert the Ubuntu to wsl version 1, it can connect the Internet.
So i config the wsl vEthernet card,make it in the same netmask and reboot, but it doesn't work.Now i have removed the vethernet card, and i found it didn't be crearted any more...

[muhviehstah]

try ifconfig down and up

[heamaral]

I'm having this issue too.
ifconfig eth0 down and up doesn't solve the problem

[heamaral]

I think the problem is because I had another virtual machine in Hyper-V (Docker For Windows), and there was another network adapter with the name br-25ddfb4f166c and eth0 with the wrong ip.
I uninstalled Docker For Windows and restarted the LxssManager (net stop LxssManager, net start LxssManager) service, and now the adapter is working normally.
It may be some conflict with adapters from other virtual machines.

[heamaral]

The problem happened again. Restarting LxssManager does not resolve.

[rich-nahra]

Is it possible to inspect WSL2 virtual machine settings? Its not visible in hyper-v console.

[benhillis]

It is not a traditional VM so no. You can see it via hcsdiag.exe and container powershell apis though.

[ahmedyarub]

I had just to uninstall Docker for Windows, restart and the internet started working again in WSL 2! Note that I've uninstalled all virtualization applications last week, except for Hyper-V.

[samscott89]

I had the same issue too. network unreachable, and nothing can connect.

The following resolved my issues:

# ifconfig eth0 netmask 255.255.240.0
# ip route add default via <WSL ethernet address>    

(For me, ipconfig shows the WSL virtual eth address as 192.168.64.1.

---

Explanation:

I noticed that my $ ip addr didn't quite match my \>ipconfig:

$ ip addr show eth0
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:db:c0:c6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.76.46/24 brd 192.168.76.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fedb:c0c6/64 scope link tentative
       valid_lft forever preferred_lft forever

versus

 ipconfig                                                                                                                                                                                                                                                                                                                                                                                                                         Windows IP Configuration


Ethernet adapter vEthernet (WSL):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::f513:b32c:60d5:1200%87
   IPv4 Address. . . . . . . . . . . : 192.168.64.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :

Virtual ethernet has subnet mask 255.255.240.0.

So the first line changes it to the correct subnet mask.

# ifconfig eth0 netmask 255.255.240.0

For the second line, when I ran ip route, I saw:

$ ip route
192.168.64.0/20 dev eth0  proto kernel  scope link  src 192.168.76.46

Which basically means that only the 192.168.64.0/20 range is routable. Hence why network unreachable for a lot of the commands.
So the second one simply adds 192.168.64.1 as the default gateway for all routes:

# ip route add default via 192.168.64.1

Where the 192.168.64.1 matches the output of the windows ipconfig command for the WSL ipv4 address.

I don't know if this is the 100% correct approach, but it certainly fixes this issue for me.

[rich-nahra]

It is not a traditional VM so no. You can see it via hcsdiag.exe and container powershell apis though.

Thanks for the info. Anecdotally, it does feel like its related to docker networking.

I seem to have found an acceptable workaround. At login, it takes a while for docker to fully initialize. With that, I added a WSL2 process that uses networking at startup which finishes before docker is initialized. Specifically I'm exporting DISPLAY and loading an X window.

Working so far.

[Fubuchi]

@samscott89 ip route add default via give me a RTNETLINK answers: File exists . How can I make it work?

[samscott89]

@samscott89 ip route add default via give me a RTNETLINK answers: File exists . How can I make it work?

You might be fine without the second step then. After applying that step, I see:

$ ip route
default via 192.168.64.1 dev eth0
192.168.64.0/20 dev eth0  proto kernel  scope link  src 192.168.76.46

Where 192.168.64.1 should match whatever ipconfig showed as the WSL ip address.

You will probably need (at least) both lines. If the first line is already there, then either you are good to go, or the issue is elsewhere

[Fubuchi]

@samscott89 the ip address match with the ip in ipconfig but I still cannot ping or use curl. Hope MS address this issue asap because it is a blocker issue that prevent many user from trying and testing WSL 2

[samscott89]

What's the output of ipconfig (from cmd), and ip a and ip route on WSL?

[Fubuchi]

ipconfig :

Ethernet adapter vEthernet (WSL):

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 00-15-5D-DB-C8-62
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::99bf:aeb5:cdf6:d3d3%47(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.21.176.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 788534621
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-A6-3A-23-20-47-47-77-68-96
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1

ip a:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 4a:67:0b:ea:41:95 brd ff:ff:ff:ff:ff:ff
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:97:ad:4d brd ff:ff:ff:ff:ff:ff
    inet 172.21.183.22/16 brd 172.21.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fe97:ad4d/64 scope link
       valid_lft forever preferred_lft forever

ip route:

default via 172.21.176.1 dev eth0
172.21.0.0/16 dev eth0 proto kernel scope link src 172.21.183.22

[samscott89]

@samscott89 the ip address match with the ip in ipconfig but I still cannot ping or use curl. Hope MS address this issue asap because it is a blocker issue that prevent many user try and test WSL 2

But yeah, fully agree. It seems I might have lucked out that my problem was actually fixable. There are a ton of related networking problems this build.

[samscott89]

@Fubuchi The subnet mask looks wrong on yours as well. Should be 255.255.240.0 corresponding to /20, not /16. But I would expect it to work anyway.

[heamaral]

There is another problem I am experiencing in WSL 2, I do not know if it has any relation to this problem but my downloads often stop.

This also happens when I install some package with apt

[benhillis]

Good call on the subnet mask, I'll get that fixed.

[anoopchaurasia]

Steps From @samscott89

1. Open CMD.exe (windows not wsl) run ipconfig
2. Goto 'Ethernet adapter vEthernet (WSL):'
3. Copy 'Subnet Mask'
4. Goto wsl and run sudo ifconfig eth0 netmask 'Subnet Mask'
   5 Goto cmd and copy ' IPv4 Address'
5. Goto wsl and run sudo ip route add default via ' IPv4 Address'

[samscott89]

For the record, this is now fixed for me on build 18932.

[pauloscardine]

I have a similar issue. Strangely it worked when I first convert to WSL2, but no longer works after a reboot.

For me, the windows hosts generates a WSL ethernet card:

    IP: 192.168.112.1
    Mask: 255.255.240.0

For the WSL ubuntu, ifconfig shows this:

    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
    inet 192.168.114.176  netmask 255.255.255.0  broadcast 192.168.114.255
    inet6 fe80::215:5dff:fe2e:c311  prefixlen 64  scopeid 0x20<link>
    ether 00:15:5d:2e:c3:11  txqueuelen 1000  (Ethernet)
    RX packets 379  bytes 37421 (37.4 KB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 13  bytes 1006 (1.0 KB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

when I try to use ping 192.168.112.1, it comes back with connect: Network is unreachable.

I feel the problem is with the netmask, but not sure how to deal with it given the DHCP.

You are right, looks like this is a dupe of #3438

Try this:

$ sudo ifconfig eth0 netmask 255.255.240.0
$ sudo ip route add default via 192.168.112.1

Where 192.168.112.1 and 255.255.240.0 are the IP and netmask you got on the WSL interface (run ipconfig on windows and look for the WSL entry).

[tuananh]

I have a similar issue. Strangely it worked when I first convert to WSL2, but no longer works after a reboot.
For me, the windows hosts generates a WSL ethernet card:

    IP: 192.168.112.1
    Mask: 255.255.240.0

For the WSL ubuntu, ifconfig shows this:

    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
    inet 192.168.114.176  netmask 255.255.255.0  broadcast 192.168.114.255
    inet6 fe80::215:5dff:fe2e:c311  prefixlen 64  scopeid 0x20<link>
    ether 00:15:5d:2e:c3:11  txqueuelen 1000  (Ethernet)
    RX packets 379  bytes 37421 (37.4 KB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 13  bytes 1006 (1.0 KB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

when I try to use ping 192.168.112.1, it comes back with connect: Network is unreachable.
I feel the problem is with the netmask, but not sure how to deal with it given the DHCP.

You are right, looks like this is a dupe of #3438

Try this:

$ sudo ifconfig eth0 netmask 255.255.240.0
$ sudo ip route add default via 192.168.112.1

Where 192.168.112.1 and 255.255.240.0 are the IP and netmask you got on the WSL interface (run ipconfig on windows and look for the WSL entry).

this fixes the issue for me but i have to do that every time i started wsl VM.

is the real fix coming soon?

[tuananh]

ah, i just updated to insider 18963. the issue seems to be fixed in this build.

[Fubuchi]

Confirmed, it was fixed in the latest insider build.

[psalz]

I'm on 18963 and just ran into this issue, got it working with @samscott89's approach.

[tuananh]

I'm on 18963 and just ran into this issue, got it working with @samscott89's approach.

i'm on 18963 and wsl2 and the issue is fixed. are you using wsl1 by any chance?

[bitemarcz]

As @alekzg just disconnect VPN, close WSL and re-open it. I can't believe this hasn't been fixed yet. Anyone want to work on this fix together and get it pushed?

[alexanderluiscampino]

I can't believe windows... This needs to be fixed, wasted my whole morning on this. A simple VPN disconnect and reboot of WSL fixes it. wth going on here.

[chitinlink]

I don't have any sort of VPN enabled and I'm getting this.

[valorin]

Have you tried turning off Fast Start-Up in the System Settings -> Shut-down Settings?
I've written up the instructions here: https://stephenreescarter.net/wsl2-network-issues-and-win-10-fast-start-up/

[mabasic]

For anyone still struggling I have found that allowing incoming traffic on the public profile in the firewall instantly makes DNS resolution work in WSL without having to make any changes to /etc/resolv.conf or having to create /etc/wsl.conf file.

Windows Defender Firewall with Advanced Security -> Windows Defender Firewall Properties -> Public Profile -> Inbound Connections set to Allow.

My company uses Firewall to block certain ports which causes this issue. When I set this to allow all inbound connections DNS resolution inside WSL starts working instantly.

[xy-lin]

Windows Defender Firewall with Advanced Security -> Windows Defender Firewall Properties -> Public Profile -> Inbound Connections set to Allow.

This works for me. Many thanks!

[chitinlink]

I should note that for me what worked was uninstalling Check Point Endpoint Security. Even though the program itself wasn't running, uninstalling it fixed this.

[burberger]

The discussions on #4139 ended up fixing this for me. If your organization uses any of the security baseline policies that ship with Intune, firewall rules are likely the culprit as they implement a deny all incoming rule even for local only interfaces.

[janovesk]

You need to make sure that traffic from the network interface in your Linux distro inside WSL2 is routed to the WSL virtual network adapter on your Windows host. If it gets routed anywhere else, you don't get any connectivity to anything outside the Linux vm. Check your routes with route print on the Windows host.

VPN connections are notorious for messing that up. I wrote a post about the problem and how you can work around it here: https://janovesk.com/wsl/2022/01/21/wsl2-and-vpn-routing.html

[CubeFlix]

none of this helped but answer on stackoverflow helped

https://stackoverflow.com/a/64057835/1319799

wsl --shutdown
netsh winsock reset
netsh int ip reset all
netsh winhttp reset proxy
ipconfig /flushdns
netsh winsock reset
shutdown /r 

Thanks, that worked for me!

[ahmedshahriar]

In my case, I disabled Hyper-V then it worked finally!

[pmarcum]

I have questions regarding the potential solution provided. Basically, I don't know which commands get typed within Windows environment using powershell or cmd versus which get typed within the WSL environment. Could you clarify please?

ifconfig eth0 netmask 255.255.240.0 <-- type in powershell/cmd or in the WSL ?

ip route add default via <-- type in powershell/cmd or WSL?

I ask because the ip route command was not recognized by powershell or cmd, and when typed into the WSL (I had to use sudo, so that's also worth mentioning above for us newbies), I get "RTNETLINK answers: File exists"

[lwbaqueros]

check this solution. It worked for me after trying all the above suggestions.
Answer here.

[lndaquino]

Same issue when trying to access network from WSL2. I've uninstalled Docker Desktop on Windows end, rebooted, and it´s working again.

[gnusiva]

Step1:
run this command on powershell windows
Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object -ExpandProperty ServerAddresses | Foreach-Object { "nameserver $_" }
Step 2: copy the output of this command
Step 3: go to wsl and type
sudo vi /etc/resolv.conf
Step 4: comment the existing name server and paste the copied lines from step 2
Step 5: save and exit the file.
Step 6: ping the desired domain name and verify the connection.

[itsazzad]

I can ping; I can nslookup.
But neither can download nor upload for the last few days.

[javierportillo]

Hi! I've been dealing with this problem for a while, I've tried every solution possible with no results.
The only solution that finally fixed it was completely uninstalling Checkpoint VPN, I even tried to stop every service related to Checkpoint but what solved it at the end was uninstalling it. I even had a ping running in the background and as soon as I uninstalled Checkpoint the ping started to respond.

[itsazzad]

After factory resetting my TP-Link Wireless Router, the problem was solved. Weird!

[luejerry]

In case anyone's coming here from a google search like I did, for me it turns out that a Netgear router in default configuration was blocking WSL2 internet traffic. Switching to a Google WiFi router solved this issue for me. There's probably some setting in the Netgear router config that controls this but I did not investigate further.

[siva22]

I was getting below error while trying to run wsl --install
A connection with the server could not be established
Error code: Wsl/WININET_E_CANNOT_CONNECT

Solution: I got this error when using Jio mobile hotspot. i changed to airtel hotspot and it works fine. I dont know why it happened, but it works.

[guasam]

Fixed it by using following content in these files. If files don't exist by default, just create them with given content.

# /etc/resolv.conf
nameserver 8.8.8.8

# /etc/wsl.conf
[network]
generateResolvConf = false

Shutdown WSL and open it again:

wsl --shutdown

[oldmaspicyrabbit]

I have the similar issue. Then I found I just configured generateResolvConf to false in /etc/wsl.conf:

# /etc/wsl.conf
[network]
generateResolvConf = false
......

I update the generateResolvConf to true
Shutdown wsl and reopen it again.
It then back to normal.

[Sollace]

none of this helped but answer on stackoverflow helped
https://stackoverflow.com/a/64057835/1319799

wsl --shutdown
netsh winsock reset
netsh int ip reset all
netsh winhttp reset proxy
ipconfig /flushdns
netsh winsock reset
shutdown /r 

Thanks, that worked for me!

What worked for me was a combination of the above, and in Hyper-V Manager I made sure the switch was set to "Internal Network" (was Private Network). Don't set it to "External Network". I found that creates a bridge and then neither the host nor the guest have internet.

[plato1123]

To my astonishment resetting my router and dsl modem fixed this. I had not had to reset my router/modem in at least 6 months before this.

[BilalAhmed-358]

I had the same issue too. network unreachable, and nothing can connect.

The following resolved my issues:

# ifconfig eth0 netmask 255.255.240.0
# ip route add default via <WSL ethernet address>    

(For me, ipconfig shows the WSL virtual eth address as 192.168.64.1.

Explanation:

I noticed that my $ ip addr didn't quite match my \>ipconfig:

$ ip addr show eth0
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:db:c0:c6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.76.46/24 brd 192.168.76.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fedb:c0c6/64 scope link tentative
       valid_lft forever preferred_lft forever

versus

 ipconfig                                                                                                                                                                                                                                                                                                                                                                                                                         Windows IP Configuration


Ethernet adapter vEthernet (WSL):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::f513:b32c:60d5:1200%87
   IPv4 Address. . . . . . . . . . . : 192.168.64.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :

Virtual ethernet has subnet mask 255.255.240.0.

So the first line changes it to the correct subnet mask.

# ifconfig eth0 netmask 255.255.240.0

For the second line, when I ran ip route, I saw:

$ ip route
192.168.64.0/20 dev eth0  proto kernel  scope link  src 192.168.76.46

Which basically means that only the 192.168.64.0/20 range is routable. Hence why network unreachable for a lot of the commands. So the second one simply adds 192.168.64.1 as the default gateway for all routes:

# ip route add default via 192.168.64.1

Where the 192.168.64.1 matches the output of the windows ipconfig command for the WSL ipv4 address.

I don't know if this is the 100% correct approach, but it certainly fixes this issue for me.

Thank you this worked for me!!!

[oldravian]

@BilalAhmed-358 Thanks for the explanation. IN CMD, My IPV4 address is "172.19.0.1", when I run

sudo ip route add default via 172.19.0.1

I got this output "RTNETLINK answers: File exists"

my wsl2 is not connecting to internet.

btw, that command runs fine:
sudo ifconfig eth0 netmask 255.255.240.0

[kevinmnm]

For me, it was Norton's Smart Firewall causing this. I disabled it and problem was solved.

[mush42]

For me is a problem with the router. Resetting works.