DEV Community

Tim Bachmann

Posted on • Originally published at tiim.ch on

Fix Network Connectivity in WSL2 with Cisco AnyConnect VPN

I recently ran into the problem that when the Cisco AnyConnect VPN is connected, the network connectivity inside of WSL2 stops working. I found a bunch of solutions online for it: most just focus on the fact that the VPN DNS settings are not applied inside WSL2 and therefore no domain names can be resolved. I additionally had the issue that the WSL2 network interface somehow gets disconnected when the VPN starts.

I will show you how I fixed this problem for me and explain what the commands I used do. This post is mostly for my reference, but I hope it helps anyone else as well.

Finding out what your problem is

Let's check first whether we have internet access inside WSL2 at all. For this, run the ping command with an IP address as the destination; this tests routing without involving DNS:

ping 8.8.8.8

If you get output like this, your internet connection is fine and only the DNS nameserver addresses are misconfigured; you can jump forward to Solution 2.

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=108 time=4.53 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=108 time=3.94 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=108 time=3.97 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=108 time=3.78 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=108 time=3.77 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=108 time=3.76 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=108 time=3.81 ms

If you don't get any responses from the ping (i.e. no more output after the PING 8.8.8.8 (8.8.8.8) ... line), packets from WSL are not being routed at all and you need to adjust the interface metrics of the WSL and VPN network adapters. Go to Solution 1.

To check if the DNS is working, we can again use the ping command, this time with a domain name:

ping google.com

If you get responses, the DNS and your internet connection are working! If not, go to Solution 2.

Solution 1: Fixing the Network Adapter

Run the following two commands in PowerShell as administrator:

# Push the VPN adapter to the back of the line (a higher metric means less preferred);
# the adapter is picked by its driver description
Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 4000

# Make the WSL virtual switch the most preferred adapter (metric 1); it is picked by its alias
Get-NetIPInterface -InterfaceAlias "vEthernet (WSL)" | Set-NetIPInterface -InterfaceMetric 1

Let me explain what those two commands do. Both follow the same pattern: pick out one adapter (by its driver description in the first command, by its alias in the second) and set its interface metric.

You can imagine an adapter as a virtual network port on the back of your PC or laptop. Instead of sending packets down a wire, the driver behind a virtual port can do whatever it wants with them; in the case of a VPN, the packets are encrypted and forwarded to the internet via another adapter.

The InterfaceMetric is a value associated with each adapter that Windows uses to rank adapters against each other: when more than one adapter has a route covering a destination, the adapter with the lowest metric wins.

By setting the interface metric of the Cisco adapter to 4000 and the metric of the WSL adapter to one, we make the WSL adapter the preferred path whenever the two disagree about how to reach WSL's subnet, so the host can still deliver packets to the WSL2 VM while WSL's outbound traffic is forwarded through the Cisco adapter. To be honest I do not exactly understand why this works but it does.
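As an added example (not the post's own script), here is the same metric change wrapped in the checks a practitioner would want: it matches the WSL adapter by the prefix "vEthernet (WSL" because the full name differs between Windows builds, prints both adapters' metrics before and after, asks Windows which interface it now uses for a public address, and lists the routes left on the WSL adapter. The adapter description "Cisco AnyConnect" and the name prefix are assumptions; adjust the patterns if yours differ. Run it in an elevated PowerShell:

```powershell
#Requires -RunAsAdministrator
# Added example, not the post's own script. Assumed: the VPN adapter's description
# contains "Cisco AnyConnect" and the WSL adapter's name starts with "vEthernet (WSL".

$vpn = @(Get-NetAdapter | Where-Object { $_.InterfaceDescription -match 'Cisco AnyConnect' })
$wsl = @(Get-NetAdapter | Where-Object { $_.Name -like 'vEthernet (WSL*' })

if ($vpn.Count -eq 0) { throw 'No Cisco AnyConnect adapter found. Is the VPN client installed?' }
if ($wsl.Count -eq 0) { throw 'No "vEthernet (WSL" adapter found. Start a WSL2 distro once so it exists.' }

$indexes = @($vpn.ifIndex) + @($wsl.ifIndex)

function Show-Metrics {
    # One row per adapter and address family. Lower InterfaceMetric = preferred.
    Get-NetIPInterface -InterfaceIndex $indexes |
        Sort-Object InterfaceAlias, AddressFamily |
        Format-Table InterfaceAlias, AddressFamily, InterfaceMetric, ConnectionState -AutoSize
}

Write-Host 'Metrics before:'
Show-Metrics

# The change from Solution 1: VPN adapter far back, WSL adapter first
Set-NetIPInterface -InterfaceIndex $vpn.ifIndex -InterfaceMetric 4000
Set-NetIPInterface -InterfaceIndex $wsl.ifIndex -InterfaceMetric 1

Write-Host 'Metrics after:'
Show-Metrics

# Which interface the host now uses for a public address: the VPN adapter under a
# full-tunnel policy, otherwise your physical NIC. It must not be the WSL adapter.
$via = (Find-NetRoute -RemoteIPAddress '8.8.8.8' | Select-Object -First 1).InterfaceAlias
Write-Host "Host traffic to 8.8.8.8 leaves via: $via"

# The on-link route for WSL's NAT subnet has to stay on the WSL adapter
Get-NetRoute -InterfaceIndex $wsl.ifIndex -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -notmatch '^(224\.|255\.)' } |
    Format-Table DestinationPrefix, NextHop, RouteMetric -AutoSize
```

If the "Metrics after" table still shows the old values, the shell was not elevated; Set-NetIPInterface silently needs administrator rights for these adapters.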

Solution 2: Registering the VPN DNS inside of WSL

Setting the DNS servers is, unfortunately, a little more involved than running two commands: we need to edit the files /etc/wsl.conf and /etc/resolv.conf, and restart WSL in between. Let's get to it:

Edit the file /etc/wsl.conf inside of WSL2 using a text editor. I suggest doing this through the terminal since you need root permissions to do that:

sudo nano /etc/wsl.conf
# feel free to use another editor such as vim or emacs

Most likely this file does not exist yet. If it does, I suggest you create a backup of the original file to preserve its settings.

Add the following config settings into the file:

[network]
generateResolvConf = false

This will instruct WSL to not override the /etc/resolv.conf file on every start-up. Save the file and restart WSL with the following command so that the changed config takes effect:

wsl.exe --shutdown

Now open a PowerShell terminal and list all network adapters with the following command:

ipconfig /all

Find the Cisco AnyConnect adapter and copy the IP addresses listed under DNS Servers (the field can span several lines, one address per line). We will need those IPs in the next step.

Start WSL again and edit the /etc/resolv.conf file:

sudo nano /etc/resolv.conf

Most likely there is already something in this file; you can discard it. You don't need to back it up: when undoing the changes, WSL regenerates this file automatically.

Delete all the contents and enter the IP addresses you noted down in the last step in the following format:

nameserver xxx.xxx.xxx.xxx

Put each address on a new line, preceded by the string nameserver. Save the file and restart WSL with the same command as above:

wsl.exe --shutdown

Now open up WSL for the last time and set the immutable flag on /etc/resolv.conf so that nothing, WSL included, can overwrite it. This needs root. If /etc/resolv.conf is a symlink in your distribution (ls -l /etc/resolv.conf shows an arrow), chattr will refuse with "Operation not supported"; in that case remove the link with sudo rm /etc/resolv.conf, recreate it as a regular file with the same nameserver lines, and then run:

sudo chattr +i /etc/resolv.conf

And for the last time shut down WSL. Your DNS should now be working fine! Keep in mind that these resolvers are usually only reachable through the tunnel, so name resolution inside WSL2 will fail again while the VPN is disconnected; the steps to undo this are below.
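The whole of Solution 2 can also be driven from the Windows side once /etc/wsl.conf is in place. The following script is an added example, not the post's own code. It assumes the adapter description contains "Cisco AnyConnect", that /etc/wsl.conf already contains generateResolvConf = false (it checks and stops otherwise), and that root in the default distro is reachable through wsl.exe -u root. It reads the VPN's IPv4 DNS servers (the same values ipconfig /all shows), writes them as nameserver lines into /etc/resolv.conf, and sets the immutable flag. It replaces the file rather than editing it in place because some distributions ship /etc/resolv.conf as a symlink under WSL and chattr cannot pin a symlink:

```powershell
# Added example, not the post's own script. Run in PowerShell while the VPN is connected.
# Assumed: VPN adapter description contains "Cisco AnyConnect"; default distro; root via wsl.exe -u root.

$vpn = @(Get-NetAdapter | Where-Object { $_.InterfaceDescription -match 'Cisco AnyConnect' })
if ($vpn.Count -eq 0) { throw 'Cisco AnyConnect adapter not found. Connect the VPN first.' }

# IPv4 resolvers the VPN pushed to this adapter
$dns = @((Get-DnsClientServerAddress -InterfaceIndex $vpn[0].ifIndex -AddressFamily IPv4).ServerAddresses)
if ($dns.Count -eq 0) { throw 'The VPN adapter has no IPv4 DNS servers configured.' }

# The VPN's connection-specific suffix lets short hostnames resolve in WSL as they do on Windows
$suffix = (Get-DnsClient -InterfaceIndex $vpn[0].ifIndex).ConnectionSpecificSuffix

# Refuse to continue if WSL would regenerate the file at the next start anyway
wsl.exe -u root -- sh -c "grep -Eq '^\s*generateResolvConf\s*=\s*false' /etc/wsl.conf 2>/dev/null"
if ($LASTEXITCODE -ne 0) {
    throw 'Set generateResolvConf = false in /etc/wsl.conf and run wsl.exe --shutdown first.'
}

# Compose resolv.conf. PowerShell's pipe to a native command adds CRLF, which tr strips below.
$lines = @($dns | ForEach-Object { "nameserver $_" })
if ($suffix) { $lines += "search $suffix" }
$body = $lines -join "`n"

# Replace the file as root: drop the immutable flag if set, remove the old file or symlink,
# write a regular file from stdin, pin it, and print it back for verification.
$body | wsl.exe -u root -- sh -c "chattr -i /etc/resolv.conf 2>/dev/null; rm -f /etc/resolv.conf && tr -d '\r' > /etc/resolv.conf && chattr +i /etc/resolv.conf && cat /etc/resolv.conf"
if ($LASTEXITCODE -ne 0) { throw 'Writing /etc/resolv.conf inside WSL failed.' }

Write-Host 'Done. Run "wsl.exe --shutdown" and start WSL again.'
```

If the distro you use is not the default one, add -d <DistroName> to both wsl.exe calls. The script is safe to rerun after reconnecting to a VPN that hands out different resolvers, since it clears the immutable flag before rewriting the file.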

Undoing those changes

I did not have a need to undo the steps for Solution 1, and I'm pretty sure the metric resets after each system reboot anyway so there is not much to do.

To get DNS working again when not connected to the VPN run the following commands:

sudo chattr -i /etc/resolv.conf
sudo rm /etc/resolv.conf
sudo rm /etc/wsl.conf
wsl.exe --shutdown

This will first clear the immutable flag on /etc/resolv.conf and delete the file. Next, it deletes /etc/wsl.conf; if you have a backup of a previous wsl.conf, restore that instead. Finally, we shut down WSL again for the changes to take effect.

Unfortunately, this is quite a procedure to get a VPN to work with WSL2, but I'm hopeful that this will soon not be necessary anymore.

Top comments (2)

Soern • Edited

Ethernet adaptor names are different on my machine - it's vEthernet (WSL something...). So the solution 1 query needs to be a bit different.

This did the trick:

Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"}  | Set-NetIPInterface -InterfaceMetric 4000
Get-NetIPInterface | Where-Object {$_.InterfaceAlias -Match "vEthernet \(WSL"} | Set-NetIPInterface -InterfaceMetric 1
magoerlich

Update almost a year later: This is still necessary.