DNS server coming from vpn network is not reflected in WSL

[asvetliakov]

• A brief description
  I've L2TP/IPsec vpn connection without default gateway set and own DNS server

• Expected results
  Bash should add VPN DNS IP to /etc/resolv.conf

• Actual results (with terminal output if applicable)
  No VPN DNS IP in /etc/resolve.conf . It works though if i set "use default gateway on remote network" (generally i don't want) setting in vpn configuration.

• Your Windows build number
  14965.1001

[sunilmut]

@asvetliakov - Thanks for reporting the issue. Yes, we are aware of issues with VPN, as you can also see in #416. We are actively working on a solution for this. @misenesi as FYI.

[misenesi]

Hi @asvetliakov, could you please provide output when you do:

ipconfig /all

?

I have a fix prepared for this, but need to verify that your VPN networking interface is reported as point-to-point interface.

[asvetliakov]

@misenesi

PS C:\Users\asvet> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Alexey-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Home

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : Home
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-V
   Physical Address. . . . . . . . . : E0-3F-49-AC-04-1E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5867:7e40:cdf2:456a%25(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.33(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, November 30, 2016 2:28:47 AM
   Lease Expires . . . . . . . . . . : Wednesday, November 30, 2016 2:28:47 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 65027913
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-92-04-D1-E0-3F-49-AC-04-1E
   DNS Servers . . . . . . . . . . . : 80.58.61.250
                                       80.58.61.254
   NetBIOS over Tcpip. . . . . . . . : Enabled

PPP adapter freechat.com:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : freechat.com
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.61.0.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.60.10.121
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-2F-01-1A-D1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 10:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:2cca:22a9:3f57:fede(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2cca:22a9:3f57:fede%19(Preferred)
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 318767104
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-92-04-D1-E0-3F-49-AC-04-1E
   NetBIOS over Tcpip. . . . . . . . : Disabled

The one with name 'freechat.com' is my VPN

[misenesi]

Thank you @asvetliakov . I have checked in a fix that will address some of the VPN DNS resolving issues, including yours. Currently for DNS resolving we update /etc/resolv.conf from the service. In this fix I added the capability to manually modify the /etc/resolv.conf file if you wish so, disabling its automatic regeneration.

However, due to how DNS resolving works for various VPN solutions, this fix will only work with strict force tunnel VPN that do not hide their DNS servers for privacy or security reasons. I have a proposal for better solution that is currently under discussion that would work for all VPN scenarios.

[blemasle]

@misenesi With creators update installed, the automic generation cannot be disabled on my system. Even if I remove the first line, it still get regenerated every single time. It's working for /etc/hosts though.

[sunilmut]

@blemasle - @misenesi is no longer with MSFT.
It looks like we screwed up the /etc/resolv.conf auto-generation logic, see @benhillis comment in #1908.

Here is the background. By default, bash.exe will auto-generate /etc/resolv.conf every time you launch bash.exe. Then it will try to keep it up to date with changes from Windows, when bash is running. It looks like if you remove the first line, we stop auto-update of the file while bash is running, but forgot to disable the logic to auto-generate during bash launch. We do apologize for the inconvenience and as @benhillis mentions in #1908, we are looking to improve the experience here.

[johnarban]

I don't know if this is still a problem for anyone else. I am on build 16232.rs_prerelease.170624-1334 using WSL with Ubuntu 16.04.2 LTS from the Windows Store and CISCO AnyConnect version 21.12020 , and I still can't connect. I tried removing the commented line in /etc/resolv.conf, but it still get's reset. I don't know if there has a been a fix posted yet, but I haven't found it online if it exists.

[mo18]

The problem I'm seeing is that the ordering of the dns servers is incorrect when the vpn is connected. as a reslult, I can't resolve any of the hosts behind the vpn. I'm running windows 15063.483 with Cisco Anyconnect. The dns bindings in windows are the following:

> Get-DnsClientServerAddress -AddressFamily ipv4 | Select-Object -ExpandProperty ServerAddresses
10.0.0.51
10.0.0.52
192.168.1.1

in ubuntu the are the following:

$ cat /etc/resolv.conf
# This file was automatically generated by WSL. To stop automatic generation of this file, remove this line.
nameserver 192.168.1.1
nameserver 10.0.0.51
nameserver 10.0.0.52
search home xyz.vpn

[sunilmut]

If you are connected to a VPN and lose connectivity within bash, please try the workaround posted here. It should work for Creators Update and above. Post Fall Creators Update, we will be looking at a better support for other VPN solutions.

Thanks to @bradley101, who first pointed out the workaround.

[johnarban]

Thank you that works around that. The only other thing is to get the list of domain suffixes, but that is 2nd order.

[nimbixler]

here's a more automatic workaround that works for me - in my case I only ever connect to one VPN at a time and its nameserver is at the very end of /etc/resolv.conf, which of course is no good.

YMMV but, first...

create a file in /etc/sudoers.d with allowing your username to run sudo with no password; you can restrict this to specific commands if you want but I do it for all (please adjust for your needs). For example let's say your username is linux, so create the file /etc/sudoers.d/00-linux (you can call this whatever you want), with the following text in it:

linux ALL=(ALL) NOPASSWD: ALL

you'll need to of course sudo to root to create that file. Be sure to replace "linux" with whatever your username is in WSL.

Close the shell and all instances of WSL and run a new one, and try it - type sudo -s
if you are not prompted for password, it worked. Otherwise please check the syntax.

Next, create this python file in your home directory = call it resolv_flip.py :

#!/usr/bin/python

if __name__ == '__main__':
    with open('/etc/resolv.conf', 'r') as f:
        lines = f.read().splitlines()
    ns = []
    other = []
    for i in lines:
        if i[:11] != 'nameserver ':
            other.append(i)
        elif i[11:][:2] == '8.':
            ns.append(i)
        else:
            ns.insert(0, i)
    with open('/etc/resolv.conf', 'w') as f:
        f.write('\n'.join(other) + '\n')
        f.write('\n'.join(ns) + '\n')

finally, add this to the end of your ~/.bashrc file:

sudo ~/resolv_flip.py

from that point forward every time you run the WSL shell it will flip the nameservers so that anything that doesn't start with 8. will be at the top, but it won't disturb the comment header that is used to autogenerate the file (because we need that information in order for this to work).

It's not perfect but it works fine for me, and it's dead simple.

Enjoy,
Leo Reiter

[zenithstorm]

@trallnag Thank you for the suggestion! I've been trying it for the past half hour or so, but no luck so far. I will keep fiddling with it.

[sanarena]

In my case, i set VPN network interface metric to 6000 and both vpn and internet within wsl is now working:
Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000
Cisco AnyConnect mentioned in command above is my VPN. yours could be different. along with the metric number.

and then used @cod3monk3y solution above for fixing DNS.

[spookyrecharge]

Don't forget to make /etc/resolv.conf file immutable after editing to avoid Windows overwrite it

chattr +i /etc/resolv.conf

I also was struggling with using wireguard tunnel
It was important to me since I'm using DoH on MikroTik wireguard server

[chrisdlangton]

This comment has the solution that worked best for me on WSL2
#2884 (comment)
Hope wsl-vpnkit helps you too

[marwin1991]

1. Find out nameserver with windows powershell (during VPN Session and without) using nslookup
2. USe sudo touch /etc/wsl.conf and sudo vim /etc/wsl.conf to add:

[network]                                                                        
generateResolvConf = false

3. Restart wsl (Windows powershell) using wsl --shutdown
4. Open WSL and remove using rm -f /etc/resolv.conf
5. Add new file sudo touch /etc/resolv.conf and sudo vim /etc/resolv.conf with:

nameserver X.X.X.X

nameserver Y.Y.Y.Y

6. Restart wsl (Windows powershell) using wsl --shutdown
7. Open WSL and remove using wget google.com and test some you corporate domain.

[2-X]

don't forget to make sure your VPN's nameserver comes first in your /etc/resolv.conf file
i was losing my sanity to this issue lol
luckily this seems to have done the trick for me

[EdwardCooke]

Here's my solution, it takes what @cod3monk3y did, and makes it automatic it so you don't have to run anything manually anymore. It's geared towards the Cisco AnyConnect client, so if you you're using something different, you would just need to figure out the events in the event log to trigger off of.

https://www.frakkingsweet.com/automatic-dns-configuration-with-wsl-and-anyconnect-client/

[Kraego]

Here's my solution, it takes what @cod3monk3y did, and makes it automatic it so you don't have to run anything manually anymore. It's geared towards the Cisco AnyConnect client, so if you you're using something different, you would just need to figure out the events in the event log to trigger off of.

https://www.frakkingsweet.com/automatic-dns-configuration-with-wsl-and-anyconnect-client/

Works like a charm, thanks.

[sanarena]

isn’t wsl-vpnkit working for you?

[githubuser6000]

A reboot fixed it 🤷‍♂️

[ajgrier]

All the presented "solutions" seem to involve modifying resolv.conf. The default(?) WSL setup has resolv.conf pointing to an internal IP address, and the same address is also used as default route. The failure seems to be that WSL (which handles this internal routing and DNS server / proxy) is not tracking resolver changes on the windows side. All the modifications to resolv.conf are just workarounds for WSL's failure, not fixes to WSL.

Why are windows applications able to track resolver changes, but WSL isn't?

[Jan-Pleva]

Hi, is the VPN in development plan? We are waiting for this.

[exeral]

unlike #2884 (comment) which push DNS from Windows to WSL
I have made a script for the other way: pull DNS from WSL.
https://gist.github.com/exeral/87c792d20262026318661fdc03ea8807

hope it helps ;)

[Jan-Pleva]

Thanks. Still I would need something more instant for enterprise environment.

[saraiva82]

I just went back to my vm after many hours wasted troubleshooting this.
Afterall....

They know and dont care lol

[ccbond]

在浪费了很多时间进行故障排除后，我刚刚回到我的虚拟机。 毕竟....

他们知道但不在乎哈哈

fu*k

[danielwagn3r]

For me the new WSL2dns tunneling feature solved the problem, see https://learn.microsoft.com/en-us/windows/wsl/wsl-config#main-wsl-settings

Add the following to %UserProfile%\.wslconfig to enable the feature:

# Settings apply across all Linux distros running on WSL 2
[wsl2]
# Changes how DNS requests are proxied from WSL to Windows
dnsTunneling=true

[jaredbrogan]

For me the new WSL2dns tunneling feature solved the problem, see https://learn.microsoft.com/en-us/windows/wsl/wsl-config#main-wsl-settings

Add the following to %UserProfile%\.wslconfig to enable the feature:

# Settings apply across all Linux distros running on WSL 2
[wsl2]
# Changes how DNS requests are proxied from WSL to Windows
dnsTunneling=true

Thanks for pointing that out. Unfortunately, it's only available in Windows 11. 😢

[dendr203]

In my case, i set VPN network interface metric to 6000 and both vpn and internet within wsl is now working: Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000 Cisco AnyConnect mentioned in command above is my VPN. yours could be different. along with the metric number.

and then used @cod3monk3y solution above for fixing DNS.

This was the only think that have worked for me and resolved the issue.

[TuanChauKMS]

Guys, are there any plans to completely fix this issue in the future?
Thanks all :)

[OneBlue]

Hi ! Please try the latest networking features that we've added in WSL. Those should greatly improve compatibility with VPN's.

If the issue still remains, please reopen this issue.

[rgmz]

Hi ! Please try the latest networking features that we've added in WSL. Those should greatly improve compatibility with VPN's.

That link doesn't state it, but the linked page "Advanced settings configuration in WSL" makes it clear that these settings require Windows 11.

@OneBlue do you know if there are plans to support dnsTunneling and autoProxy on Windows 10?

[OneBlue]

@OneBlue do you know if there are plans to support dnsTunneling and autoProxy on Windows 10?

Unfortunately, those features won't be backported to Windows 10.

[froh]

unfortunately I'm stuck with corporate windows 10 for another year or two sigh...

…

On Wed, May 15, 2024, 20:19 Blue ***@***.***> wrote: @OneBlue <https://github.com/OneBlue> do you know if there are plans to support dnsTunneling and autoProxy on Windows 10? Unfortunately, those features won't be backported to Windows 10. — Reply to this email directly, view it on GitHub <#1350 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABTBB5KPUO74RBM2S7XWEDZCORMFAVCNFSM4CWBLNU2U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TEMJRGMYTMNJSHE4Q> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[terlar]

Don't be too sad about it, it is not sure that it will fix the issues anyways. I am currently using Citrix Secure Access and I still have to use wsl-vpnkit to get connectivity when on the VPN.

[wsl2]
networkingMode=mirrored
firewall=true
dnsTunneling=true
autoProxy=true