WSL2 fails to make HTTPS connection if Windows is using VPN #4698
Comments
|
Unable to reproduce on 19025.1 with OpenVPN GUI. (am aware it was explicitly mentioned using the built-in VPN client, but just providing this for reference) |
Thank you for your attention. However, the VPN server I'm using do not support OpenVPN. It supports IPSec IKEv2 (which built-in VPN uses) and Wireguard. I've also tested the issue with Wireguard (running on Windows, not WSL) but unfortunately the result was the same. |
|
For what it's worth- I'm having a similar issue with VPN functionality and current insider builds. I'm using Viscosity (1.8.2) and once I connect the VPN, my vEthernet connection for WSL somehow becomes 'unplugged' until I reboot the machine. Shutting down the VM doesn't resolve the issue. My current insider build is 19028.vb_release.191115-1325 |
|
I'm having a similar issue using Pritunl client. Even if I don't activate it, if my computer sleeps, any connectivity is lost in WSL2. like @Einlanzerous, shutting down the VM doesn't help, logging out doesn't help. I have to restart it. 🤷🏻♂️ After uninstalling the Pritunl client, it seems I don't get the intermittent any connection on WSL2. |
|
Same. Using Windows10's built-in VPN with type L2TP/IPsec. Example:
What works:
|
|
Thank you for the support. |
|
I'm having this same issue using Wireguard / Firefox Private Network, both of which use Mullvad over the Wireguard protocol. I'm using Windows insider build 19041.1. I'm not sure if this is relevant, but it looks like Wireguard is changing the route table in WSL. It looks like Wireguard replaces all routes that point to the IP address in /etc/resolv.conf with the Wireguard address: |
|
I also have issue that when Pritunl is connected, I have no connectivity from WSL2. It's important to note that if the VPN profile only forwards private traffic, WSL2 is blocked only for private IPs, but if the profile is forwarding everything, WSL2 can't reach anything. I have the same issue that as @thisguychris mentioned that WSL2 completely loses connectivity after my laptop sleeps. |
|
Today, (coincidentally) I've tested to install an Ubuntu Server VM using the Hyper-V. Then, I thought that might be the Hyper-V and it's networking that's causing trouble. I made it use the Default Hyper-V switch to make it more distinctive (WSL uses it's own Hyper-V switch). When I look at the properties page of the VPN, one thing I've noticed is that the Security is maintained by using machine certificates, which might be a case, because the VM doesn't have those certificates (Just thinking :) ): I'll investigate further, but I'll be grateful if some of you can also check both the VPN configuration (if it's similar to mine) and the connectivity from a VM. |
|
I can reproduce the VPN issue with Cisco AnyConnect 4.5.04029, impossible to ping or get data from any domain or IP when active, but works again the moment the VPN connection is disabled. |
|
same issue, and the workaround is switch back to WSL1. |
|
I would be cool is we don't have to switch back to wsl 1 |
|
I am having the same issue with Cisco AnyConnect and windows build 19564 |
|
Any updates to this? I've found WSL1's filesystem increasingly unstable, so am trying to switch to WSL2, but the network does not work with Pulse Secure, either. Same behaviour as described here and elsewhere - the network completely fails to connect, and after activating the VPN, a full shutdown and restart of WSL is required to restore network access. |
|
This issue was finally fixed for me a week ago. Not sure what did it but my combination of usage was as follows:
|
|
@blaine, unfortunately, no updates on the problem. But I'm getting the impression that the problem might be about the VPN protocol (i.e. IKEv2) and the authentication method (machine certificates). |
|
@blaine @emrahkaya It's set to use OpenVPN. I have never been able to get IKEv2 to work with my Windows, using the windows built-in VPN settings or Cyberghost client. However, note that I had the issue described in the title with same VPN protocols (OpenVPN) since WSL 2 came out last year on the slow ring. I had to turn off VPN every time I needed to run This could very well be a solution from the distro side, maybe... I skimmed the release notes of Pengwin but didn't see anything relevant. So I really don't have a clue what really solved the issue. |
|
@emrahkaya I'm using Pulse Secure. Type of VPN is SSTP. In the Authentication section, PAP, CHAP, and MS-CHAPv2 are ticked. |
|
Also having this problem with a Cisco Meraki VPN (L2TP with PAP). Its weird because "most" of the network traffic works fine (SSHing for example), but accessing https://google.com does NOT work, while https://duckduckgo.com DOES work. I just ran a test.. if the TLS connection is made from inside WSL2 before making it on the host, it does work. But if the host then hits the same site, the connection doesnt work. Example, in WSL I can hit https://xkcd.com, until I go to https://xkcd.com in a windows browser. Then WSL fails to hit xkcd.com |
|
I just found #416 and tried a few of the suggestions, but was unable to fix this issue. |
|
#416 is more related with the DNS issues. Currently it's easier to fix DNS issues (if any) by just changing the However, this issue is more related with a failing TSL handshake issue when using VPN on the host (i.e. Windows). If it was a DNS issue, I wouldn't be able to hit even the |
|
I don't know if a different issue needs to be created, but when I use a windows-side VPN (PulseSecure), all networking in WSL2 fails. I'm unable to reach any hosts, resolve DNS, or make HTTP requests, SSL or not. My workaround is literally to use my Mac. |
|
I'm on insiders fast ring build 19624. The problem is still here. When i'm using wireguard in my windows host, wsl2 can no longer access the internet. |
|
I have the same issue with the current slow ring build. HTTPS connections while my host machine is on a Cisco Meraki VPN that sends all traffic over it basically time out forever. |
|
To add some debugging info, I am having this problem with a full-tunnel L2TP/IPSec VPN using a pre-shared key and PAP authentication.
I am on Windows 10 Pro slow ring build 19041.208. |
|
This really is the weirdest thing, because some HTTPS handshakes work from WSL2 while I'm on the VPN, like so: and But others, like the Microsoft sample related above do not: But HTTPS connections to all three of these work from the Windows host when on the VPN. |
|
@smerrill That was a great catch. After seeing the TLSv1.3 to TLSv1.2 change in your I also tried to force So, I think the problem is now a bit more focused, but I still don't know why it behaves this way. |
|
Yeah - agreed. It's interesting that the way I initially found this was that I tried to run |
|
Adding on to the pile, I can confirm that Cisco AnyConnect VPN 4.8 appears to break most connectivity within WSL 2. |
|
I believe I have a very similar problem. After sleep or hibernation, the SSH connection is completely stuck and none of the suggestions here worked in my case. Changing the MTU has no effect at all. The ssh client is stuck on a select() syscall and the only way to exit from there is being killed manually with The correct behavior should be the connection to be just dropped (e.g. the select() call should just return with an error). For some reason, probably related with the fact that WSL tries to re-establish the connections now, that doesn't happen. |
|
No updates on this one yet?! I've been beating my head against the wall for a number of hours, not being able to find out exactly why a simple cURL request wasn't working, I randomly stumbled into this issue after giving up on trying to solve the problem, turns out it was the freaking VPN. It's been a year and a half since this issue was created, would've been nice if we could get some updates from the maintainers. |
|
My Usecase: 1st problem encountered: Solution:
2nd problem encountered:
Like many others before, my issue now was that the MTU value of WSL did not match the MTU value of my VPN interface. Solution:
|
|
I'm not using VPNs for connecting to the Internet (although I have some installed), and I face the same problem in some of my WSL distros (Debian and Ubuntu), and not in others (CentOS). The problem did not been solved by changing MTU. My NIC drivers are seemed to be updated. |
|
For me, only pritunl wireguard that make the ubuntu WSL cannot connect from VPN. Pritunl openvpn still can connect as usual |
|
|
Are there any words from the wsl2 folks? if not, would love to see a mitigation. thanks. |
|
Open windows firewall and add wsl application and check all the boxes and restart the computer. |
|
Note for anyone using Tailscale on Windows & in wsl having this issue (run in wsl): sudo ip link set dev eth0 mtu 1280
# and the below if still not working...
sudo ip link set dev tailscale0 mtu 1280This is working for me when running Tailscale in both WSL and Windows, using an exit node on Windows |
|
The MTU workaround for the |
|
To everyone looking for a proper MTU value in your case. You may use the Start from 1500 and decrease by 10 until pings will pass. The value in the The method from #4698 (comment) didn't work in my case. The VPN's MTU was 1400 but the maximum working MTU value in WSL was 1230. |
|
WSL's |
|
Does anyone know how to execute a script when a VPN connection is created? Or how can we customize the MTU value that Windows sets on |
|
I've solved this issue with a scheduler task that updates the MTU value. I'm using the standard Windows VPN client. Here are the config values for it: Begin the task: Here are the task screenshots: 
Adjust the MTU value for your case. |
|
Have you tried https://github.com/sakai135/wsl-vpnkit |
|
Hi folks, we have put out a new update that aims to address networking issues in WSL. In your More info on this release and the changes can be found here in the blog post. Please note: You need to be on a Windows Insiders version to use the new networking settings (Any channel of Windows Insiders will do, including release preview). If you see the "These are not supported" messages it means that your current Windows version doesn't have support, and you will need to upgrade. These features will eventually be coming to Windows 11 22H2. |
|
These new networking features are now available on the latest version of Win11 22H2! Please make sure you're on the latest build to get these features, you can do that by clicking "Check for Updates" in Windows settings. You can check you have the right build by either ensuring you have KB5031354 installed, or run |
|
@craigloewen-msft do you know if |
right on, thanks craig. |
|
Hi ! Please try the latest networking features that we've added in WSL. Those should greatly improve compatibility with VPN's. If the issue still remains, please reopen this issue. |
|
I did the following, which worked for me (Windows 10 & WSL2):
|
and others
Your Windows build number:
Microsoft Windows [Version 10.0.19013.1122]
What you're doing and what's happening:
wget --timeout=30 http://packages.microsoft.com/ubuntu/18.04/prod, which succeeds.wget --timeout=30 https://packages.microsoft.com/ubuntu/18.04/prod, which also succeeds.wget --timeout=30 http://packages.microsoft.com/ubuntu/18.04/prod, which still succeeds.wget --timeout=30 https://packages.microsoft.com/ubuntu/18.04/prod, which fails with message "Unable to establish SSL connection".wget -TimeoutSec 30 https://packages.microsoft.com/ubuntu/18.04/prod, which still succeeds.What's wrong / what should be happening instead:
The 5th step should also have been succeeded.
Notes:
datecommand in WSL shows correct date-time.--no-hstsand--no-check-certificateoptions, but result is the samefirefox(in WSL) and it also waited for "Performing a TSL handshake to packages.microsoft.com", couldn't finish connection and gave "The connection has timed out" error after a while.The text was updated successfully, but these errors were encountered: