WSL 2 Cisco AnyConnect Networking Workaround

Overview

WSL 2 uses a Hyper-V virtual network adapter. Network connectivity works without any issue when a VPN is not in use. However, when a Cisco AnyConnect VPN session is established, firewall rules and routes are added that break connectivity within the WSL 2 VM. This issue is tracked in WSL/issues/4277.

The steps below outline how to automatically configure the interface metric on VPN connect and update the DNS settings (/etc/resolv.conf) on connect/disconnect.

Acknowledgements

This guide is inspired by and a variation of pyther's guide for the networking workaround.

In this guide, the differences are mainly in the automatic configuration process.
I wrote this guide because his version was not working for me, especially due to the missing PAC proxy, and the Python script was not working for me either.

Manual Configuration

Set Interface Metrics

After connecting to the VPN, modify the interface metric of the Cisco VPN adapter. Run the following command in PowerShell with administrative permissions:

PS C:\Users\gyurgyik> Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000

At this point you should have connectivity in your container (but without name resolution). You can test this by running ping 8.8.8.8.

Set DNS servers in Linux VM

Once connected to the VPN, determine the DNS servers that are configured on the VPN adapter:

PS C:\Users\gyurgyik> (Get-NetAdapter | Where-Object InterfaceDescription -like "Cisco AnyConnect*" | Get-DnsClientServerAddress).ServerAddresses
10.10.0.124
10.10.0.132

Update /etc/resolv.conf inside the Linux VM so that it lists those servers:

M-machine:~$ cat /etc/resolv.conf
nameserver 10.10.0.124
nameserver 10.10.0.132

Verify Connectivity

ping google.com -c 4
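The two manual steps above combined into one script, as an added example that is not part of the gist (it is not the gist's own setCiscoVpnMetric.ps1). It assumes the distro name Ubuntu-20.04 and that /etc/wsl.conf in that distro contains generateResolvConf = false under [network], otherwise WSL overwrites /etc/resolv.conf on the next start.

```powershell
#Requires -RunAsAdministrator
# Added example, not one of the gist's scripts. Assumption: a single WSL distro
# whose /etc/wsl.conf disables resolv.conf generation ([network] generateResolvConf = false).
param(
    [string]$Distro = 'Ubuntu-20.04',   # assumption: adjust to your distro name
    [int]$Metric = 6000                  # the metric used in the manual step above
)

# 1. Find the AnyConnect adapter and stop if the VPN is not connected.
$vpn = Get-NetAdapter | Where-Object InterfaceDescription -like 'Cisco AnyConnect*'
if (-not $vpn) {
    Write-Error 'No Cisco AnyConnect adapter found; is the VPN connected?'
    exit 1
}

# 2. Raise the adapter's metric so the WSL/Hyper-V routes keep precedence.
$vpn | Set-NetIPInterface -InterfaceMetric $Metric

# 3. Collect the IPv4 DNS servers the VPN pushed to the adapter.
$dns = ($vpn | Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses |
    Where-Object { $_ }
if (-not $dns) {
    Write-Error 'The VPN adapter has no IPv4 DNS servers configured.'
    exit 1
}

# 4. Write them to /etc/resolv.conf inside the distro. printf reuses its format
#    string for every address, so no multi-line string has to be quoted.
$addresses = $dns -join ' '
wsl.exe -d $Distro -u root -- sh -c "printf 'nameserver %s\n' $addresses > /etc/resolv.conf"

# 5. Show the result and verify name resolution from inside the VM.
wsl.exe -d $Distro -- cat /etc/resolv.conf
wsl.exe -d $Distro -- ping -c 4 google.com
```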

Automatic Configuration

Create Scripts

Save the contents of the zip file (downloadable below) to %homepath%\wsl\scripts, creating the directories as needed.

Adjust the scripts to your setup.

Task scheduling

The .xml files are Windows Task Scheduler task definitions for importing.

Here is what to keep in mind while importing them into Task Scheduler:

Suggestion: create a folder called WSL to keep the scheduled tasks organized.

While importing each one, in the import window go to "General" -> "Security options" -> "When running the task, use the following user account" and change the user to your own user.

Everything else should already be correct and can be used as-is.

Setup proxy

In setVPNON.ps1, change the IP address and port on the first line to the IP address and port of the server that provides the PAC file.

Most likely, that information is in your browser's proxy settings. If you have a hostname rather than an IP address, you may need to use the IP address that hostname resolves to for this to work (due to potential issues with alpaca, which this method depends on).

Warning: Due to lack of knowledge on my side, both setVPNON.ps1 and setVPNOFF.ps1 need to have the distros you own correctly set. I tried the automatic way of achieving that, but the results were not up to par. Feel free to propose the fix in the comments.

1st time install script

Run the install.sh script located in %homepath%\wsl\scripts\wsl inside WSL as root. For example, from PowerShell:

cd "$Home\wsl\scripts\wsl"; wsl.exe -d 'Ubuntu-20.04' -u root "./install.sh"

Explanation: the scheduled tasks and how they work

Windows Task Scheduler allows you to trigger an action when a certain event log entry arrives. The Cisco AnyConnect VPN client generates a number of such log events.

Three tasks are necessary:

  1. Configures the interface metric when the VPN connects.
  2. Activates the proxy and sets the name servers for connections.
  3. Executes on disconnection to set the proxy as unconfigured (no PAC file) and remove the VPN nameservers.

Cisco AnyConnect Events

  • 2039: VPN Established and Passing Data
  • 2061: Network Interface for the VPN has gone down
  • 2010: VPN Termination
  • 2041: The entire VPN connection has been re-established.

Procedure in case importing the xml files does not work

Note: The preferred way of installing these tasks is by importing and adapting the scheduled tasks provided. The procedure below serves both as a fallback and as an explanation of how to achieve the same result by hand.

  1. Open Task Scheduler
  2. Create a Folder called WSL (Optional, but easier to find rules later)
  3. Create Rules
    1. Update AnyConnect Adapter Interface Metric for WSL2
      • General: Check: Run with highest privileges
      • Triggers:
        • On an Event, Log: Cisco AnyConnect Secure Mobility Client, Source: acvpnagent, Event ID: 2039
        • On an Event, Log: Cisco AnyConnect Secure Mobility Client, Source: acvpnagent, Event ID: 2041
      • Action: Start a program, Program: Powershell.exe, Add arguments: -WindowStyle Hidden -NonInteractive -ExecutionPolicy Bypass -File %HOMEPATH%\wsl\scripts\setCiscoVpnMetric.ps1
      • Condition: Uncheck: Start the task only if the computer is on AC power
    2. Start proxy for pac and set nameservers
      • General: UnCheck: Run with highest privileges
      • Triggers:
        • On an Event, Log: Cisco AnyConnect Secure Mobility Client, Source: acvpnagent, Event ID: 2039
        • On an Event, Log: Cisco AnyConnect Secure Mobility Client, Source: acvpnagent, Event ID: 2041
      • Action: Start a program, Program: Powershell.exe, Add arguments: -WindowStyle Hidden -NonInteractive -ExecutionPolicy Bypass -File %HOMEPATH%\wsl\scripts\setVPNON.ps1
      • Condition: Uncheck: Start the task only if the computer is on AC power
    3. Start proxy without pac and reset nameservers
      • Triggers:
        • On an Event, Log: Cisco AnyConnect Secure Mobility Client, Source: acvpnagent, Event ID: 2010
        • On an Event, Log: Cisco AnyConnect Secure Mobility Client, Source: acvpnagent, Event ID: 2061
        • At log on: At log on of $USER
      • Action: Start a program, Program: Powershell.exe, Add arguments: -WindowStyle Hidden -NonInteractive -ExecutionPolicy Bypass -File %HOMEPATH%\wsl\scripts\setVPNOFF.ps1
      • Condition: Uncheck: Start the task only if the computer is on AC power
  4. Test: connect to the VPN; a PowerShell window should pop up briefly.
    1. The same happens when you disconnect from the VPN.
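The three tasks above registered from PowerShell instead of the Task Scheduler GUI, as an added example that is not part of the gist (the gist ships .xml definitions instead). Event triggers are not exposed by New-ScheduledTaskTrigger, so they are built as MSFT_TaskEventTrigger CIM instances; the script assumes the scripts live in $HOME\wsl\scripts and that the current user is the one the tasks should run as.

```powershell
#Requires -RunAsAdministrator
# Added example, not the gist's own task definitions. Assumption: scripts are in $HOME\wsl\scripts.
$scripts = Join-Path $HOME 'wsl\scripts'
$log     = 'Cisco AnyConnect Secure Mobility Client'   # event log name from the task list above
$source  = 'acvpnagent'                                # event source from the task list above

# Build an "On an event" trigger for one AnyConnect event ID (2039, 2041, 2010 or 2061).
function New-AnyConnectEventTrigger([int]$EventId) {
    $class = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $t = New-CimInstance -CimClass $class -ClientOnly
    $t.Enabled = $true
    $t.Subscription = @"
<QueryList><Query Id="0" Path="$log"><Select Path="$log">*[System[Provider[@Name='$source'] and EventID=$EventId]]</Select></Query></QueryList>
"@
    return $t
}

function Register-WslVpnTask {
    param([string]$Name, [string]$Script, [int[]]$EventIds, [switch]$Elevated, [switch]$AtLogon)
    # Same arguments as the "Start a program" action in the list above.
    $action = New-ScheduledTaskAction -Execute 'Powershell.exe' `
        -Argument "-WindowStyle Hidden -NonInteractive -ExecutionPolicy Bypass -File `"$scripts\$Script`""
    $triggers = @($EventIds | ForEach-Object { New-AnyConnectEventTrigger $_ })
    if ($AtLogon) { $triggers += New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME }
    # "Uncheck: Start the task only if the computer is on AC power"
    $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
    # "Run with highest privileges" only for the task that changes the interface metric.
    $level = if ($Elevated) { 'Highest' } else { 'Limited' }
    $principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
        -LogonType Interactive -RunLevel $level
    Register-ScheduledTask -TaskPath '\WSL\' -TaskName $Name -Action $action -Trigger $triggers `
        -Settings $settings -Principal $principal -Force | Out-Null
}

Register-WslVpnTask -Name 'Update AnyConnect Adapter Interface Metric for WSL2' `
    -Script 'setCiscoVpnMetric.ps1' -EventIds 2039, 2041 -Elevated
Register-WslVpnTask -Name 'Start proxy for pac and set nameservers' `
    -Script 'setVPNON.ps1' -EventIds 2039, 2041
Register-WslVpnTask -Name 'Start proxy without pac and reset nameservers' `
    -Script 'setVPNOFF.ps1' -EventIds 2010, 2061 -AtLogon
```

Check the result with Get-ScheduledTask -TaskPath '\WSL\' before testing a VPN connect/disconnect.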

FAQ

Q: Does traffic originating from the Linux VM still route through the VPN?
A: Yes, I believe so. I did not see any leaked traffic when running a tcpdump on my router.

Q: Are VPN resources accessible from the Linux VM?
A: Yes

Q: Can the Linux VM communicate with Windows?
A: No, it appears a firewall rule is preventing traffic between Windows and the Linux VM. You can still access Windows files using the /mnt mount.

Q: How do I revert/disable these changes?
A:

  1. Run the 3rd scheduled task
  2. Disable the scheduled tasks
  3. Remove the proxy entries from /etc/environment
  4. Restart WSL: wsl --shutdown