My workstation setup is: Windows 10 (1909) + WSL2 (ubuntu)
My Linux distribution connects to the external network. I can ping www.google.com, download packages with apt-get, and so on.
But, once I connect to the corporate VPN with Pulse Secure (9.1.5), connectivity suddenly stops:
Before connecting to VPN:
ut06609@ES28P01315583T1:~$ route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 172.17.135.17 0.0.0.0 UG 0 0 0 eth0 172.17.135.16 0.0.0.0 255.255.255.240 U 0 0 0 eth0 ut06609@ES28P01315583T1:~$ ping 172.17.135.17 PING 172.17.135.17 (172.17.135.17) 56(84) bytes of data. 64 bytes from 172.17.135.17: icmp_seq=1 ttl=128 time=0.410 ms 64 bytes from 172.17.135.17: icmp_seq=2 ttl=128 time=0.568 ms ^C --- 172.17.135.17 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1031ms rtt min/avg/max/mdev = 0.410/0.489/0.568/0.079 ms
After connecting to VPN:
ut06609@ES28P01315583T1:~$ route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 172.17.135.17 0.0.0.0 UG 0 0 0 eth0 172.17.135.16 0.0.0.0 255.255.255.240 U 0 0 0 eth0 ut06609@ES28P01315583T1:~$ ping 172.17.135.17 PING 172.17.135.17 (172.17.135.17) 56(84) bytes of data. ^C --- 172.17.135.17 ping statistics --- 320 packets transmitted, 0 received, 100% packet loss, time 331775ms
Note that I cannot even connect to the default gateway, which is the virtual network adapter for WLS:
PS C:\Users\UT06609> Get-NetIPConfiguration -InterfaceAlias "*WSL*" InterfaceAlias : vEthernet (WSL) InterfaceIndex : 66 InterfaceDescription : Hyper-V Virtual Ethernet Adapter #2 IPv4Address : 172.17.135.17 IPv6DefaultGateway : IPv4DefaultGateway : DNSServer : 10.144.145.179 10.144.57.198
I tried to "manipulate" the routing rules created by Pulse Secure (e.g. change metrics), but couldn't make it work. Is PulseSecure compatible with WSL2? If so, should I open a bug ticket (and how)?
Thank you in advance.
Hello and thank you for your post. Without knowing the specifics of the VPN policy for your company, I can only assume that your connection is set for FULL TUNNEL aka Disable Split Tunnel. In other words, all traffic is sent down the tunneled interface to the appliance...this would include non-company related internet traffic. In other words, you are basically a virtual node on your company's subnet as if you were in the office. If your company doesn't explicitly allow traffic for sites and denies all non-company related traffic, this could explain the behavior you are seeing. Again, this is speculation on my part.
There are also config options avialble to the VPN administrator where they can limit your access to local subnets on your home network. You should consult your IT department to see if this is the case or not.
Yes, probably the configuration is Full Tunnel, because some sites are restricted while I'm connected to the VPN. Is there any way to share with you my Pulse Secure client configuration?
Regarding the limitation of local subnets, I'm not sure that is the case. When connected to the VPN, my Docker containers can still reach other domains (both corporate and external). See the example below. Note that "Docker for Windows" is using WSL2 under-the-hood.
ut06609@ES28P01315583T1:~$ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04.1 LTS Release: 20.04 Codename: focal ut06609@ES28P01315583T1:~$ ping www.google.com ping: www.google.com: Temporary failure in name resolution ut06609@ES28P01315583T1:~$ ping kibana.es.telefonica ping: kibana.es.telefonica: Temporary failure in name resolution ut06609@ES28P01315583T1:~$ docker run -it --rm busybox /bin/sh / # ping www.google.com PING www.google.com (22.214.171.124): 56 data bytes 64 bytes from 126.96.36.199: seq=0 ttl=37 time=16.116 ms 64 bytes from 188.8.131.52: seq=1 ttl=37 time=19.486 ms ^C --- www.google.com ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 16.116/17.801/19.486 ms / # ping kibana.es.telefonica PING kibana.es.telefonica (10.148.136.56): 56 data bytes 64 bytes from 10.148.136.56: seq=0 ttl=37 time=23.034 ms 64 bytes from 10.148.136.56: seq=1 ttl=37 time=28.450 ms ^C --- kibana.es.telefonica ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 23.034/25.742/28.450 ms
Apparently, it's quite common to have connectivity issues with WSL2 and VPN. However, all the workarounds I have found are for other products, such as Citrix or Cisco AnyConnect. For example: https://github.com/microsoft/WSL/issues/5764
I have tried out many workarounds, but none of them seem to work.
Thanks for the reply. I failed to answer your previous question. Pulse has not qualifed or test WSL2 Linux...so I don't know if the client will work as expected.
The client config won't really tell me much as the config is sent dynamically from the server side everytime you connect. Things like what networks are allowed and not allowed, traffic enforcement, etc. We'd need to see the debug logs from the client side to get an understanding of what is going on.
Also, are you using the Windows Pulse Client or the Linux client to connect? Should have asked that at the start. If you are running the Windows Client, you can open the client, go to the File menu, select Connections and then select Advanced Connection Details. This will pop up a window and will show you the tunnel configuration for your active connections. Are there any networks that overlap with your local nets?
Thanks for the reply. I'm using Windows Pulse Client (9.1). My connection detais are:
Tiempo restante de la sesión: 7h 58m 12s Duración de la sesión: 1m 48s Tipo de túnel: VPN Tipo de VPN: ESP IPV4 asignada:: 10.57.181.148 Bytes recibidos: 347713 Bytes enviados: 198792 Origen de conexión: Añadido por el usuario
Regarding WSL2 Linux compatibility with Windows Pulse Secure client, is the feature expected at some point? Could you consider to enhance it?
It seems that there is already some support for "Linux on Windows", as stated in the release notes of version 9.1.5:
Pulse Linux Client on Windows now supports Fedora 30, Ubuntu 19.10 and Debian 10
However, that is quite the opposite of my setup. I'd need Pulse Windows Client support for WSL2 distributions (Ubuntu, etc.). To sum up, both my local workstation (Windows PC) and local virtual machines (WSL2 distributions) should be capable of connecting to the corporate network through the VPN.
I am being hit by what appears to be a similar (possibly same) issue related to network connectivity from Ubuntu 20.04 running via WSL2 on Windows 10 (19042.630).
Any chance that you'll be looking at supporting connectivity from WSL2? It's a part of Windows experience now, and quite a few people seem to be stuck in a similar rut (example: https://github.com/microsoft/WSL/issues/5068).
It worked for me after adding the Pulse DNS servers from Windows and DNS Suffix to /etc/resolv.conf inside WSL2
It looks like below now
# This file was automatically generated by WSL. To stop automatic generation of this file, add the following entry to /etc/wsl.conf:
# generateResolvConf = false
The *s above are wildcards
Also, you have to edit the /etc/wsl.conf as mentioned in the comments above. Else /etc/resolv.conf will be overwritten
I think I have to refresh the addresses above when those DNS servers change
I try all the solution from here dans from here https://github.com/microsoft/WSL/issues/5068
But no internet connection...