
WSL 2.0 Cisco AnyConnect Networking Workaround

Overview

WSL 2.0 uses a Hyper-V Virtual Network adapter. Network connectivity works without any issue when a VPN is not in use. However, when a Cisco AnyConnect VPN session is established, firewall rules and routes are added that break connectivity inside the WSL 2.0 VM. This issue is tracked in WSL/issues/4277.

The steps below automatically configure the interface metric on VPN connect and update the DNS settings (/etc/resolv.conf) on connect and disconnect.

Configuration

Modify Interface Metrics

After connecting to the VPN, you'll want to modify the Interface Metric of the Cisco VPN adapter. Run the following command in a PowerShell session with administrative permissions:

Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000

At this point you should have connectivity in your container (but no DNS/name resolution). You can test this by running ping 8.8.8.8.

DNS Update Script

You'll need to install the /opt/wsl_dns.py script in each Linux VM/instance.
The script is located here: https://gist.github.com/pyther/20bba4aee1a7e1485dd065adbf736891
The script needs python3, so make sure python3 is installed.

Install:

$ curl https://gist.github.com/pyther/20bba4aee1a7e1485dd065adbf736891/raw/bb00f46d30da1b1eb7ba0fec4e6946a654c7b186/wsl_dns.py --output /opt/wsl_dns.py
$ chmod +x /opt/wsl_dns.py

Test the script:

$ /opt/wsl_dns.py

Automate

Disable WSL Resolv Update

For each Linux instance:

  1. Disable automatic updating of resolv.conf by WSL:
    $ cat <<EOF > /etc/wsl.conf
    [network]
    generateResolvConf = false
    EOF

  2. Restart/shut down WSL: wsl --shutdown (WARNING: this will kill all current sessions!)

Create Powershell Script

Create a PowerShell script containing the Interface Metric command:

%HOMEPATH%\wsl\UpdateAnyConnectMetric.ps1

Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000
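Because the scheduled task runs this script without a visible window, it helps to know whether it found the adapter and what metric it left behind. The following is an added example (not the gist's own UpdateAnyConnectMetric.ps1) of the same one-liner wrapped so that it fails loudly when no AnyConnect adapter is present, only touches interfaces whose metric is below the target, and prints and logs the resulting metrics. The match string and the metric 6000 come from the gist; the log file path under %USERPROFILE%\wsl is an assumption made here.

```powershell
# Added example: a self-checking variant of UpdateAnyConnectMetric.ps1.
# Assumptions: adapter match string and metric 6000 are the gist's values;
# the log file location is a choice made for this example.
param(
    [string]$AdapterMatch = 'Cisco AnyConnect',
    [int]$TargetMetric = 6000,
    [string]$LogFile = (Join-Path $env:USERPROFILE 'wsl\UpdateAnyConnectMetric.log')
)

# Write one timestamped line to the console and to the log file.
function Write-Log([string]$Message) {
    $line = "$(Get-Date -Format s) $Message"
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

# Event 2039 fires when the tunnel is up, but guard against the adapter not
# matching (renamed client, different InterfaceDescription) instead of silently
# doing nothing.
$adapters = @(Get-NetAdapter | Where-Object { $_.InterfaceDescription -match $AdapterMatch })
if ($adapters.Count -eq 0) {
    Write-Log "no adapter matching '$AdapterMatch' found; nothing changed"
    exit 1
}

foreach ($adapter in $adapters) {
    # Set-NetIPInterface without -AddressFamily updates both the IPv4 and the
    # IPv6 interface entries, so check both before changing anything.
    $entries = Get-NetIPInterface -InterfaceIndex $adapter.ifIndex
    $tooLow  = $entries | Where-Object { $_.InterfaceMetric -lt $TargetMetric }
    if ($tooLow) {
        $adapter | Set-NetIPInterface -InterfaceMetric $TargetMetric
        Write-Log "set metric on '$($adapter.Name)' (ifIndex $($adapter.ifIndex)) to $TargetMetric"
    } else {
        Write-Log "'$($adapter.Name)' already has metric >= $TargetMetric; nothing changed"
    }
    # Show the final state so the log/console makes the outcome verifiable.
    Get-NetIPInterface -InterfaceIndex $adapter.ifIndex |
        Select-Object InterfaceAlias, AddressFamily, InterfaceMetric |
        Format-Table -AutoSize
}
```

Raising the metric only when it is below the target makes the task safe to fire more than once per session (for example if the event is logged twice during a reconnect).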

Create Scheduled Tasks

Windows Task Scheduler lets you trigger an action when a particular event is written to an event log. The Cisco AnyConnect VPN client generates a number of log events.

We will create two tasks. The first task configures the interface metric when the VPN connects. The second task executes the DNS update script inside your Linux VM when the VPN connects and disconnects.

Cisco AnyConnect Events

  • 2127: VPN Adapter Configuration
  • 2080: Host Configuration
  • 2039: VPN Established and Passing Data
  • 2057: Automatic Configuration of Routing Table
  • 2010: VPN Termination

Procedure

  1. Open Task Scheduler
  2. Create a Folder called WSL (Optional, but easier to find rules later)
  3. Create Rules
    1. Update AnyConnect Adapter Interface Metric for WSL2
      • General: Check: Run with highest privileges
      • Triggers: On an Event, Log: Cisco AnyConnect Secure Mobility Client, Source: acvpnagent, Event ID: 2039
      • Action: Start a program, Program: Powershell.exe, Add arguments: -ExecutionPolicy Bypass -File %HOMEPATH%\wsl\UpdateAnyConnectMetric.ps1
      • Condition: Uncheck: Start the task only if the computer is on AC power
    2. Update DNS in WSL2 Linux VMs
      • Triggers:
        • On an Event, Log: Cisco AnyConnect Secure Mobility Client, Source: acvpnagent, Event ID: 2039
        • On an Event, Log: Cisco AnyConnect Secure Mobility Client, Source: acvpnagent, Event ID: 2010
      • Action: Start a program, Program: wsl.exe, Add arguments: -d fedora -u root /opt/wsl_dns.py
      • Condition: Uncheck: Start the task only if the computer is on AC power
  4. Test: Connect to the VPN; a PowerShell window and a command prompt window (wsl) should pop up briefly.
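The same two tasks can be registered from an elevated PowerShell session instead of clicking through the Task Scheduler GUI, which makes the setup reproducible and easy to audit. This is an added example, not part of the gist. It assumes the metric script lives at %USERPROFILE%\wsl\UpdateAnyConnectMetric.ps1 (the same location the gist writes as %HOMEPATH%\wsl\...), that the distro is named fedora as in the gist's wsl.exe arguments, and the pre-"Cisco Secure Client" log and source names (Cisco AnyConnect Secure Mobility Client / acvpnagent) given above; the helper name New-EventLogTrigger is a name chosen here.

```powershell
# Added example: register the two event-triggered tasks with PowerShell.
# Assumptions: script path, distro name "fedora" and the log/source names are
# taken from the gist; New-EventLogTrigger is a helper defined here. Run elevated.
#Requires -RunAsAdministrator

$LogName    = 'Cisco AnyConnect Secure Mobility Client'
$Provider   = 'acvpnagent'
$TaskPath   = '\WSL\'                       # the optional "WSL" folder from the procedure
$ScriptPath = Join-Path $env:USERPROFILE 'wsl\UpdateAnyConnectMetric.ps1'
$Distro     = 'fedora'

# New-ScheduledTaskTrigger has no "On an event" option, so the trigger is built
# as an MSFT_TaskEventTrigger CIM instance carrying the same XPath subscription
# the GUI writes for Log / Source / Event ID.
function New-EventLogTrigger {
    param([string]$Log, [string]$Source, [int[]]$EventIds)
    $idFilter = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
    $xpath    = "*[System[Provider[@Name='$Source'] and ($idFilter)]]"
    $class    = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger  = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Enabled      = $true
    $trigger.Subscription = @"
<QueryList><Query Id="0" Path="$Log"><Select Path="$Log">$xpath</Select></Query></QueryList>
"@
    return $trigger
}

# "Run with highest privileges" and the unchecked "AC power" condition.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -LogonType Interactive -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew

# Task 1: raise the AnyConnect adapter metric once the VPN is passing data (2039).
$metricAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
Register-ScheduledTask -TaskName 'Update AnyConnect Adapter Interface Metric for WSL2' -TaskPath $TaskPath `
    -Trigger (New-EventLogTrigger -Log $LogName -Source $Provider -EventIds 2039) `
    -Action $metricAction -Principal $principal -Settings $settings -Force | Out-Null

# Task 2: refresh /etc/resolv.conf inside the distro on connect (2039) and on
# termination (2010). One trigger matching both IDs replaces the two GUI triggers.
$dnsAction = New-ScheduledTaskAction -Execute 'wsl.exe' -Argument "-d $Distro -u root /opt/wsl_dns.py"
Register-ScheduledTask -TaskName 'Update DNS in WSL2 Linux VMs' -TaskPath $TaskPath `
    -Trigger (New-EventLogTrigger -Log $LogName -Source $Provider -EventIds 2039, 2010) `
    -Action $dnsAction -Principal $principal -Settings $settings -Force | Out-Null

# Print what was registered and the XPath each task listens for, so the
# trigger can be checked against the client's actual log and source names.
Get-ScheduledTask -TaskPath $TaskPath | ForEach-Object {
    [pscustomobject]@{
        Task         = $_.TaskName
        State        = $_.State
        Subscription = $_.Triggers[0].Subscription
    }
} | Format-List
```

If the client has been updated to Cisco Secure Client, change $LogName and $Provider to the newer log and source names before running; the trigger silently never fires when the subscription points at a log that no longer receives events, so the final listing is worth comparing against Get-WinEvent -ListLog output.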

FAQ

Q: Does traffic originating from the Linux VM still route through the VPN?
A: Yes, I believe so. I did not see any leaked traffic when running a tcpdump on my router.

Q: Are VPN resources accessible from the Linux VM?
A: Yes

Q: Can the Linux VM communicate with Windows?
A: No, it appears a firewall rule is preventing traffic between Windows and the Linux VM.

Q: Can I still run WSL1 instances?
A: Yes, you can run WSL1 and WSL2 instances simultaneously.

Q: How do I revert/disable these changes?
A: Disable the scheduled tasks, remove/modify /etc/wsl.conf in each WSL instance, and reboot.

@ikorchynskyi (Author):

After the recent Cisco VPN Client update it should be:
On an Event, Log: Cisco Secure Client - AnyConnect VPN, Source: csc_vpnagent
