
Curious case of Cisco AnyConnect and WSL2

One thing COVID has taught me is the importance of a VPN. One other thing COVID has taught me while I work from home is that your Windows machine can be brilliant as long as you have WSL2 configured on it.

So imagine my dismay when I realized I cannot access my University resources while being inside the University provided VPN client.



Both of the institutions I am affiliated with require me to use VPN software which messes up the WSL2 configuration (which of course I realized at 1:30 AM). Don't get me wrong, I have faced this multiple times in the last two years (when I was stuck in India), and mostly I have been lazy and bypassed the actual problem by side-stepping it with my not-so-noble alternatives, which mostly include one of the following:
  • Connect to a physical machine exposed to the internet and do an ssh tunnel from there (not so reliable since this is my actual box sitting at my lab desk, also not secure enough)
  • Create a poor man's SOCKS proxy on that same box to have my own VPN (OpenVPN and WireGuard both work fine with WSL2). Again, a security nightmare if the IT guy finds out
  • And my least favorite method, use PuTTY
Tonight though, high on 7 coffees, I decided to finally take a shot at figuring out what the heck is even going on with this AnyConnect scenario. Lo and behold, a Google search reveals thousands of complaints and even more solutions (most of which didn't work for me).

So I ended up cobbling together the solution which worked for me. Actually, two solutions, since it seems the most efficient one only works on one of my machines and not the other one, for which I had to choose an even more esoteric way.

So hopefully one of these will work for you.

Method 1: Auto-manually rewrite WSL2's DNS config by getting the VPN values 

There is of course a manual solution. But what's the fun in that? Just download or copy-paste this gist inside your WSL2 instance. A lot of this has been taken from this GitHub issue: https://github.com/microsoft/WSL/issues/1350#issuecomment-844452775

Download vpn-fix.sh 

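#!/bin/bash
# Rebuild /etc/resolv.conf from the DNS servers Windows is currently using.
# Run as root (it overwrites /etc/resolv.conf) and only after AnyConnect is connected.

echo "Getting current DNS servers, this takes a couple of seconds"

# The AnyConnect adapter's DNS servers are listed first, then those of every other adapter.
/mnt/c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -Command '
$ErrorActionPreference="SilentlyContinue"
Get-NetAdapter -InterfaceDescription "Cisco AnyConnect*" | Get-DnsClientServerAddress | Select -ExpandProperty ServerAddresses
Get-NetAdapter | ?{-not ($_.InterfaceDescription -like "Cisco AnyConnect*") } | Get-DnsClientServerAddress | Select -ExpandProperty ServerAddresses
' | \
        tr -d '\r' | \
        awk 'BEGIN { print "# Generated by vpn-fix on", strftime("%c"); print } NF { print "nameserver", $1 }' \
        > /etc/resolv.conf
# tr strips the Windows carriage returns first, so the NF guard in awk can skip blank lines.

clear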

Mark it as executable:

sudo chmod a+x vpn-fix.sh

Now just run it using:

sudo ./vpn-fix.sh

And you should see something like this

You can automate this so that it gets called every time you open WSL, so you don't have to mess with the VPN again and again. Note that you will have to run it after you have connected via AnyConnect.
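
Because vpn-fix.sh runs as root and writes whatever the PowerShell pipeline prints straight into /etc/resolv.conf, a validating filter between the two is worth having. The following is an added example, not part of the original gist or the GitHub issue; the names build_resolv_conf and sample_input and the sample addresses are made up for illustration, and the cap of 3 reflects the resolver limit documented in resolv.conf(5).

```shell
#!/bin/bash
# Added example: validate DNS entries before they become /etc/resolv.conf.
MAX_NS=3   # resolv.conf(5): the resolver uses at most 3 nameserver lines

# Reads one candidate address per line on stdin (VPN adapter first),
# writes resolv.conf content to stdout.
build_resolv_conf() {
    tr -d '\r' | awk -v max="$MAX_NS" '
        function is_ipv4(s,   o, n, i) {
            if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
            n = split(s, o, ".")
            for (i = 1; i <= n; i++)
                if (length(o[i]) > 3 || o[i] + 0 > 255) return 0
            return 1
        }
        function is_ipv6(s) {
            # Character-set check only; drop deprecated site-local fec0::/10
            if (s !~ /^[0-9A-Fa-f:]+$/ || s !~ /:/) return 0
            return tolower(s) !~ /^fe[c-f][0-9a-f]:/
        }
        BEGIN { print "# Generated by vpn-fix (validated)" }
        NF != 1              { next }   # blank line or embedded whitespace
        seen[$1]++           { next }   # duplicate across adapters
        count + 0 >= max + 0 { next }   # extra servers would be ignored anyway
        is_ipv4($1) || is_ipv6($1) { print "nameserver", $1; count++ }
    '
}

# Constructed sample of what the PowerShell pipeline can emit (CRLF endings).
sample_input() {
    printf '%s\r\n' 10.8.0.53 10.8.0.54 "" fec0:0:0:ffff::1 \
        192.168.1.1 10.8.0.53 8.8.8.8 "not-an-ip; rm -rf"
}

sample_input | build_resolv_conf
```

In vpn-fix.sh the function would replace the tr and awk stages, with its output redirected to /etc/resolv.conf. Since the AnyConnect adapter is queried first, its servers are the ones that survive the three-entry cap.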

Method 2: Use the awesome gvisor-tap-vsock to tunnel your connection

This utilizes the awesome wsl-vpnkit toolkit. Since this uses a lot of third-party code and was a bit overkill, I did not prefer this initially. But one of my machines did not update resolv.conf even after I restarted the WSL backend multiple times, so I had to go down this path (that one has Kali Linux on it instead of Ubuntu).

Just follow the below procedure

# download wsl-vpnkit
VERSION=v0.3.x
wget https://github.com/sakai135/wsl-vpnkit/releases/download/$VERSION/wsl-vpnkit.tar.gz
tar --strip-components=1 -xf wsl-vpnkit.tar.gz app/wsl-vpnkit files/wsl-gvproxy.exe files/wsl-vm
rm wsl-vpnkit.tar.gz

# place Windows exe
USERPROFILE=$(wslpath "$(powershell.exe -c 'Write-Host -NoNewline $env:USERPROFILE')")
mkdir -p "$USERPROFILE/wsl-vpnkit"
mv wsl-gvproxy.exe "$USERPROFILE/wsl-vpnkit/wsl-gvproxy.exe"

# place Linux bin
chmod +x wsl-vm
sudo chown root:root wsl-vm
sudo mv wsl-vm /usr/local/sbin/wsl-vm

# run the wsl-vpnkit script
chmod +x wsl-vpnkit
sudo ./wsl-vpnkit

This should get your VPN and WSL2 working again.
