Internal network not reachable with Pulse Secure and wsl-vpnkit #204

Closed
rohithmohan opened this issue Apr 8, 2023 · 2 comments

@rohithmohan

Hello, thanks for making a great tool! I set up wsl-vpnkit via systemd, and once I set it up I am able to access the external network (e.g. pinging google.com works), but I am not able to ssh to any of the machines on my internal network. Would appreciate any tips to resolve the issue!

Version details:
WSL version: 1.1.6.0
Windows version: 10.0.19044.2728
Ubuntu 22.04.2 LTS

Troubleshooting attempts:
I read the troubleshooting in #151, but it didn't seem to help my case, which may be due to the troubleshooting steps playing out slightly differently for me.

Using nslookup -type=A example.com gives the following output

➜ nslookup -type=A example.com
Server:         172.22.112.1
Address:        172.22.112.1#53

Non-authoritative answer:
Name:   example.com
Address: 93.184.216.34

While nslookup -type=A example.com 1.1.1.1 gives

➜ nslookup -type=A example.com 1.1.1.1
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; no servers could be reached

Here are the contents of my /etc/wsl.conf. I've tried setting generateResolvConf to both true and false.

[user]
default=rohith

[boot]
systemd=true

[network]
generateResolvConf=true

journalctl logs:

Apr 08 12:01:16 LAPTOP systemd[1]: Started wsl-vpnkit.
Apr 08 12:01:17 LAPTOP wsl.exe[341]: + VPNKIT_GATEWAY_IP=192.168.127.1
Apr 08 12:01:17 LAPTOP wsl.exe[341]: + VPNKIT_HOST_IP=192.168.127.254
Apr 08 12:01:17 LAPTOP wsl.exe[341]: + VPNKIT_LOCAL_IP=192.168.127.2
Apr 08 12:01:17 LAPTOP wsl.exe[341]: + TAP_MAC_ADDR=5a:94:ef:e4:0c:ee
Apr 08 12:01:17 LAPTOP wsl.exe[341]: + VMEXEC_PATH=/app/wsl-vm
Apr 08 12:01:17 LAPTOP wsl.exe[341]: + GVPROXY_PATH=/app/wsl-gvproxy.exe
Apr 08 12:01:17 LAPTOP wsl.exe[341]: + TAP_NAME=wsltap
Apr 08 12:01:17 LAPTOP wsl.exe[341]: + CHECK_HOST=example.com
Apr 08 12:01:17 LAPTOP wsl.exe[341]: + CHECK_DNS=1.1.1.1
Apr 08 12:01:17 LAPTOP wsl.exe[341]: + DEBUG=0
Apr 08 12:01:17 LAPTOP wsl.exe[341]: + set +x
Apr 08 12:01:17 LAPTOP wsl.exe[341]: + WSL2_TAP_NAME=eth0
Apr 08 12:01:17 LAPTOP wsl.exe[341]: + WSL2_GATEWAY_IP=172.22.112.1
Apr 08 12:01:17 LAPTOP wsl.exe[341]: + '[' 0 -eq 0 ]
Apr 08 12:01:17 LAPTOP wsl.exe[341]: + set +x
Apr 08 12:01:19 LAPTOP wsl.exe[341]: starting vm and gvproxy...
Apr 08 12:01:19 LAPTOP wsl.exe[341]: time="2023-04-08T19:01:19Z" level=info msg="waiting for packets..."
Apr 08 12:01:20 LAPTOP wsl.exe[341]: time="2023-04-08T12:01:20-07:00" level=info msg="waiting for clients..."
Apr 08 12:01:20 LAPTOP wsl.exe[341]: time="2023-04-08T12:01:20-07:00" level=info msg="new connection from remote>
Apr 08 12:01:20 LAPTOP wsl.exe[341]: started vm and gvproxy
Apr 08 12:01:20 LAPTOP wsl.exe[341]: check: ✔️ ping success to IPv4 WSL 2 gateway / Windows host (172.22.112.1)
Apr 08 12:01:20 LAPTOP wsl.exe[341]: check: ✔️ ping success to IPv4 Windows host (192.168.127.254)
Apr 08 12:01:20 LAPTOP wsl.exe[341]: check: ✔️ ping success to IPv4 gateway (192.168.127.1)
Apr 08 12:01:20 LAPTOP wsl.exe[341]: check: ✔️ nslookup success for example.com A using 192.168.127.1
Apr 08 12:01:20 LAPTOP wsl.exe[341]: check: ✔️ nslookup success for example.com A using 172.22.112.1
Apr 08 12:01:25 LAPTOP wsl.exe[341]: check: ❌ nslookup fail for example.com A using 1.1.1.1
Apr 08 12:01:25 LAPTOP wsl.exe[341]: check: ✔️ ping success to IPv4 external host domain (example.com)
Apr 08 12:01:25 LAPTOP wsl.exe[341]: check: ✔️ ping success to IPv4 external host IP (1.1.1.1)
Apr 08 12:01:25 LAPTOP wsl.exe[341]: check: ✔️ nslookup success for example.com AAAA using 192.168.127.1
Apr 08 12:01:25 LAPTOP wsl.exe[341]: check: ✔️ nslookup success for example.com AAAA using 172.22.112.1
Apr 08 12:01:30 LAPTOP wsl.exe[341]: check: ❌ nslookup fail for example.com AAAA using 1.1.1.1
Apr 08 12:01:30 LAPTOP wsl.exe[341]: ping: bad address 'example.com'
Apr 08 12:01:30 LAPTOP wsl.exe[341]: check: ➖ ping fail to IPv6 external host (example.com)
Apr 08 12:01:30 LAPTOP wsl.exe[341]: check: ✔️ wget success for http://example.com
Apr 08 12:01:31 LAPTOP wsl.exe[341]: check: ✔️ wget success for https://example.com

@sakai135
Owner

Since you can access external URLs fine, you probably need to set generateResolvConf=false and set up your own /etc/resolv.conf with your internal DNS.

Run Get-DnsClientServerAddress and Get-DnsClient in PowerShell to find any DNS servers and any suffix searches you might be using in Windows. You can test which DNS server to use with nslookup -type=A some.internal.address.domain DNS.SVR.IPA.DDR.

1.1.1.1 is probably blocked by your network.

@rohithmohan
Author

That seems to have worked, thanks!

As a reference for others:
I found 4 DNS servers after running Get-DnsClientServerAddress in PowerShell that worked with nslookup -type=A example.com DNS.SVR.IPA.DDR
I added each of those to /etc/resolv.conf in the form of nameserver DNS.SVR.IPA.DDR

Running Get-DnsClient showed a truncated list of suffix searches so I ran (Get-DnsClientGlobalSetting).SuffixSearchList and added relevant suffix searches from there to /etc/resolv.conf in the form of search suffixsearch1 suffixsearch2 suffixsearch3

After doing this I was able to connect to internal machines/domains on my network.
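
The resolv.conf assembly described in the comment above, as an added shell example that is not part of the thread or of wsl-vpnkit. The function names, addresses and suffixes are constructed, and only IPv4 servers are handled. It also covers a case the thread does not mention: glibc's resolver reads at most three `nameserver` lines, so with four servers the fourth is written as a comment instead of being silently ignored.

```shell
#!/bin/sh
# Added example: build /etc/resolv.conf content for WSL from the DNS servers
# and suffix search list found in PowerShell. Prints to stdout; writes nothing.

MAXNS=3   # glibc reads at most 3 nameserver lines (see resolv.conf(5))

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
# The body is a subshell, so the IFS change does not leak to the caller.
is_ipv4() (
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# build_resolv_conf "SUFFIX1 SUFFIX2 ..." SERVER...
# Emits nameserver lines (deduplicated, capped at MAXNS) and one search line.
# Fails if no usable server was supplied, so an empty file is never produced.
build_resolv_conf() {
    search_list=$1; shift
    count=0; seen=" "
    for ns in "$@"; do
        if ! is_ipv4 "$ns"; then
            echo "skipping invalid address: $ns" >&2; continue
        fi
        case "$seen" in *" $ns "*) continue ;; esac   # drop duplicates
        seen="$seen$ns "
        if [ "$count" -lt "$MAXNS" ]; then
            echo "nameserver $ns"; count=$((count + 1))
        else
            echo "# ignored by glibc (over $MAXNS servers): $ns"
        fi
    done
    [ -z "$search_list" ] || echo "search $search_list"
    [ "$count" -gt 0 ]
}

# Constructed sample: four internal servers and two search suffixes.
build_resolv_conf "corp.example lab.corp.example" \
    10.0.0.53 10.0.1.53 10.0.2.53 10.0.3.53
```

Review the output, then redirect it to /etc/resolv.conf once generateResolvConf=false is set in /etc/wsl.conf so WSL does not regenerate the file.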
