Disclaimer: Be sure to get approval from your Cyber/IT team before following this process.
Developers on corporate networks may find that the typical instructions for installing WSL2 do not work. For example, running wsl --install might give the following error, even after enabling all of the required Windows features:
"The service cannot be started, either because it is disabled or because it has no enabled devices associated with it."
Many corporate networks block the Windows Store, and these commands are backed by the store. A manual process, similar to the old WSL1 setup, must be used instead.
INITIAL INSTALLATION
- Open admin command prompt
- Enable WSL feature. This will result in the LxssManager service being installed.
  a. dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart
- Enable Virtual Machine Platform. This will result in the VMCompute service being installed.
  a. dism.exe /online /enable-feature /featurename:VirtualMachinePlatform /all /norestart
  b. Note: You don’t need the full-blown Hyper-V feature (which would require additional approval from IT). This is a minimal subset of Hyper-V used to support WSL.
- Download the latest WSL Linux kernel manually (normally this comes from the Windows Store or Windows Updates)
  a. Manual Update: https://wslstorestorage.blob.core.windows.net/wslblob/wsl_update_x64.msi
  b. Source: https://github.com/microsoft/WSL2-Linux-Kernel
  c. Catalog: https://www.catalog.update.microsoft.com/Search.aspx?q=wsl
  d. Note: You can use uname -r from the WSL bash prompt later to see what version of the kernel is running.
- Run wsl --set-default-version 2 as admin.
- Manually download the Linux distribution instead of using the Windows Store or the WSL command flag -d (which also uses the Windows Store). In our case we want the Ubuntu 22.04 LTS package.
  a. https://aka.ms/wslubuntu2204
  b. See https://learn.microsoft.com/en-us/windows/wsl/install-manual for more distributions and further instruction.
- Install the Linux distribution using Add-AppxPackage in PowerShell.
- After installation, double click the appx bundle and launch it. It will not appear in WSL until this is done.
- Now you are good to go, unless you need VPN support. Most corporate environments will require a VPN connection, and VPNs can give WSL issues without additional configuration, although it appears this may be addressed in Insider releases of Windows (see https://github.com/microsoft/WSL/issues/416).
CONFIGURE WSL TO SUPPORT YOUR VPN
Until the experimental mirrored networking mode becomes available in WSL, additional work will be needed for VPN support. Here is a bit of background on the problem and the solution we will implement:
The vEthernet adapter that WSL uses by default stops working when the VPN overrides the routing table, among other things. You can observe this happening by running route print before and after connecting. Attempts to add new routes or adjust interface metrics for the 255.255.240.0 subnet (that WSL is using) were not working well with the F5 Big-IP client, although other people have reported success using different VPN technologies.
The most reliable way of working in a VPN without making unsafe or intrusive changes seems to be taking advantage of the Hyper-V vsock capability that allows guests to talk directly to the host. WSL supports this, and it is a mechanism that container technologies such as Docker for Windows can use to provide their networking capabilities (and still support VPNs).
The gvisor-tap-vsock project allows us to use this feature to create a TAP eth0 interface using vsock to forward all packets straight through the host. One contributor wrote a script that makes setting up gvisor and configuring the new TAP interface in WSL very easy. It can be found here.
Now that we understand the nature of the problem, perform the following commands in your WSL shell to leverage the wsl-vpnkit script. Here we are going to install v0.4.1 using the manual install method. See the wsl-vpnkit repo README for further installation options.
    # install dependencies
    sudo apt-get install iproute2 iptables iputils-ping dnsutils wget

    # download wsl-vpnkit and unpack
    VERSION=v0.4.1
    wget https://github.com/sakai135/wsl-vpnkit/releases/download/$VERSION/wsl-vpnkit.tar.gz
    tar --strip-components=1 -xf wsl-vpnkit.tar.gz \
        app/wsl-vpnkit \
        app/wsl-gvproxy.exe \
        app/wsl-vm \
        app/wsl-vpnkit.service
    rm wsl-vpnkit.tar.gz

    # run the wsl-vpnkit script (the trailing & puts it in the background)
    sudo VMEXEC_PATH=$(pwd)/wsl-vm GVPROXY_PATH=$(pwd)/wsl-gvproxy.exe ./wsl-vpnkit &
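The download above is started with sudo and ships a Windows executable, so it is worth checking the archive before unpacking it. The following is an added example, not part of the original post or of the wsl-vpnkit project: it compares the tarball against a pinned SHA-256 and checks the member list. EXPECTED_SHA256 is a placeholder you must fill in yourself, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: gate the "tar -xf" step on two checks of the download.
# EXPECTED_SHA256 is a placeholder; pin the digest of a download that you
# or your security team have reviewed. Function names are hypothetical.
EXPECTED_SHA256="<sha256-pinned-by-your-team>"

# The four members the install step extracts (names taken from the page).
WANTED="app/wsl-vpnkit app/wsl-gvproxy.exe app/wsl-vm app/wsl-vpnkit.service"

# sha256_matches FILE HEX: succeed when FILE's SHA-256 equals HEX.
sha256_matches() {
    actual=$(sha256sum -- "$1" | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# has_unsafe_path: read member names on stdin; succeed when any is
# absolute or contains a ".." component that could escape the target dir.
has_unsafe_path() {
    grep -Eq '^/|(^|/)\.\.(/|$)'
}

# members_ok FILE: succeed when no member is unsafe and all WANTED exist.
members_ok() {
    list=$(tar -tzf "$1") || return 2
    if printf '%s\n' "$list" | has_unsafe_path; then
        echo "unsafe path in $1" >&2
        return 1
    fi
    for m in $WANTED; do
        printf '%s\n' "$list" | grep -Fxq -- "$m" || {
            echo "missing member: $m" >&2
            return 1
        }
    done
}

# verify_vpnkit FILE [HEX]: succeed only when both checks pass.
verify_vpnkit() {
    sha256_matches "$1" "${2:-$EXPECTED_SHA256}" || {
        echo "SHA-256 mismatch for $1" >&2
        return 1
    }
    members_ok "$1"
}

# Usage, between the wget and tar steps:
#   verify_vpnkit wsl-vpnkit.tar.gz || exit 1
```

Run the check between the wget and tar steps, and stop if it fails.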
If you run into issues with HTTPS or SSL connections, try running wget --spider -r https://example.com manually and see if you get an SSL certificate issue. You may notice that your company has a “Man-in-the-middle” certificate that needs to be installed on the system. You will need to install that in your Ubuntu distribution with the following steps:
- Obtain a copy of the CA *.crt file. If you need to pull it from the Windows certificate store you can follow a process like this to extract a PFX and convert it into a *.crt: https://secure.springshosting.net/knowledgebase/28/Exporting-SSL-certificates-from-Windows-to-Linux.html
- Copy it to /usr/local/share/ca-certificates
- Run dpkg-reconfigure ca-certificates
- Run sudo update-ca-certificates
TROUBLESHOOTING
The following issues could occur occasionally if your group policy settings periodically disable essential services.
- You must stop WSL with wsl --shutdown before restarting vmcompute, or the issues persist.
The commands at the end of this section fix the following issues:
- WslRegisterDistribution failed with error: 0x80070002
- Error: 0x80070002 The system cannot find the file specified.
- The user has not been granted the requested logon type at this computer (when trying to launch wsl as non-admin)
- The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
Ultimately you will want to contact your administrators to resolve this problem (after all you were already approved to use WSL if you followed the above disclaimer). If they will allow it, you are likely to regain the ability to use WSL temporarily by running the following commands.
sc config lxssmanager start=auto
net start lxssmanager
wsl --shutdown
net stop vmcompute
net start vmcompute
References:
- https://janovesk.com/wsl/2022/01/21/wsl2-and-vpn-routing.html
- https://learn.microsoft.com/en-us/windows/wsl/install-manual
- https://github.com/microsoft/WSL2-Linux-Kernel
- https://www.catalog.update.microsoft.com/Search.aspx?q=wsl
- https://wslstorestorage.blob.core.windows.net/wslblob/wsl_update_x64.msi
- https://superuser.com/questions/1578015/how-can-i-update-wsl2-kernel
- https://superuser.com/questions/437330/how-do-you-add-a-certificate-authority-ca-to-ubuntu
- https://secure.springshosting.net/knowledgebase/28/Exporting-SSL-certificates-from-Windows-to-Linux.html