Windows subsystem for Linux - tips, tricks and notes


Enabling internet in WSL while connected to VPN

By default, WSL is not connected to the internet when connected to your VPN. To enable internet access, you need to do the following:

The following is a verbatim copy from Stack Overflow:

  1. Find out the nameserver with Windows PowerShell (during VPN session)


    You’ll get the IPv4 address of your corporate nameserver. Copy this address.

  2. Disable resolv.conf generation in wsl:

     sudo vi /etc/wsl.conf

    Copy this text to the file (to disable resolv.conf generation when WSL starts up)

     [network]
     generateResolvConf = false

  3. In WSL, add your corporate nameserver to resolv.conf

     sudo vi /etc/resolv.conf

    Remove other entries and add your corporate nameserver IP (if you have a secondary nameserver, add it in a separate line)

    • nameserver X.X.X.X (where X.X.X.X is your address obtained in step 1)
  4. Set your VPN adapter (if you have Cisco AnyConnect): open an admin PowerShell

    • Find out your VPN adapter name: Get-NetIPInterface (in my case: “Cisco AnyConnect”)
    • Set adapter metric (replace -Match with your name); in my case I have to run this after every reboot or VPN reconnect:
     Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000

    (What is interface metric: used to determine the route; Windows uses the interface with the lowest metric)

  5. Restart wsl in powershell: wsl.exe --shutdown

  6. Test it in wsl run: ping - if this command works, you are done.

In my case I get DNS issues when trying to connect to internal stuff via browser (on Windows 10, e.g. the intranet), caused by the high metric value set in step 4 (basically kind of disabling the VPN route). So here is the workaround for the workaround:

  1. Check your default metric (of the VPN's interface) in PowerShell (replace -Match with your interface name)

     Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Get-NetIPInterface

  2. When running into problems on Windows 10, restore this default value with admin PowerShell (replace the value at the end with your default value):

     Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 1
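
A check for steps 2 and 3, run inside WSL. This is an added example, not part of the Stack Overflow answer, and its function names are assumptions: it confirms that generateResolvConf = false sits under the [network] section header of wsl.conf and that resolv.conf lists only the nameservers you pass in, so lookups for internal hostnames are not sent to a resolver you did not choose.

```shell
#!/bin/sh
# Added example (not from the original answer).
# Usage: sh check_wsl_dns.sh X.X.X.X [secondary nameserver ...]

# Succeeds only if "generateResolvConf = false" appears inside [network].
resolv_generation_disabled() {
  awk '
    { sub(/\r$/, "") }                       # tolerate CRLF from Windows editors
    /^[ \t]*#/ { next }                      # skip comment lines
    /^[ \t]*\[/ { section = $0; gsub(/[ \t]/, "", section); next }
    section == "[network]" {
      line = $0; gsub(/[ \t]/, "", line)
      if (line == "generateResolvConf=false") found = 1
    }
    END { exit !found }
  ' "$1"
}

# Prints each nameserver in the resolv.conf file ($1) that is not in the allowed list.
unexpected_nameservers() {
  file=$1; shift
  allowed=" $* "
  awk '$1 == "nameserver" { print $2 }' "$file" | while read -r ns; do
    case "$allowed" in *" $ns "*) ;; *) echo "$ns" ;; esac
  done
}

# check_wsl_dns <wsl.conf> <resolv.conf> <nameserver>...; returns non-zero on any failure.
check_wsl_dns() {
  wslconf=$1; resolv=$2; shift 2
  rc=0
  if ! resolv_generation_disabled "$wslconf"; then
    echo "FAIL: generateResolvConf = false is not set under [network] in $wslconf"; rc=1
  fi
  extra=$(unexpected_nameservers "$resolv" "$@")
  if [ -n "$extra" ]; then
    echo "FAIL: $resolv lists nameservers you did not configure: $extra"; rc=1
  fi
  for ns in "$@"; do
    awk -v ns="$ns" '$1 == "nameserver" && $2 == ns { f = 1 } END { exit !f }' "$resolv" ||
      { echo "FAIL: expected nameserver $ns is missing from $resolv"; rc=1; }
  done
  if [ "$rc" -eq 0 ]; then echo "OK: WSL DNS is pinned to: $*"; fi
  return "$rc"
}

# Run against the real files only when nameserver addresses are given.
if [ $# -gt 0 ]; then check_wsl_dns /etc/wsl.conf /etc/resolv.conf "$@"; fi
```

Run it after step 5 (wsl.exe --shutdown), since that is when WSL would regenerate resolv.conf if the setting had not taken effect.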

Bridge between windows pageant and wsl

Pageant is an SSH authentication agent. It holds your private keys in memory, already decoded, so that you can use them often without needing to type a passphrase every time. On my Windows machine, I load my primary keys into Pageant at startup and then use wsl2-ssh-pageant to bridge between WSL and Pageant. This is a simple script that runs in WSL and connects to the Pageant daemon on the Windows machine, so I don’t have to copy my private keys to the WSL machine.

Download and setup instructions are available on the wsl2-ssh-pageant GitHub page. However, the .bashrc entry prints warnings from ss at startup. Since these are harmless, I am routing them to /dev/null with the modification below. (Only line 2 is modified from the original instructions.)

  export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"
  if ! ss -a 2>/dev/null | grep -q "$SSH_AUTH_SOCK"; then
    rm -f "$SSH_AUTH_SOCK"
    # Assumed install path; set this to wherever you saved the binary
    wsl2_ssh_pageant_bin="$HOME/.ssh/wsl2-ssh-pageant.exe"
    if test -x "$wsl2_ssh_pageant_bin"; then
      (setsid nohup socat UNIX-LISTEN:"$SSH_AUTH_SOCK,fork" EXEC:"$wsl2_ssh_pageant_bin" >/dev/null 2>&1 &)
    else
      echo >&2 "WARNING: $wsl2_ssh_pageant_bin is not executable."
    fi
    unset wsl2_ssh_pageant_bin
  fi
