Problem

You have installed WSL successfully on your machine, only to find out that you cannot connect to the internet. I have encountered this problem before. Sometimes it can be fixed externally, but from my experience, no matter what you do, you will end up having to muck around with the resolv.conf file within WSL. More on that later.

You may encounter an internet issue in WSL when the network administrator has configured Windows Defender to not allow local firewall rules to be merged with rules applied at the enterprise level. You can confirm that this applies to you by searching for Windows Defender Firewall with Advanced Security on the Start menu, then going to Action, then Properties, switching to the Public Profile tab, then clicking Customize under Settings. Now look under “Rule Merging”: if these options are set to No, then you will not be able to connect from WSL.

Your first option here is to talk to the network administrator and see if they can change the rule. If they can, then great; if not, then you will have to follow the guide at the end of this blog post.

Another way you can encounter this issue is when you actually have internet access but cannot connect to resources behind a VPN. As of October 2022, the only solution that I am aware of that works is modifying the resolv.conf file within WSL. Keep an eye on the following GitHub issues: 5068, 4277, 1350. I’m hoping that this problem is eventually fixed and becomes a setting that can be applied when WSL is installed.

WSL 101

Before I get into the solution, I would like to explain what is happening. When you launch WSL, by default it is configured to write a resolv.conf file in the /etc directory. This file is what controls DNS resolution in WSL. You can see the content of the file by running the following command from WSL.

sudo nano /etc/resolv.conf

The content of the file resembles the following code snippet.

# This file was automatically generated by WSL. To stop automatic generation of this file, add the following >
# [network]
# generateResolvConf = false
nameserver XXX.XX.XX.X

Here nameserver points to the IP of your machine. What needs to be done is to change the nameserver to point to another DNS provider like 8.8.8.8 (Google) or 1.1.1.1 (Cloudflare). Before that, the setting that makes WSL generate a new resolv.conf on start needs to be changed; otherwise, you would lose your settings on every boot of WSL.

Solution

The first step in getting internet in WSL is to update the file wsl.conf located in the /etc directory. This file applies WSL settings per WSL distribution; if you would like to apply a setting across all distributions, then you will need to modify the .wslconfig file. For more information, visit Advanced settings configuration in WSL.

Back to wsl.conf, run the following command to modify the file.

sudo nano /etc/wsl.conf

If this is your first time opening this file, then it is more than likely empty; if not, delete the content and replace it with the following code snippet.

[network]
generateHosts = false
generateResolvConf = false

Save the file and exit nano.

Time to update the resolv.conf file. You can open the file by running the following command.

sudo nano /etc/resolv.conf

Change the nameserver to your desired provider. In my case I prefer 1.1.1.1 from Cloudflare, so my file ends up looking like the following code snippet.

# This file was automatically generated by WSL. To stop automatic generation of this file, add the following >
# [network]
# generateResolvConf = false
nameserver 1.1.1.1

Save and exit nano. Run a ping command.

ping google.com

You should get back a response similar to the code snippet below.

PING google.com (142.250.64.174) 56(84) bytes of data.
64 bytes from mia09s22-in-f14.1e100.net (142.250.64.174): icmp_seq=1 ttl=113 time=21.2 ms
64 bytes from mia09s22-in-f14.1e100.net (142.250.64.174): icmp_seq=2 ttl=113 time=23.1 ms
64 bytes from mia09s22-in-f14.1e100.net (142.250.64.174): icmp_seq=3 ttl=113 time=22.3 ms
64 bytes from mia09s22-in-f14.1e100.net (142.250.64.174): icmp_seq=4 ttl=113 time=19.4 ms
64 bytes from mia09s22-in-f14.1e100.net (142.250.64.174): icmp_seq=5 ttl=113 time=19.4 ms
64 bytes from mia09s22-in-f14.1e100.net (142.250.64.174): icmp_seq=6 ttl=113 time=21.2 ms
64 bytes from mia09s22-in-f14.1e100.net (142.250.64.174): icmp_seq=7 ttl=113 time=19.2 ms
64 bytes from mia09s22-in-f14.1e100.net (142.250.64.174): icmp_seq=8 ttl=113 time=20.2 ms
64 bytes from mia09s22-in-f14.1e100.net (142.250.64.174): icmp_seq=9 ttl=113 time=19.7 ms
64 bytes from mia09s22-in-f14.1e100.net (142.250.64.174): icmp_seq=10 ttl=113 time=18.4 ms
64 bytes from mia09s22-in-f14.1e100.net (142.250.64.174): icmp_seq=11 ttl=113 time=19.0 ms
64 bytes from mia09s22-in-f14.1e100.net (142.250.64.174): icmp_seq=12 ttl=113 time=20.6 ms
64 bytes from mia09s22-in-f14.1e100.net (142.250.64.174): icmp_seq=13 ttl=113 time=22.3 ms
64 bytes from mia09s22-in-f14.1e100.net (142.250.64.174): icmp_seq=14 ttl=113 time=22.5 ms
64 bytes from mia09s22-in-f14.1e100.net (142.250.64.174): icmp_seq=15 ttl=113 time=20.2 ms
64 bytes from mia09s22-in-f14.1e100.net (142.250.64.174): icmp_seq=16 ttl=113 time=22.2 ms

Congratulations, you have internet access.

Important: to make these changes permanent, you will need to shut down WSL. In a shell/terminal on the host machine, not WSL, run the following command.

wsl --shutdown

Wait a few seconds, then open WSL again and confirm that you still have internet access. If not, double-check yourself, and start by confirming that a new instance of WSL did not reset the resolv.conf file.

VPN

Oh, right. You followed the instructions above and were able to restore internet access within WSL. However, you still cannot connect to resources that are behind a VPN. The solution to this problem is simple: you have to add the IP of your VPN provider.

In a shell/terminal on the host machine, not WSL, run nslookup while connected to the VPN. This is essential: you must be connected to the VPN.

nslookup

The command should output a result that is similar to the following code snippet.

Default Server: xoxoxox
Address: YY.Y.YYY.YY

Copy the IP address, open WSL, and run the following command to open resolv.conf.

sudo nano /etc/resolv.conf

Update the content by adding another nameserver; you can put it before or after, it doesn’t matter. You should note, though, that there is a 5-second timeout in WSL. So if you look up a name and the first server doesn’t find it, it will take about 5 seconds for the first DNS server to time out, then the second DNS server will do the DNS lookup.

After updating the resolv.conf file, the content may look similar to the following code snippet, where YY.Y.YYY.YY represents the IP obtained from the nslookup command.

# This file was automatically generated by WSL. To stop automatic generation of this file, add the following >
# [network]
# generateResolvConf = false
nameserver YY.Y.YYY.YY
nameserver 1.1.1.1

Do another ping against Google to confirm the internet is still accessible, then do another ping against a resource that sits behind the VPN.

Both ping commands should work.
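
The "confirm that a new instance of WSL did not reset the resolv.conf file" step, and the check that the VPN nameserver is still in place, can be scripted. The following is an added example, not part of the original post: the function names are hypothetical helpers, and 10.0.0.53 is a constructed stand-in for the VPN DNS address.

```shell
#!/bin/sh
# Added example, not from the original post; helper names are hypothetical.

# Succeeds only if [network] sets generateResolvConf = false
# (key matched exactly as the post spells it).
resolv_generation_disabled() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { sec = $0; gsub(/[ \t\r]/, "", sec); next }
        sec == "[network]" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key == "generateResolvConf") ok = (val == "false")
        }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Print nameserver addresses in the order they appear in the file.
list_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# check_wsl_dns WSL_CONF RESOLV_CONF EXPECTED_NS...
# Prints one line per problem; returns non-zero if anything is off.
check_wsl_dns() {
    wsl_conf=$1; resolv_conf=$2; shift 2
    rc=0
    if ! resolv_generation_disabled "$wsl_conf"; then
        echo "wsl.conf: generateResolvConf = false not set under [network]"; rc=1
    fi
    actual=$(list_nameservers "$resolv_conf" | tr '\n' ' ')
    if [ "${actual% }" != "$*" ]; then
        echo "resolv.conf: nameservers are '${actual% }', expected '$*'"; rc=1
    fi
    return $rc
}

# Constructed sample files; 10.0.0.53 stands in for the VPN DNS server.
demo() {
    d=$(mktemp -d)
    printf '[network]\ngenerateHosts = false\ngenerateResolvConf = false\n' > "$d/wsl.conf"
    printf 'nameserver 10.0.0.53\nnameserver 1.1.1.1\n' > "$d/resolv.conf"
    check_wsl_dns "$d/wsl.conf" "$d/resolv.conf" 10.0.0.53 1.1.1.1 && echo "DNS settings intact"
    rm -rf "$d"
}
demo
```

Inside WSL, after wsl --shutdown, call check_wsl_dns /etc/wsl.conf /etc/resolv.conf followed by the nameserver addresses you wrote into resolv.conf, in the same order.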