WSL 2 Internet connection doesn't work when connected to VPN (wireguard) #7895

Closed
1 of 2 tasks
lucashmsilva opened this issue Jan 6, 2022 · 3 comments

Comments

lucashmsilva commented Jan 6, 2022

Version

Microsoft Windows [Version 10.0.19044.1415]

WSL Version

  • WSL 2
  • WSL 1

Kernel Version

5.10.16.3

Distro Version

20.04

Other Software

Wireguard client version: 0.5.3
Wireguard driver version: 0.10.1
Wireguard server version: v1.0.20200513

Repro Steps

Configure a Wireguard server
Set up a client in Windows without full-tunnel blocking (AllowedIPs = 0.0.0.0/1, 128.0.0.0/1)
Activate the tunnel
Start WSL2
Run wget https://www.google.com

Expected Behavior

wget should connect to the server and download the page

Actual Behavior

After running wget, it can resolve the DNS but hangs on the connection to the server:

$ wget https://www.google.com
--2022-01-06 19:48:56--  https://www.google.com/
Resolving www.google.com (www.google.com)... 142.250.65.196, 2607:f8b0:4006:81d::2004
Connecting to www.google.com (www.google.com)|142.250.65.196|:443... connected.

Diagnostic Logs

Wireguard server config:

[Interface]
Address = 10.200.0.69/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT
ListenPort = 51820
PrivateKey = pppppppppppppppppppppppp

[Peer]
PublicKey = uuuuuuuuuuuuuuuuuuuuuuuuuu
AllowedIPs = 10.200.0.70/32
Endpoint = zzz.zzz.zzz.zzz:yyyyy

Wireguard client config:

[Interface]
PrivateKey = ppppppppppppppppppp
Address = 10.200.0.70/32
DNS = 1.1.1.1

[Peer]
PublicKey = uuuuuuuuuuuuuuuuuuuuuuuu
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = xxx.xxx.xxx.xxx:51820

Server sysctl.conf has IPv4 forwarding configured:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

I've tried many solutions proposed in other issues, but none of them changed the current behavior.
Some solutions I tried:

  • edit resolv.conf file
  • update network interface metrics
  • change the wireguard client config to fulltunnel back and forth

Other issues seem to focus on DNS resolution. In my case, the DNS resolution from inside WSL2 works normally:

$ nslookup www.google.com
Server:         172.21.144.1
Address:        172.21.144.1#53

Non-authoritative answer:
Name:   www.google.com
Address: 142.250.81.228
Name:   www.google.com
Address: 2607:f8b0:4006:81c::2004

@fatkhanfauzi

I faced the same issue, but then it's solved when I changed the DNS and AllowedIPs as stated in #5784 (comment)

[Interface]
DNS = 1.1.1.1

[Peer]
AllowedIPs = ::/128, 0.0.0.0/1, 128.0.0.0/1

@lucashmsilva
Author

> I faced the same issue, but then it's solved when I changed the DNS and AllowedIPs as stated in #5784 (comment)
>
> [Interface]
> DNS = 1.1.1.1
>
> [Peer]
> AllowedIPs = ::/128, 0.0.0.0/1, 128.0.0.0/1

Hi! I feel king stupid right now... I was just about to type that I already tried those same steps without success, but then I realized that I didn't actually try applying those configs to the wg server. When I defined the DNS configuration on the server Interface, I started reaching the internet from WSL while connected to the wireguard tunnel.

@hiiamboris

Solution above didn't work for me: I could ping things, but couldn't wget them.
What worked is sudo ip link set eth0 mtu 1420 in WSL2 (1420 taken from Wireguard entry in the output of netsh interface ipv4 show subinterface on the host). Taken from this post
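
The MTU comparison from the last comment, as an added example that is not code from this thread: it reads the tunnel's MTU out of `netsh interface ipv4 show subinterface` output and prints the `ip link` command only when the WSL2 interface MTU is larger. The netsh sample is constructed, the tunnel name `wg-office` is an assumption, and `tunnel_mtu` and `mtu_fix_command` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of `netsh interface ipv4 show subinterface` output.
# The tunnel name "wg-office" is an assumption; substitute your tunnel's name.
SAMPLE_NETSH='
   MTU  MediaSenseState      Bytes In     Bytes Out  Interface
------  ---------------  ------------  ------------  -------------
4294967295                1             0         72614  Loopback Pseudo-Interface 1
  1500                1     918273645      81726354  Wi-Fi
  1420                1        204811        198332  wg-office
  1500                1       5523101       4410298  vEthernet (WSL)
'

# tunnel_mtu NAME (hypothetical helper): read netsh output on stdin and print
# the MTU of interface NAME; exit status 1 if no such interface is listed.
# netsh.exe invoked from WSL emits CRLF line endings, so strip \r first.
tunnel_mtu() {
    tr -d '\r' | awk -v name="$1" '
        $1 ~ /^[0-9]+$/ {
            # Fields 1-4 are numeric; the rest of the line is the interface name.
            iface = $5
            for (i = 6; i <= NF; i++) iface = iface " " $i
            if (iface == name) { print $1; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# mtu_fix_command IFACE IFACE_MTU TUNNEL_MTU (hypothetical helper): print the
# command to run when the WSL interface MTU exceeds the tunnel MTU, else nothing.
mtu_fix_command() {
    if [ "$2" -gt "$3" ]; then
        echo "sudo ip link set $1 mtu $3"
    fi
}

# Live use inside WSL2 (not executed here):
#   t=$(netsh.exe interface ipv4 show subinterface | tunnel_mtu "wg-office")
#   mtu_fix_command eth0 "$(cat /sys/class/net/eth0/mtu)" "$t"

# Demo on the constructed sample, assuming eth0 currently has MTU 1500.
demo_mtu=$(printf '%s\n' "$SAMPLE_NETSH" | tunnel_mtu "wg-office")
mtu_fix_command eth0 1500 "$demo_mtu"
```

A change made with `ip link set` is not persistent, so the check is worth repeating after WSL restarts.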
