1

I access two Meraki VPNs from my Windows 10 Pro (10.0.19042 Build 19042) machine:

  • One which is not behind a NAT - when I switch this on, I can do git clone [...] or git fetch [...] just fine.
  • Second, which is behind a NAT - when I switch that on and run git fetch, I am getting the error message: "fatal: unable to access 'https://bitbucket.org/[project]/[project-name].git/': gnutls_handshake() failed: Error in the pull function."

To make the second VPN work, I've executed the following commands in PowerShell:

  • Set-ItemProperty -Path "HKLM:SYSTEM\CurrentControlSet\Services\PolicyAgent" -Name "AssumeUDPEncapsulationContextOnSendRule" -Type DWORD -Value 2 -Force;
  • reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters" /v AllowL2TPWeakCrypto /t REG_DWORD /d 1 /f
  • reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters" /v ProhibitIpSec /t REG_DWORD /d 0 /f

It was also necessary to disable IPv6.

That made the VPN work for Windows, but not for Linux inside WSL2. Any suggestions? Thank you very much!

Michal Gow

2 Answers

2

The problem was in a mismatch between VPN MTU and Linux under WSL2 MTU sizes.

It can be identified via 2 commands:

Windows PowerShell (run as administrator)

netsh interface ipv4 show subinterfaces

Notice the first row - it shows how big an MTU is allowed in your VPN.

Linux (inside WSL2) console

ip addr

Notice the row starting with 'eth0' - its MTU must match or be lower than the one above.

In my case the MTU in Linux was higher.

Solution

The following command instantly solves the problem:

sudo ip link set dev eth0 mtu 1400

(Update the MTU value to fit your VPN.)

I have put it inside my ~/.bashrc and put /usr/sbin/ip into sudoers NOPASSWD for my account.

Better solution

So far I haven't managed to use any of the standard Linux tools to change MTU on Linux startup inside WSL2 (and hence to avoid putting it into .bashrc).

  • rc-local doesn't work under WSL2
  • /etc/dhcp/dhcpclient.conf doesn't propagate changes into default interface-mtu nor supersede interface-mtu
  • netsh interface ipv4 set subinterface "vEthernet (WSL)" mtu=1400 store=persistent doesn't affect Linux
  • /etc/netplan doesn't run inside WSL2

If you find the way, I'd be more than happy to have it here!

Michal Gow
  • I found this helpful implementing this solution https://askubuntu.com/questions/216804/want-to-execute-sudo-command-on-shell-startup – Nick Mar 23 '22 at 18:55
  • I'm not an expert, but I think you need to allow an extra 28 bits to be eaten on top of the VPN MTU, so make the MTU 28 lower than the VPN's MTU. – Nick Mar 23 '22 at 18:57
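
One way to narrow the sudoers grant described in the answer above, as an added example that is not part of the original posts: a NOPASSWD rule for the whole /usr/sbin/ip binary lets the account run every ip subcommand as root, while a root-owned wrapper that takes no arguments limits the grant to the one MTU change. The script path /usr/local/sbin/wsl-set-mtu, the user name youruser, the sudoers file name and the 576..65535 sanity bounds are assumptions.

```shell
#!/bin/sh
# Added example, not from the original posts.
# Assumed install path: /usr/local/sbin/wsl-set-mtu (root-owned, mode 0755).
# Assumed sudoers entry (create with: visudo -f /etc/sudoers.d/wsl-mtu):
#   youruser ALL=(root) NOPASSWD: /usr/local/sbin/wsl-set-mtu ""
# The trailing "" makes sudo accept the script only when called with no arguments,
# and the script reads nothing from the caller, so the grant covers one action.

IFACE=eth0        # interface named in the answer
TARGET_MTU=1400   # value from the answer; set it to fit your VPN

# valid_mtu N: succeed only for a plain decimal integer within 576..65535
# (sanity bounds chosen for this example).
valid_mtu() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 576 ] && [ "$1" -le 65535 ]
}

# needs_lowering CURRENT TARGET: succeed when CURRENT is above TARGET.
needs_lowering() {
    valid_mtu "$1" && valid_mtu "$2" && [ "$1" -gt "$2" ]
}

# Read the live MTU from sysfs and lower it only when it is too high.
apply_mtu() {
    read -r current < "/sys/class/net/$IFACE/mtu" || return 1
    if needs_lowering "$current" "$TARGET_MTU"; then
        /usr/sbin/ip link set dev "$IFACE" mtu "$TARGET_MTU"
    fi
}

# Act only when run under the installed name, so sourcing the file is harmless.
case "$0" in
    */wsl-set-mtu) apply_mtu ;;
esac
```

With this in place, the line in ~/.bashrc becomes `sudo /usr/local/sbin/wsl-set-mtu`, and the ip binary itself no longer needs a sudoers entry.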
0

My solution here was:

sudo ip link set dev eth0 mtu 1350

NOT:

sudo ip link set dev eth0 mtu 1400

Test it by lowering the MTU value to adapt to your network settings.

GHAV