Linux under WSL2 can be leaking

mullvad.net

314 points by Voline 6 years ago · 193 comments

AndrewDucker 6 years ago

So, if I'm understanding correctly the Linux system gets access to the raw Ethernet system, and so bypasses the Windows firewall. Seems not entirely unreasonable - if you want Linux to use a firewall then install one into it.

But it should definitely be well publicised/documented, because otherwise people won't realise they have a gaping hole in their greens m defences.

  • ajross 6 years ago

    Right, this is as much a feature as it is a bug. But it's absolutely something that should be documented and under control of the host-side security layer.

    • logical_person 6 years ago

      vmswitch is configurable by the host. these VPN authors have no clue what they're doing, windows firewall rules should not in any case be applied to traffic coming from a VM. ridiculous.

      • rbanffy 6 years ago

        > windows firewall rules should not in any case be applied to traffic coming from a VM

        I can't agree with this. Everything is running on Windows. The VM runs on Windows and WSL exchanges data with Windows all the time. That the data on the Windows side can leak because I installed a Microsoft-approved product from the Microsoft store on a Windows box with a Microsoft firewall is unacceptable.

        • xnyan 6 years ago

          Here’s the issue with your issue: if you are using WSL2 (or other various win10 configurations involving hyper-v), then windows is not running on bare metal anymore. In this scenario, windows is just another guest operating system subject to a hypervisor. Windows is a VM, and your in-VM firewall applies to the VM in which it's running.

          This is how you get real linux “on” windows - the on part is an illusion, trickery to make using linux transparent and integrated. By comparison, WSL1, which is still supported, is “just” (it’s actually pretty impressive in its own right) syscalls translated to the NT kernel.

          Microsoft could do a better job communicating this, but I don’t think any of their design decisions are bad in this regard.

          • yencabulator 6 years ago

            In which case it sounds like the Windows tools for configuring things should configure HyperV's networking too.

            You know, just like the software inside the Windows VM can launch a separate Linux VM; you're already controlling HyperV from inside that VM.

          • OJFord 6 years ago

            So this is also an issue (by which I mean something to be aware of, that I think most aren't) with Linux docker containers on Windows/macOS?

            It makes perfect sense now you say it - I knew hyper-v was a hypervisor, I knew in basic broad strokes what a hypervisor is and where it sits, but for some reason this didn't occur to me.

            It could be very alarming to people running containers 'on a Windows' server, but then such people are probably more familiar with hypervisors anyway.

            Is hyper-v networking still somehow configurable from the 'host', or is it undesirable for containers unless you don't want to do anything to the network (in software on that machine)?

          • im3w1l 6 years ago

            So WSL1 is reverse wine basically?

          • buran77 6 years ago

            As far as I know this is how Hyper-V worked since at least Windows 8(.1?). Installing the role would relegate the Windows OS to guest VM status, albeit with more privileges than any other VM.

            Microsoft should make it more obvious since most Windows 10 users shouldn't be expected to make this distinction by themselves.

        • zokier 6 years ago

          > Everything is running on Windows. The VM runs on Windows

          As far as I understand, that is not quite right. With WSL2, everything is running on Hyper-V, the VM and Windows both run in parallel on Hyper-V.

  • andrewflnr 6 years ago

    > If you want Linux to use a firewall then install one into it

    Granted, I don't know much about WSL, but that's a very surprising model to me. I would naively assume that anything in userspace is controlled by the Windows OS-level firewall, not that Linux gets to emit raw packets. To say the least, I'm a little more hesitant than you are to call that reasonable.

    • smw 6 years ago

      As mentioned other places in the article, in the WSL2 model, Linux is running under a Hyper-V hypervisor, and isn't in user space.

  • donor20 6 years ago

    Huh - you want linux distributions to have to play with the windows firewall rules? You want windows firewall getting messed up by linux containers?

    These VPN authors are just idiots - let's stop over complicating things. Half the time people LIKE that they can use linux firewall features on their linux hosts for stuff.

    • MiroF 6 years ago

      No, I'm pretty sure that is the exact opposite of what they are saying.

      Maybe work on your reading comprehension?

      • donor20 6 years ago

        Here is what they say is the "leak"

        "How it leaks

        WSL2 uses Hyper-V virtual networking and therein lies the problem. The Hyper-V Virtual Ethernet Adapter passes traffic to and from guests without letting the host’s firewall inspect the packets"

        So they are complaining that the linux subsystem and distribution packets are not processed by the windows firewall. I don't know what to tell you, but the idea that the windows firewall should be in the mix on a fedora distro seems a bit ridiculous?

        • MiroF 6 years ago

          You didn't reply to the article directly, you replied to a comment on the article - one that was making the exact point that you are repeating.

          • donor20 6 years ago

            I thought they were saying microsoft needs to document this third party software behavior. Definitely the VPN folks should document this.

ncmncm 6 years ago

For reference, this kind of problem is avoided on QubesOS (another, Xen-based, hypervisor system) by routing all traffic through another VM that entirely owns the network hardware. I run my Wireguard on that VM.

The host OS image, dom0, also routes its network traffic through that VM, to get updates. (It doesn't trust the updates it gets that way; it checks their signatures.)

QubesOS provides another VM as a dedicated firewall just to route untrusted guests' traffic through, first. With enough cores, it all runs fast.

For many users, all guest VMs are untrusted. Dodgy programs like browsers get their own VMs, spun up as needed and discarded. That does take a fair bit of RAM; my maxed-out 16GB laptop notices the strain. But memory is cheap these days, if you have the sockets to put it in.

As an aside, dom0 also mediates access to the UI hardware, including display RAM. Each guest can run X, but its pixels are copied to the real display by dom0. Guest VMs can't see one another's pixels or input traffic. dom0 also mediates access to audio and video streams, and can route them to selected VMs as needed. (In a future release they plan to manage the display in its own VM, because display drivers are a big attack surface of their own.)

It all works astonishingly well.

Incidentally, this model of a hypervisor with all the user-level OSes as VMs, including the host, originated at IBM in the 1960s. That worked in a megabyte or two, which seemed like a lot at the time.

  • erredois 6 years ago

    This is interesting, I wonder if it's possible to simulate this behavior configuring the hyper-V networking layer.

    • ncmncm 6 years ago

      Almost certainly.

      I know of people who run Windows 10 in a Qubes VM. It is dizzying to think of what they are really doing: running a Hyper-V system, with its own VMs, in a VM on a Xen hypervisor.

smarx007 6 years ago

The title is wrong. The VPN traffic does NOT leak. What leaks is the traffic that the VPN software tries to block when the VPN connection is not active. Mullvad uses Windows Firewall to block all internet access if VPN is not active (if the user configured so) and WSL2 bypasses this by not going through Windows Firewall. When the VPN is active, WSL2 traffic IS tunneled through the VPN.

UPD: The solution may be to have Windows Firewall rules apply to WSL2 or have Mullvad control Linux internet access through on-the-fly UFW settings update or completely disconnect internet (but that likely does not work nicely and is why Mullvad went for the Windows Firewall based solution in the first place).

  • closeparen 6 years ago

    A good reminder that you really want proxying done on a separate device (router, Raspberry Pi, etc) physically between the endpoint and the internet.

    • gerdesj 6 years ago

      This sounds like working as designed and not a flaw. If your Linux box needs a firewall then put one on it. As the article says, the VM is using Hyper-V networking so it is likely that the connection is either bridged with a virty software switch or is NATted in some way but with a short cut through the host firewall. If the VM has an IP on your LAN it is bridged and if it doesn't and you don't have to fiddle with your internet router then NAT is in play.

      Linux has lots of options for firewalling. For Windows sysadmins, firewalld with a GUI could be a reasonably familiar option. Failing that, ufw is quick and reasonably easy for simple use cases. If you are feeling macho, then roll your own with iptables or nftables. The last time I did that properly was with ipchains ...

      • smarx007 6 years ago

        I think the key idea is that Mullvad client changes firewall config on the fly to insert a 2nd highest prio rule "deny outgoing" allowing outgoing internet access only to itself until the VPN tunnel is established and then withdraws it automatically afterwards. So, a generic firewall advice is not applicable here as it's used in quite a specific way. If Microsoft does not fix the problem described in the blog post, I assume the easiest way would be to introduce some kind of daemon in a Windows client that a slave client tool installed in WSL env would have to connect to or the other way around to mirror a firewall config inside the Linux machine. And that will only work on recent versions, see https://github.com/microsoft/WSL/issues/4212#issue-459183662

        UPD: I think it will be resolved in a much neater way soon https://github.com/microsoft/WSL/issues/4277#issuecomment-69...

        • gerdesj 6 years ago

          I assume you mean this because I can't find any mention in the article about 2nd highest prio rules:

          "How it leaks WSL2 uses Hyper-V virtual networking and therein lies the problem. The Hyper-V Virtual Ethernet Adapter passes traffic to and from guests without letting the host’s firewall inspect the packets in the same way normal packets are inspected. The forwarded (NATed) packets are seen in the lower layers of WFP (OSI layer 2) as Ethernet frames only. This type of leak can happen to any guest running under Windows Sandbox or Docker as well if they are configured to use Hyper-V for networking."

          That is how virtual machines are supposed to work. Hyper-V is a virtualisation thing. Whatever Mullvad is doing is immaterial - they are only worrying about the host. If you use full on virty stuff, you need to treat each VM as a VM, not a container.

    • vmception 6 years ago

      Does anyone have a raspberry pi hardened disk image for this? I just don't have time to troubleshoot all these things anymore

    • smarx007 6 years ago

      1000 times this. See https://mullvad.net/en/help/openwrt-routers-and-mullvad-vpn/ for a relevant guide, see under the "Add a kill switch" for the equivalent functionality.

    • fomine3 6 years ago

      I like this VPN gateway approach. It feels rock solid.

    • m463 6 years ago

      exactly. It's amazing how many things bypass on-device firewalls. Docker is a good example.

  • dang 6 years ago

    We changed the title from "Linux Under Windows Subsystem for Linux 2 Leaks VPN Traffic" to the article's own title. That's in the site guidelines: "Please use the original title, unless it is misleading or linkbait; don't editorialize."

    https://news.ycombinator.com/newsguidelines.html

  • TwoNineFive 6 years ago

    The title is correct. For example, a remote attacker could induce the transmission of unencrypted packets by taking the tunnel down by means of DoS attack.

    Basically, the tunnel doesn't leak under ideal conditions, with non-ideal conditions being trivial to induce.

    For example, StrongSwan (IPSec) talks about this in their best practices page here: https://wiki.strongswan.org/projects/strongswan/wiki/Securit...

    The StrongSwan process can do some tricks to tell linux to not allow this outbound traffic by creating a kind of dummy/shunt tunnel. Also, iptables should be used to prevent the outbound transmission of non-ipsec traffic to that destination.

    It's notable that I had a run-in with this issue a year or so ago with Ubiquiti Edgerouters, which run a fork of Vyatta. They don't allow the "-m policy --pol none --dir out" iptables module to be used in configuration, even though the underlying linux kernel supports it. They even support its use in-bound. Pure stupidity, if not malice.

    Yes I am a network engineer.

    • eptcyka 6 years ago

      If you were to inspect the Mullvad client and how it works on Linux, you'd find that it uses nftables to ensure that traffic only flows through the tunnel. The issue here is that a similar OS provided construct doesn't do that on Windows.
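An added illustration of the guest-side approach raised in this subthread (a Linux firewall that only lets traffic leave through the tunnel); it is not Mullvad's ruleset or any commenter's code. It assumes the Linux guest runs its own WireGuard tunnel; the interface name `wg0` and the endpoint `203.0.113.10:51820` are constructed placeholder values.

```shell
#!/bin/sh
# Added example (not Mullvad's ruleset): render an nftables kill switch for a
# Linux guest that runs its own WireGuard tunnel. All values are assumptions.

# valid_ifname NAME: Linux interface names are at most 15 characters; allow
# only a conservative character set so the name cannot inject nft syntax.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# valid_ipv4 ADDR: dotted quad, four octets, each 0-255. The parenthesised
# body runs in a subshell so the IFS change does not leak to the caller.
valid_ipv4() (
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    IFS=.
    set -- $addr
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# valid_port PORT: decimal integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_killswitch TUN_IF ENDPOINT_IP ENDPOINT_PORT
# Prints a ruleset whose output chain drops by default and accepts only:
#   - loopback traffic,
#   - anything leaving through the tunnel interface,
#   - the encrypted UDP flow to the VPN endpoint itself.
# The inet family covers IPv4 and IPv6, so IPv6 outside the tunnel is dropped.
render_killswitch() {
    tun_if=$1 ep_ip=$2 ep_port=$3
    valid_ifname "$tun_if" || { echo "bad interface name" >&2; return 2; }
    valid_ipv4 "$ep_ip"    || { echo "bad endpoint address" >&2; return 2; }
    valid_port "$ep_port"  || { echo "bad endpoint port" >&2; return 2; }
    cat <<EOF
# Constructed ruleset: guest-side kill switch
# add + delete + redefine replaces any earlier copy in one transaction
add table inet killswitch
delete table inet killswitch
table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "$tun_if" accept
        ip daddr $ep_ip udp dport $ep_port accept
    }
}
EOF
}

# apply_killswitch TUN_IF ENDPOINT_IP ENDPOINT_PORT
# Syntax-check the ruleset with "nft -c" first, then load it (needs root).
apply_killswitch() {
    rules=$(render_killswitch "$@") || return $?
    printf '%s\n' "$rules" | nft -c -f - && printf '%s\n' "$rules" | nft -f -
}

# Stand-alone use: print the ruleset for the given tunnel and endpoint.
if [ "$#" -eq 3 ]; then
    render_killswitch "$@"
fi
```

Because the chain's policy is drop, traffic is blocked whenever the tunnel interface is down or missing, rather than falling back to the guest's virtual Ethernet adapter.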

  • sneak 6 years ago

    That’s exactly what leaking means. Traffic that is supposed to be vpn-or-nothing is going out in the clear.

    • donor20 6 years ago

      Is Windows firewall supposed to apply to WSL? I never expected that! I'm serious - I run a different firewall on my onlinux.

      Can you confirm that WSL is supposed to be dealing with (the nightmare) of the windows firewall for internet access? How does fedora / ubuntu etc coordinate / know to do this?

      • eptcyka 6 years ago

        It's somewhat unintuitive that a virtualized guest can circumvent the host's firewall/network stack when the guest doesn't have an explicitly bridged or passthrough'd physical adapter.

        • rbanffy 6 years ago

          It's not circumventing. It exists outside it.

          As for the parent, if it's a Microsoft product running on Windows and Windows has a firewall, I'd expect it to be an effective firewall, at least for the things Microsoft gives me.

        • numpad0 6 years ago

          Windows while Hyper-V is enabled runs atop Hyper-V VMM as a VM, same ways as Linux running as Xen Dom0.

          WSL2 uses Hyper-V, so Windows running WSL2 is running on Hyper-V, not bare metal. Being a different VM than Windows “Dom0”, Linux Kernel in WSL2 would have direct connection to Hyper-V virtual ethernet switch. I think that’s what is happening.

        • mehrdadn 6 years ago

          The host is the hypervisor though isn't it? Not the Windows inside it.

          • apetresc 6 years ago

            Exactly this. If you're running WSL2 then you're in Hyper-V mode, which means Windows itself is also running virtualized. The WSL VM is a sibling of Windows on the hypervisor stack, not hosted inside of.

      • wasmitnetzen 6 years ago

        The firewall probably applied in the non-virtualized WSL1, but doesn't anymore in the new Hyper-V-based WSL2.

    • dymax78 6 years ago

      No one is disputing the definition of "leak(ing)" rather what traffic is being leaked, which is not VPN traffic as the title suggests and the Mullvad link clearly explains. edit: the title has since been modified.

wing-_-nuts 6 years ago

A bit off topic, but this sort of transparency is why I don't mind paying $6 / mo for a vpn when mullvad's competitors are much cheaper. Their wireguard support is great, and their speeds are much faster than what I got through openVpn on pia.

  • Aaronstotle 6 years ago

    Also a huge fan of paying with BTC and their use of account ids instead of emails, wish they would accept XMR also.

    • speedgoose 6 years ago

      Did you consider the average pollution of bitcoin transactions?

      • smartbit 6 years ago

        Good question.

        OTOH, did anyone ever consider the average pollution of the banking system? 10.000th of banks, 200+ central banks, BIS, IMF, ECB, etc, etc. Millions of employees, millions of desktops & servers, day-in-day out. Anyone with a link to a guestimate?

        • foepys 6 years ago

          The Bitcoin network allegedly uses the amount of energy as the whole country of Denmark. This includes heavy industries like aluminum smelting that more or less use as much power as they are allowed to.

          A Bitcoin transaction uses about 1,005 kWh, while 100,000 VISA transactions use 169 kWh, according to https://www.statista.com/statistics/881541/bitcoin-energy-co...

          • kenforthewin 6 years ago

            Unclear what goes into calculating the visa transactions. Is it just the literal cost of sending the bits over the wire? Does it include the cost of servers, man-power, real estate, etc?

            • rcxdude 6 years ago

              It's basically the cost of Visa running divided by the number of transactions they do. So yes it includes everything. You don't need to play silly tricks like that to make Bitcoin look bad. Bitcoin uses similar or more energy than the banking system while processing vastly fewer transactions. Somehow people can't comprehend how ridiculously inefficient bitcoin transactions are.

              • nybble41 6 years ago

                It's the inflation that's expensive, not the transaction processing. The threshold for economical power use in bitcoin mining scales in proportion to the block reward, not block size or number of transactions. Since the rate of inflation decreases exponentially (the block reward in BTC halves every four years) this issue will eventually resolve itself.

                • p1necone 6 years ago

                  According to the numbers above a bitcoin transaction is currently 591715 times as expensive (in kwh) as a visa transaction.

                  If a transaction costs half as much power every 4 years that's only 193 years until it's cheaper than visa[0]! Truly the financial instrument of the (distant) future!

                  [0] https://www.wolframalpha.com/input/?i=x%5E2+%3D+%281005%2F%2...

                  • nybble41 6 years ago

                    Visa doesn't solve the same problems as Bitcoin, so this isn't comparing apples to apples. Bitcoin isn't a centralized, credit-based payment network; it was designed as an electronic alternative to cash. (Don't forget to include the economic and social cost of global anti-counterfeiting measures necessary to maintain the USD market value in the cost of the Visa system!) Also, the reward halving schedule applies to blocks, not transactions. Any of the scaling solutions which increase the number of transactions per block (e.g. the Lightning network) will proportionally reduce the power expended per transaction.

                    • Tijdreiziger 6 years ago

                      Credit-based transactions are a subset of Visa transactions. Visa Debit and V PAY were indeed designed as an electronic alternative to cash (as were MasterCard Debit and Maestro on the MasterCard side).

                      • nybble41 6 years ago

                        > Visa Debit and V PAY were indeed designed as an electronic alternative to cash …

                        These are not alternatives to cash, they're alternatives to checks. The actual cash is held in accounts at centralized third parties (banks) who must be trusted to maintain accurate records, remain solvent, and not interfere with transactions legitimately approved by the account holders. What we see, however, is that the records are not always accurate, and banks do interfere with account holder-approved transactions, based on either their own policies or legal constraints. As for solvency… let's just hope that particular house of cards is never really put to the test.

                        Bitcoin, like physical cash, does not depend on trusted third parties. There are technological measures in place to guarantee accurate record-keeping, and while the sender of an "illegal" payment may be prosecuted after the fact (if they can be identified) there is little anyone can do either to prevent the payment from going through or to claw back the funds once they have been confirmed by the network.

        • roywiggins 6 years ago

          There's no way that a single $6 credit card transaction uses as much energy as sending $6 worth of bitcoin, which is the relevant measure.

          • monadic2 6 years ago

            Yea but a whole fraud department of humans emits a ton of carbon. There's no way the banking and finance industry doesn't compete emissions wise with bitcoin.

            • Barrin92 6 years ago

              >There's no way the banking and finance industry doesn't compete emissions wise with bitcoin

              not on a per transaction basis, which is the only relevant measure because the banking system supports a lot more people than bitcoin does.

              A single bitcoin transaction uses 610.20 kWh right now, which is comparable to the energy consumption of an average US household over 20 days.[1]

              Also for a comparison of scope, Tenpay, Tencents payment service processes about 1.2 billion transactions per day, Bitcoin does about 300k. If all financial transactions conducted in China alone would consume the amount of energy that a bitcoin transaction does, it would roughly eclipse the energy the country consumes in a year, in one day.

              [1] https://digiconomist.net/bitcoin-energy-consumption/

              • johnisgood 6 years ago

                I cannot wait for nuclear fusion to finally be here so people will stop worrying about the electricity consumption, and high consumption will not mean pollution or whatever.

                • jodrellblank 6 years ago

                  All the electricity we generate becomes waste heat in the atmosphere. Global energy use is currently ~0.1% of Sun power hitting the Earth. USA uses ~10x more electricity per person than India does, assume bringing everyone up to USA levels means we'll be around 1% of Sun power. Grow the population from ~8Bn to predicted ~12Bn and we'll be around 1.5%.

                  And then everyone gets "too cheap to meter" fusion power? There is not a /lot/ of headroom there, we surely can't go to outputting as much waste heat again as the planet gets from The Sun - and before you say "solar", you already said "fusion".

                  • mlonkibjuyhv 6 years ago

                    Energy usage will explode! Imagine all the ways to use energy that hasn't been economically viable before. I think the only way that will work out, is if the energy consumption happens off-planet.

                • carlob 6 years ago

                  Pretty sure the difficulty will go up accordingly then

              • drexlspivey 6 years ago

                Luckily there is a mechanism for resource allocation and it is called price. I pay for 1 MWh, you pay for 1MWh and it doesn't matter what we use the energy for.

                If you have an issue with how the energy is generated take it up with your local government.

                • saagarjha 6 years ago

                  Most Bitcoins are mined in places I do not live, since my electricity prices are nowhere near economical to mine in.

                • Barrin92 6 years ago

                  >Luckily there is a mechanism for resource allocation and it is called price

                  I mean we don't really have that in the case of bitcoin, which is predominantly mined in China these days probably precisely because state subsidised energy projects have created a ton of useless energy surplus, on which bitcoin lives.

                  Which is ironic in and of itself, the libertarian currency de jure runs on the misallocated resources of a state planned economy lol.

                  Just imagine if the transactions actually costed as much as their energy consumption suggests and environmental damage priced in.

                  • _lqaf 6 years ago

                    I'm not sure that's ironic. A lot of libertarian types don't seem to mind authoritarians as business partners, they just don't want to live that way.

              • monadic2 6 years ago

                Yea, after reading more I got a sense of the scale.

                Still, I think that's the proper comparison—human processes are the analogue to keeping a blockchain online and mining.

                • cedilla 6 years ago

                  The difference is that there's no mechanism in banking that keeps ramping up the difficulty exponentially.

                  All the energy in bitcoin is not wasted on keeping and organizing that tiny ledger (barely 300 GB of data!), it's wasted on brute forcing hashes, with the energy required ramping up exponentially with interest in bitcoin.

                  As ingenious as bitcoin is, that is a fatal flaw. Using bitcoin is like rolling coal, only worse for the environment.

            • roywiggins 6 years ago

              Fraud departments provide a pretty useful service to consumers. The existing finance system is so much larger than the Bitcoin economy that it's no surprise if they, in total, rival Bitcoin in energy intensity. It processes orders of magnitude more transactions and provides other services that people use that have no Bitcoin equivalents.

              This isn't a defense of the modern financial system, which is arguably a trash fire for plenty of reasons, but of course it's fairly energy intensive. It's massive. If it were replaced entirely by Bitcoin, it would be even more intensive.

        • davidgerard 6 years ago

          Yes, they did! Note that, like you, 0 bitcoiners who have ever raised this objection put a number in.

          * Bitcoin: 0.1% of all electricity, 7 transactions per second.

          * THE ENTIRE REST OF CIVILISATION, FINANCIAL SYSTEM AND ALL: 99.9% of electricity, a heck of a lot more than 6,993 transactions per second.

        • wing-_-nuts 6 years ago

          I personally can't wait until most crypto currencies move to proof of stake over proof of work. I wish the UN would coordinate some sort of global carbon tax initiative. Want to mine crypto? Ok, but you're paying for the co2. No more free rides!

      • jdc 6 years ago

        Do you have a number for us?

  • ss3000 6 years ago

    I love everything about Mullvad except their device limit, which is unfortunately a deal breaker for me. 5 is completely inadequate for my use cases.

    • chmod775 6 years ago

      Mullvad uses the superior way of not having a real account at all - you just get a number you can "deposit" money into.

      It's the only way they can reliably prevent abuse like a thousand people using one number - because this way you can just track the number of open connections per account number.

      This is superior to tracking IP-addresses to detect fraud for obvious privacy reasons. I do a similar thing for a service I run.

      Out of curiosity, how do you even manage to use more than five devices for private use at once? Even just owning that many is unlikely.

      • ss3000 6 years ago

        As much as I appreciate Mullvad's stance around privacy, I don't actually use a VPN for privacy (I use Tor for that), but mostly for bypassing geo-restrictions on my entertainment devices for games and streaming services and whatnot.

        For that use case, I can't justify paying double/triple the price as other providers that offer 2/3x the devices for the same price. The provider I use now, Surfshark, offers unlimited devices for about 1/3 of the price, and also recently started offering WireGuard, it would be financially irresponsible for me to choose Mullvad which would effectively 10x what I'm paying right now for the same number of devices.

        FWIW I understand that their account number mechanism is superior from a privacy perspective, and that there's no way to support unlimited devices while combating fraud using that mechanism. It's just not the right set of tradeoffs for my use case.

      • bzbarsky 6 years ago

        It's easy enough to get to 5 devices, for a family. Especially given the current remote work/schooling situation. Figure 1 laptop or tablet per person (adults and kids) and 1 phone per adult. If you have two kids, that's 6 devices right there. And that's assuming none of the kids are old enough to have phones, none of the adults have separate work/personal laptops, no separate work phones for the adults, etc.

      • jsjohnst 6 years ago

        > Out of curiosity, how do you even manage to use more than five devices for private use at once? Even just owning that many is unlikely.

        I’m not GP and I certainly don’t take GP’s stance about limiting to 5 devices (I think it makes sense), but claiming it’s unlikely that someone owns more than five devices is silly, especially if someone has a family. My non-tech sister’s family of four has two phones, three iPads, two laptops, etc. As another example, I literally own over an order of magnitude more devices than just five devices for private use (yes, I’m an outlier).

        • chmod775 6 years ago

          > but claiming it’s unlikely that someone owns more than five devices is silly

          No I specifically said use, not own. You can own more than 5 devices with your mullvad account number, you just can't be connected on all of them at the same time. Also I wasn't expecting people would share their accounts with their family, which is already questionable.

          • jsjohnst 6 years ago

            > Also I wasn't expecting people would share their accounts with their family, which is already questionable.

            Do families not already share Netflix, iTunes, Spotify, Amazon Prime, etc etc? I’m not sure why it would be such a leap for them to share a VPN, especially if the reason they are using the VPN at all is simply to get around GeoIP restrictions (which I’m not condoning, but obviously many do it).

          • jsjohnst 6 years ago

            > Even just owning that many is unlikely.

            > No I specifically said use, not own.

            These two verbatim quotes from you seem to be in conflict with each other.

            • chmod775 6 years ago

              My question was about using that many devices. And I'll quote myself here fully:

              > Out of curiosity, how do you even manage to use more than five devices for private use at once? Even just owning that many is unlikely.

              One sentence is a question, the other is a statement which I consider to be true (and explains how I arrived at that question).

              Also it was quite clear from my argument that I was talking about people singular, and you responded pretending I was saying that an entire family owning more than 5 devices is unlikely.

              I can't imagine why you'd be arguing like this, I just hope it's not on purpose.

              • jsjohnst 6 years ago

                > I can't imagine why you'd be arguing like this, I just hope it's not on purpose.

                Seriously? OP never said just me and only me uses all five plus devices. I and others gave you multiple examples of how that could be very possible realistically, and then you shift goal posts and say it’s us being argumentative. I’m done, have a good life!

    • unixhero 6 years ago

      Is it not fair that you pay for another subscription if you go beyond 5 devices? They do provide a service with their finite resources. It is not a mega corporation.

    • PascLeRasc 6 years ago

      Does your router run Merlin or DD-WRT? Throw it on there for your whole home and you'll free up some slots.

  • dymax78 6 years ago

    I vehemently agree with your position. It's also worth mentioning (albeit anecdotal) their prompt and verbose support when/if necessary.

donor20 6 years ago

The idea that a linux distribution is going to be using the WINDOWS firewall?? seems a bit crazy to me.

I expect the distributions on WSL to use their own firewall - that's half of the fun of using WSL.

PLEASE don't push fake news like this that results in distributions on WSL having to deal with / modify the Windows firewall - that would be a total nightmare!

  • mehrdadn 6 years ago

    My guess is people are confused because Microsoft has marketed WSL2 as a replacement for WSL1, and it makes sense for WSL1 to go through the Windows firewall, so people assumed WSL2 would behave similarly.

    • fphhotchips 6 years ago

      If nothing else, I now understand that I'm going to have to read up more on how WSL2 actually works, because I found WSL1 to be a really elegant way of running Linux on Windows without having a whole bunch of virtualisation in place, but it sounds like there's more virtualisation now, and also Hyper V networking has previously broken my network stack.

      • dataflow 6 years ago

        tl;dr is WSL2 is just a VM running under Hyper-V. The host is hence Hyper-V, not Windows.

Voline (OP) 6 years ago

We have tested a few other VPN clients from competitors and found that all of them leak in the same way. The way Microsoft has implemented virtual networking for Linux guests makes it very difficult to properly secure them.

  • the8472 6 years ago

    Sometimes that's a feature. At least with VirtualBox I have made the experience that NAT virtual networking leads to significant slowdown on a linux guest compared to bridging one of the host's ethernet adapters. I suspect that's due to windows' firewall software or similar things happening in the host system. It also means one less hop to debug when it comes to network issues.

    I think the question is whether you consider a VM more like another machine in your network that merely happens to run on the same hardware or a part of the host system.

    • rrobukef 6 years ago

      From a firewall POV: Can the host system reliably interact mechanically with the VM? I.e., can the host get root in the VM? If so, a firewall only reduces the attack surface by eliminating the obvious.

  • qz2 6 years ago

    It’s a shit show. Can’t trace packets either via wireshark on the host and tcpdump doesn’t work on the guest. I’ve gone back to virtualbox and eviscerated WSL. Another total waste of my life.

    • muricula 6 years ago

      Were you using WSL 1 or 2? WSL 1 networking didn't work the way I expected, but WSL 2 seems to support proper Linux networking since it's just a Linux VM under the hood.

    • GekkePrutser 6 years ago

      Conceptually this makes sense. It doesn't really run Under windows, it runs beside windows. Unlike WSL1 which was basically part of Windows. It's strange tcpdump doesn't run though as WSL2 is running a real kernel.

      Personally I really liked the resource efficient WSL1 approach and I lament that they dropped it. But I know for some usecases (e.g. docker) a real Linux kernel was needed.

      • muststopmyths 6 years ago

        >It's strange tcpdump doesn't run though as WSL2 is running a real kernel.

        It works just fine. Just tested it

        • qz2 6 years ago

          Try dumping UDP packets from the host to the WSL machine...

          • tw04 6 years ago

            The WSL machine is a Hyper-V VM. Why would you expect the default configuration to be able to sniff traffic from the host operating system? That would be a massive security hole.

            • qz2 6 years ago

              I’m talking about traffic sent to the guest not on the interfaces.

      • rrdharan 6 years ago

        It was theoretically more resource efficient but practically worse and harder to optimize. A state of affairs that VMware has exploited for a couple decades.

    • debian_lover 6 years ago

      Better yet just install linux and if you need windows, use it in a locked down VM

  • mikece 6 years ago

    I would think that anyone who relies on a VPN for safety or is really particularly security conscious (1) isn't using Windows 10, (2) has networking disabled if they are using it, for example, in a VM, and (3) is probably using a dedicated device like a Slate router or pfSense box as their VPN point.

    • jetpackjoe 6 years ago

      With the way these companies advertise, they make it seem like a silver bullet for internet anonymity. Almost every YouTube video I've seen recently seems to have one as a sponsor, and I am sure they are picking up many non-technical customers.

      I don't think users of NordVPN, ExpressVPN, MullvadVPN et al. are as sophisticated as you think.

      • jeroenhd 6 years ago

        The non-technical customers probably aren't running WSL2 either. In fact I think very few of them actually need a VPN. Those who torrent in litigious countries have a benefit from their VPN provider but I doubt most others don't know about the behaviour changes that need to take place to make a VPN effective.

        I think VPNs can be a powerful tool for many people who would normally not be able to find out about their existence, but the predatory nature modern VPN ads have taken is quite sad.

        This leads to some cases of Youtube fan bases angrily calling out shitty VPN ads while the video creators just want to pay their bills, a situation nobody wants.

      • mikece 6 years ago

        The way Express VPN's ad copy reads it seems their own people don't understand the difference between encryption and traffic tunneling (much less encryption in transit versus encryption at rest).

      • GekkePrutser 6 years ago

        If they're not that sophisticated they probably won't use WSL anyway though, so it's not a huge issue in that sense (unless some malware specifically installs WSL2 to get around it).

    • gambiting 6 years ago

      The reason why I route all of my traffic through a VPN is simple - in the UK all ISPs have to keep the history of all your browsing for a year. I want to avoid that. That's it. I just don't like this requirement, especially since lots of agencies can access this data without any kind of warrant - so this is like my own little personal protest against this stupid law. Nothing more complex than that.

      • johnisgood 6 years ago

        "UK-based VPN companies may be subject to the same data retention laws as the country's internet service providers. The UK has also made news in the past as some carriers have blocked certain VPNs. However, the use of VPNs remains legal."

        Not sure how much of it is true. I cannot imagine what would happen to some people there were it to be illegal. I would move out.

        • nybble41 6 years ago

          You can use a VPN that isn't based in your home country. It's much harder to switch to a non-local ISP.

    • munchbunny 6 years ago

      I don't think that's true, plenty of security conscious but not particularly tech savvy people use a VPN with Windows.

      Using WSL2 though... you kind of have to be tech savvy to use it, and those people are probably willing to work around the issue.

    • wutwutwutwut 6 years ago

      Are you saying that you don't think there is anyone on Windows who is using a VPN to hide their pirating activities? If so, you can borrow a needle from me and pop that bubble.

jeroenhd 6 years ago

Potential workaround: is it possible to configure VPN clients to _ignore_ the WSL2 runtime and instead run a VPN client inside WSL2?

That way the Linux network config can deal with the Linux side of things and the Windows network config can deal with the Windows VPN routing.

Of course you can just configure OpenVPN inside WSL2 and also run a VPN on the desktop but that's tunnels in tunnels and that way madness and network issues lies.

  • GekkePrutser 6 years ago

    If I read it correctly that wouldn't be tunnels in tunnels. It would be 2 separate tunnels side by side. Which is not necessarily a bad thing.

    WSL2 is basically a VM and any VM which binds directly to the Adapter (e.g. not NAT mode) will have the same behaviour. In some cases you'd even want it to do this.

    • jeroenhd 6 years ago

      If I read the article correctly, the traffic only leaks when the VPN disconnects or reconnects. This means the default situation would be a tunnel inside a tunnel.

      WSL2's NAT is close to a standard Hyper-V NAT adapter but there's unexpected differences (like the localhost binding) that make it stand out.

  • Digit-Al 6 years ago

    >Of course you can just configure OpenVPN inside WSL2 and also run a VPN on the desktop but that's tunnels in tunnels and that way madness and network issues lies.

    It's tunnels, all the way down :-)

sally1620 6 years ago

This is the exact reason I didn't try running weird VPN configs like this. The reliable way is to run Linux inside a VirtualBox and have it connected to VPN on its own.

Currently, I run Linux on a Xen domU and configure VPN client inside the guest.

PS: I don't want all my traffic to go through VPN. Especially things like Netflix or Youtube where VPNs are blocked (and VPN BW is lower anyway).

  • garethrowlands 6 years ago

    WSL2 _is_ Linux inside a VM that's a peer of Windows. Having it connect to VPN on its own is _exactly_ what you have to do.

    • sally1620 6 years ago

      It is a VM with a lot of hacks. For most tasks it is good but for complicated situations it will get you.

      I used to run Linux VM inside HyperV before WSL2 released, and it worked like a charm. WSL2 just adds a lot of hacks to integrate Windows & Linux experience.

  • adriancr 6 years ago

    You can set up a docker vpn client as well

    • sally1620 6 years ago

      I tried docker. "Always Require VPN" didn't work with docker.

      • adriancr 6 years ago

        I do it like this, can provide scripts if you're interested.

        One docker image with openvpn:

        1. at startup erases all routes except to VPN gateway and 8.8.8.8.

        2. before and after connect it only has routes through VPN (no default ones - if vpn goes down, network goes down until re-established)

        Start it like:

        # ... --name vpn ...

        Another docker image with what I want VPNed gets started with the network of the first

        # ... --net container:vpn ...

        I keep a browser within the second docker image (firefox) and use my main machine to show it. Note: you want to pass '--no-remote' to it and likely split /dev/shm

        It can't really leak since it doesn't have routes to do anything other than through VPN.
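
Added example, not adriancr's scripts and not part of the original comment: a check that a routing table matches the fail-closed layout the comment describes (only tunnel routes plus host routes to the VPN gateway and 8.8.8.8). The interface name `tun0`, the gateway address `203.0.113.10` and all three sample tables are constructed assumptions.

```shell
#!/bin/sh
# Audit a routing table (the text printed by `ip route show`) against a
# fail-closed layout: every route must leave through the tunnel interface,
# except host routes to an explicit allowlist (VPN gateway, one DNS resolver).
#
# usage inside the VPN container:
#   ip -4 route show | audit_routes TUN_IF ALLOWED_HOST...
#   ip -6 route show | audit_routes TUN_IF ALLOWED_HOST...
# Prints each route that lets traffic out beside the tunnel.
# Returns 1 if any such route exists, 0 if the table is fail-closed.
audit_routes() {
    tun_if=$1
    shift
    awk -v tun="$tun_if" -v allowed="$*" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    NF == 0 { next }
    # blackhole/unreachable/prohibit routes drop traffic, so they fail closed.
    $1 ~ /^(blackhole|unreachable|prohibit)$/ { next }
    {
        dst = $1
        dev = ""
        for (i = 2; i < NF; i++) if ($i == "dev") dev = $(i + 1)
        sub(/\/(32|128)$/, "", dst)      # treat 8.8.8.8/32 like 8.8.8.8
        if (dev == tun) next             # carried inside the tunnel
        if (dst in ok) next              # allowlisted host route
        print "OFF-TUNNEL: " $0
        bad = 1
    }
    END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: a stock Docker container before any routes are pruned.
ROUTES_STOCK='default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2'

# Constructed sample: routes pruned and OpenVPN connected. The two /1 routes
# cover the whole IPv4 space through the tunnel without a "default" entry.
ROUTES_PRUNED='8.8.8.8 via 172.17.0.1 dev eth0
203.0.113.10 via 172.17.0.1 dev eth0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2'

# Constructed sample: tunnel down and a default route has been re-added.
ROUTES_REGRESSED='default via 172.17.0.1 dev eth0
8.8.8.8 via 172.17.0.1 dev eth0
203.0.113.10 via 172.17.0.1 dev eth0'

# Run the audit over one sample table with the constructed allowlist.
check_sample() {
    printf '%s\n' "$1" | audit_routes tun0 203.0.113.10 8.8.8.8
}

for name in STOCK PRUNED REGRESSED; do
    eval "table=\$ROUTES_$name"
    if check_sample "$table"; then
        echo "$name: fail-closed"
    else
        echo "$name: traffic can bypass the tunnel"
    fi
done
```

A table that passes while the tunnel is down simply has no connectivity, which is the behaviour the comment is after.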

dagaci 6 years ago

Let me get this right: Installing WSL2 causes HyperV to be installed. When Hyper-V is installed, HyperV replaces Windows as the Machine Host. Therefore Windows itself becomes a guest OS of Hyper-V, and the installed Linux also becomes a guest of HyperV.

So what mullvad would prefer is for Linux traffic to be routed through the adjacent Windows Guest by default, so that the windows software can control the Linux network traffic.

I think a better solution would be to explore creating a VPN solution for HyperV OS itself if possible...

stefan_ 6 years ago

If you run your VPN tunnel on the same machine that is emitting your super-serious must-be-tunneled traffic, you are always just one configuration mishap or even software exploit (if you happen to be a Firefox Tor browser user) away from revealing your real connection.

kodablah 6 years ago

I have noticed similar simply because the Cisco AnyConnect client doesn't work with WSL2 and is a known issue [0]. But that seemed to be blocking traffic instead of just allowing all traffic over non-VPN. However, openconnect does work fine as does the UWP-based AnyConnect client. I wonder how those latter two are successful tunneling traffic (or if it's only if they are started before the wsl2 vm is).

0 - https://github.com/microsoft/WSL/issues/4277

  • filmgirlcw 6 years ago

    Yeah, there are some issues with some corporate VPNs and WSL2 right now (disclosure: I work at Microsoft but not on WSL2 but I’ve been in touch with that team regarding some of the issues) that are actively being worked on.

    I think that’s a bit different than this, though it’s possibly related. As you said, the situation there is traffic is blocked.

    WSL and WSL2 are fundamentally different in how they work. In fact, the poor I/O performance (caused in part by Windows Defender) in WSL is part of what led to the Hyper-V based approach to begin with.

    My guess is that something might need to change either in the way VPNs use the firewall rules in Windows when passing on to WSL2 or in WSL2 to make for more granular control over how that stuff is passed on - to address the Mullvad. Because as it stands now, the way Mullvad performs under WSL2 seems to be by design (by WSL2 design, if not Mullvad’s design).

    Obviously, many users who enable a VPN in Windows will want that connection to persist when they use WSL2 — but I can also think of plenty of scenarios where that might not be the case, which I imagine makes coming up with a solution more difficult.

    I will say, the WSL2 team is incredibly responsive to feedback. You can file issues on GitHub and the team is very active on Twitter. If this is something that can be fixed on the WSL2 side, I feel confident the team will work to do it.

  • mdoms 6 years ago

    > But that seemed to be blocking traffic instead of just allowing all traffic over non-VPN

    Not what's happening here (despite the title).

ani-ani 6 years ago

This is due to Hyper-V, which is being rolled out on Windows 10 and required for WSL2. The OS is now running as a VM, and virtualized programs like WSL2 are running alongside - these VMs can't control each other's traffic. It's interesting that a feature meant to improve sandboxing actually makes firewalling and VPN more difficult, in its current state. I think the proper fix is at the Hyper-V level, which might need to explicitly manage firewall and VPN features.

  • Rapzid 6 years ago

    Windows 10 can control the Linux VM's traffic because it can control Hyper-V.

    • pjmlp 6 years ago

      Nope, it can request Hyper-V to do stuff, just like any other guest.

Bedon292 6 years ago

Docker on Windows can run on WSL2 backend as well. So I assume this would also apply to Docker traffic too.

Other interesting note, Docker Windows does some funky stuff with firewalls too. It puts an any/any exception in the firewall when you install it [1]. So may also be important to know with VPN stuff.

[1] https://twitter.com/richturn_ms/status/1270766764356366336

  • yjftsjthsd-h 6 years ago

    > Other interesting note, Docker Windows does some funky stuff with firewalls too. It puts an any/any exception in the firewall when you install it

    It does something similar on Linux, actually. Huge pain when trying to firewall servers only to discover that Docker happily bypasses all of your rules.

wanderr 6 years ago

Related issue with some workarounds that people are reporting various levels of success with: https://github.com/microsoft/WSL/issues/5068

j0057 6 years ago

Strange then that the WSL2 guest gets a RFC1918 private address, because that would imply that the host is NATing traffic to and from the guest. However that does not happen through the ordinary Hyper-V NAT routing machinery -- at least Get-NetNat shows nothing in Powershell and in fact multiple people have reported broken WSL2 networking because they had leftover NAT rules from old Hyper-V VM's. It would help to have some conceptual documentation here about what WSL2 is doing.

Animats 6 years ago

Why would someone run a VPN client on Linux under Windows, anyway, as opposed to just running it on Windows?

  • Bedon292 6 years ago

    They are running it on Windows. It attempts to deny all outbound traffic if the VPN is not connected, but the WSL2 traffic does not follow that rule and gets out anyways.

maple3142 6 years ago

A little bit off-topic, but I have a problem with WSL2 and Wireguard for Windows. When I enable Wireguard for Windows, WSL2's default DNS server will stop working, but directly setting dns server to 8.8.8.8, 1.1.1.1 or something similar works.

xnyan 6 years ago

I can’t re-create the issue with the mullvad client, or on my work-issued laptop with the Cisco Any-Connect VPN. Everything is dropped the second the VPN goes up.

darumderum 6 years ago

As I can bypass Kaspersky SSL interception for basically the same reason, I see this as a win and hope it won't change

crb002 6 years ago

Is there a wireshark config for WSL2 so you can browse traffic? eBPF support in WSL2 sufficient?

agustif 6 years ago

I can't even get mine to work or install at my work machine...

siproprio 6 years ago

WSL 2 also leaks memory, by default it consumes up to 4GB. It's awful.

AcerbicZero 6 years ago

"WSL2 uses Hyper-V virtual networking and therein lies the problem"

Pretty much sums it up.

shmerl 6 years ago

Using WSL should be a very last resort anyway. Just use Linux straight on your hardware if you have a choice and ditch Windows.

  • Bedon292 6 years ago

    WSL is actually really good. To me, it gives you the best of both worlds. Linux for dev stuff, Windows for GUI and games. And it's actual Linux, so I am dev'ing a little closer to prod than those on Macs. But that's less of a factor now everything is in Docker and we are all using the same containers. I also feel I have a superior Docker (runs on WSL2) experience to them, better interface and much better battery life. It's of course all personal opinion, but I have no desire or need to move off Windows.

    • frenchyatwork 6 years ago

      That's really over-selling it. WSL is okay. It's better than the previous monstrosities, but that's not saying much. You can't run VS Code in WSL, it literally has code to prevent you from doing that, even if you have a functioning X Server (which is a jolly pain to set up).

      • filmgirlcw 6 years ago

        (Disclosure: I work at Microsoft but not on WSL2. I’m just a huge fan and I say that as a dedicated/devout Mac user)

        Two things:

        First, GUI support is coming [1] and the team is working to support both X11 and Wayland [2].

        Second, the Remote Development Extension for VS Code [3] lets you do this seamlessly. It auto-configs to work with WSL or WSL2 and can also connect to a container or remote machine or GitHub Codespaces codespace. It’s awesome and all of your files, your terminal, everything is mapped to WSL2, with all the GUI parts from Windows. It’s one of my favorite things.

        I’m not trying to convince people that WSL2 is the end-all be-all, even though I’m an unabashed fan, but I just want to correct the record a bit (regarding VS Code) and share that X11/Wayland GUI support is coming

        [1]: https://devblogs.microsoft.com/commandline/whats-new-in-the-...
        [2]: https://youtu.be/b2mnbyRgXkY
        [3]: https://code.visualstudio.com/docs/remote/remote-overview

      • Bedon292 6 years ago

        Why do you want to run VSCode from inside WSL?

        The Windows version can be fully integrated with WSL. Windows handles the GUI, Linux handles the CLI and all that. [1]

        I have not found any need that it does not meet this way, but as I mentioned in another comment, I have a very narrow focus. So would not be surprised if I was missing something.

        [1] https://marketplace.visualstudio.com/items?itemName=ms-vscod...

    • garethrowlands 6 years ago

      One reason to move off of Windows would be running graphical Linux apps. But that'll change soon.

      • Bedon292 6 years ago

        Yeah, I do have a narrow focus though and don't use any Linux GUI apps. It's been a while, but if you run an X11 Server on Windows you can make many things work, though definitely not all of them. And I know it's getting better. I tend to live in VSCode though, and that natively works with WSL under the hood.

        Probably going to check out this for GUI stuff again soon: https://github.com/cascadium/wsl-windows-toolbar-launcher

      • shmerl 6 years ago

        If you are playing games on Linux, WSL doesn't help anything for sure, it only adds overhead.

        • cdash 6 years ago

          Why would you ever play games on WSL when you already are on the superior platform for playing games...

        • filmgirlcw 6 years ago

          But legit question, why would you want to play a game in Linux and not in Windows?

          I’m not even being rhetorical, I’m genuinely curious if there are games with significantly better performance under Linux (and I’m assuming we would have to be talking about using an AMD card so I’m also curious if that performance under Linux is better than an Nvidia card under either OS), because maybe there are and I’m just totally unaware.

          • shmerl 6 years ago

            Because Linux is my OS of preference in general, so I play games on it as well.

            But it's good to clarify a few things to avoid confusion:

            1. You can use Nvidia on Linux, including for gaming. Nvidia's problems are related to lack of support for modern features (Wayland use cases and so on) caused by the fact that their blob driver is not upstreamed. But it's usable otherwise.

            2. AMD drivers are open source and upstreamed, that's why it's a common preference for Linux gamers. Performance of AMD is very good on Linux (amdgpu, radeonsi, radv/aco and etc. all provide very good performance). That stereotype that "Nvidia drivers are faster" has been false for quite a while already. When comparing same classes of cards, AMD is totally on par with Nvidia if not better.

            3. Besides native games, you can play many Windows only games using Wine + dxvk / vkd3d, Proton and etc. Performance in such cases usually is slightly lower than on Windows, but not significantly. The only problems now remain mostly with intrusive, rootkit styled "anti-cheats" that don't work in Wine, but I personally wouldn't even touch such games, so that doesn't bother me.

            To sum up - using Linux for gaming is totally doable, as long as you want to use Linux in the first place and don't want to use Windows.

            • filmgirlcw 6 years ago

              To clarify, I’m aware you can use Nvidia on Linux. This was phrased this way because the driver issues you mention impact performance of games under Linux.

              And again, I understand Linux is your chosen OS — I’m happy you’re so happy. My question was why a person who is using WSL2 would want to run a game in Linux instead of inside Windows. I understand you can game in Linux. That’s not the question. The question is why would a person run a game inside Linux, which is running side-by-side Windows, run the game in that subsystem instead of just using Linux.

              I didn’t know if there was a place where a game would get better performance in Linux, making that a better target.

              I just don’t understand the criticism of doing something inside a subsystem that could be done just as well/better outside the subsystem. If you don’t want to use WSL2 or Windows or macOS or anything else, that’s fine. But for people who DO choose to use it, I don’t understand why “games inside Linux are slower inside of it” makes much sense.

              • shmerl 6 years ago

                The argument before was "WSL2 will become good for graphical applications" (which also means games). So I answered, that if you want to run games on Linux, you can as well do it straight on Linux running on your hardware without intermediaries. I.e. it wasn't about running games on Windows.

    • shmerl 6 years ago

      Personally I don't see any benefit that WSL can offer that regular Linux can't. But I don't have any interest in Windows, so your case might differ.

      • Bedon292 6 years ago

        Yeah, I have a few things that keep me in Windows. The primary users of the apps I work on are all on Windows, so having a Windows box around tends to be useful to check everything is good.

        ArcGIS - Windows only, has enough issues as it is, virtualizing it doesn't tend to go well. Though you can do something like VMWare Fusion mostly successfully.

        MS Office - Yes there are alternatives, but we still operate primarily in Office, and the alternatives are not perfectly compatible. Especially when collaborating with other companies it's important. Teams / O365 are certainly getting better, but still not there yet.

        Steam - Although that is certainly getting better on Linux as well. And my gaming time is pretty limited these days.

        • shmerl 6 years ago

          If they can't work in Wine, you can always run the outliers in Windows VM on Linux, instead of doing the reverse :)

          • LaGrange 6 years ago

            WSL2 is by far superior to running Windows in a VM, mostly because it's not "just" Linux in VM.

            And anyway, just the way it lets me manage multiple instances of Linux is far superior to anything I experienced on Mac or Linux itself. By the current standards, Wine is just _painful_ to use. Meanwhile Windows window management and the terminal app have made great strides in last couple years.

            • shmerl 6 years ago

              WSL2 still can't be superior to Linux proper even if it's not just Linux in VM (which it mostly is, just with specific integration with Windows). There is still hypervisor involved no matter how you slice it.

              So if you do need to run something that's Windows only but can work in Wine, I'd totally recommend running using Wine and ditching Windows for good. For me it's a benefit, not a hindrance.

              And you can run multiple VMs on Linux too if you need actual Windows still (KVM, virt-manager and etc. are quite handy).

  • Jonnax 6 years ago

    Why? In my opinion Linux desktop environments are terrible compared to Windows.

    How's the display scaling these days? Is it still a better experience to run a 4k monitor at a lower resolution? What's the Nvidia driver situation? Still janky because their drivers are doing their own thing?

    • marcan_42 6 years ago

      I just switched to a 4K monitor last week. Set display scaling to 1.5x in the KDE settings, logged in again, and everything looks great and scales cleanly. I haven't noticed any weird artifacts or bizarre UIs yet. It just works.

      Except Spotify, that needs a command line flag to set the scale factor, but that app is well known to be half-assed on Linux (they also don't support input methods, so searching for Japanese songs is a copy and paste exercise) and that's not Linux's fault.

      AIUI the nvidia drivers are a lot better these days, but most Linux users, myself included, know to stay away from nvidia unless you have very good reasons not to. AMD cards work beautifully.

    • ncmncm 6 years ago

      So, in your opinion, but with ancient information? What is that opinion supposed to be worth?

    • johnisgood 6 years ago

      I have not experienced any NVIDIA driver related issues for over a decade. I cannot comment on the rest.

      I think there are great desktop environments and window managers for Linux.

    • shmerl 6 years ago

      Because in my opinion Windows is terrible :) For many reasons.

      Linux users don't use Nvidia if they are interested in the modern desktop use case. That's a well known factor. If someone migrates to Linux using Nvidia, chances are high they'll change it to AMD on the next GPU upgrade.

      • filmgirlcw 6 years ago

        > Linux users don't use Nvidia if they are interested in the modern desktop use case.

        Which rules out anyone who wants to game or do CUDA stuff.

        Everyone is welcome to their own opinions and preferences, but if you ask me, if the response to a request to use the most powerful/performant graphics cards is to switch to AMD (and AMD has some good cards but Nvidia’s are better and OpenCL can’t compete with CUDA when it comes to any machine learning work), well, that’s part of why Linux’s modern desktop adoption is still so small.

        If the only option is to use an AMD GPU, you might as well just get a Mac and use actual UNIX.

        And honestly, to each their own! But you asked why anyone would use WSL2 and you’ve got a good answer: they want to be able to take advantage of their chosen hardware and access the various Linux tools.

        • shmerl 6 years ago

          I didn't see an answer that explains how WSL is better than Linux proper, at least not in case when you don't care about Windows itself.

          AMD is fine for gaming, I'm using 5700XT on Linux for playing games. And AMD will match Nvidia higher end cards next month. So I don't see any reason to use Nvidia for that.

          WSL offers nothing for gaming or similar use cases that regular Linux can't. If you need to use CUDA with Nvidia hardware, you can do it on Linux proper just fine, you don't need WSL for it - Nvidia provide support.

          • filmgirlcw 6 years ago

            Yes, I’m aware that Nvidia supports Linux for CUDA. Linux is a very popular headless environment for this reason.

            I was responding to your response that Nvidia drivers for HiDPi and other display issues are subpar with “well, everyone who is serious about using Linux on the desktop uses AMD.”

            First, that’s not true (as evidenced by the many people who do CUDA workloads in Linux). Second, my overarching point is that it strikes me as being really dismissive to say “well just don’t use the hardware you like/want/need if you want a good Linux on the desktop experience.”

            • shmerl 6 years ago

              Nvidia's problems are holding the progress of Linux desktop back, so I totally recommend avoiding it for anyone who is using Linux already for that reason alone (besides various other reasons). But it is usable, just your use cases will be more limited. Performance when it works is OK.

  • crb002 6 years ago

    WSL2 gave my Windows10 laptop new life. Sound drivers etc just work - WSL2 scales RAM/CPU with your workload. Have Kali Kex gui, AmazonLinux 2 terminal, Ubuntu 20 terminal side by side all doing their thing.

  • maple3142 6 years ago

    I use WSL just because I can have the best in both worlds, development environment in Linux and GUI, Gaming in Windows. No need to dual boot.

  • nikisweeting 6 years ago

    It's getting better all the time though, and it's way better than nothing when you don't have a choice.

  • Enginerrrd 6 years ago

    Yeah I've never understood the use case there exactly....

    • shmerl 6 years ago

      One use case MS thought of was to give excuse to lazy corporate IT not to support Linux on the desktop, to prevent Windows usage dropping among developers. I think that was their main intent.
