[HN Gopher] Linux under WSL2 can be leaking
___________________________________________________________________
Linux under WSL2 can be leaking
Author : Voline
Score  : 232 points
Date   : 2020-09-30 17:48 UTC (5 hours ago)
(HTM) web link (mullvad.net)
(TXT) w3m dump (mullvad.net)
| kodablah wrote:
| I have noticed similar simply because the Cisco AnyConnect client doesn't work with WSL2 and is a known issue [0]. But that seemed to be blocking traffic instead of just allowing all traffic over non-VPN. However, openconnect does work fine as does the UWP-based AnyConnect client. I wonder how those latter two are successfully tunneling traffic (or if it's only if they are started before the wsl2 vm is).
|
| 0 - https://github.com/microsoft/WSL/issues/4277
| filmgirlcw wrote:
| Yeah, there are some issues with some corporate VPNs and WSL2 right now (disclosure: I work at Microsoft but not on WSL2, but I've been in touch with that team regarding some of the issues) that are actively being worked on.
|
| I think that's a bit different than this, though it's possibly related. As you said, the situation there is traffic is blocked.
|
| WSL and WSL2 are fundamentally different in how they work. In fact, the poor I/O performance (caused in part by Windows Defender) in WSL is part of what led to the Hyper-V based approach to begin with.
|
| My guess is that something might need to change either in the way VPNs use the firewall rules in Windows when passing on to WSL2 or in WSL2 to make for more granular control over how that stuff is passed on - to address the Mullvad issue. Because as it stands now, the way Mullvad performs under WSL2 seems to be by design (by WSL2 design, if not Mullvad's design).
|
| Obviously, many users who enable a VPN in Windows will want that connection to persist when they use WSL2 -- but I can also think of plenty of scenarios where that might not be the case, which I imagine makes coming up with a solution more difficult.
|
| I will say, the WSL2 team is incredibly responsive to feedback. You can file issues on GitHub and the team is very active on Twitter. If this is something that can be fixed on the WSL2 side, I feel confident the team will work to do it.
| mdoms wrote:
| > But that seemed to be blocking traffic instead of just allowing all traffic over non-VPN
|
| Not what's happening here (despite the title).
| shmerl wrote:
| Using WSL should be a very last resort anyway. Just use Linux straight on your hardware if you have a choice and ditch Windows.
| Jonnax wrote:
| Why? In my opinion Linux desktop environments are terrible compared to Windows.
|
| How's the display scaling these days? Is it still a better experience to run a 4k monitor at a lower resolution? What's the Nvidia driver situation? Still janky because their drivers are doing their own thing?
| shmerl wrote:
| Because in my opinion Windows is terrible :) For many reasons.
|
| Linux users don't use Nvidia if they are interested in the modern desktop use case. That's a well known factor. If someone migrates to Linux using Nvidia, chances are high they'll change it to AMD on the next GPU upgrade.
| filmgirlcw wrote:
| > Linux users don't use Nvidia if they are interested in the modern desktop use case.
|
| Which rules out anyone who wants to game or do CUDA stuff.
|
| Everyone is welcome to their own opinions and preferences, but if you ask me, if the response to a request to use the most powerful/performant graphics cards is to switch to AMD (and AMD has some good cards but Nvidia's are better and OpenCL can't compete with CUDA when it comes to any machine learning work), well, that's part of why Linux's modern desktop adoption is still so small.
|
| If the only option is to use an AMD GPU, you might as well just get a Mac and use actual UNIX.
|
| And honestly, to each their own! But you asked why anyone would use WSL2 and you've got a good answer: they want to be able to take advantage of their chosen hardware _and_ access the various Linux tools.
| shmerl wrote:
| I didn't see an answer that explains how WSL is better than Linux proper, at least not in the case when you don't care about Windows itself.
|
| AMD is fine for gaming, I'm using a 5700XT on Linux for playing games. And AMD will match Nvidia higher end cards next month. So I don't see any reason to use Nvidia for that.
|
| WSL offers nothing for gaming or similar use cases that regular Linux can't. If you need to use CUDA with Nvidia hardware, you can do it on Linux proper just fine, you don't need WSL for it - Nvidia provide support.
| marcan_42 wrote:
| I just switched to a 4K monitor last week. Set display scaling to 1.5x in the KDE settings, logged in again, and everything looks great and scales cleanly. I haven't noticed any weird artifacts or bizarre UIs yet. It just works.
|
| Except Spotify, that needs a command line flag to set the scale factor, but that app is well known to be half-assed on Linux (they also don't support input methods, so searching for Japanese songs is a copy and paste exercise) and that's not Linux's fault.
|
| AIUI the nvidia drivers are a lot better these days, but most Linux users, myself included, know to stay away from nvidia unless you have very good reasons not to.
| AMD cards work beautifully.
| totony wrote:
| If you have different DPI needs, xorg has a lot of difficulty with it. Works on Windows.
|
| Wayland doesn't work on nvidia and is missing some features too. Linux desktop sucks.
| johnisgood wrote:
| I have not experienced any NVIDIA driver related issues for over a decade. I cannot comment on the rest.
|
| I think there are great desktop environments and window managers for Linux.
| debian_lover wrote:
| This. WSL is like supergluing a BMW motor to the hood of a burned out 1999 Honda Civic. It's still going to run like garbage no matter how much lipstick you put on that pig.
| crb002 wrote:
| WSL2 gave my Windows10 laptop new life. Sound drivers etc just work - WSL2 scales RAM/CPU with your workload. Have Kali Kex gui, AmazonLinux 2 terminal, Ubuntu 20 terminal side by side all doing their thing.
| [deleted]
| Enginerrrd wrote:
| Yeah I've never understood the use case there exactly....
| shmerl wrote:
| One use case MS thought of was to give an excuse to lazy corporate IT not to support Linux on the desktop, to prevent Windows usage dropping among developers. I think that was their main intent.
| nikisweeting wrote:
| It's getting better all the time though, and it's way better than nothing when you don't have a choice.
| Bedon292 wrote:
| WSL is actually really good. To me, it gives you the best of both worlds. Linux for dev stuff, Windows for GUI and games. And it's actual Linux, so I am dev'ing a little closer to prod than those on Macs. But that's less of a factor now everything is in Docker and we are all using the same containers. I also feel I have a superior Docker (runs on WSL2) experience to them, better interface and much better battery life. It's of course all personal opinion, but I have no desire or need to move off Windows.
| garethrowlands wrote:
| One reason to move off of Windows would be running graphical Linux apps. But that'll change soon.
| shmerl wrote:
| If you are playing games on Linux, WSL doesn't help anything for sure, it only adds overhead.
| filmgirlcw wrote:
| But legit question, why would you want to play a game in Linux and not in Windows?
|
| I'm not even being rhetorical, I'm genuinely curious if there are games with significantly better performance under Linux (and I'm assuming we would have to be talking about using an AMD card so I'm also curious if that performance under Linux is better than an Nvidia card under either OS), because maybe there are and I'm just totally unaware.
| shmerl wrote:
| Because Linux is my OS of preference in general, so I play games on it as well.
|
| But it's good to clarify a few things to avoid confusion:
|
| 1. You can use Nvidia on Linux, including for gaming. Nvidia's problems are related to lack of support for modern features (Wayland and so on) caused by the fact that their blob driver is not upstreamed. But it's usable otherwise.
|
| 2. AMD drivers are open source and upstreamed, that's why it's a common preference for Linux gamers. Performance of AMD is very good on Linux (amdgpu, radeonsi, radv/aco etc. all provide very good performance). That stereotype that "Nvidia drivers are faster" has been false for quite some time already.
|
| 3. You can play many Windows only games using Wine + dxvk / vkd3d etc. Performance is slightly lower than on Windows, but not significantly. The only problems now remain mostly with intrusive, rootkit styled "anti-cheats" that don't work in Wine, but I personally wouldn't even touch such games.
|
| To sum up - using Linux for gaming is totally doable, as long as you want to use Linux in the first place and don't want to use Windows.
| cdash wrote:
| Why would you ever play games on WSL when you already are on the superior platform for playing games...
| Bedon292 wrote:
| Yeah, I do have a narrow focus though and don't use any Linux GUI apps.
| It's been a while, but if you run an X11 Server on Windows you can make many things work, though definitely not all of them. And I know it's getting better. I tend to live in VSCode though, and that natively works with WSL under the hood.
|
| Probably going to check out this for GUI stuff again soon: https://github.com/cascadium/wsl-windows-toolbar-launcher
| shmerl wrote:
| Personally I don't see any benefit that WSL can offer that regular Linux can't. But I don't have any interest in Windows, so your case might differ.
| Bedon292 wrote:
| Yeah, I have a few things that keep me in Windows. The primary users of the apps I work on are all on Windows, so having a Windows box around tends to be useful to check everything is good.
|
| ArcGIS - Windows only, has enough issues as it is, virtualizing it doesn't tend to go well. Though you can do something like VMWare Fusion mostly successfully.
|
| MS Office - Yes there are alternatives, but we still operate primarily in Office, and the alternatives are not perfectly compatible. Especially when collaborating with other companies it's important. Teams / O365 are certainly getting better, but still not there yet.
|
| Steam - Although that is certainly getting better on Linux as well. And my gaming time is pretty limited these days.
| shmerl wrote:
| If they can't work in Wine, you can always run the outliers in a Windows VM on Linux, instead of doing the reverse :)
| frenchyatwork wrote:
| That's really over-selling it. WSL is okay. It's better than the previous monstrosities, but that's not saying much. You can't run VS Code in WSL, it literally has code to prevent you from doing that, even if you have a functioning X Server (which is a jolly pain to set up).
| Bedon292 wrote:
| Why do you want to run VSCode from inside WSL?
|
| The Windows version can be fully integrated with WSL. Windows handles the GUI, Linux handles the CLI and all that.
| [1]
|
| I have not found any need that it does not meet this way, but as I mentioned in another comment, I have a very narrow focus. So would not be surprised if I was missing something.
|
| [1] https://marketplace.visualstudio.com/items?itemName=ms-vscod...
| filmgirlcw wrote:
| (Disclosure: I work at Microsoft but not on WSL2. I'm just a huge fan and I say that as a dedicated/devout Mac user)
|
| Two things:
|
| First, GUI support is coming [1] and the team is working to support both X11 and Wayland [2].
|
| Second, the Remote Development Extension for VS Code [3] lets you do this seamlessly. It auto-configs to work with WSL or WSL2 and can also connect to a container or remote machine or GitHub Codespaces codespace. It's awesome and all of your files, your terminal, everything is mapped to WSL2, with all the GUI parts from Windows. It's one of my favorite things.
|
| I'm not trying to convince people that WSL2 is the end-all be-all, even though I'm an unabashed fan, but I just want to correct the record a bit (regarding VS Code) and share that X11/Wayland GUI support is coming.
|
| [1]: https://devblogs.microsoft.com/commandline/whats-new-in-the-...
| [2]: https://youtu.be/b2mnbyRgXkY
| [3]: https://code.visualstudio.com/docs/remote/remote-overview
| crb002 wrote:
| Is there a wireshark config for WSL2 so you can browse traffic? eBPF support in WSL2 sufficient?
| debian_lover wrote:
| Is anyone really surprised by this? If you want security then you don't use Windows. Windows Subsystem for Linux is a joke. Just install Linux like everyone else.
| AcerbicZero wrote:
| "WSL2 uses Hyper-V virtual networking and therein lies the problem"
|
| Pretty much sums it up.
| wing-_-nuts wrote:
| A bit off topic, but this sort of transparency is why I don't mind paying $6 / mo for a vpn when mullvad's competitors are much cheaper.
| Their WireGuard support is great, and their speeds are much faster than what I got through OpenVPN on PIA.
| [deleted]
| ss3000 wrote:
| I love everything about Mullvad except their device limit, which is unfortunately a deal breaker for me. 5 is completely inadequate for my use cases.
| chmod775 wrote:
| Mullvad uses the superior way of not having a real account at all - you just get a number you can "deposit" money into.
|
| It's the only way they can reliably prevent abuse like a thousand people using one number - because this way you can just track the number of open connections per account number.
|
| This is superior to tracking IP-addresses to detect fraud for obvious privacy reasons. I do a similar thing for a service I run.
|
| Out of curiosity, how do you even manage to _use_ more than five devices for private use at once? Even just owning that many is unlikely.
| jsjohnst wrote:
| > Out of curiosity, how do you even manage to use more than five devices for private use at once? Even just owning that many is unlikely.
|
| I'm not GP and I certainly don't take GP's stance about limiting to 5 devices (I think it makes sense), but claiming it's unlikely that someone owns more than five devices is silly, especially if someone has a family. My non-tech sister's family of four has two phones, three iPads, two laptops, etc. As another example, I literally own over an order of magnitude more devices than just five devices for private use (yes, I'm an outlier).
| ss3000 wrote:
| As much as I appreciate Mullvad's stance around privacy, I don't actually use a VPN for privacy (I use Tor for that), but mostly for bypassing geo-restrictions on my entertainment devices for games and streaming services and whatnot.
|
| For that use case, I can't justify paying double/triple the price as other providers that offer 2/3x the devices for the same price.
| The provider I use now, Surfshark, offers unlimited devices for about 1/3 of the price, and also recently started offering WireGuard; it would be financially irresponsible for me to choose Mullvad, which would effectively 10x what I'm paying right now for the same number of devices.
|
| FWIW I understand that their account number mechanism is superior from a privacy perspective, and that there's no way to support unlimited devices while combating fraud using that mechanism. It's just not the right set of tradeoffs for my use case.
| unixhero wrote:
| Is it not fair that you pay for another subscription if you go beyond 5 devices? They do provide a service with their finite resources. It's not a mega corporation.
| logical_person wrote:
| very strange shilling considering mullvad doesn't know how the windows networking stack works and this bug exposes them as such. edit: to be clear, it's the responsibility of a VPN provider to fully understand the platform they're selling a VPN solution for. the fact that virtual machines on windows do not use the host's NDIS stack/firewall is well-known.
| jefftk wrote:
| Speaking positively of a company is not in itself shilling.
| dymax78 wrote:
| I vehemently agree with your position. It's also worth mentioning (albeit anecdotal) their prompt and verbose support when/if necessary.
| Aaronstotle wrote:
| Also a huge fan of paying with BTC and their use of account ids instead of emails, wish they would accept XMR also.
| speedgoose wrote:
| Did you consider the average pollution of bitcoin transactions?
| smartbit wrote:
| Good question.
|
| OTOH, did anyone ever consider the average pollution of the banking system? 10,000s of banks, 200+ central banks, BIS, IMF, ECB, etc, etc. Millions of employees, millions of desktops & servers, day-in-day out. Anyone with a link to a guesstimate?
| roywiggins wrote:
| There's no way that a single $6 credit card transaction uses as much energy as sending $6 worth of bitcoin, which is the relevant measure.
| monadic2 wrote:
| Yea but a whole fraud department of humans emits a ton of carbon. There's no way the banking and finance industry doesn't compete emissions wise with bitcoin.
| roywiggins wrote:
| Fraud departments provide a pretty useful service to consumers. The existing finance system is _so much larger_ than the Bitcoin economy that it's no surprise if they, in total, rival Bitcoin in energy intensity. It processes orders of magnitude more transactions and provides other services that people use that have no Bitcoin equivalents.
|
| This isn't a defense of the modern financial system, which is arguably a trash fire for plenty of reasons, but _of course_ it's fairly energy intensive. It's _massive_. If it were replaced entirely by Bitcoin, it would be even more intensive.
| [deleted]
| [deleted]
| Barrin92 wrote:
| > There's no way the banking and finance industry doesn't compete emissions wise with bitcoin
|
| not on a per transaction basis, which is the only relevant measure because the banking system supports a lot more people than bitcoin does.
|
| A single bitcoin transaction uses 610.20 kWh right now, which is comparable to the energy consumption of an average US household over 20 days.[1]
|
| Also for a comparison of scope, Tenpay, Tencent's payment service, processes about 1.2 billion transactions per day, Bitcoin does about 300k. If all financial transactions conducted in China alone would consume the amount of energy that a bitcoin transaction does, it would roughly eclipse the energy the country consumes in a year, in one day.
|
| [1] https://digiconomist.net/bitcoin-energy-consumption/
| monadic2 wrote:
| Yea, after reading more I got a sense of the scale.
|
| Still, I think that's the proper comparison--human processes are the analogue to keeping a blockchain online and mining.
| cedilla wrote:
| The difference is that there's no mechanism in banking that keeps ramping up the difficulty exponentially.
|
| All the energy in bitcoin is not wasted on keeping and organizing that tiny ledger (barely 300 GB of data!), it's wasted on brute forcing hashes, with the energy required ramping up exponentially with interest in bitcoin.
|
| As ingenious as bitcoin is, that is a fatal flaw. Using bitcoin is like rolling coal, only worse for the environment.
| drexlspivey wrote:
| Luckily there is a mechanism for resource allocation and it is called price. I pay for 1 MWh, you pay for 1 MWh and it doesn't matter what we use the energy for.
|
| If you have an issue with how the energy is generated take it up with your local government.
| saagarjha wrote:
| Most Bitcoins are mined in places I do not live, since my electricity prices are nowhere near economical to mine in.
| johnisgood wrote:
| I cannot wait for nuclear fusion to finally be here so people will stop worrying about the electricity consumption, and high consumption will not mean pollution or whatever.
| carlob wrote:
| Pretty sure the difficulty will go up accordingly then
| jodrellblank wrote:
| All the electricity we generate becomes waste heat in the atmosphere. Global energy use is currently ~0.1% of Sun power hitting the Earth. USA uses ~10x more electricity per person than India does, assume bringing everyone up to USA levels means we'll be around 1% of Sun power. Grow the population from ~8Bn to predicted ~12Bn and we'll be around 1.5%.
|
| And then everyone gets "too cheap to meter" fusion power? There is not a /lot/ of headroom there, we surely can't go to outputting as much waste heat again as the planet gets from The Sun - and before you say "solar", you already said "fusion".
| foepys wrote:
| The Bitcoin network allegedly uses the same amount of energy as the whole country of Denmark. This includes heavy industries like aluminum smelting that more or less use as much power as they are allowed to.
|
| A Bitcoin transaction uses about 1,005 kWh, while 100,000 VISA transactions use 169 kWh, according to https://www.statista.com/statistics/881541/bitcoin-energy-co...
| kenforthewin wrote:
| Unclear what goes into calculating the visa transactions. Is it just the literal cost of sending the bits over the wire? Does it include the cost of servers, manpower, real estate, etc?
| rcxdude wrote:
| It's basically the cost of Visa running divided by the number of transactions they do. So yes it includes everything. You don't need to play silly tricks like that to make Bitcoin look bad. Bitcoin uses similar or more energy than the banking system while processing vastly fewer transactions. Somehow people can't comprehend how ridiculously inefficient bitcoin transactions are.
| nybble41 wrote:
| It's the inflation that's expensive, not the transaction processing. The threshold for economical power use in bitcoin mining scales in proportion to the block reward, not block size or number of transactions. Since the rate of inflation decreases exponentially (the block reward in BTC halves every four years) this issue will eventually resolve itself.
| jdc wrote:
| Do you have a number for us?
| CameronNemo wrote:
| cleancoins.io
| agustif wrote:
| I can't even get mine to work or install at my work machine...
| smarx007 wrote:
| The title is wrong. The VPN traffic does NOT leak. What leaks is the traffic that the VPN software tries to block when the VPN connection is not active. Mullvad uses Windows Firewall to block all internet access if VPN is not active (if the user configured so) and WSL2 bypasses this by not going through Windows Firewall.
| When the VPN is active, WSL2 traffic IS tunneled through the VPN.
|
| UPD: The solution may be to have Windows Firewall rules apply to WSL2 or have Mullvad control Linux internet access through on-the-fly UFW settings update or completely disconnect internet (but that likely does not work nicely and is why Mullvad went for the Windows Firewall based solution in the first place).
| closeparen wrote:
| A good reminder that you really want proxying done on a separate device (router, Raspberry Pi, etc) physically between the endpoint and the internet.
| gerdesj wrote:
| This sounds like working as designed and not a flaw. If your Linux box needs a firewall then put one on it. As the article says, the VM is using Hyper-V networking so it is likely that the connection is either bridged with a virty software switch or is NATted in some way but with a short cut through the host firewall. If the VM has an IP on your LAN it is bridged and if it doesn't and you don't have to fiddle with your internet router then NAT is in play.
|
| Linux has lots of options for firewalling. For Windows sysadmins, firewalld with a GUI could be a reasonably familiar option. Failing that, ufw is quick and reasonably easy for simple use cases. If you are feeling macho, then roll your own with iptables or nftables. The last time I did that properly was with ipchains ...
| smarx007 wrote:
| I think the key idea is that the Mullvad client changes firewall config on the fly to insert a 2nd highest prio rule "deny outgoing" allowing outgoing internet access only to itself until the VPN tunnel is established and then withdraws it automatically afterwards. So, generic firewall advice is not applicable here as it's used in quite a specific way.
| If Microsoft does not fix the problem described in the blog post, I assume the easiest way would be to introduce some kind of daemon in a Windows client that a slave client tool installed in WSL env would have to connect to or the other way around to mirror a firewall config inside the Linux machine. And that will only work on recent versions, see https://github.com/microsoft/WSL/issues/4212#issue-459183662
|
| UPD: I think it will be resolved in a much neater way soon https://github.com/microsoft/WSL/issues/4277#issuecomment-69...
| gerdesj wrote:
| I assume you mean this because I can't find any mention in the article about 2nd highest prio rules:
|
| "How it leaks WSL2 uses Hyper-V virtual networking and therein lies the problem. The Hyper-V Virtual Ethernet Adapter passes traffic to and from guests without letting the host's firewall inspect the packets in the same way normal packets are inspected. The forwarded (NATed) packets are seen in the lower layers of WFP (OSI layer 2) as Ethernet frames only. This type of leak can happen to any guest running under Windows Sandbox or Docker as well if they are configured to use Hyper-V for networking."
|
| That is how virtual machines are supposed to work. Hyper-V is a virtualisation thing. Whatever Mullvad is doing is immaterial - they are only worrying about the host. If you use full on virty stuff, you need to treat each VM as a VM, not a container.
| smarx007 wrote:
| 1000 times this. See https://mullvad.net/en/help/openwrt-routers-and-mullvad-vpn/ for a relevant guide, see under the "Add a kill switch" for the equivalent functionality.
| vmception wrote:
| Does anyone have a raspberry pi hardened disk image for this? I just don't have time to troubleshoot all these things anymore
| sneak wrote:
| That's exactly what leaking means. Traffic that is supposed to be vpn-or-nothing is going out in the clear.
| donor20 wrote:
| Is Windows firewall supposed to apply to WSL? I never expected that! I'm serious - I run a different firewall on Linux.
|
| Can you confirm that WSL is supposed to be dealing with (the nightmare) of the windows firewall for internet access? How does fedora / ubuntu etc coordinate / know to do this?
| wasmitnetzen wrote:
| The firewall probably applied in the non-virtualized WSL1, but doesn't anymore in the new Hyper-V-based WSL2.
| eptcyka wrote:
| It's somewhat unintuitive that a virtualized guest can circumvent the host's firewall/network stack when the guest doesn't have an explicitly bridged or passthrough'd physical adapter.
| mehrdadn wrote:
| The host is the hypervisor though isn't it? Not the Windows inside it.
| rbanffy wrote:
| It's not circumventing. It exists outside it.
|
| As for the parent, if it's a Microsoft product running on Windows and Windows has a firewall, I'd expect it to be an effective firewall, at least for the things Microsoft gives me.
| dymax78 wrote:
| No one is disputing the definition of "leak(ing)" rather what traffic is being leaked, which is not VPN traffic as the title suggests and the Mullvad link clearly explains. edit: the title has since been modified.
| TwoNineFive wrote:
| The title is correct. For example, a remote attacker could induce the transmission of unencrypted packets by taking the tunnel down by means of a DoS attack.
|
| Basically, the tunnel doesn't leak under ideal conditions, with non-ideal conditions being trivial to induce.
|
| For example, StrongSwan (IPSec) talks about this in their best practices page here: https://wiki.strongswan.org/projects/strongswan/wiki/Securit...
|
| The StrongSwan process can do some tricks to tell linux to not allow this outbound traffic by creating a kind of dummy/shunt tunnel. Also, iptables should be used to prevent the outbound transmission of non-ipsec traffic to that destination.
|
| It's notable that I had a run-in with this issue a year or so ago with Ubiquiti Edgerouters, which run a fork of Vyatta. They don't allow the "-m policy --pol none --dir out" iptables module to be used in configuration, even though the underlying linux kernel supports it. They even support its use in-bound. Pure stupidity, if not malice.
|
| Yes I am a network engineer.
| eptcyka wrote:
| If you were to inspect the Mullvad client and how it works on Linux, you'd find that it uses nftables to ensure that traffic only flows through the tunnel. The issue here is that a similar OS provided construct doesn't do that on Windows.
| [deleted]
| dang wrote:
| We changed the title from "Linux Under Windows Subsystem for Linux 2 Leaks VPN Traffic" to the article's own title. That's in the site guidelines: "_Please use the original title, unless it is misleading or linkbait; don't editorialize._"
|
| https://news.ycombinator.com/newsguidelines.html
| Bedon292 wrote:
| Docker on Windows can run on WSL2 backend as well. So I assume this would also apply to Docker traffic too.
|
| Other interesting note, Docker Windows does some funky stuff with firewalls too. It puts an any/any exception in the firewall when you install it [1]. So may also be important to know with VPN stuff.
|
| [1] https://twitter.com/richturn_ms/status/1270766764356366336
| yjftsjthsd-h wrote:
| > Other interesting note, Docker Windows does some funky stuff with firewalls too. It puts an any/any exception in the firewall when you install it
|
| It does something similar on Linux, actually. Huge pain when trying to firewall servers only to discover that Docker happily bypasses all of your rules.
| vilifiedtwin wrote:
| Can't you run VPN client on the Linux guest? I think it is good that the Linux subsystem bypasses Windows firewall.
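Several comments above converge on the same mitigation: since the Windows Firewall never sees the guest's packets, the "vpn-or-nothing" rule has to live inside the Linux guest, the way eptcyka says the Mullvad Linux client does with nftables and the OpenWrt guide calls a kill switch. The function below is an added example (not Mullvad's code and not from any comment); it emits an nftables ruleset for a Linux guest such as a WSL2 distro, and the tunnel interface `wg0`, uplink `eth0` and the VPN endpoint address and UDP port are assumed placeholders passed in as arguments.

```shell
#!/usr/bin/env sh
# VPN kill switch for a Linux guest whose traffic bypasses the host firewall.
# The output chain's default policy is drop, so when the tunnel goes down
# (tunnel restart, endpoint unreachable, DoS on the tunnel) nothing falls
# back to the uplink in cleartext. Assumptions (not from the thread):
# WireGuard on the tunnel interface, a single UDP endpoint, IPv4 uplink.

# kill_switch_rules ENDPOINT_IP ENDPOINT_PORT [TUN_IF] [UPLINK_IF]
# Prints the ruleset on stdout; apply inside the guest with:
#   kill_switch_rules 203.0.113.10 51820 | nft -f -
kill_switch_rules() {
    endpoint_ip=$1
    endpoint_port=$2
    tun_if=${3:-wg0}
    uplink_if=${4:-eth0}
    cat <<EOF
table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;

        # Local traffic never leaves the guest.
        oifname "lo" accept

        # Anything already inside the tunnel is fine.
        oifname "$tun_if" accept

        # The only cleartext allowed on the uplink: the encrypted tunnel
        # transport itself, to exactly one endpoint and port.
        oifname "$uplink_if" ip daddr $endpoint_ip udp dport $endpoint_port accept

        # Let the guest renew its DHCP lease; no DNS exception on purpose,
        # resolvers must be reached through the tunnel or queries would leak.
        oifname "$uplink_if" udp dport 67 accept

        # Everything else (IPv6 included, since the endpoint rule is v4-only)
        # hits the default drop; log it so an outage is visible in dmesg.
        log prefix "killswitch drop: " counter drop
    }
}
EOF
}

# ruleset_is_fail_closed RULESET
# Returns 0 when the output chain defaults to drop, i.e. a tunnel outage
# blocks traffic instead of letting it out over the uplink.
ruleset_is_fail_closed() {
    printf '%s\n' "$1" | grep -q 'hook output priority 0; policy drop;'
}
```

With the ruleset loaded, a tunnel outage shows up as `killswitch drop:` lines in the guest's kernel log rather than as cleartext on the uplink, which is the observable difference from the Windows-side firewall rule the comments discuss.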
| stefan_ wrote:
| If you run your VPN tunnel on the same machine that is emitting your super-serious must-be-tunneled traffic, you are always just one configuration mishap or even software exploit (if you happen to be a Firefox Tor browser user) away from revealing your real connection.
| [deleted]
| siproprio wrote:
| WSL 2 also leaks memory, by default it consumes up to 4GB. It's awful.
| sally1620 wrote:
| This is the exact reason I didn't try running weird VPN configs like this. The reliable way is to run Linux inside a VirtualBox and have it connected to VPN on its own.
|
| Currently, I run Linux on a Xen domU and configure VPN client inside the guest.
|
| PS: I don't want all my traffic to go through VPN. Especially things like Netflix or Youtube where VPNs are blocked (and VPN BW is lower anyway).
| garethrowlands wrote:
| WSL2 _is_ Linux inside a VM that's a peer of Windows. Having it connect to VPN on its own is _exactly_ what you have to do.
| adriancr wrote:
| You can set up a docker vpn client as well
| sally1620 wrote:
| I tried docker. "Always Require VPN" didn't work with docker.
| Voline wrote:
| We have tested a few other VPN clients from competitors and found that all of them leak in the same way. The way Microsoft has implemented virtual networking for Linux guests makes it very difficult to properly secure them.
| the8472 wrote:
| Sometimes that's a feature. At least with VirtualBox I have had the experience that NAT virtual networking leads to significant slowdown on a linux guest compared to bridging one of the host's ethernet adapters. I suspect that's due to windows' firewall software or similar things happening in the host system. It also means one less hop to debug when it comes to network issues.
|
| I think the question is whether you consider a VM more like another machine in your network that merely happens to run on the same hardware or a part of the host system.
| rrobukef wrote:
| From a firewall POV: Can the host system reliably interact mechanically with the VM? I.e., can the host get root in the VM? If so, a firewall only reduces the attack surface by eliminating the obvious.
| mikece wrote:
| I would think that anyone who relies on a VPN for safety or is really particularly security conscious (1) isn't using Windows 10, (2) has networking disabled if they are using it, for example, in a VM, and (3) is probably using a dedicated device like a Slate router or pfSense box as their VPN point.
| gambiting wrote:
| The reason why I route all of my traffic through a VPN is simple - in the UK all ISPs have to keep the history of all your browsing for a year. I want to avoid that. That's it. I just don't like this requirement, especially since lots of agencies can access this data without any kind of warrant - so this is like my own little personal protest against this stupid law. Nothing more complex than that.
| johnisgood wrote:
| "UK-based VPN companies may be subject to the same data retention laws as the country's internet service providers. The UK has also made news in the past as some carriers have blocked certain VPNs. However, the use of VPNs remains legal."
|
| Not sure how much of it is true. I cannot imagine what would happen to some people there were it to be illegal. I would move out.
| nybble41 wrote:
| You can use a VPN that isn't based in your home country. It's much harder to switch to a non-local ISP.
| wutwutwutwut wrote:
| Are you saying that you don't think there is anyone on Windows who is using a VPN to hide their pirating activities? If so, you can borrow a needle from me and pop that bubble.
| jetpackjoe wrote:
| With the way these companies advertise, they make it seem like a silver bullet for internet anonymity.
| Almost every YouTube video I've seen recently seems to have one as a sponsor, and I am sure they are picking up many non-technical customers.
|
| I don't think users of NordVPN, ExpressVPN, MullvadVPN et al. are as sophisticated as you think.
| mikece wrote:
| The way Express VPN's ad copy reads it seems their own people don't understand the difference between encryption and traffic tunneling (much less encryption in transit versus encryption at rest).
| jeroenhd wrote:
| The non-technical customers probably aren't running WSL2 either. In fact I think very few of them actually need a VPN. Those who torrent in litigious countries have a benefit from their VPN provider but I doubt most others know about the behaviour changes that need to take place to make a VPN effective.
|
| I think VPNs can be a powerful tool for many people who would normally not be able to find out about their existence, but the predatory nature modern VPN ads have taken is quite sad.
|
| This leads to some cases of Youtube fan bases angrily calling out shitty VPN ads while the video creators just want to pay their bills, a situation nobody wants.
| GekkePrutser wrote:
| If they're not that sophisticated they probably won't use WSL anyway though, so it's not a huge issue in that sense (unless some malware specifically installs WSL2 to get around it).
| munchbunny wrote:
| I don't think that's true, plenty of security conscious but not particularly tech savvy people use a VPN with Windows.
|
| Using WSL2 though... you kind of have to be tech savvy to use it, and those people are probably willing to work around the issue.
| qz2 wrote:
| It's a shit show. Can't trace packets either via wireshark on the host and tcpdump doesn't work on the guest. I've gone back to virtualbox and eviscerated WSL. Another total waste of my life.
| debian_lover wrote:
| Better yet just install linux and if you need windows, use it in a locked down VM
| muricula wrote:
| Were you using WSL 1 or 2? WSL 1 networking didn't work the way I expected, but WSL 2 seems to support proper Linux networking since it's just a Linux VM under the hood.
| GekkePrutser wrote:
| Conceptually this makes sense. It doesn't really run under Windows, it runs beside Windows. Unlike WSL1 which was basically part of Windows. It's strange tcpdump doesn't run though as WSL2 is running a real kernel.
|
| Personally I really liked the resource efficient WSL1 approach and I lament that they dropped it. But I know for some usecases (e.g. docker) a real Linux kernel was needed.
| muststopmyths wrote:
| >It's strange tcpdump doesn't run though as WSL2 is running a real kernel.
|
| It works just fine. Just tested it
| qz2 wrote:
| Try dumping UDP packets from the host to the WSL machine...
| tw04 wrote:
| The WSL machine is a Hyper-V VM. Why would you expect the default configuration to be able to sniff traffic from the host operating system? That would be a massive security hole.
| qz2 wrote:
| I'm talking about traffic sent to the guest not on the interfaces.
| wanderr wrote:
| Related issue with some workarounds that people are reporting various levels of success with: https://github.com/microsoft/WSL/issues/5068
| jeroenhd wrote:
| Potential workaround: is it possible to configure VPN clients to _ignore_ the WSL2 runtime and instead run a VPN client inside WSL2?
|
| That way the Linux network config can deal with the Linux side of things and the Windows network config can deal with the Windows VPN routing.
|
| Of course you can just configure OpenVPN inside WSL2 and also run a VPN on the desktop but that's tunnels in tunnels and that way madness and network issues lie.
| Digit-Al wrote:
| >Of course you can just configure OpenVPN inside WSL2 and also run a VPN on the desktop but that's tunnels in tunnels and that way madness and network issues lie.
|
| It's tunnels, all the way down :-)
| GekkePrutser wrote:
| If I read it correctly that wouldn't be tunnels in tunnels. It would be 2 separate tunnels side by side. Which is not necessarily a bad thing.
|
| WSL2 is basically a VM and any VM which binds directly to the adapter (e.g. not NAT mode) will have the same behaviour. In some cases you'd even want it to do this.
| jeroenhd wrote:
| If I read the article correctly, the traffic only leaks when the VPN disconnects or reconnects. This means the default situation would be a tunnel inside a tunnel.
|
| WSL2's NAT is close to a standard Hyper-V NAT adapter but there are unexpected differences (like the localhost binding) that make it stand out.
| donor20 wrote:
| The idea that a linux distribution is going to be using the WINDOWS firewall?? seems a bit crazy to me.
|
| I expect the distributions on WSL to use their own firewall - that's half of the fun of using WSL.
|
| PLEASE don't push fake news like this that results in distributions on WSL having to deal with / modify the Windows firewall - that would be a total nightmare!
| mehrdadn wrote:
| My guess is people are confused because Microsoft has marketed WSL2 as a replacement for WSL1, and it makes sense for WSL1 to go through the Windows firewall, so people assumed WSL2 would behave similarly.
| fphhotchips wrote:
| If nothing else, I now understand that I'm going to have to read up more on how WSL2 actually works, because I found WSL1 to be a really elegant way of running Linux on Windows without having a whole bunch of virtualisation in place, but it sounds like there's more virtualisation now, and also Hyper-V networking has previously broken my network stack.
| mehrdadn wrote:
| tl;dr is WSL2 is just a VM running under Hyper-V.
| The host is hence Hyper-V, not Windows.
| xnyan wrote:
| I can't re-create the issue with the mullvad client, or on my work-issued laptop with the Cisco Any-Connect VPN. Everything is dropped the second the VPN goes up.
| AndrewDucker wrote:
| So, if I'm understanding correctly the Linux system gets access to the raw Ethernet system, and so bypasses the Windows firewall. Seems not entirely unreasonable - if you want Linux to use a firewall then install one into it.
|
| But it should definitely be well publicised/documented, because otherwise people won't realise they have a gaping hole in their defences.
| ajross wrote:
| Right, this is as much a feature as it is a bug. But it's absolutely something that should be documented and under control of the host-side security layer.
| logical_person wrote:
| vmswitch is configurable by the host. these VPN authors have no clue what they're doing, windows firewall rules should not in any case be applied to traffic coming from a VM. ridiculous.
| rbanffy wrote:
| > windows firewall rules should not in any case be applied to traffic coming from a VM
|
| I can't agree with this. Everything is running on Windows. The VM runs on Windows and WSL exchanges data with Windows all the time. That the data on the Windows side can leak because I installed a Microsoft-approved product from the Microsoft store on a Windows box with a Microsoft firewall is unacceptable.
| zokier wrote:
| > Everything is running on Windows. The VM runs on Windows
|
| As far as I understand, that is not quite right. With WSL2, everything is running on Hyper-V, the VM and Windows both run in parallel on Hyper-V.
| donor20 wrote:
| Huh - you want linux distributions to have to play with the windows firewall rules? You want windows firewall getting messed up by linux containers?
|
| These VPN authors are just idiots - let's stop over complicating things.
| Half the time people LIKE that they can use linux firewall features on their linux hosts for stuff.
| MiroF wrote:
| No, I'm pretty sure that is the exact opposite of what they are saying.
|
| Maybe work on your reading comprehension?
| Angeo34 wrote:
| Microsoft code has bugs in privacy relevant code? Next you gonna tell me DDG and Brave are honeypots?
|
| What a surprising coincidence.
| SebSebsensen wrote:
| Did you even read the article or previous comments before the MS bashing reflexes kicked in?
| Animats wrote:
| Why would someone run a VPN client on Linux under Windows, anyway, as opposed to just running it on Windows?
| Bedon292 wrote:
| They are running it on Windows. It attempts to deny all outbound traffic if the VPN is not connected, but the WSL2 traffic does not follow that rule and gets out anyways.
___________________________________________________________________
(page generated 2020-09-30 23:00 UTC)