[HN Gopher] Linux under WSL2 can be leaking
       ___________________________________________________________________
        
       Linux under WSL2 can be leaking
        
       Author : Voline
       Score  : 232 points
       Date   : 2020-09-30 17:48 UTC (5 hours ago)
        
 (HTM) web link (mullvad.net)
 (TXT) w3m dump (mullvad.net)
        
       | kodablah wrote:
       | I have noticed similar simply because the Cisco AnyConnect client
       | doesn't work with WSL2 and is a known issue [0]. But that seemed
       | to be blocking traffic instead of just allowing all traffic over
       | non-VPN. However, openconnect does work fine as does the UWP-
       | based AnyConnect client. I wonder how those latter two are
       | successfully tunneling traffic (or if it's only if they are started
       | before the WSL2 VM is).
       | 
       | 0 - https://github.com/microsoft/WSL/issues/4277
        
         | filmgirlcw wrote:
         | Yeah, there are some issues with some corporate VPNs and WSL2
         | right now (disclosure: I work at Microsoft but not on WSL2 but
         | I've been in touch with that team regarding some of the issues)
         | that are actively being worked on.
         | 
         | I think that's a bit different than this, though it's possibly
         | related. As you said, the situation there is traffic is
         | blocked.
         | 
         | WSL and WSL2 are fundamentally different in how they work. In
         | fact, the poor I/O performance (caused in part by Windows
         | Defender) in WSL is part of what led to the Hyper-V based
         | approach to begin with.
         | 
         | My guess is that something might need to change either in the
         | way VPNs use the firewall rules in Windows when passing on to
         | WSL2 or in WSL2 to make for more granular control over how that
         | stuff is passed on - to address the Mullvad. Because as it
         | stands now, the way Mullvad performs under WSL2 seems to be by
         | design (by WSL2 design, if not Mullvad's design).
         | 
         | Obviously, many users who enable a VPN in Windows will want
         | that connection to persist when they use WSL2 -- but I can also
         | think of plenty of scenarios where that might not be the case,
         | which I imagine makes coming up with a solution more difficult.
         | 
         | I will say, the WSL2 team is incredibly responsive to feedback.
         | You can file issues on GitHub and the team is very active on
         | Twitter. If this is something that can be fixed on the WSL2
         | side, I feel confident the team will work to do it.
        
         | mdoms wrote:
         | > But that seemed to be blocking traffic instead of just
         | allowing all traffic over non-VPN
         | 
         | Not what's happening here (despite the title).
        
       | shmerl wrote:
       | Using WSL should be a very last resort anyway. Just use Linux
       | straight on your hardware if you have a choice and ditch Windows.
        
         | Jonnax wrote:
         | Why? In my opinion Linux desktop environments are terrible
         | compared to Windows.
         | 
         | How's the display scaling these days? Is it still a better
         | experience to run a 4k monitor at a lower resolution? What's
         | the Nvidia driver situation? Still janky because their drivers
         | are doing their own thing?
        
           | shmerl wrote:
           | Because in my opinion Windows is terrible :) For many
           | reasons.
           | 
           | Linux users don't use Nvidia if they are interested in the
           | modern desktop use case. That's a well known factor. If
           | someone migrates to Linux using Nvidia, chances are high
           | they'll change it to AMD on the next GPU upgrade.
        
             | filmgirlcw wrote:
             | > Linux users don't use Nvidia if they are interested in
             | the modern desktop use case.
             | 
             | Which rules out anyone who wants to game or do CUDA stuff.
             | 
             | Everyone is welcome to their own opinions and preferences,
             | but if you ask me, if the response to a request to use the
             | most powerful/performant graphics cards is to switch to AMD
             | (and AMD has some good cards but Nvidia's are better and
             | OpenCL can't compete with CUDA when it comes to any machine
             | learning work), well, that's part of why Linux's modern
             | desktop adoption is still so small.
             | 
             | If the only option is to use an AMD GPU, you might as well
             | just get a Mac and use actual UNIX.
             | 
             | And honestly, to each their own! But you asked why anyone
             | would use WSL2 and you've got a good answer: they want to
             | be able to take advantage of their chosen hardware _and_
             | access the various Linux tools.
        
               | shmerl wrote:
               | I didn't see an answer that explains how WSL is better
               | than Linux proper, at least not in case when you don't
               | care about Windows itself.
               | 
               | AMD is fine for gaming, I'm using 5700XT on Linux for
               | playing games. And AMD will match Nvidia higher end cards
               | next month. So I don't see any reason to use Nvidia for
               | that.
               | 
               | WSL offers nothing for gaming or similar use cases that
               | regular Linux can't. If you need to use CUDA with Nvidia
               | hardware, you can do it on Linux proper just fine, you
               | don't need WSL for it - Nvidia provide support.
        
           | marcan_42 wrote:
           | I just switched to a 4K monitor last week. Set display
           | scaling to 1.5x in the KDE settings, logged in again, and
           | everything looks great and scales cleanly. I haven't noticed
           | any weird artifacts or bizarre UIs yet. It just works.
           | 
           | Except Spotify, that needs a command line flag to set the
           | scale factor, but that app is well known to be half-assed on
           | Linux (they also don't support input methods, so searching
           | for Japanese songs is a copy and paste exercise) and that's
           | not Linux's fault.
           | 
           | AIUI the nvidia drivers are a lot better these days, but most
           | Linux users, myself included, know to stay away from nvidia
           | unless you have very good reasons not to. AMD cards work
           | beautifully.
        
             | totony wrote:
             | If you have different DPI needs, xorg has a lot of
             | difficulty with it. Works on Windows.
             | 
             | Wayland doesn't work on nvidia and is missing some features
             | too. Linux desktop sucks.
        
           | johnisgood wrote:
           | I have not experienced any NVIDIA driver related issues for
           | over a decade. I cannot comment on the rest.
           | 
           | I think there are great desktop environments and window
           | managers for Linux.
        
         | debian_lover wrote:
         | This. WSL is like supergluing a BMW motor to the hood of a
         | burned out 1999 Honda Civic. It's still going to run like
         | garbage no matter how much you put lipstick on that pig.
        
         | crb002 wrote:
         | WSL2 gave my Windows 10 laptop new life. Sound drivers etc just
         | work - WSL2 scales RAM/CPU with your workload. Have Kali Kex
         | gui, AmazonLinux 2 terminal, Ubuntu 20 terminal side by side
         | all doing their thing.
        
         | [deleted]
        
         | Enginerrrd wrote:
         | Yeah I've never understood the use case there exactly....
        
           | shmerl wrote:
           | One use case MS thought of was to give an excuse to lazy
           | corporate IT not to support Linux on the desktop, to prevent
           | Windows usage dropping among developers. I think that was
           | their main intent.
        
         | nikisweeting wrote:
         | It's getting better all the time though, and it's way better
         | than nothing when you don't have a choice.
        
         | Bedon292 wrote:
         | WSL is actually really good. To me, it gives you the best of
         | both worlds. Linux for dev stuff, Windows for GUI and games.
           | And it's actual Linux, so I am dev'ing a little closer to prod
           | than those on Macs. But that's less of a factor now everything
           | is in Docker and we are all using the same containers. I also
           | feel I have a superior Docker (runs on WSL2) experience to
           | them, better interface and much better battery life. It's of
         | course all personal opinion, but I have no desire or need to
         | move off Windows.
        
           | garethrowlands wrote:
           | One reason to move off of Windows would be running graphical
           | Linux apps. But that'll change soon.
        
             | shmerl wrote:
             | If you are playing games on Linux, WSL doesn't help
             | anything for sure, it only adds overhead.
        
               | filmgirlcw wrote:
               | But legit question, why would you want to play a game in
               | Linux and not in Windows?
               | 
               | I'm not even being rhetorical, I'm genuinely curious if
               | there are games with significantly better performance
               | under Linux (and I'm assuming we would have to be talking
               | about using an AMD card so I'm also curious if that
               | performance under Linux is better than an Nvidia card
               | under either OS), because maybe there are and I'm just
               | totally unaware.
        
               | shmerl wrote:
               | Because Linux is my OS of preference in general, so I
               | play games on it as well.
               | 
               | But it's good to clarify a few things to avoid confusion:
               | 
               | 1. You can use Nvidia on Linux, including for gaming.
               | Nvidia's problems are related to lack of support for
               | modern features (Wayland and so on) caused by the fact
               | that their blob driver is not upstreamed. But it's usable
               | otherwise.
               | 
               | 2. AMD drivers are open source and upstreamed, that's why
               | it's a common preference for Linux gamers. Performance of
               | AMD is very good on Linux (amdgpu, radeonsi, radv/aco and
               | etc. all provide very good performance). That stereotype
               | that "Nvidia drivers are faster" has been false for quite
               | some time already.
               | 
               | 3. You can play many Windows only games using Wine + dxvk
               | / vkd3d and etc. Performance is slightly lower than on
               | Windows, but not significantly. The only problems now
               | remain mostly with intrusive, rootkit styled "anti-
               | cheats" that don't work in Wine, but I personally
               | wouldn't even touch such games.
               | 
               | To sum up - using Linux for gaming is totally doable, as
               | long as you want to use Linux in the first place and
               | don't want to use Windows.
        
               | cdash wrote:
               | Why would you ever play games on WSL when you already are
               | on the superior platform for playing games...
        
             | Bedon292 wrote:
             | Yeah, I do have a narrow focus though and don't use any
             | Linux GUI apps. It's been a while, but if you run an X11
             | Server on Windows you can make many things work, though
             | definitely not all of them. And I know it's getting better.
             | I tend to live in VSCode though, and that natively works
             | with WSL under the hood.
             | 
             | Probably going to check out this for GUI stuff again soon:
             | https://github.com/cascadium/wsl-windows-toolbar-launcher
        
           | shmerl wrote:
           | Personally I don't see any benefit that WSL can offer that
           | regular Linux can't. But I don't have any interest in
           | Windows, so your case might differ.
        
             | Bedon292 wrote:
             | Yeah, I have a few things that keep me in Windows. The
             | primary users of the apps I work on are all on Windows, so
             | having a Windows box around tends to be useful to check
             | everything is good.
             | 
             | ArcGIS - Windows only, has enough issues as it is,
             | virtualizing it doesn't tend to go well. Though you can do
             | something like VMWare Fusion mostly successfully.
             | 
             | MS Office - Yes there are alternatives, but we still operate
             | primarily in Office, and the alternatives are not perfectly
             | compatible. Especially when collaborating with other
             | companies it's important. Teams / O365 are certainly getting
             | better, but still not there yet.
             | 
             | Steam - Although that is certainly getting better on Linux
             | as well. And my gaming time is pretty limited these days.
        
               | shmerl wrote:
               | If they can't work in Wine, you can always run the
               | outliers in Windows VM on Linux, instead of doing the
               | reverse :)
        
           | frenchyatwork wrote:
           | That's really over-selling it. WSL is okay. It's better than
           | the previous monstrosities, but that's not saying much. You
           | can't run VS Code in WSL, it literally has code to prevent
           | you from doing that, even if you have a functioning X Server
           | (which is a jolly pain to set up).
        
             | Bedon292 wrote:
             | Why do you want to run VSCode from inside WSL?
             | 
             | The Windows version can be fully integrated with WSL.
             | Windows handles the GUI, Linux handles the CLI and all
             | that. [1]
             | 
             | I have not found any need that it does not meet this way,
             | but as I mentioned in another comment, I have a very narrow
             | focus. So would not be surprised if I was missing
             | something.
             | 
             | [1] https://marketplace.visualstudio.com/items?itemName=ms-vscod...
        
             | filmgirlcw wrote:
             | (Disclosure: I work at Microsoft but not on WSL2. I'm just
             | a huge fan and I say that as a dedicated/devout Mac user)
             | 
             | Two things:
             | 
             | First, GUI support is coming [1] and the team is working to
             | support both X11 and Wayland [2].
             | 
             | Second, the Remote Development Extension for VS Code [3]
             | lets you do this seamlessly. It auto-configs to work with
             | WSL or WSL2 and can also connect to a container or remote
             | machine or GitHub Codespaces codespace. It's awesome and
             | all of your files, your terminal, everything is mapped to
             | WSL2, with all the GUI parts from Windows. It's one of my
             | favorite things.
             | 
             | I'm not trying to convince people that WSL2 is the end-all
             | be-all, even though I'm an unabashed fan, but I just want
             | to correct the record a bit (regarding VS Code) and share
             | that X11/Wayland GUI support is coming
             | 
             | [1]: https://devblogs.microsoft.com/commandline/whats-new-in-the-...
             | [2]: https://youtu.be/b2mnbyRgXkY
             | [3]: https://code.visualstudio.com/docs/remote/remote-overview
        
       | crb002 wrote:
       | Is there a wireshark config for WSL2 so you can browse traffic?
       | eBPF support in WSL2 sufficient?
        
       | debian_lover wrote:
       | Is anyone really surprised by this? If you want security then you
       | don't use Windows. Windows Subsystem for Linux is a joke. Just
       | install Linux like everyone else.
        
       | AcerbicZero wrote:
       | "WSL2 uses Hyper-V virtual networking and therein lies the
       | problem"
       | 
       | Pretty much sums it up.
        
       | wing-_-nuts wrote:
       | A bit off topic, but this sort of transparency is why I don't
       | mind paying $6 / mo for a VPN when Mullvad's competitors are much
       | cheaper. Their WireGuard support is great, and their speeds are
       | much faster than what I got through OpenVPN on PIA.
        
         | [deleted]
        
         | ss3000 wrote:
         | I love everything about Mullvad except their device limit,
         | which is unfortunately a deal breaker for me. 5 is completely
         | inadequate for my use cases.
        
           | chmod775 wrote:
           | Mullvad uses the superior way of not having a real account at
           | all - you just get a number you can "deposit" money into.
           | 
           | It's the only way they can reliably prevent abuse like a
           | thousand people using one number - because this way you can
           | just track the number of open connections per account number.
           | 
           | This is superior to tracking IP-addresses to detect fraud for
           | obvious privacy reasons. I do a similar thing for a service I
           | run.
           | 
           | Out of curiosity, how do you even manage to _use_ more than
           | five devices for private use at once? Even just owning that
           | many is unlikely.
        
             | jsjohnst wrote:
             | > Out of curiosity, how do you even manage to use more than
             | five devices for private use at once? Even just owning that
             | many is unlikely.
             | 
             | I'm not GP and I certainly don't take GP's stance about
             | limiting to 5 devices (I think it makes sense), but
             | claiming it's unlikely that someone owns more than five
             | devices is silly, especially if someone has a family. My
             | non-tech sister's family of four has two phones, three
             | iPads, two laptops, etc. As another example, I literally
             | own over an order of magnitude more devices than just five
             | devices for private use (yes, I'm an outlier).
        
             | ss3000 wrote:
             | As much as I appreciate Mullvad's stance around privacy, I
             | don't actually use a VPN for privacy (I use Tor for that),
             | but mostly for bypassing geo-restrictions on my
             | entertainment devices for games and streaming services and
             | whatnot.
             | 
             | For that use case, I can't justify paying double/triple the
             | price as other providers that offer 2/3x the devices for
             | the same price. The provider I use now, Surfshark, offers
             | unlimited devices for about 1/3 of the price, and also
             | recently started offering WireGuard, it would be
             | financially irresponsible for me to choose Mullvad which
             | would effectively 10x what I'm paying right now for the
             | same number of devices.
             | 
             | FWIW I understand that their account number mechanism is
             | superior from a privacy perspective, and that there's no
             | way to support unlimited devices while combating fraud
             | using that mechanism. It's just not the right set of
             | tradeoffs for my use case.
        
           | unixhero wrote:
           | Is it not fair that you pay for another subscription if you
           | go beyond 5 devices? They do provide a service with their
           | finite resources. It's not a mega corporation.
        
         | logical_person wrote:
         | Very strange shilling considering Mullvad doesn't know how the
         | Windows networking stack works and this bug exposes them as
         | such. Edit: to be clear, it's the responsibility of a VPN
         | provider to fully understand the platform they're selling a VPN
         | solution for. The fact that virtual machines on Windows do
         | not use the host's NDIS stack/firewall is well-known.
        
           | jefftk wrote:
           | Speaking positively of a company is not in itself shilling.
        
         | dymax78 wrote:
         | I vehemently agree with your position. It's also worth
         | mentioning (albeit anecdotal) their prompt and verbose support
         | when/if necessary.
        
         | Aaronstotle wrote:
         | Also a huge fan of paying with BTC and their use of account ids
         | instead of emails, wish they would accept XMR also.
        
           | speedgoose wrote:
           | Did you consider the average pollution of bitcoin
           | transactions?
        
             | smartbit wrote:
             | Good question.
             | 
               | OTOH, did anyone ever consider the average pollution of the
               | banking system? 10,000s of banks, 200+ central banks, BIS,
               | IMF, ECB, etc, etc. Millions of employees, millions of
               | desktops & servers, day-in-day out. Anyone with a link to a
               | guesstimate?
        
               | roywiggins wrote:
               | There's no way that a single $6 credit card transaction
               | uses as much energy as sending $6 worth of bitcoin, which
               | is the relevant measure.
        
               | monadic2 wrote:
               | Yea but a whole fraud department of humans emits a ton of
               | carbon. There's no way the banking and finance industry
               | doesn't compete emissions wise with bitcoin.
        
               | roywiggins wrote:
               | Fraud departments provide a pretty useful service to
               | consumers. The existing finance system is _so much
               | larger_ than the Bitcoin economy that it's no surprise
               | if they, in total, rival Bitcoin in energy intensity. It
               | processes orders of magnitude more transactions and
               | provides other services that people use that have no
               | Bitcoin equivalents.
               | 
               | This isn't a defense of the modern financial system,
               | which is arguably a trash fire for plenty of reasons, but
               | _of course_ it's fairly energy intensive. It's
               | _massive_. If it were replaced entirely by Bitcoin, it
               | would be even more intensive.
        
               | [deleted]
        
               | [deleted]
        
               | Barrin92 wrote:
               | > There's no way the banking and finance industry doesn't
               | compete emissions wise with bitcoin
               | 
               | not on a per transaction basis, which is the only
               | relevant measure because the banking system supports a
               | lot more people than bitcoin does.
               | 
               | A single bitcoin transaction uses 610.20 kWh right now,
               | which is comparable to the energy consumption of an
               | average US household over 20 days.[1]
               | 
               | Also for a comparison of scope, Tenpay, Tencent's payment
               | service processes about 1.2 billion transactions per day,
               | Bitcoin does about 300k. If all financial transactions
               | conducted in China alone would consume the amount of
               | energy that a bitcoin transaction does, it would roughly
               | eclipse the energy the country consumes in a year, in one
               | day.
               | 
               | [1] https://digiconomist.net/bitcoin-energy-consumption/
        
               | monadic2 wrote:
               | Yea, after reading more I got a sense of the scale.
               | 
               | Still, I think that's the proper comparison--human
               | processes are the analogue to keeping a blockchain online
               | and mining.
        
               | cedilla wrote:
               | The difference is that there's no mechanism in banking
               | that keeps ramping up the difficulty exponentially.
               | 
               | All the energy in bitcoin is not wasted on keeping and
               | organizing that tiny ledger (barely 300 GB of data!),
               | it's wasted on brute forcing hashes, with the energy
               | required ramping up exponentially with interest in
               | bitcoin.
               | 
               | As ingenious as bitcoin is, that is a fatal flaw. Using
               | bitcoin is like rolling coal, only worse for the
               | environment.
        
               | drexlspivey wrote:
               | Luckily there is a mechanism for resource allocation and
               | it is called price. I pay for 1 MWh, you pay for 1 MWh and
               | it doesn't matter what we use the energy for.
               | 
               | If you have an issue with how the energy is generated
               | take it up with your local government.
        
               | saagarjha wrote:
               | Most Bitcoins are mined in places I do not live, since my
               | electricity prices are nowhere near economical to mine
               | in.
        
               | johnisgood wrote:
               | I cannot wait for nuclear fusion to finally be here so
               | people will stop worrying about the electricity
               | consumption, and high consumption will not mean pollution
               | or whatever.
        
               | carlob wrote:
               | Pretty sure the difficulty will go up accordingly then
        
               | jodrellblank wrote:
               | All the electricity we generate becomes waste heat in the
               | atmosphere. Global energy use is currently ~0.1% of Sun
               | power hitting the Earth. USA uses ~10x more electricity
               | per person than India does, assume bringing everyone up
               | to USA levels means we'll be around 1% of Sun power. Grow
               | the population from ~8Bn to predicted ~12Bn and we'll be
               | around 1.5%.
               | 
               | And then everyone gets "too cheap to meter" fusion power?
               | There is not a /lot/ of headroom there, we surely can't
               | go to outputting as much waste heat again as the planet
               | gets from The Sun - and before you say "solar", you
               | already said "fusion".
        
               | foepys wrote:
               | The Bitcoin network allegedly uses the same amount of energy
               | as the whole country of Denmark. This includes heavy
               | industries like aluminum smelting that more or less use
               | as much power as they are allowed to.
               | 
               | A Bitcoin transaction uses about 1,005 kWh, while 100,000
               | VISA transactions use 169 kWh, according to
               | https://www.statista.com/statistics/881541/bitcoin-energy-co...
        
               | kenforthewin wrote:
               | Unclear what goes into calculating the visa transactions.
               | Is it just the literal cost of sending the bits over the
               | wire? Does it include the cost of servers, man-power,
               | real estate, etc?
        
               | rcxdude wrote:
               | It's basically the cost of Visa running divided by the
               | number of transactions they do. So yes it includes
               | everything. You don't need to play silly tricks like that
               | to make Bitcoin look bad. Bitcoin uses similar or more
               | energy than the banking system while processing vastly
               | fewer transactions. Somehow people can't comprehend how
               | ridiculously inefficient bitcoin transactions are.
        
               | nybble41 wrote:
               | It's the inflation that's expensive, not the transaction
               | processing. The threshold for economical power use in
               | bitcoin mining scales in proportion to the block reward,
               | not block size or number of transactions. Since the rate
               | of inflation decreases exponentially (the block reward in
               | BTC halves every four years) this issue will eventually
               | resolve itself.
        
             | jdc wrote:
             | Do you have a number for us?
        
               | CameronNemo wrote:
               | cleancoins.io
        
       | agustif wrote:
       | I can't even get mine to work or install at my work machine...
        
       | smarx007 wrote:
       | The title is wrong. The VPN traffic does NOT leak. What leaks is
       | the traffic that the VPN software tries to block when the VPN
       | connection is not active. Mullvad uses Windows Firewall to block
       | all internet access if VPN is not active (if the user configured
       | so) and WSL2 bypasses this by not going through Windows Firewall.
       | When the VPN is active, WSL2 traffic IS tunneled through the VPN.
       | 
       | UPD: The solution may be to have Windows Firewall rules apply to
       | WSL2 or have Mullvad control Linux internet access through on-
       | the-fly UFW settings update or completely disconnect internet
       | (but that likely does not work nicely and is why Mullvad went for
       | the Windows Firewall based solution in the first place).
        
         | closeparen wrote:
         | A good reminder that you really want proxying done on a
         | separate device (router, Raspberry Pi, etc) physically between
         | the endpoint and the internet.
        
           | gerdesj wrote:
           | This sounds like working as designed and not a flaw. If your
           | Linux box needs a firewall then put one on it. As the article
           | says, the VM is using Hyper-V networking so it is likely that
           | the connection is either bridged with a virty software switch
           | or is NATted in some way but with a short cut through the
           | host firewall. If the VM has an IP on your LAN it is bridged
           | and if it doesn't and you don't have to fiddle with your
           | internet router then NAT is in play.
           | 
           | Linux has lots of options for firewalling. For Windows
           | sysadmins, firewalld with a GUI could be a reasonably
           | familiar option. Failing that, ufw is quick and reasonably
           | easy for simple use cases. If you are feeling macho, then
           | roll your own with iptables or nftables. The last time I did
           | that properly was with ipchains ...
        
             | smarx007 wrote:
             | I think the key idea is that Mullvad client changes
             | firewall config on the fly to insert a 2nd highest prio
             | rule "deny outgoing" allowing outgoing internet access only
             | to itself until the VPN tunnel is established and then
             | withdraws it automatically afterwards. So, a generic
             | firewall advice is not applicable here as it's used in
             | quite a specific way. If Microsoft does not fix the problem
             | described in the blog post, I assume the easiest way would
             | be to introduce some kind of daemon in a Windows client
             | that a slave client tool installed in WSL env would have to
             | connect to or the other way around to mirror a firewall
              | config inside the Linux machine. And that will only work on
              | recent versions, see
              | https://github.com/microsoft/WSL/issues/4212#issue-459183662
             | 
             | UPD: I think it will be resolved in a much neater way soon 
             | https://github.com/microsoft/WSL/issues/4277#issuecomment-6
             | 9...
        
               | gerdesj wrote:
               | I assume you mean this because I can't find any mention
               | in the article about 2nd highest prio rules:
               | 
               | "How it leaks WSL2 uses Hyper-V virtual networking and
               | therein lies the problem. The Hyper-V Virtual Ethernet
               | Adapter passes traffic to and from guests without letting
               | the host's firewall inspect the packets in the same way
               | normal packets are inspected. The forwarded (NATed)
               | packets are seen in the lower layers of WFP (OSI layer 2)
               | as Ethernet frames only. This type of leak can happen to
               | any guest running under Windows Sandbox or Docker as well
               | if they are configured to use Hyper-V for networking."
               | 
               | That is how virtual machines are supposed to work.
               | Hyper-V is a virtualisation thing. Whatever Mullvad is
               | doing is immaterial - they are only worrying about the
               | host. If you use full on virty stuff, you need to treat
               | each VM as a VM, not a container.
        
           | smarx007 wrote:
           | 1000 times this. See https://mullvad.net/en/help/openwrt-
           | routers-and-mullvad-vpn/ for a relevant guide, see under the
           | "Add a kill switch" for the equivalent functionality.
        
           | vmception wrote:
           | Does anyone have a raspberry pi hardened disk image for this?
           | I just don't have time to troubleshoot all these things
           | anymore
        
         | sneak wrote:
         | That's exactly what leaking means. Traffic that is supposed to
         | be vpn-or-nothing is going out in the clear.
        
           | donor20 wrote:
           | Is Windows firewall supposed to apply to WSL? I never
            | expected that! I'm serious - I run a different firewall on my
            | own linux.
           | 
           | Can you confirm that WSL is supposed to be dealing with (the
           | nightmare) of the windows firewall for internet access? How
           | does fedora / ubuntu etc coordinate / know to do this?
        
             | wasmitnetzen wrote:
              | The firewall probably applied in the non-virtualized WSL1,
             | but doesn't anymore in the new Hyper-V-based WSL2.
        
             | eptcyka wrote:
             | It's somewhat unintuitive that a virtualized guest can
             | circumvent the host's firewall/network stack when the guest
             | doesn't have an explicitly bridged or passthrough'd
             | physical adapter.
        
               | mehrdadn wrote:
               | The host is the hypervisor though isn't it? Not the
               | Windows inside it.
        
               | rbanffy wrote:
               | It's not circumventing. It exists outside it.
               | 
               | As for the parent, if it's a Microsoft product running on
               | Windows and Windows has a firewall, I'd expect it to be
               | an effective firewall, at least for the things Microsoft
               | gives me.
        
           | dymax78 wrote:
           | No one is disputing the definition of "leak(ing)" rather what
           | traffic is being leaked, which is not VPN traffic as the
           | title suggests and the Mullvad link clearly explains. edit:
           | the title has since been modified.
        
         | TwoNineFive wrote:
         | The title is correct. For example, a remote attacker could
         | induce the transmission of unencrypted packets by taking the
         | tunnel down by means of DoS attack.
         | 
         | Basically, the tunnel doesn't leak under ideal conditions, with
         | non-ideal conditions being trivial to induce.
         | 
         | For example, StrongSwan (IPSec) talks about this in their best
         | practices page here:
         | https://wiki.strongswan.org/projects/strongswan/wiki/Securit...
         | 
         | The StrongSwan process can do some tricks to tell linux to not
         | allow this outbound traffic by creating a kind of dummy/shunt
         | tunnel. Also, iptables should be used to prevent the outbound
         | transmission of non-ipsec traffic to that destination.
         | 
         | It's notable that I had a run-in with this issue a year or so
         | ago with Ubiquiti Edgerouters, which run a fork of Vyatta. They
         | don't allow the "-m policy --pol none --dir out" iptables
          | module to be used in configuration, even though the underlying
          | linux kernel supports it. They even support its use in-bound.
         | Pure stupidity, if not malice.
         | 
         | Yes I am a network engineer.
        
           | eptcyka wrote:
           | If you were to inspect the Mullvad client and how it works on
           | Linux, you'd find that it uses nftables to ensure that
           | traffic only flows through the tunnel. The issue here is that
           | a similar OS provided construct doesn't do that on Windows.
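The in-guest kill switch that smarx007 and eptcyka describe (a "deny outgoing" rule that lets only the VPN client reach its endpoint until the tunnel is up, expressed with nftables on the Linux side), as an added example that is not part of this thread or of Mullvad's client. The tunnel interface `wg0`, the endpoint 203.0.113.10:51820/udp and the table name are assumptions; run with `--apply` as root to load it, without arguments it only prints the ruleset.

```shell
#!/bin/sh
# Added example: an nftables "kill switch" for the Linux guest under WSL2.
# It mirrors the behaviour the thread attributes to the Mullvad client on
# Windows: drop every outbound packet that is neither loopback, nor sent
# over the tunnel, nor the VPN client's own handshake to its server.
# Interface name, endpoint and port are assumptions (placeholders), not
# values from the article; 203.0.113.10 is a documentation-range address.
set -eu

VPN_IFACE="${VPN_IFACE:-wg0}"             # assumed tunnel interface
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"  # placeholder VPN endpoint
VPN_PORT="${VPN_PORT:-51820}"             # placeholder endpoint port
VPN_PROTO="${VPN_PROTO:-udp}"             # udp or tcp, depending on the client

# Emit the ruleset on stdout. The leading "table ... / delete table ..."
# pair makes the file idempotent: the table is created if absent, then
# replaced, so re-running never duplicates rules or touches other tables.
killswitch_ruleset() {
  cat <<EOF
table inet vpn_killswitch
delete table inet vpn_killswitch
table inet vpn_killswitch {
  chain output {
    type filter hook output priority 0; policy drop;

    # local traffic stays usable
    oifname "lo" accept

    # anything already inside the tunnel is fine
    oifname "$VPN_IFACE" accept

    # the VPN client may reach its server to (re)establish the tunnel;
    # this is the "allow only itself" exception described in the thread
    ip daddr $VPN_SERVER $VPN_PROTO dport $VPN_PORT accept

    # everything else, including traffic that would leave through the
    # Hyper-V NAT adapter in the clear while the tunnel is down, is
    # logged and dropped; the counter shows leak attempts in
    # 'nft list ruleset'
    log prefix "vpn-killswitch drop: " counter drop
  }
}
EOF
}

# Apply only when asked for explicitly (needs root and the nft binary);
# otherwise print the ruleset for review.
if [ "${1:-}" = "--apply" ]; then
  killswitch_ruleset | nft -f -
  nft list table inet vpn_killswitch
else
  killswitch_ruleset
fi
```

The guest's default resolver (the Hyper-V NAT gateway listed in /etc/resolv.conf) is blocked as well while the tunnel is down, so the in-guest client must be given its endpoint by IP address and send DNS over the tunnel.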
        
             | [deleted]
        
         | dang wrote:
         | We changed the title from "Linux Under Windows Subsystem for
         | Linux 2 Leaks VPN Traffic" to the article's own title. That's
         | in the site guidelines: " _Please use the original title,
          | unless it is misleading or linkbait; don't editorialize._"
         | 
         | https://news.ycombinator.com/newsguidelines.html
        
       | Bedon292 wrote:
       | Docker on Windows can run on WSL2 backend as well. So I assume
       | this would also apply to Docker traffic too.
       | 
       | Other interesting note, Docker Windows does some funky stuff with
        | firewalls too. It puts an any/any exception in the firewall when
       | you install it [1]. So may also be important to know with VPN
       | stuff.
       | 
       | [1] https://twitter.com/richturn_ms/status/1270766764356366336
        
         | yjftsjthsd-h wrote:
         | > Other interesting note, Docker Windows does some funky stuff
          | with firewalls too. It puts an any/any exception in the
         | firewall when you install it
         | 
         | It does something similar on Linux, actually. Huge pain when
         | trying to firewall servers only to discover that Docker happily
         | bypasses all of your rules.
        
       | vilifiedtwin wrote:
        | Can't you run a VPN client on the Linux guest? I think it is good
       | that the Linux subsystem bypasses Windows firewall.
        
       | stefan_ wrote:
       | If you run your VPN tunnel on the same machine that is emitting
       | your super-serious must-be-tunneled traffic, you are always just
       | one configuration mishap or even software exploit (if you happen
       | to be a Firefox Tor browser user) away from revealing your real
       | connection.
        
       | [deleted]
        
       | siproprio wrote:
       | WSL 2 also leaks memory, by default it consumes up to 4GB. It's
       | awful.
        
       | sally1620 wrote:
       | This is the exact reason I didn't try running weird VPN configs
       | like this. The reliable way is to run Linux inside a VirtualBox
       | and have it connected to VPN on its own.
       | 
       | Currently, I run Linux on a Xen domU and configure VPN client
       | inside the guest.
       | 
       | PS: I don't want all my traffic to go through VPN. Especially
       | things like Netflix or Youtube where VPNs are blocked (and VPN BW
       | is lower anyway).
        
         | garethrowlands wrote:
         | WSL2 _is_ Linux inside a VM that's a peer of Windows. Having it
         | connect to VPN on its own is _exactly_ what you have to do.
        
         | adriancr wrote:
         | You can set up a docker vpn client as well
        
           | sally1620 wrote:
           | I tried docker. "Always Require VPN" didn't work with docker.
        
       | Voline wrote:
       | We have tested a few other VPN clients from competitors and found
       | that all of them leak in the same way. The way Microsoft has
       | implemented virtual networking for Linux guests makes it very
       | difficult to properly secure them.
        
         | the8472 wrote:
         | Sometimes that's a feature. At least with VirtualBox I have
          | had the experience that NAT virtual networking leads to
         | significant slowdown on a linux guest compared to bridging one
         | of the host's ethernet adapters. I suspect that's due to
         | windows' firewall software or similar things happening in the
         | host system. It also means one less hop to debug when it comes
         | to network issues.
         | 
         | I think the question is whether you consider a VM more like
         | another machine in your network that merely happens to run on
         | the same hardware or a part of the host system.
        
           | rrobukef wrote:
           | From a firewall POV: Can the host system reliably interact
           | mechanically with the VM? I.e., can the host get root in the
           | VM? If so, a firewall only reduces the attack surface by
           | eliminating the obvious.
        
         | mikece wrote:
         | I would think that anyone who relies on a VPN for safety or is
         | really particularly security conscious (1) isn't using Windows
         | 10, (2) has networking disabled if they are using it, for
         | example, in a VM, and (3) is probably using a dedicated device
         | like a Slate router or pfSense box as their VPN point.
        
           | gambiting wrote:
           | The reason why I route all of my traffic through a VPN is
           | simple - in the UK all ISPs have to keep the history of all
           | your browsing for a year. I want to avoid that. That's it. I
           | just don't like this requirement, especially since lots of
           | agencies can access this data without any kind of warrant -
           | so this is like my own little personal protest against this
           | stupid law. Nothing more complex than that.
        
             | johnisgood wrote:
             | "UK-based VPN companies may be subject to the same data
             | retention laws as the country's internet service providers.
             | The UK has also made news in the past as some carriers have
             | blocked certain VPNs. However, the use of VPNs remains
             | legal."
             | 
             | Not sure how much of it is true. I cannot imagine what
             | would happen to some people there were it to be illegal. I
             | would move out.
        
               | nybble41 wrote:
               | You can use a VPN that isn't based in your home country.
               | It's much harder to switch to a non-local ISP.
        
           | wutwutwutwut wrote:
           | Are you saying that you don't think there is anyone on
           | Windows who is using a VPN to hide their pirating activities?
           | If so, you can borrow a needle from me and pop that bubble.
        
           | jetpackjoe wrote:
           | With the way these companies advertise, they make it seem
           | like a silver bullet for internet anonymity. Almost every
           | YouTube video I've seen recently seems to have one as a
           | sponsor, and I am sure they are picking up many non-technical
           | customers.
           | 
           | I don't think users of NordVPN, ExpressVPN, MullvadVPN et al.
           | are as sophisticated as you think.
        
             | mikece wrote:
             | The way Express VPN's ad copy reads it seems their own
             | people don't understand the difference between encryption
             | and traffic tunneling (much less encryption in transit
             | versus encryption at rest).
        
             | jeroenhd wrote:
             | The non-technical customers probably aren't running WSL2
             | either. In fact I think very few of them actually need a
             | VPN. Those who torrent in litigious countries have a
             | benefit from their VPN provider but I doubt most others
             | don't know about the behaviour changes that need to take
             | place to make a VPN effective.
             | 
             | I think VPNs can be a powerful tool for many people who
             | would normally not be able to find out about their
             | existence, but the predatory nature modern VPN ads have
             | taken is quite sad.
             | 
             | This leads to some cases of Youtube fan bases angrily
             | calling out shitty VPN ads while the video creators just
             | want to pay their bills, a situation nobody wants.
        
             | GekkePrutser wrote:
             | If they're not that sophisticated they probably won't use
             | WSL anyway though, so it's not a huge issue in that sense
             | (unless some malware specifically installs WSL2 to get
             | around it).
        
           | munchbunny wrote:
           | I don't think that's true, plenty of security conscious but
           | not particularly tech savvy people use a VPN with Windows.
           | 
            | Using WSL2 though... you kind of have to be tech savvy to
            | use it, and those people are probably willing to work around
           | the issue.
        
         | qz2 wrote:
         | It's a shit show. Can't trace packets either via wireshark on
         | the host and tcpdump doesn't work on the guest. I've gone back
         | to virtualbox and eviscerated WSL. Another total waste of my
         | life.
        
           | debian_lover wrote:
           | Better yet just install linux and if you need windows, use it
           | in a locked down VM
        
           | muricula wrote:
           | Were you using WSL 1 or 2? WSL 1 networking didn't work the
           | way I expected, but WSL 2 seems to support proper Linux
           | networking since it's just a Linux VM under the hood.
        
           | GekkePrutser wrote:
            | Conceptually this makes sense. It doesn't really run under
           | windows, it runs beside windows. Unlike WSL1 which was
           | basically part of Windows. It's strange tcpdump doesn't run
           | though as WSL2 is running a real kernel.
           | 
           | Personally I really liked the resource efficient WSL1
           | approach and I lament that they dropped it. But I know for
           | some usecases (e.g. docker) a real Linux kernel was needed.
        
             | muststopmyths wrote:
             | >It's strange tcpdump doesn't run though as WSL2 is running
             | a real kernel.
             | 
             | It works just fine. Just tested it
        
               | qz2 wrote:
               | Try dumping UDP packets from the host to the WSL
               | machine...
        
               | tw04 wrote:
               | The WSL machine is a Hyper-V VM. Why would you expect the
               | default configuration to be able to sniff traffic from
               | the host operating system? That would be a massive
               | security hole.
        
               | qz2 wrote:
                | I'm talking about traffic sent to the guest not on the
               | interfaces.
        
       | wanderr wrote:
       | Related issue with some workarounds that people are reporting
       | various levels of success with:
       | https://github.com/microsoft/WSL/issues/5068
        
       | jeroenhd wrote:
       | Potential workaround: is it possible to configure VPN clients to
       | _ignore_ the WSL2 runtime and instead run a VPN client inside
       | WSL2?
       | 
       | That way the Linux network config can deal with the Linux side of
       | things and the Windows network config can deal with the Windows
       | VPN routing.
       | 
       | Of course you can just configure OpenVPN inside WSL2 and also run
       | a VPN on the desktop but that's tunnels in tunnels and that way
       | madness and network issues lies.
        
         | Digit-Al wrote:
         | >Of course you can just configure OpenVPN inside WSL2 and also
         | run a VPN on the desktop but that's tunnels in tunnels and that
         | way madness and network issues lies.
         | 
         | It's tunnels, all the way down :-)
        
         | GekkePrutser wrote:
         | If I read it correctly that wouldn't be tunnels in tunnels. It
         | would be 2 separate tunnels side by side. Which is not
         | necessarily a bad thing.
         | 
         | WSL2 is basically a VM and any VM which binds directly to the
         | Adapter (e.g. not NAT mode) will have the same behaviour. In
         | some cases you'd even want it to do this.
        
           | jeroenhd wrote:
           | If I read the article correctly, the traffic only leaks when
           | the VPN disconnects or reconnects. This means the default
           | situation would be a tunnel inside a tunnel.
           | 
            | WSL2's NAT is close to a standard Hyper-V NAT adapter but
            | there are unexpected differences (like the localhost binding)
           | that make it stand out.
        
       | donor20 wrote:
        | The idea of a linux distribution is going to be using the
       | WINDOWS firewall?? seems a bit crazy to me.
       | 
       | I expect the distributions on WSL to use their own firewall -
       | that's half of the fun of using WSL.
       | 
       | PLEASE don't push fake news like this that results in
        | distribution on WSL having to deal with / modify the windows
       | firewall - that would be a total nightmare!
        
         | mehrdadn wrote:
         | My guess is people are confused because Microsoft has marketed
         | WSL2 as a replacement for WSL1, and it makes sense for WSL1 to
         | go through the Windows firewall, so people assumed WSL2 would
         | behave similarly.
        
           | fphhotchips wrote:
           | If nothing else, I now understand that I'm going to have to
           | read up more on how WSL2 actually works, because I found WSL1
           | to be a really elegant way of running Linux on Windows
           | without having a whole bunch of virtualisation in place, but
           | it sounds like there's more virtualisation now, and also
           | Hyper V networking has previously broken my network stack.
        
             | mehrdadn wrote:
             | tl;dr is WSL2 is just a VM running under Hyper-V. The host
             | is hence Hyper-V, not Windows.
        
       | xnyan wrote:
       | I can't re-create the issue with the mullvad client, or on my
        | work-issued laptop with the Cisco AnyConnect VPN. Everything is
       | dropped the second the VPN goes up.
        
       | AndrewDucker wrote:
       | So, if I'm understanding correctly the Linux system gets access
       | to the raw Ethernet system, and so bypasses the Windows firewall.
       | Seems not entirely unreasonable - if you want Linux to use a
       | firewall then install one into it.
       | 
       | But it should definitely be well publicised/documented, because
       | otherwise people won't realise they have a gaping hole in their
       | greens m defences.
        
         | ajross wrote:
         | Right, this is as much a feature as it is a bug. But it's
         | absolutely something that should be documented and under
         | control of the host-side security layer.
        
           | logical_person wrote:
           | vmswitch is configurable by the host. these VPN authors have
           | no clue what they're doing, windows firewall rules should not
           | in any case be applied to traffic coming from a VM.
           | ridiculous.
        
             | rbanffy wrote:
             | > windows firewall rules should not in any case be applied
             | to traffic coming from a VM
             | 
             | I can't agree with this. Everything is running on Windows.
             | The VM runs on Windows and WSL exchanges data with Windows
             | all the time. That the data on the Windows side can leak
             | because I installed a Microsoft-approved product from the
             | Microsoft store on a Windows box with a Microsoft firewall
             | is unacceptable.
        
               | zokier wrote:
               | > Everything is running on Windows. The VM runs on
               | Windows
               | 
               | As far as I understand, that is not quite right. With
               | WSL2, everything is running on Hyper-V, the VM and
               | Windows both run in parallel on Hyper-V.
        
         | donor20 wrote:
         | Huh - you want linux distributions to have to play with the
         | windows firewall rules? You want windows firewall getting
         | messed up by linux containers?
         | 
         | These VPN authors are just idiots - let's stop over
         | complicating things. Half the time people LIKE that they can
         | use linux firewall features on their linux hosts for stuff.
        
           | MiroF wrote:
           | No, I'm pretty sure that is the exact opposite of what they
           | are saying.
           | 
           | Maybe work on your reading comprehension?
        
       | Angeo34 wrote:
       | Microsoft code has bugs in privacy relevant code? Next you gonna
       | tell me DDG and Brave are honeypots?
       | 
       | What a surprising coincidence.
        
         | SebSebsensen wrote:
         | Did you even read the article or previous comments before the
         | MS bashing reflexes kicked in?
        
       | Animats wrote:
       | Why would someone run a VPN client on Linux under Windows,
       | anyway, as opposed to just running it on Windows?
        
         | Bedon292 wrote:
         | They are running it on Windows. It attempts to deny all
         | outbound traffic if the VPN is not connected, but the WSL2
         | traffic does not follow that rule and gets out anyways.
        
       ___________________________________________________________________
       (page generated 2020-09-30 23:00 UTC)