Linux under WSL2 can be leaking

We have found that you could be leaking your Internet traffic when running Linux under WSL2 (Windows Subsystem for Linux 2).

Our investigation has shown that these leaks also occur on other VPN software, and even though we do not have a solution to present for now, we feel the need to address the problem. As you read this we are working on a solution to this problem.

Recently, we got a report that said there were leaks from Linux under WSL2. Our investigations concluded that traffic from the Linux guest bypasses all normal layers of WFP (the firewall on the Windows host) and goes directly out onto the network. As such, all the blocking the app does in the firewall is ignored.

Network traffic from the Linux guest always goes out the default route of the host machine without being inspected by the normal layers of WFP. This means that if there is a VPN tunnel up and running, the Linux guest’s traffic will be sent via the VPN  with no leaks! However, if there is no active VPN tunnel, as is the case when the app is disconnected, connecting, reconnecting, or blocking (after an error occurred) then the Linux guest’s traffic will leak out on the regular network, even if “Always require VPN” is enabled.

How it leaks

WSL2 uses Hyper-V virtual networking and therein lies the problem. The Hyper-V Virtual Ethernet Adapter passes traffic to and from guests without letting the host’s firewall inspect the packets in the same way normal packets are inspected. The forwarded (NATed) packets are seen in the lower layers of WFP (OSI layer 2) as Ethernet frames only. This type of leak can happen to any guest running under Windows Sandbox or Docker as well if they are configured to use Hyper-V for networking.

Other VPN software

We have tested a few other VPN clients from competitors and found that all of them leak in the same way. Therefore, this is not a problem with Mullvad VPN specifically, but rather an industry-wide issue that no-one, or very few, have addressed yet. The way Microsoft has implemented virtual networking for Linux guests makes it very difficult to properly secure them.

Full article

Scroll to Top