WSL2 breaks by default #502
Hey @fifty-six, thanks for reporting this. First of all, I want to be sure you know about #166 - we do not have explicit support for VMs yet. WSL2 uses a VM. That said, I don't see any DNS requests in the debug info you provided. There are only NetBIOS requests and a request to port 8080 to the host (I guess). I'm not sure how WSL2 configures the VM. If you can change the network configuration of the VM, try changing it to "NAT". Depending on the type of NAT, this might result in WSL2 showing up as an App in Portmaster.
I didn't realize WSL2 wasn't explicitly supported yet, my bad. I couldn't find a way to change the network configuration to NAT for WSL2. As far as DNS goes, I saw it in the System DNS Client, as under LAN incoming there are requests from WSL's internal IP which are blocked by the default incoming rules. More specifically, under
No problem. It's good for us to see where our current limits are. It definitely seems to be DNS which is the problem. Would be interesting if this still works for @chriskrams - he reported some time ago that it works for him: #259 (comment)
I get this in the logs when I
If I change my DNS to not route through localhost then it works out though, e.g. 8.8.8.8 in WSL works fine.
Another thing of note is, even with the DNS set to 8.8.8.8, other things like There are a lot of logs which drop incoming connections by default with addresses like
Thanks for the outputs. So as far as I understand it, WSL2 runs in a hypervisor and uses hypervisor networking, which fully bypasses the host's networking stack. I don't know why git would still not work. Maybe there is something in the caches. Try rebooting your whole machine. The incoming connections being dropped in the "Unidentified Processes" app are most likely just broadcast pings or someone trying to find a service which your PC does not offer, e.g. Spotify or Dropbox looking for other instances locally. This is normal and expected.
Auto-closing this issue after waiting for input for a month. If anyone finds the time to provide the requested information, please re-open the issue and we will continue handling it.
I confirm the problem under 0.9.3 with Windows 11 Pro.
I tried this, didn't work sadly.
For me disabling
@Shouri14 Glad that it helped! For anyone with the same problem, it seems that the process to disable It may change with the OS or device; for me in Windows 11 it is To identify the process you could run in WSL
For anyone with the same Windows version (Windows 11 Home 22621.2506), it's
Confirming I needed to fully shut down and restart LxssManager in
@fifty-six - Portmaster does not support WSL2. However, you can bypass Portmaster by changing the nameserver in the resolv.conf file (in the WSL2 instance). Try this -
add the below nameserver. Keep in mind that with this you are bypassing all traffic from Portmaster. This could be a potential privacy concern for some individuals.
As mentioned in #1391, thanks for the note. I cannot confirm if that works, but be aware that this workaround might stop working at some point when we are looking into adding support for VMs. The issue is not that Portmaster does not see it, and this "bypass" is not actually going past Portmaster; it just allows the VM to pass through Portmaster, and because we are ignoring it at the moment it works. If we start making changes to how we look at this traffic, that can result in breaking this. Just something to be aware of.
@Raphty perhaps this is one for your colleagues or even exec team: Wouldn't a massive population of Portmaster's most sought-after potential users and customers be technical users / power users, IT pros, and developers... And thus not having support, or at least documentation, to cover use with WSL2 means there's often an unpleasant and/or alienating experience when trying out Portmaster? Per my comment above, Windows Service: Shared Access worked for me (for now). IMHO even the full DNS bypass option for WSL2 could also be documented or even supported as a feature -- along with clear user feedback on the ramifications of doing that. At least then I would have a better perception that the app is actually doing its best to protect me in how I use a PC, and helping with awareness if I was ever weakening anything, and it would save a lot of time troubleshooting / reading docs / reading issues.
@firxworx thanks for the feedback. I get what you are saying, and we see the need for a firewall that targets IT professionals and developers, but this is not what Portmaster's vision is. Portmaster is Easy Privacy - and we know we made trade-offs to achieve the best privacy for some restrictions in how you can use it. After all, as an IT professional you know that the highest security risk is user error. So sometimes not giving options is a way to navigate how much a user can mess up their privacy. We are thinking about a Professional offer, but it will not come from Safing; Daniel and I will lead this venture as well 😁 If you are interested please reach out via mail
@Raphty thanks for the reply. So far my experience has been that one would need to be reasonably technical to troubleshoot through allowing various everyday tasks with Portmaster. At least in my experience, non-technical users are often the least privacy-aware people. I have no idea of actual user demographics data as you presumably do, however I imagine that a lot of Portmaster users are what I would describe as power users, and at least to me these do seem to be the types of user base commenting on reddit and elsewhere. I see where you're coming from regarding certain product decisions; I suppose my feedback is the execution doesn't always make them easy to find or even allow users to selectively disable things, or perhaps better yet, enable or disable by use case with there being recommended settings. I appreciate the huge challenge: security vs. usability is a classic trade-off. For an example, here's a very recent example of an everyday computing task: I just needed to print something. For another: what if someone worked in marketing, communications, ecom, etc. (i.e. not a developer -- an everyday user) and needed to use Google Analytics for their work? Even for 5 min? There's no clean way to selectively allow this, at least that I'm aware of. At the risk of getting too far off topic vs. this issue thread I could go on. Feel free to send me an email. And if y'all need anyone to help with technical product let me know, you guys do have a cool product and I do see a lot of promise in it :) Overall great work, this is one hell of a tool :)
What worked?
Can allow it mostly via incoming rules. I used 192.168.128.0/12 and 172.0.0.1/24 for the DNS; had to go for LAN on unidentified processes.
What did not work?
By default, Portmaster blocks WSL2's incoming requests, which causes it to be unable to resolve DNS requests. It also appears as 'unidentified processes', which makes it a bit harder to work around.
Having to allow the range under 192.x.x.x.x is a bit annoying as WSL doesn't have a deterministic IP (I've gotten 192.168.235.x, 192.168.135.x, and 127.x.x.x at least) and there's no way I can see to have Portmaster allow only it, so my options are limited to the 2 ranges, one being rather large and actually used by local subnets, or allowing all LAN incoming. In addition it's under Unidentified Processes so there's not much granularity to it.
Similarly, the System DNS Client blocks the DNS requests from WSL2 as they don't use the normal ports from LAN, so I had to allow that as well.
git clone also seems to break, though I don't see any requests show up when it executes so I'm not sure where to allow it. It works if Portmaster is off though.
NOTE: Some of the incoming Unidentified Processes connections are shown as allowed within the debug info as I added the rule to fix it during the session.
Debug Information (Unidentified Process):
Version 0.7.14
Platform: Microsoft Windows 10 Enterprise N 10.0.18363 Build 18363
Status: Trusted
Resolvers: 3/3
Network: 4/17 Connections
No Module Error
Unexpected Logs
Goroutine Stack
System DNS Client
Network: 233/254 Connections
No Module Error
Unexpected Logs
Goroutine Stack
Version 0.7.14
Platform: Microsoft Windows 10 Enterprise N 10.0.18363 Build 18363
Status: Trusted
Resolvers: 3/3
Network: 9/67 Connections
No Module Error
Unexpected Logs
Goroutine Stack
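To see how broad the incoming allow rules quoted in the report actually are, here is an added example (written for this page, not code from the thread or the Portmaster project) that normalizes each CIDR the way plain CIDR matching does and compares it with the WSL2 addresses the reporter observed. The sample addresses' last octets are made up, and plain CIDR masking is assumed rather than Portmaster's own rule parser.

```python
import ipaddress

# Constructed sample input: the two allow ranges quoted in the report and
# the WSL2 address families the reporter observed (last octets made up).
REPORTED_RULES = ["192.168.128.0/12", "172.0.0.1/24"]
OBSERVED_WSL_IPS = ["192.168.235.17", "192.168.135.42", "127.0.0.1"]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalize_rule(rule):
    """Network a CIDR rule matches once host bits are masked off.

    Assumes plain CIDR semantics: with strict=False the host bits of the
    written address are dropped, so 192.168.128.0/12 becomes 192.160.0.0/12.
    """
    return ipaddress.ip_network(rule, strict=False)


def audit_rule(rule, observed):
    """Describe how wide a rule is and which observed addresses it admits."""
    net = normalize_rule(rule)
    covers = [ip for ip in observed if ipaddress.ip_address(ip) in net]
    return {
        "written": rule,
        "effective": str(net),
        "addresses": net.num_addresses,
        # False means the rule also admits public address space
        "within_rfc1918": any(net.subnet_of(p) for p in RFC1918),
        "covers": covers,
        "misses": [ip for ip in observed if ip not in covers],
    }


def smallest_covering_network(ips):
    """Tightest single CIDR that admits every given address.

    Widens a /32 one bit at a time until all addresses fit. Addresses from
    unrelated ranges (loopback next to 192.168.x.x) drive it to 0.0.0.0/0,
    which shows they need separate rules rather than one wider one.
    """
    hosts = [ipaddress.ip_network(ip) for ip in ips]
    net = hosts[0]
    while not all(h.subnet_of(net) for h in hosts):
        net = net.supernet()
    return net


if __name__ == "__main__":
    for rule in REPORTED_RULES:
        print(audit_rule(rule, OBSERVED_WSL_IPS))
    print("tightest 192.168 rule:", smallest_covering_network(OBSERVED_WSL_IPS[:2]))
    print("with loopback included:", smallest_covering_network(OBSERVED_WSL_IPS))
```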