|
|
|
|
|
|
by smarx007
2089 days ago
|
|
|
I think the key idea is that Mullvad client changes firewall config on the fly to insert a 2nd highest prio rule "deny outgoing" allowing outgoing internet access only to itself until the VPN tunnel is established and then withdraws it automatically afterwards. So, a generic firewall advice is not applicable here as it's used in quite a specific way. If Microsoft does not fix the problem described in the blog post, I assume the easiest way would be to introduce some kind of daemon in a Windows client that a slave client tool installed in WSL env would have to connect to or the other way around to mirror a firewall config inside the Linux machine. And that will only work on recent versions, see https://github.com/microsoft/WSL/issues/4212#issue-459183662 UPD: I think it will be resolved in a much neater way soon https://github.com/microsoft/WSL/issues/4277#issuecomment-69... |
|
|
"How it leaks WSL2 uses Hyper-V virtual networking and therein lies the problem. The Hyper-V Virtual Ethernet Adapter passes traffic to and from guests without letting the host’s firewall inspect the packets in the same way normal packets are inspected. The forwarded (NATed) packets are seen in the lower layers of WFP (OSI layer 2) as Ethernet frames only. This type of leak can happen to any guest running under Windows Sandbox or Docker as well if they are configured to use Hyper-V for networking."
That is how virtual machines are supposed to work. Hyper-V is a virtualisation thing. Whatever Mullvad is doing is immaterial - they are only worrying about the host. If you use full on virty stuff, you need to treat each VM as a VM, not a container.