
Windows Defender Firewall blocks access from WSL2 #4139

Closed
dmchurch opened this issue Jun 14, 2019 · 71 comments
Labels
needs-investigation (likely actionable and/or needs more investigation), network, wsl2 (Issue/feature applies to WSL 2)

Comments

@dmchurch

  • Your Windows build number: 10.0.18917.1000

  • What you're doing and what's happening:
    Trying to run X11 apps from my Ubuntu installation, which I just upgraded from WSL1 to WSL2. I've configured the X server (VcXsrv) to accept TCP connections, and I've put the IP address of the Windows host into the DISPLAY variable, but the connection times out. Digging into it, I've discovered that the vEthernet adapter is treated as an "Unidentified Network", and so it gets the Public firewall access rules (which, unsurprisingly, includes blocking port 6000). If I disable the firewall entirely, I can connect to the X server just fine. This worked under WSL1, of course.

  • What's wrong / what should be happening instead:
    Connections from a WSL2 VM should be treated as privileged and not subject to firewall rules, probably?

  • Strace of the failing command, if applicable:

$ strace xev
execve("/usr/bin/xev", ["xev"], 0x7ffeee6e64a0 /* 21 vars */) = 0
brk(NULL)                               = 0x55feb7684000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[cut for brevity]
close(3)                                = 0
socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 3
setsockopt(3, SOL_TCP, TCP_NODELAY, [1], 4) = 0
setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(6000), sin_addr=inet_addr("172.17.252.209")}, 16 [hangs here...]
craigloewen-msft added the wsl2 label Jun 14, 2019
@jeffshantz

I have the same issue. It would also be nice if it were possible to change the network profile of the vEthernet adapter that WSL2 creates to Private. This way, we could at least disable the firewall for private networks. I tried doing this in PowerShell, but PS claims the adapter doesn't exist (I'm using the correct alias):

PS C:\Users\Jeff> Set-NetConnectionProfile -InterfaceAlias "vEthernet (WSL)" -NetworkCategory Private
Set-NetConnectionProfile : No MSFT_NetConnectionProfile objects found with property 'InterfaceAlias' equal to
'vEthernet (WSL)'.  Verify the value of the property and retry.
At line:1 char:1
+ Set-NetConnectionProfile -InterfaceAlias "vEthernet (WSL)" -NetworkCa ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (vEthernet (WSL):String) [Set-NetConnectionProfile], CimJobException
    + FullyQualifiedErrorId : CmdletizationQuery_NotFound_InterfaceAlias,Set-NetConnectionProfile

@faymek

faymek commented Jul 15, 2019

I want to connect from WSL2 to X410. And this works currently:
Check Settings -> Firewall -> Advanced Settings.
In the opened window, check in-site rules; you can find the TCP & UDP rules of X410. You can double-click each rule, switch to the Advanced tab in the dialog, and check all three checkboxes: domain, private, universal. This changes the profile from private to all.

For xeyes demo:

sudo apt install libgtk2.0-0 libxss1 libasound2
export DISPLAY=$(cat /etc/resolv.conf | grep nameserver | awk '{print $2}'):0.0
sudo apt install x11-apps -y && xeyes

@jovton

jovton commented Oct 27, 2019

Allowing traffic for Public networks via firewall rules works as described by @faymek, but it's kind of working on my nerves security-wise.

So I tried to make the network private using the tricks mentioned here and here, but to no avail. Even after disabling and re-enabling the device (vEthernet (WSL) / Hyper-V Virtual Ethernet Adapter) the firewall still blocks it. And rebooting the host recreates the keys in the registry. I even tried protecting the keys with access permissions, but Windows can still overwrite them on reboot.

@sandric

sandric commented Nov 19, 2019

@jovton also having the same problem. After disabling the public profile vEthernet WSL rule, it works until reboot. Tried with admin privileges also: the "Apply" button is simply disabled; all you can do is either "OK" or "Cancel", which in turn disables the Defender rule for the current session only.

Is there any solution to this? Or maybe script I can run at startup to make it automatic?

@paul-reilly

@sandric: I wrote this PS script to deal with the WSL2 IP address changing on reboot:

https://github.com/paul-reilly/WSL2-Xming-Init

It works with firewall active on my machine at least.

@rob-solana

rob-solana commented Dec 17, 2019

Upon reboot, I disable the firewall on the WSL2 interface with an Administrator PowerShell:

Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\WINDOWS\system32> Set-NetFirewallProfile -DisabledInterfaceAliases "vEthernet (WSL)"

this only works after I've launched the X client that is trying to talk to my VcXsrv

I launch my X client (xterm) with a desktop shortcut whose "Target" is set to:

C:\Windows\System32\wsl.exe /mnt/c/Users/me/wslrun.sh /usr/bin/X11/xterm -ls

Where wslrun.sh is:

#!/bin/bash
exec 1> wslrun.log 2>&1

PATH=/usr/bin:/bin
# DISPLAY to default gateway
ip_r_l_default=( $(ip r l default) )
export DISPLAY=${ip_r_l_default[2]}:0.0
cd ~
nohup "$@" &
# don't understand why I need this sleep
sleep 1

Tedious parts of this:

  1. the Powershell script, which has to run on every reboot
  2. the fact that the WSL2 interface dies whenever I change WiFi networks (all X clients die, poo)

@jefferai

Just chiming in that it was very unintuitive to figure out that the network being created was marked public and that's why I couldn't actually access host services due to the firewall. I'd expect it to be marked private.

@a-schaefers

> I have the same issue. It would also be nice if it were possible to change the network profile of the vEthernet adapter that WSL2 creates to Private. This way, we could at least disable the firewall for private networks. I tried doing this in PowerShell, but PS claims the adapter doesn't exist (I'm using the correct alias):
>
> PS C:\Users\Jeff> Set-NetConnectionProfile -InterfaceAlias "vEthernet (WSL)" -NetworkCategory Private
> Set-NetConnectionProfile : No MSFT_NetConnectionProfile objects found with property 'InterfaceAlias' equal to
> 'vEthernet (WSL)'.  Verify the value of the property and retry.
> At line:1 char:1
> + Set-NetConnectionProfile -InterfaceAlias "vEthernet (WSL)" -NetworkCa ...
> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>     + CategoryInfo          : ObjectNotFound: (vEthernet (WSL):String) [Set-NetConnectionProfile], CimJobException
>     + FullyQualifiedErrorId : CmdletizationQuery_NotFound_InterfaceAlias,Set-NetConnectionProfile

This would just be a workaround and is not good.

All you need to do is add an inbound firewall rule using the program name

C:\Program Files\VcXsrv\vcxsrv.exe

@fquinner

fquinner commented Apr 1, 2020

For the record, I added some more surgical options and documented here:

https://github.com/cascadium/wsl-windows-toolbar-launcher#firewall-rules

For me though the ideal solution would be for this to work:

#4619

@drewhemm

Confirmed adding the firewall rule and limiting the source IP scope range works. Functional and secure!

(image: Firewall)

@wmertens

wmertens commented Apr 23, 2020

Just a note: the settings from the above comment work for me, but I had trouble finding them: Control Panel > System and Security > Windows Defender Firewall > Advanced settings > Inbound Rules > edit the vcxsrv rule for public networks.

Also, since the hostname is in the DNS forwarder, you can do

export DISPLAY=$(host "$(hostname)" | head -n1 | cut -d' ' -f4):0

to set the display

@QingGo

QingGo commented May 1, 2020

> Confirmed adding the firewall rule and limiting the source IP scope range works. Functional and secure!
>
> (image: Firewall)

I tried this method but it didn't work. After some searching I found that there are two block rules for "VcXsrv windows xserver" in my firewall rule list and these rules take precedence. Windows will add rules to your firewall when you first start VcXsrv windows xserver, and you should disable these rules manually (not remove them, or Windows will try to add them again when you open VcXsrv next time).

@ghost

ghost commented May 9, 2020

@QingGo You just need to edit the TCP rule for "VcXsrv windows xserver" from Block to Allow, no need to disable it and create a new rule. I have successfully used this approach to allow WSL 2 to connect to a PostgreSQL installed on Windows.

P.S.: can someone enlighten me why we limit the IP range to 172.16.0.0/12?

@fquinner

fquinner commented May 9, 2020

> @QingGo You just need to edit the TCP rule for "VcXsrv windows xserver" from Block to Allow, no need to disable it and create a new rule. I have successfully used this approach to allow WSL 2 to connect to a PostgreSQL installed on Windows.
>
> P.S.: can someone enlighten me why we limit the IP range to 172.16.0.0/12?

It's a standard private IP subnet range that WSL seems to rattle around:

https://tools.ietf.org/html/rfc1918

@ghost

ghost commented Jun 13, 2020

WSL may pick the IP range 192.168.0.0/16 too:

This firewall setting should cover all cases

@wmertens

Hmm if you add that range, you get most home networks, and there's some chance of an attack via a compromised printer or whatever.
Granted, very unlikely but not impossible.

The rule should only allow connections from the local pc.

@ghost

ghost commented Jun 15, 2020

Because PowerShell allows us to modify firewall rules, I think writing a script to update the WSL 2 IP address for each inbound rule may be a good idea; we only need to create the rules manually once and run the script after Windows startup. Something like this: (run in admin shell)

Import-Module -Name 'NetSecurity'

$wsl2Ip = wsl.exe /bin/bash -c "ip addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'"

Get-NetFirewallRule -Direction Inbound | Where-Object {
    $_.DisplayName -eq "postgres.exe" `
        -and ($_ | Get-NetFirewallPortFilter).Protocol -eq "TCP"
} | ForEach-Object {
    Set-NetFirewallRule -Name $_.Name -RemoteAddress $wsl2Ip
}
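
An added example (not code from the thread) that takes the same approach as the script above but narrows the rule further and checks for what silently defeats it: it reads the distro's eth0 address and refuses to continue unless the value is a plain IPv4 address, warns about the auto-created VcXsrv Block rules QingGo described (Block rules take precedence over Allow rules), and then creates or updates a single Allow rule pinned to the WSL interface, the X server port and the current WSL address. The rule display name, the interface alias 'vEthernet (WSL)' and port 6000 are assumptions; adjust them to your setup.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell
# after the distro is up (the address only exists once the VM is running).
$RuleName = 'WSL2 X11 (scoped)'   # assumed display name for our own rule
$IfAlias  = 'vEthernet (WSL)'     # interface alias used throughout the thread
$Port     = 6000                  # X11 TCP port from the original report

# 1. Read eth0's address from inside the distro (same technique as the script
#    above) and validate it: a rule built from garbled output would either
#    fail or, worse, end up broader than intended.
$raw   = wsl.exe -e sh -c "ip -4 -o addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'"
$wslIp = ($raw | Out-String).Trim()
if ($wslIp -notmatch '^(\d{1,3}\.){3}\d{1,3}$') {
    throw "No usable IPv4 address for WSL eth0 (got '$wslIp'); is the distro running?"
}

# 2. Block rules win over Allow rules. Report any enabled inbound Block rule for
#    the X server (Windows adds them on first launch) instead of silently
#    changing it; the operator decides whether to disable it.
Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
    Where-Object { $_.DisplayName -like '*VcXsrv*' } |
    ForEach-Object {
        $pf  = $_ | Get-NetFirewallPortFilter
        $msg = "Block rule '{0}' ({1}, {2} port {3}) overrides any Allow rule; if it covers TCP {4}, disable it with: Disable-NetFirewallRule -Name '{5}'"
        Write-Warning ($msg -f $_.DisplayName, $_.Profile, $pf.Protocol, (@($pf.LocalPort) -join ','), $Port, $_.Name)
    }

# 3. One Allow rule pinned to the WSL interface, the port and the current
#    address: far tighter than 172.16.0.0/12 or exempting the whole interface.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -InterfaceAlias $IfAlias -RemoteAddress $wslIp | Out-Null
} else {
    # Only the address drifts between reboots; leave the rest of the rule alone.
    $rule | Set-NetFirewallRule -RemoteAddress $wslIp
}

# 4. Read back the stored filters so the effective scope can be checked and logged.
$rule  = Get-NetFirewallRule -DisplayName $RuleName
$addrF = $rule | Get-NetFirewallAddressFilter
$portF = $rule | Get-NetFirewallPortFilter
$ifF   = $rule | Get-NetFirewallInterfaceFilter
'{0}: {1} {2}/{3} on {4} from {5}' -f $rule.DisplayName, $rule.Action, $portF.Protocol,
    (@($portF.LocalPort) -join ','), (@($ifF.InterfaceAlias) -join ','), (@($addrF.RemoteAddress) -join ',')
```

Hook it to a logon task, as the Task Scheduler comments in this thread do, so the RemoteAddress follows WSL's address across reboots.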

@cybtachyon

cybtachyon commented Jun 19, 2020

Related to #4150

This is the script I use, run via Task Scheduler on login, sourced from #4150 :

$remoteip = wsl.exe /bin/bash -c "ip addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'"
$found = $remoteip -match '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}';

if( !$found ){
  echo "The Script Exited, the ip address of WSL 2 cannot be found";
  exit;
}

#[Ports]

#All the ports you want to forward separated by comma
$ports=@(80,8080,443,10000,3000,5000);


#[Static ip]
#You can change the addr to your ip config to listen to a specific address
$addr='0.0.0.0';
$ports_a = $ports -join ",";


#Remove Firewall Exception Rules
iex "Remove-NetFireWallRule -DisplayName 'WSL 2 Firewall Unlock' ";

#adding Exception Rules for inbound and outbound Rules
iex "New-NetFireWallRule -DisplayName 'WSL 2 Firewall Unlock' -Direction Outbound -LocalPort $ports_a -Action Allow -Protocol TCP";
iex "New-NetFireWallRule -DisplayName 'WSL 2 Firewall Unlock' -Direction Inbound -RemoteAddress $remoteip -Action Allow -Protocol TCP";

for( $i = 0; $i -lt $ports.length; $i++ ){
  $port = $ports[$i];
  iex "netsh interface portproxy delete v4tov4 listenport=$port listenaddress=$addr";
  iex "netsh interface portproxy add v4tov4 listenport=$port listenaddress=$addr connectport=$port connectaddress=$remoteip";
}

@PavelSosin-320

Cross WSL 2 distro access via ports published to Windows host should work bypassing all firewalls. Am I right? In the case of Docker Desktop Kubernetes integration using HTTP port 6443 works well. Is it a firewall issue or something else, like of difference between Kubernetes and Docker proxy implementation?

@hwo411

hwo411 commented Jun 21, 2020

#4585 (comment) Might be helpful for solving firewall problem.

@therealkenc
Collaborator

> #4585 (comment) Might be helpful for solving firewall problem.

Inlining here since this issue ended up being the landing zone. Props go to @dansanduleac

New-NetFirewallRule -DisplayName "WSL" -Direction Inbound  -InterfaceAlias "vEthernet (WSL)"  -Action Allow

@boardbloke

boardbloke commented Jul 21, 2022

I've been struggling to understand why this is still an issue after 3 years of being open. What the hell is going on at Microsoft? My company is now telling me that I can't use WSL2 precisely because they want to enforce a policy of not allowing Public domain firewalls to be disabled. I'm sure I'm not the only person in that boat.

Can we have some kind of update please? @craigloewen-msft - Is there anybody else that could be added to this issue to get some traction?

@whentimeslows

whentimeslows commented Jul 31, 2022

My missing piece was the firewall Public Profile Firewall State Inbound Connections was set to "Block all connections". After changing this to "Block (default)" adding the rules below using PowerShell as Administrator allowed WSL connections in and out.

New-NetFirewallRule -DisplayName "WSL" -Direction Inbound -InterfaceAlias "vEthernet (WSL)" -Action Allow
New-NetFirewallRule -DisplayName "WSL" -Direction Outbound -InterfaceAlias "vEthernet (WSL)" -Action Allow


EDIT: Note that this basically turns off the firewall for WSL - use with caution! For more granular access you can define the specific ports you want to allow in and out with the New-NetFirewallRule PowerShell cmdlet.

@LMRW

LMRW commented Sep 5, 2022

Same issue here. Have to not use the block all incoming firewall setting on public networks, otherwise WSL2 is broken when accessing the internet.

Microsoft: please let us designate WSL2 as private.

@jonkadelic

jonkadelic commented Sep 7, 2022

> Same issue here. Have to not use the block all incoming firewall setting on public networks, otherwise WSL2 is broken when accessing the internet.
>
> Microsoft: please let us designate WSL2 as private.

Just found a workaround that seems to allow this.

First, install Hyper-V Manager if necessary. This is purely to get access to the PowerShell tools it provides to manage VM switches.

Run Set-VmSwitch "WSL" -SwitchType Internal. This converts the switch from a private VM switch to an internal one. It also makes it appear in Network Connections in Control Panel, as well as appearing when you run Get-NetConnectionProfile in PowerShell. You'll see that for vEthernet (WSL) NetworkCategory is listed as Public.

Manually assign an IP to the adapter via Control Panel, something in the 172.XX.XX.1 range, and make sure that your WSL install is on the same subnet.

Run Set-NetConnectionProfile -InterfaceAlias "vEthernet (WSL)" -NetworkCategory Private. You should now be able to ping the host machine from inside the VM without needing to modify any firewall rules.

Slight disclaimer: I've literally only just discovered that this works, so haven't tested it extensively, but it seems to be able to reliably access the Internet and the host machine.

EDIT: Unfortunately I've just found that it doesn't survive a reboot. Ah well.

@ItsIgnacioPortal

ItsIgnacioPortal commented Sep 13, 2022

This is insanely dumb. Why on earth would they choose to set a PURELY INTERNAL NETWORK as "Public" on the firewall settings?? This network has the same level of trust as starbucks wifi. It should be a "Private" network BY DEFAULT. ughh

@ipcjs

ipcjs commented Oct 3, 2022

WSL2 already supports systemd and can start the sshd service, so we can use the port forwarding function of ssh to let WSL2 access the host port.
like this:

# In WSL2, you can access port 1080 of the host through port 1081
ssh.exe -f -N -R 1081:127.0.0.1:1080 js@localhost &

@kevlar700

Ridiculous. Going back to WSL1. Can't it talk directly to the networking devices anyway?

@pduchnovsky

pduchnovsky commented Oct 21, 2022

WSL1 isn't a win either (in terms of the previously discussed DNS issues).
WSL1 uses direct entries for the DNS servers provided by the system in /etc/resolv.conf,
but when I connect to VPN it does NOT update resolv.conf automatically, only during WSL restart it seems.
I made a minor script that I put into the .zshrc file (since I use ZSH; in case of bash use .bashrc) that updates resolv.conf automatically (should work for WSL2 as well)

# AutoUpdate DNS
ps -ef | egrep -i "(sl[e]ep 10|pow[e]rshell)" >/dev/null 2>&1 || (while true;do sudo bash -c "for i in $(powershell.exe 'Get-DnsClientServerAddress | Where-Object AddressFamily -Like 2 | Select-Object -ExpandProperty ServerAddresses' | sort -u | tr '\r\n' ' ');do echo nameserver \$i;done > /etc/resolv.conf && echo -e 'options timeout:1\noptions attempts:1' >> /etc/resolv.conf"; sleep 10;done &)

@luxzg

luxzg commented Oct 26, 2022

Since I just got bumped on email about this issue, I'd like to point everyone to the fact that vSwitch can now be used to directly connect WSL2 distro, officially, no hacks, using "networkingMode=bridged". You do need W11 Pro, which shouldn't be an issue. I've compiled a nice big tutorial couple of days ago as a comment in main networking thread:
#4150 (comment)

Likewise added it to my GitHub:
https://github.com/luxzg/WSL2-fixes

I went through the W10 to W11 upgrade (linked instructions for those with "unsupported" hardware), WSL2 Preview, creation of a vSwitch, configuration of a bridge, and as a bonus systemd configuration on Ubuntu with a complete systemd-based networking setup. It should be doable for both newbies and experienced users. Btw, I can now tear up and set up a new WSL2 instance with proper networking and full apt upgrades and all in less than 10 minutes, easy-peasy.

@boardbloke

For those of you that cannot for whatever reason install Windows 11, it's now possible to run WSLg (https://github.com/microsoft/wslg) in WSL2 on Windows 10 builds that have a UBR >= 2311. So, if you are reading this issue because you are trying to run Linux GUIs in Windows using an X11 server like VcXsrv installed in Windows, then one alternative is to use WSLg instead.

This has solved all the problems I was personally having, as I now do not have to disable the Defender firewall for the WSL2 connection in order to get the GUI processes in WSL2 to be able to connect to the X11 port running in Windows. That in turn allows me to connect to my corporate VPN (which was otherwise blocked due to security policies related to firewall settings).

If you don't have the .2311 build of Windows 10, then install all the latest updates from Windows Update. You need to be updated to Version 22H2. I took the advice from here - https://superuser.com/questions/1754138/running-wsl-that-was-installed-from-the-microsoft-store-results-in-windows-vers. Note if that doesn't get you to UBR 2311, then you may need the preview update https://support.microsoft.com/en-gb/topic/november-15-2022-kb5020030-os-builds-19042-2311-19043-2311-19044-2311-and-19045-2311-preview-237a9048-f853-4e29-a3a2-62efdbea95e2.

I actually couldn't get that via Windows Update - probably because it's a preview release, but I found I could install it manually by downloading from https://www.catalog.update.microsoft.com/Search.aspx?q=KB5020030. Do this at your own risk though - it's a preview release. People seem to think it will be out of preview in a few months, so you might want to wait and use Windows Update.

After that - I rebooted and ensured my DISPLAY env variable setting was set to :0, and WAYLAND_DISPLAY was set to wayland-0 (the required values for WSLg) and WSLg started serving my Linux GUIs!!

Hope you find this helpful!

@ScottShingler

I wasn't sure if the New-NetFirewallRule command mentioned above might allow external traffic in, so I added -RemoteAddress LocalSubnet:

New-NetFirewallRule -DisplayName "WSL2toHost" -Direction Inbound -InterfaceAlias "vEthernet (WSL)" -Action Allow -RemoteAddress LocalSubnet

My understanding is that this will allow only traffic from the local subnet. I'm not sure if it's strictly needed though. Can anyone confirm one way or the other?
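
An added example (not code from the thread) that answers the two questions in this part of the thread by inspection rather than guesswork. The first function reports the Public profile settings that override every Allow rule; the "Block all connections" state whentimeslows ran into is AllowInboundRules = False, and the interface exemptions set with -DisabledInterfaceAliases earlier in the thread show up as well. The second lists, for each inbound rule whose display name matches a pattern, the interface, port and remote-address filters actually stored, and flags rules that are neither pinned to the WSL interface nor restricted by RemoteAddress. The interface alias 'vEthernet (WSL)' and the name pattern 'WSL*' are assumptions.

```powershell
# Added example, not code from the thread. Read-only queries; no changes made.
function Get-PublicInboundPolicy {
    # Profile-level switches that decide whether Allow rules are consulted at all.
    $p = Get-NetFirewallProfile -Profile Public
    [pscustomobject]@{
        Enabled              = $p.Enabled
        DefaultInboundAction = $p.DefaultInboundAction
        # False = the GUI's "Block all connections": inbound Allow rules are ignored
        AllowInboundRules    = $p.AllowInboundRules
        # Interfaces exempted from this profile (set via -DisabledInterfaceAliases)
        DisabledInterfaces   = (@($p.DisabledInterfaceAliases) -join ',')
    }
}

function Get-WslRuleScope {
    param(
        [string]$NamePattern = 'WSL*',             # assumed display-name pattern
        [string]$Alias       = 'vEthernet (WSL)'   # interface alias from the thread
    )
    Get-NetFirewallRule -DisplayName $NamePattern -Direction Inbound -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Each filter lives in its own CIM object; the rule itself carries none of them.
            $ifF   = $_ | Get-NetFirewallInterfaceFilter
            $addrF = $_ | Get-NetFirewallAddressFilter
            $portF = $_ | Get-NetFirewallPortFilter
            $pinnedToWsl = @($ifF.InterfaceAlias)   -contains $Alias
            $anyRemote   = @($addrF.RemoteAddress)  -contains 'Any'
            [pscustomobject]@{
                Name          = $_.DisplayName
                Enabled       = $_.Enabled
                Action        = $_.Action
                Profile       = $_.Profile
                Interface     = (@($ifF.InterfaceAlias) -join ',')
                Protocol      = $portF.Protocol
                LocalPort     = (@($portF.LocalPort) -join ',')
                RemoteAddress = (@($addrF.RemoteAddress) -join ',')
                # True when nothing limits where traffic may come from: the rule is
                # not bound to the WSL interface and has no RemoteAddress restriction.
                Broad         = (-not $pinnedToWsl) -and $anyRemote
            }
        }
}

Get-PublicInboundPolicy | Format-List
Get-WslRuleScope | Format-Table -AutoSize
```

A rule with Interface = vEthernet (WSL) and RemoteAddress = Any is reported as not Broad because the interface filter already limits it to packets arriving from the WSL side; adding LocalSubnet narrows it further to addresses in that interface's subnet.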

@kkm000

kkm000 commented Jun 24, 2023

@therealkenc This has had the status "investigation required" for 2.5 years. How is... the investigation going? Any chance this is fixable? Is WSL2 fundamentally incompatible with Windows networking? There are dozens of cross-referencing issues, this is a real problem for so many people.

I believe that indicating the network as Private could resolve the issue, at least partially, if that's a possibility at all. The VM switch adapter connection profile is not exposed through WMI, so changing its profile the "normal" way, with Set-NetConnectionProfile, is impossible. Other Internal VM switches are visible, only not the WSL's one.

> Get-NetConnectionProfile -InterfaceAlias 'vEthernet (WSL)'
Get-NetConnectionProfile: No MSFT_NetConnectionProfile objects found with property 'InterfaceAlias' equal to 'vEthernet (WSL)'.  Verify the value of the property and retry.

> Get-NetConnectionProfile | ft InterfaceAlias,NetworkCategory,IPv4Connectivity

InterfaceAlias   NetworkCategory IPv4Connectivity
---------------- --------------- ----------------
Wi-Fi                    Private         Internet
vEthernet (buba)         Private     LocalNetwork

The second row is a Hyper-V internal switch, visible in Control Panel/Networking, but the WSL one isn't. It's interesting that both are visible in the long output of Get-VMSwitch | fl *, also returned through WMI(!); I compared them, no differences. The network interface is not visible in Device Manager either, although the Hyper-V switch is, as "Hyper-V Virtual Ethernet Adapter #2". I don't understand what is really going on.

@kgonia

kgonia commented Aug 8, 2023

This one helped me to debug with PyCharm using an environment in WSL 2

#4585 (comment)

@z11k

z11k commented Oct 15, 2023

> Related to #4150
>
> This is the script I use, run via Task Scheduler on login, sourced from #4150 :
>
> $remoteip = wsl.exe /bin/bash -c "ip addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'"
> $found = $remoteip -match '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}';
>
> if( !$found ){
>   echo "The Script Exited, the ip address of WSL 2 cannot be found";
>   exit;
> }
>
> #[Ports]
>
> #All the ports you want to forward separated by comma
> $ports=@(80,8080,443,10000,3000,5000);
>
>
> #[Static ip]
> #You can change the addr to your ip config to listen to a specific address
> $addr='0.0.0.0';
> $ports_a = $ports -join ",";
>
>
> #Remove Firewall Exception Rules
> iex "Remove-NetFireWallRule -DisplayName 'WSL 2 Firewall Unlock' ";
>
> #adding Exception Rules for inbound and outbound Rules
> iex "New-NetFireWallRule -DisplayName 'WSL 2 Firewall Unlock' -Direction Outbound -LocalPort $ports_a -Action Allow -Protocol TCP";
> iex "New-NetFireWallRule -DisplayName 'WSL 2 Firewall Unlock' -Direction Inbound -RemoteAddress $remoteip -Action Allow -Protocol TCP";
>
> for( $i = 0; $i -lt $ports.length; $i++ ){
>   $port = $ports[$i];
>   iex "netsh interface portproxy delete v4tov4 listenport=$port listenaddress=$addr";
>   iex "netsh interface portproxy add v4tov4 listenport=$port listenaddress=$addr connectport=$port connectaddress=$remoteip";
> }

Finally something that also works for me. Yes, it needed firewall rules... I will borrow it. Thx

@KeisukeeLee

My solution:
run_in_background.vbs:

Set WshShell = CreateObject("WScript.Shell") 
WshShell.Run "cmd /c <YOUR_ABSOLUTE_PATH>\disable-wsl-public-profile.bat",0

disable-wsl-public-profile.bat:

wsl exit && powershell -Command "Set-NetFirewallProfile -Profile Public -DisabledInterfaceAliases 'vEthernet (WSL)'"


@ryumada

ryumada commented Dec 24, 2023

My solution is to completely reinstall my WSL by: [1]

  • removing any Windows Subsystem for Linux Update
  • then, disabling and enabling these two features (reboot after disabling the features):
    • Windows Subsystem for Linux
    • Virtual Machine Platform

By doing this, I assume that the WSL network interface has been reconfigured.

Footnotes

  [1] NotTheDr01ds, “Answer to ‘Completely reinstall WSL,’” Super User. Accessed: Dec. 24, 2023. [Online]. Available: https://superuser.com/a/1619435

@sboden

sboden commented Feb 4, 2024

So the script from #4139 (comment) does not work on my Windows 10 Laptop. The IP address it finds in the first few lines also doesn't seem to be the IP address from WSL in an "ipconfig /all".

The commands from #4139 (comment) do work, but they cause a warning in "Windows Security" (the "Restore settings" button) which the security people don't seem to like very much.

Are there any other solutions to make xdebug work from WSL2 to a Windows PhpStorm without causing Windows Security warnings?

@danon

danon commented Apr 20, 2024

What worked for me:

New-NetFirewallRule -DisplayName "WSL2 Allow xDebug" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 9000,9003

@OneBlue
Collaborator

OneBlue commented May 14, 2024

Hi! Please try the latest networking features that we've added in WSL. Those should greatly improve connectivity.

If the issue still remains, please reopen this issue.

@OneBlue OneBlue closed this as completed May 14, 2024
@LifeJustDLC

Because Windows randomly turns on the firewall without your acknowledgement, enforcing a cron job to disable it might be the only compromise solution.

# run as admin in "windows powershell"
$option = New-ScheduledJobOption -RunElevated -RequireNetwork
$atLogin = New-JobTrigger -AtLogOn -User *
$atInterval = New-JobTrigger -Once -RepeatIndefinitely -RepetitionInterval "00:10:00" -At "0am"
Register-ScheduledJob -Name "F wsl firewall" -ScheduledJobOption $option -Trigger $atLogin, $atInterval -ScriptBlock {
    Set-NetFirewallProfile -Profile Public -DisabledInterfaceAliases "vEthernet (WSL)";
}

(I know basically nothing about windows powershell, so please let me know if I'm wrong.)
Also don't forget to enable inbound rules on the "Windows" host side.
