Linux under WSL2 can be leaking

30 9月 2020  SECURITY WINDOWS

We have found that you could be leaking your Internet traffic when running Linux under WSL2 (Windows Subsystem for Linux 2).

Our investigation has shown that these leaks also occur on other VPN software, and even though we do not have a solution to present for now, we feel the need to address the problem. As you read this we are working on a solution to this problem.

Recently, we got a report that said there were leaks from Linux under WSL2. Our investigations concluded that traffic from the Linux guest bypasses all normal layers of WFP (the firewall on the Windows host) and goes directly out onto the network. As such, all the blocking the app does in the firewall is ignored.

Network traffic from the Linux guest always goes out the default route of the host machine without being inspected by the normal layers of WFP. This means that if there is a VPN tunnel up and running, the Linux guest’s traffic will be sent via the VPN  with no leaks! However, if there is no active VPN tunnel, as is the case when the app is disconnected, connecting, reconnecting, or blocking (after an error occurred) then the Linux guest’s traffic will leak out on the regular network, even if “Always require VPN” is enabled.

How it leaks

WSL2 uses Hyper-V virtual networking and therein lies the problem. The Hyper-V Virtual Ethernet Adapter passes traffic to and from guests without letting the host’s firewall inspect the packets in the same way normal packets are inspected. The forwarded (NATed) packets are seen in the lower layers of WFP (OSI layer 2) as Ethernet frames only. This type of leak can happen to any guest running under Windows Sandbox or Docker as well if they are configured to use Hyper-V for networking.

Other VPN software

We have tested a few other VPN clients from competitors and found that all of them leak in the same way. Therefore, this is not a problem with Mullvad VPN specifically, but rather an industry-wide issue that no-one, or very few, have addressed yet. The way Microsoft has implemented virtual networking for Linux guests makes it very difficult to properly secure them.

Beware

We are currently investigating if and how we can block unwanted traffic on the Hyper-V virtual switches. We will present more information about the issue when we have any. In the meantime, know that if you use Linux under WSL2, or any other guests/containers under Hyper-V networking, the guest’s traffic might leak during the connect and reconnect phases as well as all states where there is no tunnel up and running.

The history of the issue

This was first reported to us by a tip on August 12, 2020. In the first iteration, this was handled by our Support Team only  but they were not able to reproduce the leak due to an unfortunate combination of software being installed on the testing machines at the time. So, the issue was never forwarded to developers. Then, it was reported to us again on September 17, 2020, by the same tipster, and passed on to developers right away who were able to verify that this was an issue we should take seriously. We are now working on a solution.

To be continued,
Mullvad VPN