Some Linux Users Under WSL2 Can Leak Data

One of the concerns of Internet users is that their traffic may leak onto the network. There are many reasons why this could happen. Sometimes it is due to misuse of Internet tools, other times to existing vulnerabilities or to mistakes that we make. In this article we report on security research showing how some Linux users under WSL2 may be leaking their traffic.

Linux under WSL2 could leak internet traffic

A group of Mullvad VPN security researchers has discovered that users running Linux under WSL2 could be leaking network traffic. We already know that many people choose this operating system as an alternative to Windows. There are many distributions and varieties that adapt to each case.

These researchers have also shown that these leaks occur in other VPN software. At the moment they do not have a solution to present. However, they say that they are working to solve it.

They state that they received a report of leaks from Linux under WSL2. Their research showed that Linux guest traffic bypasses all the normal layers of WFP (the Windows Filtering Platform, the Windows host firewall) and goes directly to the network. It therefore ignores all the blocking that the application performs in the firewall.

Note that Linux guest network traffic always goes out via the host machine's default route without being inspected by the normal WFP layers. This means that if a VPN tunnel is up, the Linux guest traffic is sent through the VPN without leaking. However, if there is no active VPN tunnel, as is the case when the application disconnects, reconnects, or hangs (when an error has occurred), the Linux guest traffic leaks onto the normal network, even if "Always require VPN" is enabled.
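The behaviour described above can be modelled as a routing decision plus a firewall rule that only host traffic ever reaches. This is an added example, not code from Mullvad's report; the route tables, interface names and destination address are constructed for illustration.

```python
import ipaddress

TUNNEL_IF = "vpn-tunnel"  # hypothetical name of the VPN adapter

# Constructed host route tables: (prefix, interface, effective metric).
ROUTES_CONNECTED = [
    ("0.0.0.0/0", "Ethernet", 25),
    ("0.0.0.0/1", TUNNEL_IF, 5),
    ("128.0.0.0/1", TUNNEL_IF, 5),
    ("172.28.0.0/20", "vEthernet (WSL)", 5000),
]
# While the app is disconnected or reconnecting, the tunnel routes are gone.
ROUTES_DISCONNECTED = [r for r in ROUTES_CONNECTED if r[1] != TUNNEL_IF]


def egress_interface(routes, dst):
    """Pick the route the host would use: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = []
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append((-net.prefixlen, metric, iface))
    return min(matches)[2] if matches else None


def verdict(routes, dst, always_require_vpn, from_wsl_guest):
    """Return 'tunnel', 'blocked', 'leak' or 'unroutable' for one flow."""
    iface = egress_interface(routes, dst)
    if iface is None:
        return "unroutable"
    if iface == TUNNEL_IF:
        return "tunnel"
    # The VPN app's block rules live in the normal WFP layers. Host
    # applications hit them; forwarded WSL2 guest traffic bypasses them.
    if always_require_vpn and not from_wsl_guest:
        return "blocked"
    return "leak"


if __name__ == "__main__":
    dst = "203.0.113.10"  # documentation address standing in for a server
    for state, routes in (("connected", ROUTES_CONNECTED),
                          ("disconnected", ROUTES_DISCONNECTED)):
        for guest in (False, True):
            who = "WSL2 guest" if guest else "host app"
            print(f"{state:13} {who:11} -> {verdict(routes, dst, True, guest)}")
```

The only row that ends in "leak" is the WSL2 guest with the tunnel down, which is the case the report describes.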

Why leakage occurs

WSL2 uses Hyper-V virtual networking, and that is where the problem lies. The Hyper-V virtual Ethernet adapter passes traffic to and from guests without allowing the host firewall to inspect the packets in the same way that normal packets are inspected.

Forwarded packets (NAT) are seen in the lower layers of WFP (OSI Layer 2) as Ethernet frames only. This type of leak can also happen to any guest running Windows Sandbox or Docker if it is configured to use Hyper-V for networking.

They also state that they have tried other VPN software and the same thing happens. The problem is that the way Microsoft has implemented virtual networking for Linux guests makes it very difficult to protect them properly.

You can read the full report from Mullvad VPN.