Can't ssh into wsl with networking mode mirrored #10597

Closed
nisarg-ujjainkar opened this issue Oct 5, 2023 · 23 comments
Comments

@nisarg-ujjainkar

Windows Version

Microsoft Windows [Version 10.0.22621.2361]

WSL Version

2.0.0

Are you using WSL 1 or WSL 2?

  • WSL 2
  • WSL 1

Kernel Version

5.15.123

Distro Version

Ubuntu 22.04

Other Software

No response

Repro Steps

  1. set networkMode to mirrored.
  2. change sshd listening port to 2222
  3. try to ssh from a different machine (assume that you are going through the Windows machine as a proxy).

Expected Behavior

I would expect the ssh connection to just work.

Actual Behavior

ssh complains that it cannot resolve the hostname.

Diagnostic Logs

No response

@joehays

joehays commented Oct 8, 2023

I ran into the same problem today. I kept the default ssh port set to 22.

WSL version: 2.0.4.0
Kernel version: 5.15.123.1-1
WSLg version: 1.0.58
MSRDC version: 1.2.4485
Direct3D version: 1.608.2-61064218
DXCore version: 10.0.25880.1000-230602-1350.main
Windows version: 10.0.22631.2361

also,

Edition	Windows 11 Home
Version	23H2
Installed on	‎8/‎21/‎2023
OS build	22631.2361
Experience	Windows Feature Experience Pack 1000.22674.1000.0

here are my uncommented params in /etc/ssh/sshd_config

Port 22
MaxSessions 2
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no

also,

Jarvis:~$ sudo systemctl status sshd
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; e>
     Active: active (running) since Sat 2023-10-07 22:4>
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 324 ExecStartPre=/usr/sbin/sshd -t (code=e>
   Main PID: 352 (sshd)
      Tasks: 1 (limit: 36095)
     Memory: 4.5M
        CPU: 21ms
     CGroup: /system.slice/ssh.service
             └─352 sshd: /usr/sbin/sshd -D [listener] 0>

and,

Jarvis:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.6 LTS
Release:        20.04
Codename:       focal

and finally, my C:\Users\<user>\.wslconfig contains the following,

[wsl2]
memory=30G
[experimental]
autoMemoryReclaim=gradual
sparseVhd=true
networkingMode=mirrored
dnsTunneling=true
firewall=true
autoProxy=true

@CatalinFetoiu
Collaborator

CatalinFetoiu commented Oct 10, 2023

@nisarg-ujjainkar @joehays thanks for reporting the issue

When mirrored mode is on, the firewall is also on by default, and the Hyper-V firewall blocks inbound traffic by default.

Can you try adding a Hyper-V firewall rule to allow inbound traffic to WSL to the SSH port?

You can run the command below in an admin powershell window

New-NetFirewallHyperVRule -DisplayName "allow WSL ssh" -Direction Inbound -LocalPorts 22 -Action Allow

@joehays

joehays commented Oct 11, 2023

@CatalinFetoiu
That did it! Thank you.

So, I learned something very important. The Hyper-V firewall is independent/separate from the Windows firewall. I had disabled the Windows firewall with my initial testing but it did not make a difference.

For posterity sake... this seems like a good starting point for those of us new to Hyper-V to learn from:

https://learn.microsoft.com/en-us/powershell/module/netsecurity/?view=windowsserver2022-ps

@CatalinFetoiu
Collaborator

@joehays great to hear the problem was fixed

one note regarding Hyper-V firewall - if you add a rule in the Windows firewall to allow inbound SSH traffic, the rule will be automatically migrated to Hyper-V firewall

I am closing the issue

@nisarg-ujjainkar
Author

@CatalinFetoiu thanks. That fixed it. However, I am a bit curious about how I can directly ssh into the wsl instance if both Windows and WSL are listening to the same port (this is why I had changed the port to 2222)?

@CatalinFetoiu
Collaborator

@nisarg-ujjainkar in mirrored mode, by default Windows and WSL can't listen to the same port at the same time.

If you need Linux to open the same port as Windows in mirrored mode, you can use the "ignoredPorts" option in the wslconfig file (you can find more details at https://learn.microsoft.com/en-us/windows/wsl/wsl-config)

However if you specify a port in the "ignoredPorts" setting, the Linux port can be accessed only from within Linux.

For your usecase this won't work as you need the SSH port to be accessed from outside Linux. In this case you need to change the SSH port, as you already did.

@yunsii

yunsii commented Oct 31, 2023

@CatalinFetoiu I had disabled the Windows sshd service and started the sshd service in WSL. I can access it with ssh localhost, but ssh 192.168.0.98 can't; I got the message: ssh: connect to host 192.168.0.98 port 22: Connection timed out

Even after adding a firewall rule with netsh advfirewall firewall add rule name="WSL SSH" dir=in action=allow protocol=TCP localport=22, it still does not work.

My C:\Users\<user>\.wslconfig is the same as @joehays's. Anything wrong here?

@CatalinFetoiu
Collaborator

@yunsii ssh localhost means communicating between Windows and Linux using 127.0.0.1. This works by default.

ssh 192.168.0.98 means communicating between Windows and Linux using a local IP assigned to Windows. for this to work, you need to set hostAddressLoopback=true in your .wslconfig file, then restart WSL and retry the scenario.

you can see more details at https://learn.microsoft.com/en-us/windows/wsl/wsl-config

the firewall rule you added is not needed for this to work
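
The .wslconfig change described in the reply above, as an added example that is not part of the thread: it writes the same section and keys the reporters in this thread use, adds hostAddressLoopback=true, and restarts WSL so the setting is picked up. The file path, the backup step and the `wsl --shutdown` call are this example's own choices; the thread only names the setting. The commented-out ignoredPorts line is there to show the option the maintainer warned about, not to enable it.

```powershell
# Added example (not from the issue thread): write the .wslconfig the maintainer
# describes so a WSL listener is reachable via an IP assigned to the Windows host,
# then restart WSL so the change takes effect. Run as the user whose WSL instance
# is affected (no elevation needed for this part).
$wslConfig = Join-Path $env:USERPROFILE ".wslconfig"

# Keep a copy of any existing config before overwriting it.
if (Test-Path $wslConfig) {
    Copy-Item -Path $wslConfig -Destination "$wslConfig.bak" -Force
}

# Same section and keys the thread uses (WSL 2.0.x put these under [experimental];
# newer releases document them under [wsl2]).
# ignoredPorts is left commented out on purpose: a port listed there is reachable
# only from inside Linux, which defeats SSH from outside (see the maintainer's reply).
@"
[experimental]
networkingMode=mirrored
firewall=true
dnsTunneling=true
autoProxy=true
# 127.0.0.1 works without this; hostAddressLoopback lets the Windows host reach
# WSL listeners through an IP assigned to Windows, e.g. ssh 192.168.0.98 from Windows.
# It does not open anything to other machines on the LAN.
hostAddressLoopback=true
# ignoredPorts=2222
"@ | Set-Content -Path $wslConfig -Encoding ascii

# .wslconfig is read when the WSL VM starts: stop all distros so the next launch picks it up.
wsl --shutdown
```

After the shutdown, start the distro again and retry the ssh command; the Hyper-V firewall rule from earlier in the thread is still what governs inbound connections from other hosts.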

@yunsii

yunsii commented Nov 1, 2023

@CatalinFetoiu I didn't notice this option hostAddressLoopback. Thanks a lot, it saved my life.

@Kutius

Kutius commented Nov 1, 2023

@CatalinFetoiu Excuse me. I have encountered an issue and I'm not sure if it's related to this issue: After setting up mirroring in WSL, I use Node to listen on port 3000 for an HTTP service. My local machine's IP address is 192.168.6.228. However, when I try to access 192.168.6.228:3000 from another device in the LAN (my phone), I am unable to connect. I'm unsure if this is a bug or an intentional design.

@CatalinFetoiu
Collaborator

@Kutius can you try running the following command in an elevated powershell, then try your scenario again? Inbound traffic from the LAN must be allowed by the WSL firewall (Hyper-V firewall)

New-NetFirewallHyperVRule -DisplayName "allow port 3000 inbound" -Direction Inbound -LocalPorts 3000 -Action Allow

@Kutius

Kutius commented Nov 2, 2023

@CatalinFetoiu OK, it works!!! Thanks so much!!
But I would like to know how to edit and delete this rule. I'm sorry, I'm new to this.

@CatalinFetoiu
Collaborator

@Kutius great to hear!

you can look at the documentation at https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallhypervrule?view=windowsserver2022-ps and https://learn.microsoft.com/en-us/powershell/module/netsecurity/remove-netfirewallhypervrule?view=windowsserver2022-ps

also note that if you add a rule to allow inbound port 3000 in the Windows firewall, a corresponding rule will also be created in the Hyper-V firewall.
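
The rule lifecycle asked about above (create, inspect, remove), covering both the New-NetFirewallHyperVRule command given earlier in the thread and the question about editing and deleting it, as an added example that is not from the thread or the WSL project. It uses the Get-/Set-/Remove-NetFirewallHyperVRule cmdlets the maintainer linked; the -Protocol parameter and the Enabled, Protocol and LocalPorts property names are assumed from the NetSecurity module's documented parameter set, and the function names are this example's own.

```powershell
# Added example (not from the issue thread): create, audit and remove a narrowly
# scoped inbound Hyper-V firewall rule for a WSL listener. Requires an elevated
# PowerShell. The -Protocol parameter and the Enabled/Protocol/LocalPorts property
# names are assumed from the NetSecurity module's documentation.

function Add-WslInboundRule {
    param(
        [Parameter(Mandatory)][int]$Port,
        [string]$DisplayName = "allow WSL port $Port"
    )
    # Idempotent: do not stack duplicate rules with the same name.
    if (Get-NetFirewallHyperVRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        Write-Warning "Rule '$DisplayName' already exists; nothing created."
        return
    }
    # Only this TCP port, inbound; no port ranges and no "allow all".
    New-NetFirewallHyperVRule -DisplayName $DisplayName -Direction Inbound `
        -Protocol TCP -LocalPorts $Port -Action Allow
}

function Get-WslInboundAllowRules {
    # Audit view: everything the Hyper-V firewall currently lets in, including
    # rules migrated automatically from Windows Firewall (see the maintainer's note).
    Get-NetFirewallHyperVRule -Direction Inbound |
        Where-Object { $_.Action -eq 'Allow' } |
        Select-Object DisplayName, Enabled, Protocol, LocalPorts
}

function Disable-WslInboundRule {
    # Keep the rule but stop it matching, e.g. while the service is stopped.
    param([Parameter(Mandatory)][string]$DisplayName)
    Set-NetFirewallHyperVRule -DisplayName $DisplayName -Enabled False
}

function Remove-WslInboundRule {
    param([Parameter(Mandatory)][string]$DisplayName)
    Remove-NetFirewallHyperVRule -DisplayName $DisplayName
}

# Usage: the thread's SSH case on port 22.
Add-WslInboundRule -Port 22 -DisplayName "allow WSL ssh"
Get-WslInboundAllowRules
# When the listener is no longer needed, close the hole again:
# Remove-WslInboundRule -DisplayName "allow WSL ssh"
```

Running Get-WslInboundAllowRules after adding a Windows Firewall rule is the quickest way to confirm the migration behaviour the maintainer describes: the migrated rule shows up in the Hyper-V list alongside the ones created directly.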

@Kutius

Kutius commented Nov 2, 2023

@CatalinFetoiu Thank you! And:

add a rule to allow inbound port 3000 in the Windows firewall, a corresponding rule will also be created in the Hyper-V firewall.

Does it mean that if I allow all inbound ports, Hyper-V would accept any port?

If so: when I start the same Node service listening on 3000 in Windows, other devices in the LAN can access it. Should the services in WSL also be expected to be accessible as intended?

@CatalinFetoiu
Collaborator

CatalinFetoiu commented Nov 2, 2023

@Kutius "Does it mean that if I allow all inbound ports, Hyper-V would accept any port?" If you allow all inbound ports on the Windows firewall, then yes, the Hyper-V firewall will allow inbound traffic on all those ports.

"If so: when I start the same Node service listening on 3000 in Windows, other devices in the LAN can access it. Should the services in WSL also be expected to be accessible as intended?" If the Windows firewall allows inbound traffic to port 3000, then yes, the Hyper-V firewall will also allow inbound traffic to port 3000.

Let me know if this answers your questions

@Kutius

Kutius commented Nov 2, 2023

@CatalinFetoiu I really appreciate your patient assistance!! After conducting some testing, I used port 3001 this time because I had already allowed port 3000.

  • I started an HTTP service using Node in Windows, listening on port 3001, and I can successfully access it from my phone on the same LAN by using the {LAN IP:3001}.
  • After closing the Node process in Windows, I tried to listen on port 3001 in WSL using the same approach, but I cannot receive a response when trying to access it from my phone on the same LAN using the LAN IP and port 3001.

So I guess maybe this is a bug?

This is my wslconfig:

[experimental]
autoMemoryReclaim=gradual
networkingMode=mirrored
dnsTunneling=true
firewall=true
autoProxy=true
sparseVhd=true

@CatalinFetoiu
Collaborator

@Kutius can you please open a new issue with those details and tag me there?

@Kutius

Kutius commented Nov 3, 2023

@CatalinFetoiu ok. Thank you very much for the answers here :).
I will open a new one later.

@rz1027

rz1027 commented Jan 18, 2024

I am trying this mode (mirrored), my local IP is 192.168.1.103 and I am connected through an OpenVPN to a remote network, so my tun0 IP is 10.10.16.25.
When listening for a callback on the Windows side (ncat.exe -nlvp 9001) it works just fine.
On the Linux side with mirrored mode on (seeing the exact same network interfaces) my listener (nc -nlvp 9001) doesn't get the callback.
Which seems a weird case to me.

I tried establishing a Hyper-V firewall rule to allow traffic through this port, tried disabling both the Windows and Hyper-V firewalls, tried connecting to the VPN from inside the WSL2 instance. Nothing seems to get me this callback inside WSL2...

@CatalinFetoiu
Collaborator

@rz1027 thanks for reaching out. can you please open a new issue with those details?

are you trying to connect to your listener from outside your Windows machine?

@rz1027

rz1027 commented Jan 19, 2024

Sure!
Right, I am connecting from outside the Windows machine.

@CatalinFetoiu
Collaborator

@rz1027 thanks! you can tag me in the new issue once you open it.

do you see the same problem if you disconnect from your OpenVPN connection? We have seen some other issues recently with OpenVPN and mirrored mode

@listenerri

I am trying this mode (mirrored), my local IP is 192.168.1.103 and I am connected through an OpenVPN to a remote network, so my tun0 IP is 10.10.16.25. When listening for a callback on the Windows side (ncat.exe -nlvp 9001) it works just fine. On the Linux side with mirrored mode on (seeing the exact same network interfaces) my listener (nc -nlvp 9001) doesn't get the callback. Which seems a weird case to me.

I tried establishing a Hyper-V firewall rule to allow traffic through this port, tried disabling both the Windows and Hyper-V firewalls, tried connecting to the VPN from inside the WSL2 instance. Nothing seems to get me this callback inside WSL2...

In addition to specifying ports, Windows Firewall also supports directly specifying an exe to pass through the firewall, which means that all ports that exe listens on are allowed through the firewall. I think the ncat.exe you use is set up like this, but the nc in WSL does not (and cannot) be set up like this.

8 participants