WSL2 + VPN: Working on Windows

Get WSL2 to work with a VPN so you can catch a shell or pivot.

I ran into a common problem where WSL2 couldn't connect to the internet while my Windows VPN was active, and I was having trouble with /etc/hosts and pivoting. After testing and configuration, I found a reliable way to make WSL2 work through my VPN connection, being able to use WSL2 alongside Windows.

If anything did not work for you, send me a message so I can investigate and correct it if needed. In short:

  • Run openvpn from Windows
  • Default settings (no changes in .wslconfig)
  • Set up port forwards in Windows
  • Set up firewall rules in Windows
  • Change the Windows hosts file to access local websites.
  • Pivoting with Ligolo: forward the port to WSL.

Installation

To install Kali WSL2 you can download it from the Microsoft Store: https://apps.microsoft.com/detail/9PKR34TNCV07?hl=neutral&gl=NL&ocid=pdpshare

# Update
sudo apt update -y && sudo apt upgrade -y

# Install all tools
sudo apt install kali-linux-everything

Default settings

I do not use any network related settings in .wslconfig. I use default settings; I don't use mirrored or bridged mode in .wslconfig. Run the openvpn connection from Windows, not from inside WSL.

Setting up reverse connections and shells

The steps below will get a connection into WSL, but you can also set up a netcat listener in PowerShell and it will work on any port with no forwarding needed.

Set up a port forward from Windows to the WSL2 instance, using the WSL2 instance's IP address on the virtual network that Windows and WSL2 share (172.25.237.190 in this example).

# Port forward
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=5555 connectaddress=172.25.237.190 connectport=5555

Create a Windows Firewall rule to allow incoming connections on the forwarded port (5555 in this case).

# Firewall rule
New-NetFirewallRule -DisplayName "HTB Reverse Shell 5555" -Direction Inbound -LocalPort 5555 -Protocol TCP -Action Allow

Automated script; use it as .\port-forward.ps1 -Port 5555 from an elevated PowerShell (netsh portproxy and firewall rules need admin).

# port-forward.ps1
param([Parameter(Mandatory)][int]$Port)

# Get the WSL2 IPv4 address from its eth0 interface
$TargetIP = wsl ip -4 addr show eth0 |
    Select-String -Pattern 'inet (\d{1,3}(\.\d{1,3}){3})' |
    Select-Object -First 1 |
    ForEach-Object { $_.Matches[0].Groups[1].Value }

if (-not $TargetIP) {
    Write-Host "[!] Could not detect WSL IP" -ForegroundColor Red
    exit 1
}

Write-Host "[+] WSL IP: $TargetIP | Port: $Port" -ForegroundColor Cyan

# Drop any stale forward for this port (the WSL IP changes between restarts), then add the current one
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=$Port | Out-Null
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=$Port connectaddress=$TargetIP connectport=$Port

# Only create the firewall rule once instead of a duplicate on every run
if (-not (Get-NetFirewallRule -DisplayName "Port $Port" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName "Port $Port" -Direction Inbound -LocalPort $Port -Protocol TCP -Action Allow | Out-Null
}

Write-Host "[+] Done!" -ForegroundColor Green

To verify the port forward and firewall:

# Check firewall
Get-NetFirewallRule -DisplayName "Port 5555"

# Check port forward
netsh interface portproxy show all

If you want to remove a port forward or rule:

# Remove a port
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=11601

# View all
netsh interface portproxy show all
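As an added example (not part of the original post), a small audit script that parses the portproxy table, flags entries whose connect address no longer matches the current WSL2 IP (they still listen on 0.0.0.0, on every interface including the VPN, but lead nowhere), and with -Remove deletes them together with the matching "Port <n>" firewall rule. The script name wsl-forward-audit.ps1 is hypothetical; run it from an elevated PowerShell.

```powershell
# wsl-forward-audit.ps1 (hypothetical name) - list portproxy entries, flag stale ones, optionally clean up
param([switch]$Remove)

# Current WSL2 IPv4 address, detected the same way as in port-forward.ps1
$WslIP = wsl ip -4 addr show eth0 |
    Select-String -Pattern 'inet (\d{1,3}(\.\d{1,3}){3})' |
    Select-Object -First 1 |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
if (-not $WslIP) { Write-Host "[!] WSL2 not running or no eth0 address" -ForegroundColor Red; exit 1 }

# Parse the table printed by netsh: "<listenaddr> <listenport> <connectaddr> <connectport>"
# The header and separator rows do not match because their Port column is not numeric.
$Entries = netsh interface portproxy show v4tov4 |
    Select-String -Pattern '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\S+)\s+(\d+)\s*$' |
    ForEach-Object {
        [pscustomobject]@{
            ListenAddress  = $_.Matches[0].Groups[1].Value
            ListenPort     = [int]$_.Matches[0].Groups[2].Value
            ConnectAddress = $_.Matches[0].Groups[3].Value
            ConnectPort    = [int]$_.Matches[0].Groups[4].Value
        }
    }

if (-not $Entries) { Write-Host "[+] No portproxy entries"; exit 0 }

foreach ($e in $Entries) {
    $Stale = $e.ConnectAddress -ne $WslIP
    $Tag = if ($Stale) { "[!] STALE" } else { "[+] OK   " }
    Write-Host "$Tag $($e.ListenAddress):$($e.ListenPort) -> $($e.ConnectAddress):$($e.ConnectPort)"

    if ($Stale -and $Remove) {
        # Delete the forward and the firewall rule port-forward.ps1 created for it, if present
        netsh interface portproxy delete v4tov4 listenaddress=$($e.ListenAddress) listenport=$($e.ListenPort) | Out-Null
        Get-NetFirewallRule -DisplayName "Port $($e.ListenPort)" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        Write-Host "    removed forward and firewall rule for port $($e.ListenPort)"
    }
}
```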

Hosts File

To open target web applications by hostname, edit the Windows hosts file using https://hostsfileeditor.com/ or manually at C:\Windows\System32\drivers\etc\hosts. By default WSL2 generates its own /etc/hosts from the Windows hosts file, so editing the Windows copy covers both sides.

Pivoting

For pivoting I ran Ligolo on my WSL instance with a port forward to 11601, giving me access to the internal subnet. Then follow the normal procedure for setting up Ligolo.