WSL WSL mirrored networking + VS Code WSL extension

As discussed on GitHub and offline, creating an issue to track VS Code user feedback that users are experiencing issues with WSL mirrored networking.

Here's the issue: https://github.com/microsoft/vscode-remote-release/issues/9222. Here is an example of traces/logs: https://github.com/microsoft/vscode-remote-release/issues/9222#issuecomment-1922440696.

cc @craigloewen-msft

Feb 20 '24 15:02 bamurtaugh

Hi I'm an AI powered bot that finds similar issues based off the issue title.

Please view the issues below to see if they solve your problem, and if the issue describes your problem please consider closing this one and thumbs upping the other issue to help us prioritize it. Thank you!

Open similar issues:

Networking mirrored can't work on WSL2 (#10632), similarity score: 0.73
Cannot enable Mirrored network on WSL (#11154), similarity score: 0.72

Closed similar issues:

Questions: implementation of WSL 2 networking (#4346), similarity score: 0.70

Note: You can give me feedback by thumbs upping or thumbs downing this comment.

Feb 20 '24 15:02 github-actions[bot]

WslLogs-2024-07-16_13-02-22.zip

@aeschli the wsl netwroking log file is 126 MB. Github has a max allowance of 25 MB. Where should I drop the log

Jul 16 '24 17:07 diagonjope

@keith-horton Do you want the wsl networking file?

More context can be found here: https://stackoverflow.com/questions/78733419/can-not-connect-vscode-to-wsl2-running-ubuntu-22-04 https://github.com/microsoft/vscode/issues/221727

Jul 16 '24 19:07 aeschli

Can you please share your VSCode configuration / docker configuration / docker-desktop configuration?

We have tested with a few VSCode configurations and haven't repro'd issues.

If the log is too large, can you share through onedrive / google drive?

It's not clear why the trace would be that huge though :)

I would recommend:

start the trace
wsl --shutdown
launch VS
repro the problem
stop the trace

Jul 18 '24 18:07 keith-horton

Greetings @keith-horton !

Here you go:

WslNetworkingLogs-networkingMode_mirrored_disabled_2024-07-18_16-00-23.zip

WslNetworkingLogs-networkingMode_mirrored_enabled_2024-07-18_15-58-08.zip

Docker_settings.json

VSCode_settings.json

Let me know if you need anything else from me.

Cheers,

++José

Jul 18 '24 20:07 diagonjope

thanks for sending the logs

unfortunately the tcpdump packet capture was not collected (the tcpdump.log file in the zip is empty)

could you please check if you have tcpdump installed in your linux distribution. if not, can you please install tcpdump and collect the logs again?

in the stackoverflow link, you shared VSCode terminal output and renderer.log file in the VSCode logs - can you please share those again for the latest repro? they showed some network connections timing out, that information will be helpful to narrow down the logs

thanks

Jul 19 '24 18:07 CatalinFetoiu

Hi @CatalinFetoiu ,

Here you go:

It seems there are several traces showing incorrect udp checksum in the tcpdump.log NetworkingMode_mirrored_enabled zip.

Cheers, ++José

Jul 19 '24 20:07 diagonjope

Just chipping in for people looking as to why VSCode fails to connect when WSL is configured with networkingMode=mirrored. I was looking at the docs in Microsoft's website[^1] and noticed there is a note about running some commands to allow the firewall to accept inbound connections from WSL:

Run the following command in PowerShell window with admin privileges to Configure Hyper-V firewall settings to allow inbound connections: Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -DefaultInboundAction Allow or New-NetFirewallHyperVRule -Name "MyWebServer" -DisplayName "My Web Server" -Direction Inbound -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -Protocol TCP -LocalPorts 80.

The documentation doesn't go into detail as to what exactly Set-NetFirewallHyperVVMSetting/New-NetFirewallHyperVRule do, but my guess is the first command disables the firewall for any connections coming from WSL, while the second one does the same but only for TCP connections on port 80.

I ran the first command and, after restarting the WSL distro, VSCode was able to connect to it again 🙂

[1]: https://learn.microsoft.com/en-us/windows/wsl/networking#mirrored-mode-networking

Sep 21 '24 01:09 netux

Hi there.

Yep, your understanding is very close.

Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -DefaultInboundAction Allow

This sets the default to Allow any inbound connection -- but if there are Block rules for inbound connections, those will still apply.

Sep 23 '24 21:09 keith-horton

The environment is as follows:

Version: Windows 11 Professional
Build: 23H2
Installation Date: November 6, 2024
Operating System Version: 22631.4317
Experience: Windows Feature Experience Pack 1000.22700.1041.0

PS C:\Users\root> wsl -v
WSL Version: 2.3.26.0
Kernel Version: 5.15.167.4-1
WSLg Version: 1.0.65
MSRDC Version: 1.2.5620
Direct3D Version: 1.611.1-81528511
DXCore Version: 10.0.26100.1-240331-1435.ge-release
Windows Version: 10.0.22631.4317

PS C:\Users\root> wsl -l -v
  NAME            STATE           VERSION
* Ubuntu-22.04    Stopped         2



[wsl2]
memory = 24GB
networkingMode=mirrored
dnsTunneling=true
firewall=true
autoProxy=true
[experimental]
hostAddressLoopback=true

I have already executed Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -DefaultInboundAction Allow.

Cannot connect to WSL with mirrored networking.

When configuring networkingMode=mirrored, Visual Studio Code keeps showing "Connecting..."

Nov 25 '24 15:11 BugNotFoundX

Hi

Also tried out to execute the firewall command from above. Still VSCode needs long time to load up a repository inside the wsl 2 instance. Only when removing networking=mirrored from the .wslconfig, then it works again. But would really like to use the mirrored mode.

Also tried with firewall=false in the .wslconfig, but didnt helped.

C:\Users\rbcb>wsl --version
WSL version: 2.3.26.0
Kernel version: 5.15.167.4-1
WSLg version: 1.0.65
MSRDC version: 1.2.5620
Direct3D version: 1.611.1-81528511
DXCore version: 10.0.26100.1-240331-1435.ge-release
Windows version: 10.0.22631.4602

Does somone else has still this problem or has a workaround for it ?

Jan 08 '25 12:01 rbcb-bedag

Hi @rbcb-bedag ,

I can confirm that I am still having the same problems as you are. If I commenting out the networking=mirrored from the .wslconfig file I can access the VS Code server, but then I can't access Internet sites from the Ubuntu session. I have the following configuration:

PowerShell 7.4.6 PS C:\Users\josep> Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -DefaultInboundAction Allow PS C:\Users\josep> wsl --version WSL version: 2.3.26.0 Kernel version: 5.15.167.4-1 WSLg version: 1.0.65 MSRDC version: 1.2.5620 Direct3D version: 1.611.1-81528511 DXCore version: 10.0.26100.1-240331-1435.ge-release Windows version: 10.0.26100.2605

Jan 08 '25 16:01 diagonjope

@netux Can you maybe share which version of wsl you use and how your .wslconfig file looks like ? thx !

Jan 08 '25 22:01 rbcb-bedag

@netux Can you maybe share which version of wsl you use and how your .wslconfig file looks like ? thx !

@rbcb-bedag Sure! Seems like I disabled dnsTunneling at some point. Not sure if that's relevant:

# On Windows
$ wsl --version
WSL version: 2.3.26.0
Kernel version: 5.15.167.4-1
WSLg version: 1.0.65
MSRDC version: 1.2.5620
Direct3D version: 1.611.1-81528511
DXCore version: 10.0.26100.1-240331-1435.ge-release
Windows version: 10.0.22631.4602

$ cat (windows user dir)\.wslconfig
[wsl2]
memory=24GB
processors=8

networkingMode=mirrored
; dnsTunneling=true

# On WSL Distro
$ cat ~/.wslconfig
[wls2]
# Leave 4GB for other stuff on the machine...
#memory=28GB

$ cat /etc/wsl.conf
[user]
default=netux

[automount]
options = "metadata"

Jan 09 '25 02:01 netux

I can also confirm that I tried running the firewall update commands [1] but can't access WSL2 via VSCode WSL extension.

My .wslconfig file only contains:

[wsl2]
networkingMode=mirrored

WSL Version:

> wsl --version
WSL version: 2.3.26.0
Kernel version: 5.15.167.4-1
WSLg version: 1.0.65
MSRDC version: 1.2.5620
Direct3D version: 1.611.1-81528511
DXCore version: 10.0.26100.1-240331-1435.ge-release
Windows version: 10.0.22631.4602

WSL extension info:

Identifier
ms-vscode-remote.remote-wsl
Version
0.88.5
Last Updated
2025-01-09, 02:11:22

[1] https://learn.microsoft.com/en-us/windows/wsl/networking#mirrored-mode-networking

Jan 09 '25 07:01 JacobBumgarner

Hi

Im also experiencing this problem with mirrored mode. Turning it off makes vscode work normal, but then my developing setup doesnt work anymore as i would like (thats another story...)

@bamurtaugh @craigloewen-msft Can you give us some suggestion what we can try out for fixing this problem with VSCode or how the community can help you ?

Thx

Jan 11 '25 21:01 onedaxter

Found a workaround with networkingMode=mirrored Installed and started a ssh-server on wsl, and using remote SSH/explorer extension in VS code to connect to 127.0.0.1

sudo apt install openssh-server  
sudo service ssh start

Mar 28 '25 12:03 oyle80

Oh, if the container is trying to contact the host, you need to set hostAddressLoopback=true in your .wslconfig. https://learn.microsoft.com/en-us/windows/wsl/wsl-config#experimental-configuration-settings --> see Experimental Settings.

Is that what's happening?

If traffic is going from host->container that's not loopback, it will need a Hyper-V Firewall rule to allow that inbound traffic.

Mar 28 '25 16:03 keith-horton

Greetings!

I continue to have problems using VS Code when "networkingMode=mirrored" is enabled (see my previous postings above). When running in NAT mode ("networkingMode=mirrored" disabled), I can't use network related commands on the WSL2 side, but VS Code works fine with the WSL2 server. So, it's one or the other.

I decided to install Wireshark on my Windows host to capture packets exchanged between the front-end and the server using 127.0.0.1. I noticed that when running in NAT mode, the connection between the VS Code front-end and the VS Code server running in WSL normally succeeds in the second attempt, and after that I can see multiple WinSocket exchanges between them. However, when "networkingMode=mirrored" is enabled, the VS Code front-end makes about 6 attempts to connect to the server and then stops. The logs seem to confirm this.

NAT Mode

Mirrored Mode

I am attaching several logs pertaining to the exercise above.

These are the contents of my .wslconfig file: [wsl2]
memory=4GB swap=0GB #networkingMode=mirrored #hostAddressLoopback=true dnsTunneling=true firewall=false autoProxy=true [network] #generateHosts=true #generateResolvConf=true #localhostForwarding=true

PS C:\Users\josep> wsl --version WSL version: 2.4.13.0 Kernel version: 5.15.167.4-1 WSLg version: 1.0.65 MSRDC version: 1.2.5716 Direct3D version: 1.611.1-81528511 DXCore version: 10.0.26100.1-240331-1435.ge-release Windows version: 10.0.26100.3476

Any thoughts?

++José

exthost.log renderer.log wsl-daemon-20250402T010358.log

Apr 02 '25 02:04 diagonjope

Ok, maybe this was just me being stupid, but I had the same issue, but it turned out that UFW was blocking the VSCode sockets. This opened the Windows host for me: sudo ufw allow from $(ip route | grep default | awk '{print $3}') to any port 30000:60000 proto tcp

May 09 '25 12:05 jacobdenobel

@diagonjope : can you please share a trace https://github.com/microsoft/WSL/blob/master/diagnostics/collect-networking-logs.ps1?

It looks like you have turned off Hyper-V Firewall from that configuration - so that eliminates one possible reason.

May 09 '25 20:05 keith-horton

Hi there.

Yep, your understanding is very close.

Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -DefaultInboundAction Allow

This sets the default to Allow any inbound connection -- but if there are Block rules for inbound connections, those will still apply.

@keith-horton Please share also Set-NetFirewallHyperVVMSetting allow for inbound connection

May 11 '25 11:05 zhivko

you can create a hyperv firewall rule to allow specific types of connections: https://learn.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallhypervrule?view=windowsserver2025-ps

note that the VMCreatorId for WSL is documented here: https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall

May 12 '25 23:05 keith-horton

Can confirm that this is still an ongoing issue. Running wsl --version:

WSL version: 2.5.9.0
Kernel version: 6.6.87.2-1
WSLg version: 1.0.66
MSRDC version: 1.2.6074
Direct3D version: 1.611.1-81528511
DXCore version: 10.0.26100.1-240331-1435.ge-release
Windows version: 10.0.26100.4351

.wslconfig:

[wsl2]
memory=32GB
swap=0
networkingMode=mirrored

[experimental]
hostAddressLoopback=true

Jun 21 '25 11:06 Noir-Lime

Hello, colleagues and I face the same problem when using

[wsl2]
networkingMode=mirrored
dnsTunneling=true

in .wslconfig. Removing the content results in VS Code being able to connect with WSL again but then the connection to Internet or Intranet over the corporate VPN won't work anymore.

>wsl --version
WSL-Version: 2.5.9.0
Kernelversion: 6.6.87.2-1
WSLg-Version: 1.0.66
MSRDC-Version: 1.2.6074
Direct3D-Version: 1.611.1-81528511
DXCore-Version: 10.0.26100.1-240331-1435.ge-release
Windows-Version: 10.0.22631.5472

Jul 01 '25 13:07 brownbrowny

Hello, the same problem with me.

My .wslconfig is

[wsl2]
memory=20GB
swap=8GB
networkingMode=mirrored

with the config, vscode cann't connect to wsl2, showing "正在打开远程（opening remote）"

And as soon as I delete networkingMode=mirrored and restart wsl2, vscode can connect to wsl2 again. I also tried the mentioned powershell command for firewall but it didn't help.

Below is the dev tool's log, I don't know if they can be useful for debugging.

And here is my wsl version information

PS C:\Windows\system32> wsl --version
WSL 版本: 2.5.9.0
内核版本: 6.6.87.2-1
WSLg 版本: 1.0.66
MSRDC 版本: 1.2.6074
Direct3D 版本: 1.611.1-81528511
DXCore 版本: 10.0.26100.1-240331-1435.ge-release
Windows: 10.0.22631.5472

Jul 03 '25 10:07 juruo123

I got solved by setting "AllowHostPolicyMerger" to false. The host policy merger was defaulted to block inbound traffic as follows.

By disabling it, this is what you should get:

Try the following in powershell with administrator privilages:

Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -AllowHostPolicyMerge False

After that, if DefaultInboundAction is still set to "Block", you can set it to "Allow" by the the following:

Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -DefaultInboundAction Allow

Jul 04 '25 14:07 KoftaMagnifico

Thanks @KoftaMagnifico , this resolved my issue. Instead of "defaultAction Allow", I only allowed from 127.0.0.1

(I am not entirely sure how HyperV works, but it seems more secure) New-NetFirewallRule -DisplayName "Allow VS Code WSL" -Direction Inbound -Action Allow -Protocol TCP -LocalAddress 127.0.0.1 -LocalPort 1024-65535

Sep 26 '25 09:09 onno204

I too am having the issue and none of the hyperv firewall settings are having an effect afaict.

Dec 10 '25 17:12 jamescarterbell