
Wsl2 support for generated configs #14678


Open
wants to merge 2 commits into
base: master

Sammers21

By default, generated configs do not allow WSL2 to access the network with WireGuard enabled. So here is the quick fix for it: microsoft/WSL#7895 (comment)

I guess the DNS server must be changed to 1.1.1.1 too; it does not work without it for me.

@Sammers21 Sammers21 requested a review from jackivanov as a code owner January 1, 2024 03:28
@CLAassistant

CLAassistant commented Jan 1, 2024

CLA assistant check
All committers have signed the CLA.

@dguido
Member

dguido commented Aug 3, 2025

Technical Review

Thank you for this PR addressing WSL2 compatibility. I've analyzed the changes and their implications:

What This Change Does

The PR modifies the WireGuard AllowedIPs configuration from:

  • 0.0.0.0/0,::/0 (route all traffic through VPN)
  • To: ::/128, 0.0.0.0/1, 128.0.0.0/1 (split routing)

Breaking down the changes:

  1. IPv6: Changes from ::/0 (all IPv6 traffic) to ::/128 (only the :: address itself)
  2. IPv4: Splits 0.0.0.0/0 into two halves: 0.0.0.0/1 (0.0.0.0-127.255.255.255) and 128.0.0.0/1 (128.0.0.0-255.255.255.255)

Why This Helps WSL2

WSL2 has known networking quirks due to its virtualized network stack. This split routing approach is a documented workaround in the WireGuard community that helps avoid conflicts with WSL2's internal networking.

Concerns

  1. IPv6 Impact: This change effectively disables IPv6 VPN routing for all users. Only the :: address itself will be routed through the VPN, meaning IPv6 traffic will leak outside the VPN tunnel.

  2. Global Change: This affects all WireGuard configurations generated by Algo, not just those intended for WSL2 users.

  3. DNS Configuration: You mentioned needing to change DNS to 1.1.1.1, but this change isn't included in the PR.

Recommendation

While this fix helps WSL2 users, applying it globally would break IPv6 VPN functionality for everyone else. Instead, consider:

  1. Making this configuration optional during setup (e.g., "Will you use WireGuard on WSL2?")
  2. Generating WSL2-specific configuration files alongside standard ones
  3. Adding documentation about the IPv6 limitation
  4. Addressing the DNS configuration if it's also needed for WSL2

This way, WSL2 users get the fix they need without impacting other users' VPN functionality.
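
The address-space arithmetic behind the two AllowedIPs values discussed in this thread can be checked mechanically. The following is an added example, not part of the PR or of Algo's code; the function names `coverage` and `leaking_families` are illustrative, and the two strings are the values quoted in the review above.

```python
import ipaddress

# AllowedIPs values quoted in the review comment above.
ORIGINAL = "0.0.0.0/0,::/0"
PROPOSED = "::/128, 0.0.0.0/1, 128.0.0.0/1"


def coverage(allowed_ips: str) -> dict:
    """Report, per address family, how much of the space AllowedIPs covers."""
    nets = {4: [], 6: []}
    for item in allowed_ips.split(","):
        item = item.strip()
        if item:
            net = ipaddress.ip_network(item, strict=False)
            nets[net.version].append(net)

    result = {}
    for version, bits in ((4, 32), (6, 128)):
        # collapse_addresses merges adjacent and overlapping prefixes, so
        # 0.0.0.0/1 + 128.0.0.0/1 collapses back into 0.0.0.0/0.
        merged = list(ipaddress.collapse_addresses(nets[version]))
        covered = sum(n.num_addresses for n in merged)
        result[version] = {
            "merged": [str(n) for n in merged],
            "covered": covered,
            "full_tunnel": covered == 2 ** bits,
        }
    return result


def leaking_families(allowed_ips: str) -> list:
    """Address families whose traffic is not entirely routed into the tunnel."""
    return [f"IPv{v}" for v, info in coverage(allowed_ips).items()
            if not info["full_tunnel"]]


if __name__ == "__main__":
    for name, value in (("original", ORIGINAL), ("proposed", PROPOSED)):
        gaps = leaking_families(value) or ["none"]
        print(f"{name}: {value!r} -> not fully tunnelled: {', '.join(gaps)}")
        for version, info in coverage(value).items():
            print(f"  IPv{version}: merged={info['merged']} "
                  f"addresses={info['covered']}")
```

A check like this can run against every generated client config so that a template change which narrows either family is caught before release.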
