Warp support for WSL2

I’ve recently been trying out the zero-trust and warp products and I found it really easy to use and set up. I was able to completely close off all open ports for my servers and use cloudflared to tunnel them to Cloudflare.

I wanted to set up ssh access to a linux server on a private address using Cloudflare zero trust. I was able to do this successfully by adding the linux server as a private network to a Cloudflare zero trust tunnel and installing the warp client on my Windows 10 machine. Everything works really well, but I soon discovered that when trying to ssh into the machine’s local address from WSL2 (my preferred way of working these things), it completely bypasses the warp client installed in Windows.

I noticed there were a few posts about this as well, but the discussions were all closed. Is support for WSL2 for the Windows client something the team is working on? I’d definitely find this useful as I do most of my work in WSL.

I also tried to install Cloudflare-warp directly in WSL as a workaround, however, running warp-cli register returns an error saying that the daemon is not started. Unfortunately daemons and systemctl don’t work in WSL2, so I couldn’t proceed further.

I just wanted to add that I’m in the same boat. It was a bit of an uphill slog to get Warp and the Zero Trust functionality configured properly and kind of disappointing that as soon as I did, my WSL2 breaks. :frowning:

Well, I think for “plain” WARP, the issue is simply to run warp-svc. Normally, this is run as a service. And my impression is that some combination of Windows 11 and Ubuntu 22.04 will support services in WSL. But I found that if I just ran warp-svc manually as root, I could then run warp-cli register and warp-cli connect.

That isn’t a perfect fix, but hopefully it helps somebody move in the right direction. I was hoping to be able to build enough momentum to be able to run warp-cli teams-enroll ... as well. But, sadly, that doesn’t work and the only diagnostic error message I get is just ApiError…not super useful. But, as I said, perhaps just getting to warp-cli connect will be useful for some people.

Cloudflare team, guys: we need WSL support. For teams. Really.


Without WSL2 I am forced to use WSL1, which is buggy and slow. The same goes for there being no ARM client.

There are some issues with the authentication workflow with the command line client, WSL2 and AzureAD authentication.

IIRC the client is supposed to register a protocol handler on the computer. Once authentication is done, the browser is directed to this specific URL. This does not work, as with a typical WSL2 workflow the browser used for authentication would open on the host machine.

Snowflake has solved this, but they are using a slightly different approach. When you are doing the authentication, the Snowflake library starts a webserver on localhost, on a certain port. Once authentication is done, the browser is redirected to this localhost server. Since the host machine can forward the connections to the WSL2 virtual machine, this provides a smooth experience.

I think the “root issue” has something to do with how the warp-client on Windows is doing its networking stuff.

If you are for example running OpenVPN, the connection opened on Windows side also works for the WSL2. Maybe OpenVPN is doing things in a more old-fashioned way. You get virtual adapters and routing table entries with OpenVPN.

Windows uses WinDivert (Windows Packet Divert) as far as I’m aware, which sits in the Windows user-land, so WSL doesn’t care about it and just goes on to the network adapter of the host as-is.

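The localhost-redirect login flow described earlier in the thread, as an added example that is not from any poster, Snowflake or Cloudflare: a CLI binds a loopback-only listener on an OS-chosen port and accepts the browser redirect only if it carries the one-time state value it issued. The `/callback` path, the `code` and `state` parameter names and the function names are assumptions.

```python
import hmac
import secrets
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer


class _Callback(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        query = urllib.parse.parse_qs(url.query)
        state = query.get("state", [""])[0].encode()
        code = query.get("code", [""])[0]
        # Accept only the redirect we are waiting for: right path, a code,
        # and the unguessable state issued for this login attempt.
        ok = (url.path == "/callback" and bool(code) and
              hmac.compare_digest(state, self.server.expected_state.encode()))
        if ok:
            self.server.auth_code = code
        self.send_response(200 if ok else 400)
        self.end_headers()
        self.wfile.write(b"Login complete.\n" if ok else b"Rejected.\n")

    def log_message(self, *args):
        pass  # the request line contains the code; keep it out of logs


def start_listener(timeout=120):
    """Bind loopback only, on an OS-chosen port. Returns (server, redirect_uri)."""
    server = HTTPServer(("127.0.0.1", 0), _Callback)
    server.expected_state = secrets.token_urlsafe(32)  # sent along as `state`
    server.auth_code = None
    server.timeout = timeout  # seconds handle_request() waits per attempt
    return server, f"http://127.0.0.1:{server.server_address[1]}/callback"


def wait_for_code(server, max_requests=5):
    """Serve a few requests, stop at the first valid redirect, then close."""
    for _ in range(max_requests):
        server.handle_request()
        if server.auth_code:
            break
    server.server_close()
    return server.auth_code
```

Binding to 127.0.0.1 rather than 0.0.0.0 keeps the listener off the LAN, and the state check stops another local page or process from feeding the CLI a code it did not request.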

It works fine with WSL1.

I have installed this: sakai135/wsl-vpnkit (Provide network connectivity to WSL 2 when blocked by VPN), and this works for me.


Thanks @busyspage. I installed wsl-vpnkit and it works around the problem. However, there are a few flaws:

  • If we start a wsl2 distro first and then enable the zero trust client, the wsl2 distro will not work correctly. It will need to be restarted in order for the vpn to work correctly.
  • When deploying zero trust in an organization and provisioning machines for users, it’s not feasible to use wsl-vpnkit. The reason being that wsl-vpnkit requires entries to be added to .profile, .bashrc or .zshrc. These files are used for developers to customize their shells, so they can simply remove the entry to bypass zero trust and it does not make sense to lock everyone to the same shell profile (if that is even possible).

I think it’s a good way to work around the problem if you’re a single developer/user using wsl2 to connect to private networks over zero trust, but to be really useful in the field, the Cloudflare zero trust client really needs to support WSL2 and guest VMs natively.

Thanks so much, this is great and works first try. Would be nice for Cloudflare to sponsor a project to integrate it into their own client since it’s clearly an improvement.