How to access WSL2 webserver remotely through ZeroTier

If you occasionally do web development in WSL2 and want to try the website out over the internet, but without exposing it directly to the internet, this could be the solution for you.

To give some background, I was working on a webserver that basically does things. I wanted to test it with a few close friends, but I didn’t want my PC to be exposed directly to the internet. A VPN looked a bit tough to set up, then ZeroTier came to mind, and my friend was able to test my site over the internet.

General note: this was tested on a personal PC. I don’t forbid you from using it in a more enterprise-y setting, but this tutorial comes with absolutely no guarantee of being secure or exploit-proof. Suggestions for improving this tutorial are welcome.

There are several major steps to doing this:

  1. Opening the service on a specific IP or on 0.0.0.0
  2. Proxying the service so it can be reached from outside the WSL2 network
  3. Exposing the port through the firewall (to the local network, obviously)
  4. Connecting the PC that has WSL2 and the client to the same ZeroTier network ID

Opening the service in WSL on a designated IP or on 0.0.0.0

When I tested this, I used a 0.0.0.0 listener. You should be able to use a designated IP instead, with the note that any 0.0.0.0 that comes up in this guide must then be replaced with your designated IP.

Just run your website as usual, leave it running, and then use the command ufw allow $PORT to open WSL’s firewall so it accepts outside requests on that specific port. I used port 9000 in my case, so I ran ufw allow 9000.

Also make sure that your webserver is listening specifically on IPv4. WSL doesn’t seem to bother much with IPv6, and the forwarding came out a bit broken when I tried IPv6.

Proxying the service so it can be reached from outside the WSL2 network

Okay, so the server is up; it’s time to go back to Windows.

Open PowerShell as Administrator, and then run this command:

netsh interface portproxy add v4tov4 listenport=$PORT listenaddress=0.0.0.0 connectport=$PORT connectaddress=127.0.0.1

Now here’s the thing: I read the documentation, and basically this is just a forwarding command from one IP to another. That command forwards anything arriving on the listen address to localhost. WSL2 behaves like a VM in that its network IP address is reset each time the instance restarts, so localhost was intended as the workaround for that issue. You can forward directly to your WSL IP instead, which guarantees that the WSL instance is reached. I used localhost, and it didn’t respond after a PC restart.

It should return a blank new line. Then we can move on to the next step.

Expose the port through firewall

And then this is the part where you allow the port through the firewall.

In Windows Settings, go to Windows Defender Firewall.

(Screenshot: Windows Defender Firewall)

A window will come up showing your private and public networks. In the left sidebar, choose Advanced Settings. Another window will come up, and this time it’s Windows Defender Firewall with Advanced Security.

(Screenshot: Advanced Settings)
(Screenshot: Windows Defender Firewall with Advanced Security)

On the left side, click Inbound Rules, then New Rule...

And then yada yada yada, you get the idea: choose Port, enter the port number, and leave the rest at the defaults unless there are specific restrictions you want to add. Lastly, name the rule something you’d recognise at first glance as “ah, it’s that WSL thing”.
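Steps 2 and 3 above can be scripted instead of clicked through, and a script is also the easiest way to refresh the portproxy after a reboot, since WSL2 gets a new address each time the VM restarts. The following PowerShell is an added example, not code from the original post. It assumes port 9000 as in the post, and the ZeroTier subnet is a placeholder that you must replace with the managed route shown for your own network in ZeroTier Central. Unlike the GUI rule in the post, it restricts the firewall rule to that ZeroTier subnet, so machines on the same LAN that are not members of the overlay network are still refused.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): scripted version of steps 2 and 3,
# plus the checks you would want before trusting the setup.
# Assumptions: port 9000 as in the post; $ZeroTierSubnet is a PLACEHOLDER that must be
# replaced with the managed route of your own ZeroTier network (see ZeroTier Central).

$Port           = 9000
$ZeroTierSubnet = '10.147.17.0/24'   # PLACEHOLDER: your ZeroTier managed route

# --- Preflight: netsh portproxy is implemented by the IP Helper service ---
$iphlp = Get-Service -Name iphlpsvc
if ($iphlp.Status -ne 'Running') {
    Write-Warning "IP Helper (iphlpsvc) is $($iphlp.Status); portproxy rules do not forward until it runs."
    Start-Service -Name iphlpsvc
}

# --- Step 1 check, run from Windows: is the WSL2 server really listening on 0.0.0.0 (IPv4)? ---
# 'ss -ltn' inside the distro lists listening TCP sockets; we want a line with 0.0.0.0:<port>.
$listeners = wsl -e ss -ltn 2>$null
if (-not ($listeners | Select-String "0\.0\.0\.0:$Port\b")) {
    Write-Warning "No IPv4 listener on 0.0.0.0:$Port inside WSL2; the proxy would have nothing to reach."
}

# --- Step 2: portproxy, pointed at the current WSL2 IP instead of localhost ---
# 'hostname -I' inside the distro prints its addresses; the first one is the eth0 IPv4.
# Re-running this script after a reboot replaces a stale rule with a fresh target.
$wslIp = ([string](wsl hostname -I)).Trim().Split(' ')[0]
netsh interface portproxy delete v4tov4 listenport=$Port listenaddress=0.0.0.0 | Out-Null
netsh interface portproxy add v4tov4 listenport=$Port listenaddress=0.0.0.0 `
    connectport=$Port connectaddress=$wslIp

# --- Step 3: inbound firewall rule, narrowed to the ZeroTier overlay only ---
$ruleName = "WSL2 web $Port (ZeroTier only)"
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow `
    -RemoteAddress $ZeroTierSubnet | Out-Null

# --- Verify: proxy table, the address filter on the rule, and the Windows-side listener ---
netsh interface portproxy show v4tov4
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter
Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Run it in an elevated PowerShell after the webserver is up inside WSL2, and again after any reboot. From the client, Test-NetConnection -ComputerName <server ZeroTier IP> -Port 9000 should report TcpTestSucceeded as True; from a LAN machine that is not a ZeroTier member it should fail, which is the whole point of the RemoteAddress restriction.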

Connecting the PC that has WSL2 and the client to the same ZeroTier network ID

I assume you have already used ZeroTier (after all, why else are you here?), but I’ll still give a short tutorial on installing and setting up ZeroTier.

  • Make an account on ZeroTier Central to manage ZeroTier Network IDs, then log in.
  • Create a network. Everything should already be set up for you. Set it to Private if you have the time to approve every incoming connection and need it to be private. The name defaults to two random words.
  • Note the Network ID of the network you just made.
  • Now download and install the ZeroTier application on each device that should be in the same network: in this case, the computer that hosts WSL2 (the webserver) and the client.
  • Open the ZeroTier control panel from the taskbar icon, and use the Network ID saved earlier to join the network. Do this on both the client and the server. Don’t forget to authorize the client in ZeroTier Central.
  • Now the client should be able to make requests from the browser, using the ZeroTier managed IP of the PC that hosts WSL2.

That’s all! I hope this edge-case guide helped you.

Reference:

https://www.williamjbowman.com/blog/2020/04/25/running-a-public-server-from-wsl-2/

https://discuss.zerotier.com/t/accessing-wsl2-exposed-ports-via-zerotier-answered/4881
