Firewall Configuration

Windows Firewall

This rule is required regardless of WSL2 networking mode (NAT or mirrored). It allows inbound SSH traffic to reach the Windows host.

New-NetFirewallRule -DisplayName "WSL2 SSH via Tailscale" `
    -Direction Inbound -Protocol TCP -LocalPort 22,9000-9999 -Action Allow `
    -RemoteAddress 100.64.0.0/10

Opens SSH (22) and a dev port range (9000-9999) for web servers, APIs, etc. The 100.64.0.0/10 range covers all Tailscale CGNAT addresses -- only tailnet machines can reach these ports.

Allow SSH from anywhere (less secure)

New-NetFirewallRule -DisplayName "WSL2 SSH" `
    -Direction Inbound -Protocol TCP -LocalPort 22 -Action Allow

Verify

Get-NetFirewallRule -DisplayName "WSL2*" | Format-Table Name,Enabled,Direction,Action
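Listing the rules shows that they exist, but not whether they are scoped to the tailnet. The following audit script is an added example (not part of the original page) that walks every inbound Allow rule whose display name starts with "WSL2", reads its port and address filters, and warns when a rule exposing port 22 has a remote address scope of Any, i.e. the "less secure" variant above. It assumes the rule display names used on this page; the 100.64.0.0/10 prefix is the Tailscale CGNAT range stated earlier.

```powershell
# Added example: flag WSL2 inbound rules that allow SSH from any remote address.
# Assumes rules were created with a display name starting with "WSL2" as on this page.
$tailnetPrefix = '100.64.0.0/10'

$rules = Get-NetFirewallRule -DisplayName 'WSL2*' -Direction Inbound -Action Allow -ErrorAction SilentlyContinue

foreach ($rule in $rules) {
    # Port and address scope live in separate filter objects attached to the rule.
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter

    # LocalPort is a string array such as @('22', '9000-9999').
    $exposesSsh = $portFilter.LocalPort -contains '22'
    $remote     = @($addrFilter.RemoteAddress)

    if ($exposesSsh -and ($remote -contains 'Any')) {
        Write-Warning "$($rule.DisplayName): SSH (22) is allowed from ANY remote address; consider -RemoteAddress $tailnetPrefix"
    }
    elseif ($exposesSsh -and ($remote -contains $tailnetPrefix)) {
        Write-Host "$($rule.DisplayName): SSH (22) is restricted to the tailnet ($tailnetPrefix)"
    }

    # Summary line per rule for the operator.
    [pscustomobject]@{
        DisplayName   = $rule.DisplayName
        Enabled       = $rule.Enabled
        LocalPort     = ($portFilter.LocalPort -join ',')
        RemoteAddress = ($remote -join ',')
    }
}
```

Run it from an elevated PowerShell session after creating the rules; a rule created with the "from anywhere" command will produce a warning, while the Tailscale-scoped rule will not.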

Hyper-V Firewall (Mirrored Mode Only)

When using networkingMode=mirrored, the regular Windows Firewall alone does not control traffic to WSL2. The Hyper-V firewall adds an additional layer.

Check current policy

Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore `
    -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}'

Allow SSH specifically

New-NetFirewallHyperVRule -Name "WSL-SSH-Inbound" `
    -DisplayName "WSL SSH Inbound" `
    -Direction Inbound `
    -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' `
    -Protocol TCP -LocalPorts 22 -Action Allow

Allow all inbound (broad -- only for trusted networks)

Set-NetFirewallHyperVVMSetting `
    -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' `
    -DefaultInboundAction Allow

The GUID {40E0AC32-46A5-438A-A0B2-2B479E8F2E90} is the WSL VMCreatorId. It's the same for all WSL2 installations.
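Because the broad "allow all inbound" setting silently overrides the per-port rule, it is worth having a single check that reports both the default inbound action and the specific Hyper-V rules for the WSL VM. The script below is an added example, not code from the original page: it reads the active-store VM setting for the WSL VMCreatorId shown above, warns if the default inbound action has been set to Allow, and lists the rules attached to that VMCreatorId. It assumes Get-NetFirewallHyperVRule accepts -VMCreatorId for filtering (the same identifier the page passes to New-NetFirewallHyperVRule).

```powershell
# Added example: audit the Hyper-V firewall posture for the WSL VM (mirrored mode).
$wslVmCreatorId = '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}'   # WSL VMCreatorId, per the page

# Effective (active-store) settings for the WSL VM.
$vmSetting = Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name $wslVmCreatorId

if ("$($vmSetting.DefaultInboundAction)" -eq 'Allow') {
    Write-Warning "Hyper-V firewall default inbound action for WSL is Allow: every listening port in WSL2 is reachable, regardless of per-port rules"
}
else {
    Write-Host "Hyper-V firewall default inbound action for WSL: $($vmSetting.DefaultInboundAction)"
}

# Per-port rules scoped to the WSL VM. Assumption: -VMCreatorId filters rules by creator.
$hvRules = Get-NetFirewallHyperVRule -VMCreatorId $wslVmCreatorId -ErrorAction SilentlyContinue

if (-not $hvRules) {
    Write-Host "No Hyper-V firewall rules found for the WSL VMCreatorId"
}
else {
    $hvRules |
        Select-Object Name, DisplayName, Enabled, Direction, Action, Protocol, LocalPorts |
        Format-Table -AutoSize
}
```

Run this after switching to networkingMode=mirrored; the expected posture for an SSH-only setup is a default inbound action other than Allow plus one enabled inbound TCP rule for port 22.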

WSL2 Internal Firewall (iptables/ufw)

By default, WSL2 has no iptables rules blocking inbound traffic. You generally do not need to configure this. If you want defense-in-depth:

sudo apt install -y ufw
# Allow SSH before enabling, so the default "deny incoming" policy does not lock you out.
sudo ufw allow 22/tcp
sudo ufw enable

Tailscale's Security Benefit

With Tailscale, SSH is only reachable over the WireGuard tunnel. Even if you use RemoteAddress 0.0.0.0/0 (or omit -RemoteAddress entirely) in Windows Firewall, the Tailscale interface is not exposed to the public internet. The only traffic that arrives on the Tailscale IP is authenticated tailnet traffic.

However, restricting to 100.64.0.0/10 is still good practice -- it prevents accidental exposure if Tailscale is ever disabled or misconfigured.