cannot add network services: listen tcp 127.0.0.1:2222: bind: An attempt was made to access a socket in a way forbidden by its access permissions.

[graffight]

As per the title; I'm getting a weird error when running wsl-vpnkit on a fresh deployment of Ubuntu-22.04 and wsl-vpnkit v0.4.1
I apologise in advance for the wall of text; i'm trying to be concise in explaining what i'm seeing and what i've tried so far...

I've moved the wsl-gvproxy.exe out to /mnt/c/Users/myuser/wsl-gvproxy.exe to avoid Exec errors, and am mainly trying to use the script located within my own deployment (in /opt/wsl-vpnkit), running via Systemd on boot.

All that aside; trying to run it without systemd results in the same error.

before running, i've also run:

• sudo ip tuntap del wsltap mode tap
• ```sudo kill `ps -ef | grep gv | awk '{print$2}'````
• (powershell) kill -Name wsl-gvproxy

$ sudo VMEXEC_PATH=/opt/wsl-vpnkit/wsl-vm GVPROXY_PATH=/mnt/c/Users/myuser/wsl-gvproxy.exe DEBUG=1 /opt/wsl-vpnkit/wsl-vpnkit 2>&1 | tee output.log
+ VPNKIT_GATEWAY_IP=192.168.127.1
+ VPNKIT_HOST_IP=192.168.127.254
+ VPNKIT_LOCAL_IP=192.168.127.2
+ TAP_MAC_ADDR=5a:94:ef:e4:0c:ee
+ VMEXEC_PATH=/opt/wsl-vpnkit/wsl-vm
+ GVPROXY_PATH=/mnt/c/Users/myuser/wsl-gvproxy.exe
+ TAP_NAME=wsltap
+ CHECK_HOST=google.com
+ CHECK_DNS=8.8.4.4
+ DEBUG=1
+ set +x
+ WSL2_TAP_NAME=eth0
+ WSL2_GATEWAY_IP=172.27.0.1
+ [ 1 -eq 0 ]
+ command -v iptables-legacy
+ alias iptables=iptables-legacy
+ id -u
+ [ 0 -ne 0 ]
+ [ ! -f /opt/wsl-vpnkit/wsl-vm ]
+ [ ! -f /mnt/c/Users/myuser/wsl-gvproxy.exe ]
+ cat /mnt/wsl/resolv.conf
+ grep automatically generated by WSL
+ [ 0 -eq 1 ]
+ /mnt/c/Users/myuser/wsl-gvproxy.exe -help
+ [ 0 -eq 1 ]
+ trap close exit
+ trap exit int term
+ cleanup
+ iptables_set D
+ wsl2tap_up
+ ip link set dev wsltap down
+ ip tuntap del wsltap mode tap
+ ip route add default via 172.27.0.1 dev eth0
+ wsl2tap_down
+ ip route del default
+ ip tuntap add wsltap mode tap
+ ip link set dev wsltap address 5a:94:ef:e4:0c:ee
+ ip link set dev wsltap up
+ ip addr add 192.168.127.2/255.255.255.0 dev wsltap
+ ip route add default via 192.168.127.1 dev wsltap
+ run
+ echo starting vm and gvproxy...
starting vm and gvproxy...
+ sleep 1
+ /opt/wsl-vpnkit/wsl-vm -url=stdio:/mnt/c/Users/myuser/wsl-gvproxy.exe?listen-stdio=accept&debug=1 -iface=wsltap -stop-if-exist= -preexisting=1 -debug=1
time="2023-08-08T16:31:02+01:00" level=info msg="waiting for packets..."
time="2023-08-08T16:31:02+01:00" level=info msg="PACKET: 90 bytes, truncated\n- Layer 1 (14 bytes) = Ethernet\t{Contents=[..14..] Payload=[..76..] SrcMAC=5a:94:ef:e4:0c:ee DstMAC=33:33:00:00:00:16 EthernetType=IPv6 Length=0}\n- Layer 2 (40 bytes) = IPv6\t{Contents=[..40..] Payload=[..28..] Version=6 TrafficClass=0 FlowLabel=0 Length=36 NextHeader=IPv6HopByHop HopLimit=1 SrcIP=:: DstIP=ff02::16 HopByHop={ Contents=[..8..] Payload=[..28..] NextHeader=ICMPv6 HeaderLength=0 ActualLength=8 Options=[{OptionType=5 OptionLength=2 ActualLength=4 OptionData=[0, 0] OptionAlignment=[0 0]}, {OptionType=1 OptionLength=0 ActualLength=2 OptionData=[] OptionAlignment=[0 0]}]}}\n- Layer 3 (08 bytes) = IPv6HopByHop\t{Contents=[..8..] Payload=[..28..] NextHeader=ICMPv6 HeaderLength=0 ActualLength=8 Options=[{OptionType=5 OptionLength=2 ActualLength=4 OptionData=[0, 0] OptionAlignment=[0 0]}, {OptionType=1 OptionLength=0 ActualLength=2 OptionData=[] OptionAlignment=[0 0]}]}\n- Layer 4 (04 bytes) = ICMPv6\t{Contents=[143, 0, 97, 184] Payload=[..24..] TypeCode=143(0) Checksum=25016 TypeBytes=[]}\n- Layer 5 (00 bytes) = MLDv2MulticastListenerReport\tNumber of Mcast Addr Records: 1 (actual 1), Multicast Address Records: [{RecordType:CHANGE_TO_EXCLUDE_MODE AuxDataLen:0 N:0 MulticastAddress:ff02::1:ffe4:cee SourceAddresses:[] AuxiliaryData:[]}]\n"
time="2023-08-08T16:31:02+01:00" level=error msg="cannot add network services: listen tcp 127.0.0.1:2222: bind: An attempt was made to access a socket in a way forbidden by its access permissions."
time="2023-08-08T16:31:02+01:00" level=error msg="cannot read size from socket: EOF"
+ echo started vm and gvproxy
started vm and gvproxy
+ iptables_set A
+ iptables-legacy -t nat -A PREROUTING -d 172.27.0.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.127.1:53
+ iptables-legacy -t nat -A PREROUTING -d 172.27.0.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.127.1:53
+ iptables-legacy -t nat -A PREROUTING -d 172.27.0.1/32 -j DNAT --to-destination 192.168.127.254
+ iptables-legacy -t nat -A OUTPUT -d 172.27.0.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.127.1:53
+ iptables-legacy -t nat -A OUTPUT -d 172.27.0.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.127.1:53
+ iptables-legacy -t nat -A OUTPUT -d 172.27.0.1/32 -j DNAT --to-destination 192.168.127.254
+ iptables-legacy -t nat -A POSTROUTING -o wsltap -j MASQUERADE
+ check
+ check_ping 4 WSL 2 gateway / Windows host 172.27.0.1
+ ping -4 -c 1 172.27.0.1
time="2023-08-08T16:31:03+01:00" level=info msg="waiting for packets..."
time="2023-08-08T16:31:03+01:00" level=error msg="cannot add network services: listen tcp 127.0.0.1:2222: bind: An attempt was made to access a socket in a way forbidden by its access permissions."
time="2023-08-08T16:31:04+01:00" level=error msg="cannot read size from socket: EOF"
time="2023-08-08T16:31:05+01:00" level=info msg="waiting for packets..."
time="2023-08-08T16:31:05+01:00" level=error msg="cannot add network services: listen tcp 127.0.0.1:2222: bind: An attempt was made to access a socket in a way forbidden by its access permissions."
time="2023-08-08T16:31:05+01:00" level=error msg="cannot read size from socket: EOF"
<repeats>

I don't see anywhere in the code that refers to port 2222, but also nor do I see any processes running on port 2222 on Windows or WSL2.
netsh interface ipv4 show excludedportrange protocol=tcp does show that 2222 is in an ExcludedPortRange, but I don't see the relevance.

I am not connected to any VPN when running these tests, and have rebooted etc too. I don't see any useful info/errors in Event Viewer either.

Any ideas where to look next? Or where this port 2222 connection comes from or can be configured to use a different port?

WSL ifconfig:

$ ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:5e:63:f8:d1  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.27.15.4  netmask 255.255.240.0  broadcast 172.27.15.255
        inet6 fe80::215:5dff:fee7:25c  prefixlen 64  scopeid 0x20<link>
        ether 00:15:5d:e7:02:5c  txqueuelen 1000  (Ethernet)
        RX packets 2097  bytes 630586 (630.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 160  bytes 11453 (11.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Windows ipconfig (WSL item):

Ethernet adapter vEthernet (WSL):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::15d1:75f8:dc0a:8c7d%56
   IPv4 Address. . . . . . . . . . . : 172.27.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :

WSL Routes:

$ ip route show
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.27.0.0/20 dev eth0 proto kernel scope link src 172.27.15.4

My Local LAN network is 192.168.0.0/16 -- could this create a conflict with the wsl-vpnkit gateway/host/local IPs in any way?

[JdumaresqSE]

I've got the same error today. Any update on this ?

[graffight]

I've got the same error today. Any update on this ?

Not really a good answer, but I've temporarily opted to use dnsmasq for dns (to route work domains to work DNS servers, and the rest to normal resolvers), and then mangle the interface metric/priority; so then this works around the need for wsl-vpnkit for now; but I'd still much rather use wsl-vpnkit as a "proper" solution.

[takezop]

Same problem here...

[bartoszgodycki98]

Same issue. Everything was working fine but after Windows 10 update (KB5030211 and KB5030180) it stopped working with the same error message as above:

Edit: I've rolled back to v. 0.3.8 from current (0.4.1) and the problem is fixed.

[CallisteH]

No news on this ?

[selu]

I had the same issue, because a VM uses port 2222 in my PC. Looks like gvproxy.exe tries to listen on port 2222 by default, but it can be overridden by parameter -ssh-port. To make it work I changed /app/wsl-vpnkit script's line 47:
-url="stdio:$GVPROXY_PATH?listen-stdio=accept&debug=$DEBUG" \
to
-url="stdio:$GVPROXY_PATH?listen-stdio=accept&ssh-port=22220&debug=$DEBUG" \
Of couse, you can use any other free port number.

[4wuyan]

Don't know why it works, but this fixes mine:

In an admin Powershell/ Command Prompt:

net stop hns
net start hns

Hope it can help others.

Inspired by https://stackoverflow.com/a/67442253