Windows 上用端口转发与防火墙放行,让 WSL 通过宿主机 IP 连接你本机代理
-限nat(如果切换到 Mirrored 网络模式(需要重启 WSL,可能改变子网行为)请不要看此文章)
当前代理(127.0.0.1:33210/33211)
仅限 WinHTTP 和环境变量(不动代理软件与系统 Internet 设置,避免影响其它程序);端口转发采用最简命令,默认为 0.0.0.0 监听,另提供更安全的"仅监听 WSL 虚拟网卡 IP"的方案。
命令
- 运行前说明
- 请用"以管理员身份运行"的 PowerShell。
- 若要撤销操作,每一步均提供对应的回滚命令。
- 第 1 步:检查与清理多余代理配置(可选但推荐)
```powershell
# 1) 查看 WinHTTP 代理(如有非空,可能干扰)
netsh winhttp show proxy
# 清理 WinHTTP 代理
netsh winhttp reset proxy
# 2) 清理用户/系统环境变量中的代理(避免全局干扰)
$names = "HTTP_PROXY","HTTPS_PROXY","ALL_PROXY","http_proxy","https_proxy","all_proxy"
foreach ($n in $names) { [Environment]::SetEnvironmentVariable($n,$null,"User") }
foreach ($n in $names) { try { [Environment]::SetEnvironmentVariable($n,$null,"Machine") } catch {} }
# 3) 查看现有端口转发(如果之前做过,先清理)
netsh interface portproxy show all第 2 步:删除旧的端口转发与重复防火墙规则(若第一次配置,可跳过删除)
powershell
# 删除可能遗留的端口转发(常见两种 listenaddress)
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=33210
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=33211
netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=33210
netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=33211
# 删除旧防火墙规则(若不存在会提示未找到)
netsh advfirewall firewall delete rule name="WSL HTTP Proxy 33210"
netsh advfirewall firewall delete rule name="WSL SOCKS Proxy 33211"第 3 步:创建端口转发(基础方案:对所有接口监听,最通用)
powershell
# 将 33210/33211 的入站转发到本机代理 127.0.0.1:33210/33211
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=33210 connectaddress=127.0.0.1 connectport=33210
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=33211 connectaddress=127.0.0.1 connectport=33211
# 验证映射是否就绪
netsh interface portproxy show all第 3 步(更安全可选):仅监听 WSL 虚拟网卡 IP(减少对外暴露面)
powershell
在这里插入代码片# 获取 WSL 虚拟网卡 IP(通常与 WSL 内 resolv.conf 的 nameserver 一致)
$wslHostIp = (Get-NetIPAddress -InterfaceAlias "vEthernet (WSL)" -AddressFamily IPv4).IPAddress
netsh interface portproxy add v4tov4 listenaddress=$wslHostIp listenport=33210 connectaddress=127.0.0.1 connectport=33210
netsh interface portproxy add v4tov4 listenaddress=$wslHostIp listenport=33211 connectaddress=127.0.0.1 connectport=33211
netsh interface portproxy show all
# 回滚(如需改回 0.0.0.0 或重新设置)
netsh interface portproxy delete v4tov4 listenaddress=$wslHostIp listenport=33210
netsh interface portproxy delete v4tov4 listenaddress=$wslHostIp listenport=33211第 4 步:放行防火墙并验证端口
powershell
# 防火墙放行端口(TCP)
netsh advfirewall firewall add rule name="WSL HTTP Proxy 33210" dir=in action=allow protocol=TCP localport=33210
netsh advfirewall firewall add rule name="WSL SOCKS Proxy 33211" dir=in action=allow protocol=TCP localport=33211
# 验证端口转发联通性(本机内)
Test-NetConnection -ComputerName 127.0.0.1 -Port 33210 -InformationLevel Detailed
Test-NetConnection -ComputerName 127.0.0.1 -Port 33211 -InformationLevel Detailed
# 如遇"IP Helper"服务未启动:启动它
sc query iphlpsvc
net start iphlpsvc第 5 步:WSL 内设置代理与测试(不要使用 127.0.0.1,改用宿主机 IP)
powershell
# 在 WSL 内获取宿主机 IP(nameserver 即宿主机)
cat /etc/resolv.conf
# 记下 nameserver 后面的 IP,例如 172.22.64.1
#export HTTP_PROXY=http://<宿主机IP>:33210
# 设置代理环境变量(示例)
export HTTP_PROXY=http://172.22.64.1:33210
export HTTPS_PROXY=http://172.22.64.1:33210
export ALL_PROXY=socks5://172.22.64.1:33211
# 测试连通
curl -I https://www.google.com
wget -qO- https://www.google.com | head -n 1
git ls-remote https://github.com/git/git.git
sudo apt update回滚与清理(如需停用)
powershell
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=33210
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=33211
# 若使用了 vEthernet (WSL) 的监听地址,按实际 IP 删除:
# netsh interface portproxy delete v4tov4 listenaddress=<WSLHostIP> listenport=33210
# netsh interface portproxy delete v4tov4 listenaddress=<WSLHostIP> listenport=33211
netsh advfirewall firewall delete rule name="WSL HTTP Proxy 33210"
netsh advfirewall firewall delete rule name="WSL SOCKS Proxy 33211"
netsh winhttp reset proxy
foreach ($n in "HTTP_PROXY","HTTPS_PROXY","ALL_PROXY","http_proxy","https_proxy","all_proxy") { [Environment]::SetEnvironmentVariable($n,$null,"User") }
foreach ($n in "HTTP_PROXY","HTTPS_PROXY","ALL_PROXY","http_proxy","https_proxy","all_proxy") { try { [Environment]::SetEnvironmentVariable($n,$null,"Machine") } catch {} }总结
目的:在代理软件无法修改监听地址的情况下,让 WSL(NAT)通过宿主机 IP 使用 Windows 的 localhost 代理。
-
适用场景:企业内网/个人设备,本机代理限制为 127.0.0.1,WSL 需要走同一代理。
-
限制:
- 端口对 0.0.0.0 监听会对整机暴露;建议用"vEthernet (WSL)"的宿主机 IP 监听以收敛暴露面。
- 仅支持 TCP 转发;UDP 流量不转发。
- WSL 子网或宿主机 vEthernet (WSL) IP 可能变化,重启后需重新确认 IP。
思维导图(Markdown 列表)
-
目标:WSL 在 NAT 模式下走 Windows 本地代理
- 清理:WinHTTP/环境变量代理干扰
- 端口转发:33210/33211 → 127.0.0.1:33210/33211
- 防火墙:入站放行 TCP 33210/33211
- WSL 配置:使用宿主机 IP 而非 127.0.0.1
- 验证:curl/git/apt 出网成功
- 安全优化:监听 vEthernet (WSL) 专用 IP
- 回滚:删除 portproxy 与防火墙规则
测试/示例
-
Windows 验证
netsh interface portproxy show all Test-NetConnection -ComputerName 127.0.0.1 -Port 33210 -InformationLevel Detailed Test-NetConnection -ComputerName 127.0.0.1 -Port 33211 -InformationLevel Detailed -
WSL 验证(忽略 ping)
curl -I https://www.google.com git ls-remote https://github.com/git/git.git sudo apt update