Blog

How to Configure X11 Forwarding for WSL2

The Windows Subsystem for Linux (WSL) facilitates running Linux environments directly on Windows. While WSL1 presented a relatively direct path for X11 forwarding to execute Linux GUI applications,the architectural shifts in WSL2 mandate a different methodology.

WSL2 operates within a virtualized environment, possessing its own network interface that is distinct from the Windows host. This fundamental difference means that X11 forwarding configurations effective in WSL1 are typically insufficient for WSL2. 
Individuals seeking to launch graphical Linux applications from their WSL2 instance and have them displayed on their Windows desktop must implement specific settings.
This document outlines the underlying reasons for these new requirements and details several methods to successfully establish X11 forwarding with WSL2, addressing various Windows versions and technical preferences.

Understanding the Challenge with WSL2 and X11 Forwarding

The core distinction between WSL1 and WSL2 regarding X11 forwarding is rooted in their networking architectures. WSL2’s utilization of a lightweight virtual machine (VM) with a virtualized network interface introduces complexities that WSL1, functioning as a translation layer, did not encounter.

Key differences impacting X11 forwarding are summarized below:

WSL1 vs. WSL2: Impact on X11 Forwarding

Furthermore, X servers active on Windows may possess access control mechanisms that, by default, obstruct connections originating from the “remote” WSL2 environment unless specifically configured to permit them.

Read: Identifying Processes Using Specific TCP/UDP Ports on Windows

Methods for Enabling X11 Forwarding in WSL2

Several strategies can enable X11 forwarding with WSL2. The most appropriate option depends on your Windows version and specific requirements.

Solution 1: Native GUI Support with WSLg (Recommended for Modern Windows)

For users operating on Windows 11 or Windows 10 (Version 22H2, build 2311 or later), Microsoft offers WSLg (Windows Subsystem for Linux GUI).

WSLg provides out-of-the-box support for running Linux GUI applications, eliminating the need for manual installation of an X server on Windows or intricate DISPLAY variable configuration.

Prerequisites:

  • Windows 11, or Windows 10 Version 22H2 (build 2311) or higher. Your build number can be verified via the “System Information” application.
  • WSL2 instance (WSL1 is not compatible with WSLg).
  • (Recommended) Updated graphics drivers for your vGPU (Intel, AMD, NVIDIA).

Steps:

  1. Ensure your Windows system is fully updated.
  2. Update WSL to the latest version. Open PowerShell as an administrator and execute: 
    wsl --update
  3. Restart the WSL subsystem to apply changes: 
    wsl --shutdown

    Subsequently, launching a WSL2 distribution will start the updated version.

  4. Crucially, remove any manual DISPLAY environment variable settings from your WSL2 shell configuration files (e.g., ~/.bashrc, ~/.zshrc) if previously added for other X11 forwarding methods.

Why it works: WSLg integrates a Wayland server, an X server (XWayland), and a PulseAudio server directly into the WSL2 environment. It automatically manages display and audio forwarding, streamlining the process. Consequently, GUI applications launched from WSL2 generally function without additional configuration.

X11 Forwarding Solutions Comparison

Read: How to Access Serial Ports (COM & ttyS) in Windows Subsystem for Linux (WSL1 & WSL2)

Solution 2: Manual Configuration for X11 Forwarding

If WSLg is unavailable or not preferred, manual configuration becomes necessary. This process involves setting environment variables within WSL2, configuring an X server application on the Windows host, and adjusting the Windows Firewall.

2.1. Essential Environment Variables in WSL2

Two primary environment variables must be established in your WSL2 Linux environment. These are typically set within your shell’s startup file (e.g., ~/.bashrc for Bash):

  • DISPLAY: This variable informs Linux GUI applications about the network location of the X server.
  • LIBGL_ALWAYS_INDIRECT: This variable often aids OpenGL rendering compatibility.

A common and reliable method to set these variables dynamically is:


# Add to ~/.bashrc or equivalent
export DISPLAY=$(ip route list default | awk '{print $3}'):0
export LIBGL_ALWAYS_INDIRECT=1

The command ip route list default | awk '{print $3}' programmatically identifies the IP address of the default gateway for the WSL2 instance. From WSL2’s perspective, this gateway IP is the address of the Windows host. Appending :0 specifies the primary display (screen 0) on that host.

Setting LIBGL_ALWAYS_INDIRECT=1 compels OpenGL applications to utilize indirect rendering, which is generally more compatible with X servers running on a separate Windows host system.

Alternative DISPLAY Setups (use with caution):

  • Parsing /etc/resolv.conf: 
    export DISPLAY=$(awk '/nameserver / {print $2; exit}' /etc/resolv.conf 2>/dev/null):0

    This method can be unreliable if /etc/resolv.conf is customized, contains multiple nameserver entries, or if WSL’s automatic generation of this file is disabled.

  • Using the hostname command (requires DNS to resolve WSL2’s hostname to the host IP): 
    
HOST_IP=$(host `hostname` | grep -oP '(\s)\d+(\.\d+){3}' | tail -1 | awk '{ print $NF }' | tr -d '\r')
export DISPLAY=$HOST_IP:0.0
  • Extracting IP via ipconfig.exe (parsing Windows command output can be fragile): 
    
# Example, structure of ipconfig output can vary
export DISPLAY=$(powershell.exe -c ipconfig | grep -A4 WSL | tail -1 | awk '{ print $NF }' | tr -d '\r'):0

A note on LIBGL_ALWAYS_INDIRECT: While 1 is standard, certain applications, especially 3D simulation software like ROS/Gazebo, might perform better or require export LIBGL_ALWAYS_INDIRECT=0.

Read: How to Fix NTFS Mount Issues: ‘Wrong fs type, bad superblock’ in Ubuntu 24.04

2.2. Configuring the X Server on Windows

An X server application must be installed and operational on your Windows host. Popular choices include VcXSrv and Xming. During the X server’s launch or configuration phase (e.g., using VcXSrv’s XLaunch utility), consider the following:

  • Disable Access Control: This is a critical step. Search for an option like “Disable access control” and ensure it is enabled (checked). For VcXSrv, this can also be achieved by launching it with the -ac command-line argument: 
    vcxsrv.exe -ac
  • Native OpenGL (VcXSrv): Some users find that unchecking “Native opengl” in VcXSrv’s settings improves compatibility, particularly when LIBGL_ALWAYS_INDIRECT=1 is active in WSL2.

Disabling access control allows any client on the network, including your WSL2 instance, to connect to the X server. While convenient, it’s important to consider the security implications of this setting in environments with untrusted network participants.

2.3. Adjusting Windows Firewall

The Windows Firewall will typically block unsolicited incoming connections from WSL2 to your X server. An inbound rule must be created to permit this traffic.

  1. Launch “Windows Defender Firewall with Advanced Security”.
  2. Navigate to “Inbound Rules” in the left pane, then click “New Rule…” in the right pane.
  3. Rule Type: Select “Port” and proceed.
  4. Protocol and Ports: Choose “TCP”. For “Specific local ports”, enter 6000. (Port 6000 is the standard X11 port. If your X server is configured to use a different port or range, specify that instead). Proceed.
  5. Action: Select “Allow the connection” and proceed.
  6. Profile: Determine which network profiles (Domain, Private, Public) this rule applies to. “Private” is generally appropriate for home networks. Proceed.
  7. Name: Assign a descriptive name, such as “WSL2 X11 Access”, and an optional description. Click “Finish”.

Enhancing Firewall Security by Scoping the Rule:
To restrict access more tightly, configure the rule to accept connections only from WSL2’s specific IP address range. Follow these steps:

  1. In “Inbound Rules”, locate and right-click your newly created rule, then choose “Properties”.
  2. Switch to the “Scope” tab.
  3. Under the “Remote IP address” section, select “These IP addresses” and click “Add…”.
  4. Input the CIDR notation for your WSL2 virtual network. Common general ranges include 172.16.0.0/12. More specific ranges (e.g., 172.23.0.0/16, 192.168.x.x/y) can be determined by examining the output of ip addr within WSL2 for the eth0 interface or the WSL network adapter settings in Windows.
  5. Confirm and apply these changes.
It’s occasionally reported that, in addition to the port-based rule, explicitly allowing the X server executable (e.g., VcXSrv.exe) through the Windows Defender Firewall (via “Allow an app or feature through Windows Defender Firewall”) for both “Private” and “Public” networks can resolve connectivity issues.

Solution 3: X11 Forwarding via SSH

This technique leverages SSH’s secure X11 forwarding mechanism. It establishes a secure channel and generally bypasses the need for direct X server firewall port opening or global disabling of X server access control.

Prerequisites:

  • An X server (e.g., VcXSrv, Xming) installed and running on Windows. It can be launched with default settings (access control enabled). Set its display number (e.g., to 0).
  • An SSH server (openssh-server) installed and operational within your WSL2 distribution. 
    
sudo apt update
sudo apt install openssh-server
# Ensure X11Forwarding is set to yes in /etc/ssh/sshd_config (usually default)
# sudo systemctl enable ssh --now  # For systemd-enabled distros
sudo service ssh start           # For non-systemd init
  • An SSH client on Windows supporting X11 forwarding (e.g., PuTTY, the built-in OpenSSH client in Windows Command Prompt/PowerShell, or Git Bash’s SSH).

Connection Steps:

  1. From your Windows SSH client, initiate a connection to your WSL2 instance with X11 forwarding enabled (-X or -Y flag). WSL2 typically forwards port 22 from the Windows host (localhost) to the SSH server in the WSL2 VM. 
    
# Using OpenSSH from Windows Command Prompt or PowerShell:
ssh -X #YourWSLUsername#@localhost
# Or, for trusted X11 forwarding (less secure, but may help with some apps):
# ssh -Y #YourWSLUsername#@localhost

    (Replace #YourWSLUsername# with your actual username in the WSL2 environment.)

  2. Upon successful connection, the SSH session automatically configures the necessary DISPLAY variable within WSL2. GUI applications launched in this SSH session will have their display forwarded.

Creating Windows shortcuts (example using Git Bash SSH):


"C:\Program Files\Git\git-bash.exe" -c "DISPLAY=127.0.0.1:0 ssh -Y -f #YourWSLUsername#@localhost 'bash -l -c #YourGUIApplication# >/dev/null 2>&1'"

(Replace #YourWSLUsername# and #YourGUIApplication#. The initial DISPLAY=127.0.0.1:0 is for the Git Bash environment itself, while the SSH connection manages X11 forwarding into WSL2.)

Why it works: The SSH client on Windows establishes a local listener for X11. When a GUI application runs in WSL2 via this SSH session, its X11 traffic is securely tunneled over SSH to the client.

The client then directs this traffic to the Windows X server. This method relies on SSH for both security and display management.

DISPLAY Variable Setting Methods Comparison

Read: How to fix Bluetooth connection problems on Ubuntu 22.04

Solution 4: Advanced – Tunneling X11 via `socat` and a WSL1 Instance

This more intricate solution is suitable for scenarios where direct IP-based connections are challenging. It utilizes a WSL1 instance as an intermediary for network traffic.

Prerequisites:

  • An X server active on Windows (e.g., VcXSrv), listening on its standard TCP port (e.g., 6000).
  • A functional WSL1 distribution with socat installed.
  • socat also installed in your primary WSL2 distribution.

Configuration:

  1. Within your WSL2 distribution, establish a Unix domain socket. Use socat to forward connections from this socket, through the WSL1 instance, to the X server on Windows. Execute this command in the background in WSL2: 
    
mkdir -p /tmp/.X11-unix/
# Replace #WSL1_DISTRO_NAME# with the actual name of your WSL1 distribution (e.g., Ubuntu-18.04-LTS)
socat UNIX-LISTEN:/tmp/.X11-unix/X0,fork EXEC:"/mnt/c/Windows/System32/wsl.exe -d #WSL1_DISTRO_NAME# socat - TCP\:localhost\:6000" &
  2. Configure the DISPLAY variable in your WSL2 environment to utilize this Unix socket: 
    export DISPLAY=:0

    (This defaults to using /tmp/.X11-unix/X0. If your socket path differs, adjust accordingly.)

This configuration creates a local X11 socket (/tmp/.X11-unix/X0) inside WSL2. GUI applications connect to this local socket. The primary socat instance in WSL2 captures this traffic and invokes wsl.exe to run another socat command within the specified WSL1 distribution.

The WSL1 socat, benefiting from WSL1’s simpler networking model where localhost can refer to the Windows host, then forwards the X11 traffic to the X server listening on localhost:6000 (Windows host).

Verifying Your X11 Forwarding Setup

After implementing one of the above solutions, confirm its effectiveness by following these steps:

  1. Ensure your X server application (VcXSrv, Xming, etc.) is running on Windows (unless using WSLg).
  2. Open your WSL2 terminal. The necessary environment variables (DISPLAY, etc.) should now be active, whether set by .bashrc, WSLg, or an SSH session.
  3. If not already present, install basic X11 utility applications: 
    
sudo apt update
sudo apt install x11-apps -y
  4. Attempt to launch a simple X application, for example: 
    xcalc

    Or the classic:

    xeyes

If the application’s graphical window successfully appears on your Windows desktop, X11 forwarding is operational. Errors such as “Cannot open display” or “Error: Can’t open display” typically indicate a problem with the DISPLAY variable, X server access control settings, firewall configurations, or the X server itself not running.

Common Issues and Considerations

  • Firewall Persistence: Windows Firewall rules are crucial. Verify that TCP port 6000 (or your X server’s designated port) is permitted for inbound connections, ideally scoped to WSL2’s IP range for enhanced security.
  • X Server Access: If not employing WSLg or SSH X11 forwarding, your X server must typically have its access control disabled (e.g., VcXSrv with -ac).
  • DISPLAY Variable Accuracy: Confirm the DISPLAY variable in WSL2 (echo $DISPLAY) correctly targets your Windows host’s IP address and display number (e.g., 172.20.112.1:0).
  • Dynamic IP Addresses: The IP address of the WSL2 network interface on the Windows host can change between sessions or reboots. Dynamic methods for setting DISPLAY (like using ip route list default) are strongly recommended over static IP addresses.

Troubleshooting X11 Forwarding in WSL2

  • Multiple X Servers/Displays: In complex setups with multiple X servers or displays, ensure the display number component of the DISPLAY variable (e.g., :0, :1) is accurate.
  • vGPU Drivers for WSLg: For optimal WSLg performance and compatibility, especially with graphically intensive applications, ensure you have the latest vGPU drivers installed from Intel, AMD, or NVIDIA.
  • LIBGL_ALWAYS_INDIRECT Behavior: If graphical applications exhibit rendering artifacts or performance issues, experimenting by toggling LIBGL_ALWAYS_INDIRECT between 1 and 0 in your WSL2 environment might yield improvements.
  • WSL Instance Restart: Following significant configuration changes (e.g., modifications to ~/.bashrc, network settings, or WSL updates), a full restart of the WSL subsystem can be beneficial: 
    
# Execute in PowerShell or Command Prompt
wsl --shutdown

    Afterward, relaunch your WSL2 terminal to ensure all changes take effect.

  • X Server Logs: Check the logs of your X server application on Windows (VcXSrv, Xming) for any error messages related to connection attempts from WSL2.

Conclusion

The transition to a virtualized network architecture in WSL2 necessitates a revised strategy for X11 forwarding when compared to WSL1. While this introduces initial setup complexities, robust solutions are readily achievable.

By correctly configuring essential environment variables like DISPLAY, adjusting Windows Firewall settings, and properly setting up the X server application on Windows—or by leveraging the integrated capabilities of WSLg in contemporary Windows versions—seamless operation of Linux GUI applications within a WSL2 environment is highly attainable.

 

 

Akil Sharma

Akil is a dedicated Cybersecurity Analyst with a strong focus on both offensive and defensive security techniques across Linux and Windows platforms. He delves into topics like vulnerability assessment, penetration testing methodologies, malware analysis, incident response, and implementing security frameworks. Akil is committed to educating readers on the latest threats and sharing actionable strategies for hardening systems and protecting data.