huzi.pk logohuzi.pk

WSL2: Git Over SSH Hangs While VPN is Active – SSH Config and ProxyUseFdpass Tricks

tech

WSL2: Git Over SSH Hangs While VPN is Active – SSH Config and ProxyUseFdpass Tricks

Listen, I know why you're here. You connected to your corporate VPN, tried to do a simple git pull or git clone over SSH, and everything just... froze. The terminal cursor blinks mockingly. Minutes pass. Nothing happens. You're stuck in that special kind of tech limbo where you're not sure if you should wait longer or just give up.

I've been there, friend. Let me save you the hours of frustration.

The Quick Fix (What You Need Right Now)

Here's the solution that actually works:

  1. Edit your SSH config file:
nano ~/.ssh/config
  1. Add this configuration for GitHub/GitLab/Bitbucket:
Host github.com
    HostName github.com
    User git
    ProxyCommand nc -X 5 -x your-proxy:port %h %p
    # OR if no proxy needed:
    IPQoS throughput

Host *
    IPQoS 0x00
  1. The ProxyUseFdpass fix (if you're on Windows 11):
Host *
    ProxyUseFdpass no
  1. Test immediately:
ssh -T git@github.com

If you see "Hi [username]! You've successfully authenticated" — you're golden. But stay with me, because understanding why this happens will save you future headaches.

Why Does VPN Break Git SSH in WSL2?

Picture this: your data is a letter trying to reach its destination. Without VPN, it travels a direct route. With VPN, it goes through a secure tunnel. Sounds simple, right? But WSL2 sits in a peculiar place — it's Linux running inside a Windows virtual machine, and when you activate a VPN on Windows, the networking layers get... complicated.

Here's what's actually happening:

The Network Sandwich Problem

Your SSH connection travels through multiple layers:

  1. Your WSL2 Linux environment
  2. The WSL2 virtual network adapter
  3. Your Windows host network stack
  4. Your VPN tunnel
  5. Finally, out to the internet

Each layer has its own rules about packet handling, routing, and Quality of Service (QoS) settings. When they disagree, your SSH connection hangs like a car stuck in bureaucratic red tape.

The IPQoS Issue

SSH by default tries to mark packets with Quality of Service flags to prioritize certain traffic. Noble intention. But VPNs — especially corporate ones — often strip or reject these QoS markings for security reasons. Your SSH client sends a packet, the VPN says "what's this fancy flag?", drops it, and your connection waits forever for a response that will never come.

The technical details: SSH sets the IP Type of Service (ToS) field to "lowdelay" for interactive sessions and "throughput" for bulk transfers. Corporate VPNs running on Cisco AnyConnect, Pulse Secure, or GlobalProtect often have deep packet inspection that either strips these ToS values or drops packets with "unrecognized" QoS markings entirely. The result: your SSH handshake never completes.

The ProxyUseFdpass Windows 11 Bug

Windows 11 introduced a change in how it handles file descriptor passing in SSH connections through WSL2. The ProxyUseFdpass feature, which is supposed to improve performance, actually causes SSH to hang when VPN is active. It's one of those "improvements" that makes things worse — like adding a spoiler to a bicycle.

The root cause: When ProxyUseFdpass is enabled (which is the default on some Windows 11 SSH builds), SSH tries to pass file descriptors between the proxy command and the main SSH process. The VPN's network stack doesn't support this correctly, creating a deadlock where both sides are waiting for each other.

The MTU Mismatch Problem (Bonus)

VPN tunnels add overhead to every packet (encryption headers, tunnel encapsulation). If the Maximum Transmission Unit (MTU) of the VPN interface is smaller than what WSL2 is sending, packets get fragmented or silently dropped. SSH is particularly sensitive to this because even a single dropped packet can stall the entire connection.

The Complete Solution: Step-by-Step Deep Dive

Let me walk you through this properly, the way someone should have explained it to me when I first hit this wall at 2 AM during a deployment.

Step 1: Understanding Your SSH Config File

The SSH config file lives at ~/.ssh/config in your WSL2 home directory. This file is like a rulebook that tells SSH how to behave with different servers. If it doesn't exist, we'll create it.

Open your WSL2 terminal and run:

ls -la ~/.ssh/

If you see a config file, great. If not, don't worry — we're creating one. Also check that your SSH keys exist:

ls -la ~/.ssh/id_*

You should see files like id_rsa / id_rsa.pub or id_ed25519 / id_ed25519.pub. If you don't have SSH keys set up, generate them first:

ssh-keygen -t ed25519 -C "your_email@company.com"

Step 2: Creating a Robust SSH Configuration

Let's build this systematically. Open the config file:

nano ~/.ssh/config

Here's a comprehensive configuration that handles the most common scenarios:

# Fix for VPN-related SSH hangs
Host *
    IPQoS 0x00
    ProxyUseFdpass no
    ServerAliveInterval 60
    ServerAliveCountMax 3
    ConnectTimeout 30

# GitHub configuration
Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519
    IPQoS throughput
    TCPKeepAlive yes

# GitLab configuration
Host gitlab.com
    HostName gitlab.com
    User git
    IdentityFile ~/.ssh/id_ed25519
    IPQoS throughput
    TCPKeepAlive yes

# Bitbucket configuration
Host bitbucket.org
    HostName bitbucket.org
    User git
    IdentityFile ~/.ssh/id_ed25519
    IPQoS throughput
    TCPKeepAlive yes

# Self-hosted GitLab (corporate)
Host git.mycompany.internal
    HostName git.mycompany.internal
    User git
    IdentityFile ~/.ssh/id_ed25519
    IPQoS throughput
    TCPKeepAlive yes
    ProxyCommand nc -X connect -x proxy.company.com:8080 %h %p

Let me break down what each setting does:

  • IPQoS 0x00: Disables Quality of Service packet marking entirely. It's like removing the "priority mail" sticker that keeps getting rejected by the VPN.
  • ProxyUseFdpass no: Disables the file descriptor passing feature that causes hangs on Windows 11.
  • ServerAliveInterval 60: Sends a keepalive packet every 60 seconds to prevent connection timeout.
  • ServerAliveCountMax 3: Allows 3 failed keepalive attempts before closing the connection.
  • ConnectTimeout 30: Gives up after 30 seconds if no connection is established (prevents indefinite hangs).
  • TCPKeepAlive yes: Enables TCP-level keepalive packets as an additional safety net.
  • IdentityFile: Points to your SSH private key (adjust the path if yours is different).

Save the file (Ctrl+O, Enter, Ctrl+X in nano).

Step 3: Setting Proper Permissions

SSH is paranoid about security (rightfully so). If your config file has loose permissions, SSH will refuse to use it:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/config
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub

This makes the config and keys readable and writable only by you — no one else.

Step 4: Testing Your Configuration

Don't just assume it works. Test it with verbose output to see exactly what's happening:

ssh -T git@github.com

For GitLab:

ssh -T git@gitlab.com

For Bitbucket:

ssh -T git@bitbucket.org

You should see an authentication success message. If you get a timeout, we need to dig deeper.

Advanced Troubleshooting: When Basic Fixes Don't Work

Sometimes the problem runs deeper. Here are the advanced techniques I've learned through trial, error, and many cups of chai.

Using ProxyCommand with Corporate Proxies

If your corporate network requires an HTTP/SOCKS proxy, you'll need to route SSH through it:

For HTTP CONNECT proxies:

Host github.com
    ProxyCommand nc -X connect -x proxy.company.com:8080 %h %p

For SOCKS5 proxies:

Host github.com
    ProxyCommand nc -X 5 -x proxy.company.com:1080 %h %p

Replace proxy.company.com:8080 with your actual proxy address. You can usually find this in your browser's proxy settings or by asking IT.

Don't have nc (netcat)? Install it:

sudo apt update && sudo apt install netcat-openbsd

The corkscrew Alternative

For HTTP proxies, corkscrew is sometimes more reliable than netcat, especially with authenticating proxies:

sudo apt install corkscrew

Then in your SSH config:

Host github.com
    ProxyCommand corkscrew proxy.company.com 8080 %h %p

With proxy authentication: Create a file ~/.ssh/proxy-auth with your credentials:

username:password

Then:

Host github.com
    ProxyCommand corkscrew proxy.company.com 8080 %h %p ~/.ssh/proxy-auth

Debugging with Verbose SSH Output

When nothing makes sense, verbose mode reveals the truth:

ssh -vvv git@github.com

The triple -v gives you maximum verbosity. Look for these specific patterns:

Verbose Output What It Means Fix
"Connection timed out" Routing issue — VPN is blocking the connection Check proxy settings or VPN routing
"Connection reset by peer" Firewall actively blocking SSH Try port 443: Host ssh.github.com / Port 443
Stuck at "expecting SSH2_MSG_KEX_ECDH_REPLY" QoS/VPN dropping key exchange packets Add IPQoS 0x00
Stuck at "SSH2_MSG_SERVICE_ACCEPT" Proxy authentication required Configure proxy auth with corkscrew
"Permission denied (publickey)" SSH key not registered Add your public key to GitHub/GitLab

GitHub over Port 443 (Bypasses Some Firewall Rules)

If your corporate firewall blocks port 22 (the standard SSH port) but allows HTTPS (port 443):

Host github.com
    Hostname ssh.github.com
    Port 443
    User git
    IPQoS throughput

This routes your SSH connection through GitHub's HTTPS endpoint, which often bypasses corporate firewall restrictions.

Windows Firewall and WSL2

Sometimes Windows Firewall blocks WSL2's outbound SSH. Check:

  1. Open Windows Security
  2. Go to Firewall & Network Protection
  3. Click "Allow an app through firewall"
  4. Look for "WSL" or your specific Linux distribution
  5. Ensure both Private and Public are checked

You can also add a rule from PowerShell (run as admin):

New-NetFirewallRule -DisplayName "WSL2 SSH" -Direction Outbound -Action Allow -Protocol TCP -RemotePort 22

The Nuclear Option: Changing MTU

Maximum Transmission Unit (MTU) mismatches can cause mysterious hangs. VPNs reduce the effective MTU, but WSL2 doesn't always know about this:

# Check current MTU
ip link show eth0

# Reduce MTU to avoid fragmentation
sudo ip link set dev eth0 mtu 1400

This reduces packet size to avoid fragmentation issues. Test if it helps, then make it permanent by adding to /etc/wsl.conf:

[network]
generateResolvConf = false

[boot]
command = ip link set dev eth0 mtu 1400

Finding the right MTU value:

# Start with 1500 and reduce until packets go through
ping -M do -s 1472 github.com
# If this fails, try:
ping -M do -s 1400 github.com
# If 1400 works, set MTU to 1400 + 28 = 1428 (IP + ICMP header overhead)
sudo ip link set dev eth0 mtu 1428

Understanding VPN Types and Their Impact

Not all VPNs are created equal. The solution that works depends on what type you're dealing with.

VPN Type How It Handles SSH Difficulty Level Recommended Fix
Split-Tunnel Only corporate traffic goes through VPN Easy SSH config tweaks (IPQoS 0x00)
Full-Tunnel Everything goes through VPN Medium IPQoS + ProxyUseFdpass + possible MTU fix
WireGuard / Modern Generally well-behaved Easy Usually just IPQoS 0x00
Cisco AnyConnect Aggressively manages networking Hard Full suite: IPQoS + proxy + MTU
Pulse Secure Deep packet inspection Hard Same as AnyConnect
GlobalProtect Moderate interference Medium IPQoS + ProxyUseFdpass

Git-Specific Configurations

Beyond SSH config, Git itself has settings that can help with VPN-related issues:

# Increase Git's network timeout (useful for slow VPN connections)
git config --global http.postBuffer 524288000

# Use SSH instead of HTTPS for all GitHub repos
git config --global url."git@github.com:".insteadOf "https://github.com/"

# Enable keepalive in Git's SSH
git config --global core.sshCommand "ssh -o ServerAliveInterval=60 -o IPQoS=throughput"

# Increase Git's HTTP low-speed timeout
git config --global http.lowSpeedLimit 1000
git config --global http.lowSpeedTime 300

# Disable SSL verification (ONLY for self-hosted corporate Git servers)
# git config --global http.sslVerify false  # Use with extreme caution!

The .gitconfig SSH Override

You can set a custom SSH command that includes all the fixes:

git config --global core.sshCommand "ssh -o IPQoS=0x00 -o ProxyUseFdpass=no -o ServerAliveInterval=60 -o ConnectTimeout=30"

This ensures Git always uses the right SSH options, even if your ~/.ssh/config isn't being read properly.

WSL2 Networking Mode: Mirrored vs NAT (2025+)

If you're running a recent version of WSL2 (2.0+), Microsoft introduced a new networking mode that can solve many VPN-related issues:

Edit C:\Users\YourUsername\.wslconfig:

[wsl2]
networkingMode=mirrored
dnsTunneling=true
autoProxy=true

After making changes:

wsl --shutdown

What networkingMode=mirrored does: Instead of WSL2 having its own virtual network adapter (NAT mode), it mirrors the Windows host's network interfaces. This means:

  • VPN connections on Windows are automatically visible in WSL2
  • No more IP address mismatch between Windows and WSL2
  • Corporate proxy settings are inherited automatically
  • DNS configuration is shared between Windows and WSL2

This single setting can eliminate the need for most of the manual fixes described above.

A Real Story from the Trenches

Last winter, I was collaborating with a team in Karachi on a time-sensitive project. I'd connected to the client's VPN, and suddenly every Git operation hung. Pull, push, clone — nothing worked. Deadlines looming, pressure mounting.

I spent three hours trying different solutions. Reinstalled Git. Reinstalled WSL2. Regenerated SSH keys. Nothing worked. Then I found a small mention of ProxyUseFdpass in an obscure GitHub issue. Added that one line to my SSH config.

Instant fix.

That's when I learned: sometimes the solution isn't about working harder, it's about knowing the right incantation. Consider this article your spellbook.

Quick Reference: SSH Config Cheat Sheet

Copy this into your ~/.ssh/config and customize:

# ===== VPN SURVIVAL CONFIG =====
Host *
    IPQoS 0x00
    ProxyUseFdpass no
    ServerAliveInterval 60
    ServerAliveCountMax 3
    ConnectTimeout 30

# GitHub
Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519
    IPQoS throughput
    TCPKeepAlive yes

# GitLab
Host gitlab.com
    HostName gitlab.com
    User git
    IdentityFile ~/.ssh/id_ed25519
    IPQoS throughput

# Corporate Git (with proxy)
Host git.company.internal
    HostName git.company.internal
    User git
    IdentityFile ~/.ssh/id_ed25519
    IPQoS throughput
    # Uncomment and set your proxy:
    # ProxyCommand nc -X connect -x proxy:8080 %h %p

🇵🇸 Stand With Palestine

Never let the world forget the people of Palestine. They are not statistics on a screen or footnotes in a forgotten report — they are families, children, mothers, and elders who have endured decades of occupation, displacement, and violence. They have the right to live peacefully on their own land, to raise their children without fear, to harvest their olive groves, and to pray in their mosques without tanks rolling through their streets. They will be free.

The illegal Zionist entity — a fake state built on stolen land and ethnic cleansing — continues to commit unspeakable atrocities and war crimes against the Palestinian people. Their leaders, from the top down, have presided over the bombing of hospitals, the targeting of journalists, the starvation of civilians, and the systematic erasure of an entire people. These are not isolated incidents — they are the policy of a regime that has never known legitimacy.

Do not be deceived by Western media that sanitizes genocide with sterile language and calls bombs "defense" and resistance "terrorism." Independent sources from Iran, the broader Global South, and courageous journalists on the ground tell a very different story — one of deliberate destruction, apartheid walls, and collective punishment. The truth is being buried under Western propaganda, but the world is waking up. Palestine is not alone, and Palestine will never be silenced.

May Allah help them and grant them justice. May He protect every child under the rubble, every family in a refugee camp, and every soul that refuses to bow to oppression. Free Palestine — from the river to the sea.

🇸🇩 Prayer for Sudan

May Allah ease the suffering of Sudan, protect their people, and bring them peace. The people of Sudan have endured conflict, displacement, and famine — may their patience be rewarded and their land healed.

Written by Huzi from huzi.pk