Can I install a VPN server within WSL to use the Zscaler connection within Windows?

So for the longest time I have worked exclusively on Linux and macOS. However, the organisation I work for decided to go full Microsoft, and is forcing the entire workforce to work on Windows laptops now. Of course, as a devops engineer, this causes a lot of issues with the tools I am using. For the organisation it allowed them to tighten a lot of security holes, one of which is that it now allows them to use Zscaler. They’ve completely shut off access to the network outside of systems that are connected through Zscaler.

Because we have a ton of different dev(ops) teams within the organisation, it’s an almost impossible task to get all of the apps that were being used to Windows, or a Windows alternative. As such the organisation allows us to use WSL, which in turn gives us the option to use certain apps unmanaged by installing them within WSL. An example would be how I installed Chrome through WSL, to be able to use an instance of Chrome where I can use my extensions, such as my password manager and ad blocker.

Now I was wondering: would it be possible to install a VPN server, like OpenVPN, within WSL, connect to it using my old MacBook, and allow me to access the network now only accessible through Zscaler on the Windows laptop that I absolutely despise working on?

Works fine for most things
You have to install the root CA for Zscaler inside the WSL image

You will have issues with Docker containers that do not have the Zscaler root CA, and apps reject the connection because of an untrusted certificate. You’ll have to disable Zscaler for those situations or put the root CA into the container with a host mapping

I have not had performance issues at all, I just store my files inside WSL
You can use \\wsl$ inside Explorer to access the files from the Windows side

Very rarely Zscaler does have some trouble with network priority and you won't be able to connect to anything from inside WSL
A reboot fixes it
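The "untrusted certificate" symptom the reply above describes, and the fix of dropping the proxy's root CA into the trust store, can be reproduced offline. The script below is an added example and is not code from the thread: it constructs a stand-in "proxy root CA" with openssl (hypothetical names, not Zscaler's real CA), re-signs a server certificate with it the way a TLS-inspecting proxy does, shows verification failing, then installs the CA into a temporary directory that stands in for /usr/local/share/ca-certificates and rebuilds the bundle by concatenation (update-ca-certificates does that step on a real Debian/Ubuntu WSL image, but it needs root).

```shell
#!/usr/bin/env bash
# Added example (not from the thread): the "untrusted certificate" failure a
# TLS-inspecting proxy such as Zscaler causes inside WSL or a container, and the
# fix of installing the proxy's root CA into the trust store.
# Assumptions (hypothetical): CA_DIR stands in for /usr/local/share/ca-certificates,
# BUNDLE for /etc/ssl/certs/ca-certificates.crt; the "proxy root CA" and the server
# certificate are constructed here with openssl and are not real Zscaler material.
set -eu

WORK="$(mktemp -d)"
CA_DIR="$WORK/ca-certificates"
BUNDLE="$WORK/ca-bundle.crt"
mkdir -p "$CA_DIR"

# Build the constructed proxy root CA and a server cert it re-signs, which is
# what clients behind a TLS-inspecting proxy actually receive.
make_proxy_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Proxy Root CA" \
    -keyout "$WORK/proxy-root.key" -out "$WORK/proxy-root.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/proxy-root.pem" -CAkey "$WORK/proxy-root.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# install_root_ca <pem-file>: copy the CA into the trust directory under the
# .crt extension update-ca-certificates expects, then rebuild the bundle.
install_root_ca() {
  local pem="$1"
  local name
  name="$(basename "${pem%.*}").crt"
  cp "$pem" "$CA_DIR/$name"
  cat "$CA_DIR"/*.crt > "$BUNDLE"
}

# verify_server_cert: returns 0 only if the server certificate chains to a CA
# in our bundle. System trust stores are ignored so the result is deterministic.
verify_server_cert() {
  [ -s "$BUNDLE" ] || return 1
  openssl verify -no-CAfile -no-CApath -CAfile "$BUNDLE" "$WORK/server.pem" \
    >/dev/null 2>&1
}

make_proxy_chain

# Before the CA is installed, verification fails: the symptom seen in containers.
if verify_server_cert; then before=trusted; else before=untrusted; fi

install_root_ca "$WORK/proxy-root.pem"

# After install, the same certificate verifies.
if verify_server_cert; then after=trusted; else after=untrusted; fi
echo "before install: $before, after install: $after"
```

For a container, the same idea is a bind mount of the host's .crt file into /usr/local/share/ca-certificates/ followed by update-ca-certificates in the image or entrypoint; tools that keep their own trust store (Node honours NODE_EXTRA_CA_CERTS, for example) need the PEM pointed at separately.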

Out of curiosity, what tools are you having issues using? I am in the opposite boat. I came from a full windows shop to a new company back in March, and HATE my Macbook. I used Windows Terminal with WSL2/Ubuntu 22 for any linux specific stuff, but anything else (k8s, docker, python) I just ran from a Powershell 7 terminal. My lead preferred to use Virtual Box with an Ubuntu image for any development stuff. I used this all through Zscaler for over two years with no issues.

Zscaler also works on Linux (works as badly as on Windows).
In my company we are introducing Zscaler in this period and, except for the “man in the middle” problem with TLS certificates on Linux that we are fixing and documenting little by little… It’s usable.
I guess your company forced to go full Microsoft using Zscaler as an excuse.

I used PowerShell to disconnect Zscaler from the network interface. It was a while back, I don't remember the exact command, but it worked great for me. I too was moved from Linux to Windows + WSL, so I understand your pain. I sent an output from 3.5 Sonnet (I don't recommend anyone oppose their IT restrictions like that. I was just very ballsy at the time)

Hmmmm… Maybe stop trying to circumvent the security controls your organisation implements?

I appreciate the time you took to answer, but I do not fully grasp how this answers my question. Your answer seems to pertain to continue working from within WSL, and while I understand that different people have different preferences, mine tilts heavily towards not using this Windows machine.

I do a lot of development work still which is mostly related to NodeJS and TS related stuff. I also do a lot of pipeline building, which depends on docker-compose to run tests. I use docker compose because the images we are allowed to use for the builders in our pipeline are limited, and the node version that is available on those builders is out of date. So running docker and docker compose on my local machine is a must.

Getting the Ubuntu environment running properly to be accessible from the Windows host was a challenge in and of itself with the config files I needed to change in my home directory, within WSL, and for the DNS config. Afterwards I’m able to install K8s, Docker, and Node, but I notice that the performance took a considerable hit as opposed to working directly on Ubuntu or even macOS (the Apple silicon variant). Also apps like IntelliJ’s kit, DBeaver, or even Chrome I need to start configuring through WSL with X11 and Wayland to get an unmanaged version of the app I don’t need approval for from the admin (again the admins are ok with it because they do not want to audit every single app from every single team).

All in all the entire experience feels like a big ask from the organisation I work for to basically get my old environment back in a very broken and frankly, handicapped, state by working through the Windows layer. It feels uncomfortable, and sometimes I get issues in my builds that I do not get when running the same code on my Mac for example.

Depends on how much they cripple my environment.

Oh right

Yes, you could use a VPN inside WSL to pipe connections; it should work fine unless the admins block it with Zscaler, which they could potentially do

You could also just run full Ubuntu on WSL; performance is identical to running Ubuntu natively since it uses a hypervisor

If they cripple your environment, then work through your reporting structure to communicate that you can no longer work.

If it’s just that you can’t adapt to the environment they expect, then find a job that doesn’t do that to you. You’ve chosen the worst, and possibly illegal, option you have available.

You aren’t 10 and people won’t give you a cheeky slap on the wrist for finding a loophole to exploit. They will fire you and possibly pursue charges.

Fair enough. Not illegal, but against company policy yeah. I’ll keep reporting back that it’s not workable I suppose.

Why would it be illegal?

Wilful circumvention of security controls in an organisation constitutes unauthorised access under the Computer Fraud and Abuse Act.

It’s unlikely that an organisation would pursue criminal action against an employee.

… Unless the employee shenanigans resulted in an attack vector for ransomware or data exfiltration. Then they absolutely would.

Not necessarily illegal (depends on industry), but it’s definitely a way to fast track yourself getting a pink slip.