In Februari 2020 I wrote a Dutch blog post explaining how to manage KVM virtual machines in Windows 10 over ssh. Because the Windows version of virt-manager doesn’t support qemu+ssh, you need WSL 2 and an X Server (VcXsrv) in Windows to connect to.
If you need to connect virt-manager to a KVM host over ssh in Windows, then Windows 11 and WSL 2 made things a whole lot easier for you. Even if you need to connect virt-manager through an ssh tunnel and arbitrary port because your network is reachable only through a bastion host with ssh key authentication. Here is how.
Libvirt does not offer QEMU with ssh (qemu+ssh://) connection type support in the Windows virt-manager version. But luckily we now have WSL 2 in Windows 11.
Note: If you’re new to this, check out my guide on Managing KVM VMs with virt-manager on Windows.
Windows 11 and WSL 2 made this a whole lot easier with WSLg. On Microsoft Developer Blogs, Steve Pronovost wrote a pretty in-depth post outlining the WSLg Architecture. Basically, WSLg enables you to run Linux GUI apps on the Windows Subsystem for Linux.
Requirements to use virt-manager (qemu+ssh) in Windows 11
There are a few requirements you need to have. They’re pretty obvious:
- Windows 11
- WSLg
- Virt-manager installed in WSL (
sudo apt install virt-manager) - ssh key authentication set up
Retrieve SSH public key from Active Directory for SSH authentication
What made my tasks extra difficult is that the KVM host is only reachable by IPv6, which isn’t supported in WSL 2. Schematic, the traffic flow is like this:
flowchart TD
subgraph WIN["Windows 11 host"]
direction TB
subgraph WSL["WSL 2 (Linux distro)"]
direction TB
VMGR["virt-manager (GUI)"]
SSHC["ssh client (local port forward)"]
LP["localhost:8822 (in WSL)"]
VMGR --> LP --> SSHC
end
end
subgraph NET["Network"]
direction TB
BAST["Bastion host (IPv4 reachable)"]
KVM["KVM host kvm-3 (IPv6 only)"]
LIBV["libvirtd / qemu-system"]
KVM --> LIBV
end
%% Two-stage tunnel (annotated)
SSHC -->|Stage 1: SSH over IPv4| BAST
BAST -->|Stage 2: inside tunnel to kvm-3:22 over IPv6| KVM
%% Commands / explanations as separate nodes (plugin-friendly)
CMD1["Stage 1 tunnel endpoint: WSL opens SSH to bastion (IPv4)"]
CMD2["Stage 2 hop: bastion reaches kvm-3 over IPv6 and forwards port 22"]
CMD3["virt-manager uses qemu+ssh via localhost:8822 to reach libvirt on kvm-3"]
SSHC -. "explains" .-> CMD1
BAST -. "explains" .-> CMD2
VMGR -. "explains" .-> CMD3
EX1["ssh -L 8822:kvm-3:22 bastion -N"]
EX2["qemu+ssh via localhost:8822 (system)"]
CMD1 -. "example" .-> EX1
CMD3 -. "example" .-> EX2From WSL 2 in Windows 11, I need to connect to my bastion host over IPv4, and from there I need to connect to the KVM host over IPv6. Since WSL 2 doesn’t support IPv6, I create a ssh tunnel to the bastion host.
Did you know? You can tunnel RDP over SSH with PuTTY
In WSL, execute:
ssh -L 8822:kvm-3:22 bastion.example.com -l username -NOnce the tunnel is established, I can use that to connect virt-manager through to kvm-3 using localhost and the arbitrary port 8822:
virt-manager -c 'qemu+ssh://username@localhost:8822/system'If all goes well, virt-manager connects and opens its screen (I munged the info in the following screenshot a bit):
As you can see, this exercise is a lot easier than it was in Windows 10 using WSL 2 virt-manager, and VcXsrv in Windows. Of course, you can skip the ssh tunneling part if your KVM host is directly reachable.
Update:
Psst, did you know that WSL 2 has IPv6 support now?! 🙂
Read why we can use your help and support ❤️
Summary
- Windows 11 and WSL 2 simplify connecting to KVM virtual machines using virt-manager over ssh.
- You need WSLg, Windows 11, and virt-manager installed in WSL for this setup.
- SSH key authentication is required, and you may need to create an ssh tunnel for access through a bastion host.
- Even with IPv6 issues in WSL 2, using an ssh tunnel enables easy access to your KVM host.
- WSL 2 now supports IPv6, making connections more straightforward.