Development discussion of WireGuard
* Wireguard Windows Client questions
@ 2022-04-02 18:50 lenaghanm
  2022-04-22 16:16 ` Simon Rozman
From: lenaghanm @ 2022-04-02 18:50 UTC (permalink / raw)
  To: wireguard


Good day, this is my first posting on this list. I have read many of the
past messages in the Archives but cannot find the answers I'm looking for
and hoped I could get help from this list.
I currently have a setup on multiple Windows PCs where the user needs to
access services on multiple remote systems. Depending on the service the
underlying network settings of the system may need to be changed and in some
cases require connecting to a VPN server. Currently there are 2 possible VPN
services (OpenVPN and SoftEtherVPN). I now need to add a 3rd option which is
Wireguard.

The interfaces to the VPNs are completely hidden from the users. They
simply double click on an icon for the service they want to connect to and
my code under the covers takes care of disconnecting any active sessions and
connecting to the new one. I have read the documentation on the
wireguard.exe options to see if I can develop a similar hidden mechanism to
connect and disconnect from a Wireguard peer and have the following
questions.

1. The documentation implies that if I executed the following command from a
command line "wireguard.exe" that it will start the Manager Service and show
the UI. It then states that calling wireguard.exe /installmanagerservice is
suitable for silent installation but what I find is that the Management GUI
is still activated and shown on the desktop.
Is there any way to start the service without the GUI window appearing? And
is there any way to prevent the UI in the system tray from being installed?

2. If for any reason the Wireguard peer is not reachable then the Handshake
does not complete. When using the GUI the tunnel shows Active but it is
the tunnelservice that is active not the connection. Is there a way to limit
the number of handshake retries before giving up on trying to connect?

3. From time to time the endpoint address of the peer system may have
changed (I do not use a dynamic DNS service) so when trying to connect I hit
the problem described in 2 above. I know what the new endpoint address is
and can set it dynamically using the wg set command and the connection is
then made. I would like to be able to programmatically save this change
without having to manually edit the client config files. I tried using wg
syncconf but get a permissions error because of the properties around the
dpapi config files.
Is there an alternative way of doing this short of deleting the existing
dpapi file and adding a new .conf file and having the manager service encrypt
it? That approach means I need to keep the private key in the clear
somewhere in order to create the new conf file.

4. There are 2 options listed under wireguard command line options, namely
/managerservice and /tunnelservice CONFIG_PATH. Can someone tell me what
they are supposed to do? Every time I try running one of them I get an error
popup that says: The service process could not connect to the service
controller.wireguard

Thanks in advance for any guidance you can give me.

Regards
Mike




* RE: Wireguard Windows Client questions
  2022-04-02 18:50 Wireguard Windows Client questions lenaghanm
@ 2022-04-22 16:16 ` Simon Rozman
From: Simon Rozman @ 2022-04-22 16:16 UTC (permalink / raw)
  To: lenaghanm, wireguard

> 1. The documentation implies that if I executed the following command
> from a command line "wireguard.exe" that it will start the Manager
> Service and show the UI. It then states that calling wireguard.exe
> /installmanagerservice is suitable for silent installation but what I
> find is that the Management GUI is still activated and shown on the
> desktop.
> Is there any way to start the service without the GUI window appearing?
> And is there any way to prevent the UI in the system tray from being
> installed?

Try wireguard.exe /installtunnelservice mytunnel.conf and wireguard.exe /uninstalltunnelservice mytunnel.conf.

> 2. If for any reason the Wireguard peer is not reachable then the
> Handshake does not complete. When using the GUI the tunnel shows
> Active but it is the tunnelservice that is active not the connection. Is
> there a way to limit the number of handshake retries before giving up on
> trying to connect?

WireGuard is connection-less. Only after there is a packet for a peer will it perform a handshake with the peer and send the packet to it. See it as an on-demand connection. Now, if you insist on verifying that the connection is possible over the VPN tunnel, send a ping through the tunnel and see if the handshake occurs and succeeds.

> 3. From time to time the endpoint address of the peer system may have
> changed (I do not use a dynamic DNS service) so when trying to connect I
> hit the problem described in 2 above. I know what the new endpoint
> address is and can set it dynamically using the wg set command and the
> connection is then made. I would like to be able to programmatically
> save this change without having to manually edit the client config
> files. I tried using wg syncconf but get a permissions error because of
> the properties around the dpapi config files.
> Is there an alternative way of doing this short of deleting the existing
> dpapi file and adding a new .conf file and having the manager service
> encrypt it? That approach means I need to keep the private key in the
> clear somewhere in order to create the new conf file.

Jason suggested that I add a Scheduled Task to call wg.exe set mytunnel peer pubkey endpoint 1.2.3.4:11111 every few minutes. It works like a charm when roaming back and forth between local and remote networks.

It's way more efficient than deactivating the tunnel, updating config and reactivating the tunnel.

> 4. There are 2 options listed under wireguard command line options, namely
> /managerservice and /tunnelservice CONFIG_PATH. Can someone tell me
> what they are supposed to do? Every time I try running one of them I get
> an error popup that says: The service process could not connect to the
> service controller.wireguard

Those options are to be used by Windows SCM when wireguard.exe runs as a service.

If you are familiar with programming, you might want to take a look into the embeddable-dll-service folder in the wireguard-windows repo.

Regards,
Simon
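As an added illustration of Simon's two suggestions (update the endpoint at runtime with wg.exe set from a scheduled task, and verify the on-demand handshake by sending traffic through the tunnel), the following PowerShell script is not part of the thread or of the wireguard-windows project. The tunnel name, peer public key, endpoint, in-tunnel peer address and the wg.exe install path are placeholders/assumptions.

```powershell
# Added example, not from the mailing list thread or the WireGuard project.
# Refreshes a peer's endpoint without touching the DPAPI-protected config file,
# then checks that a handshake really happened (WireGuard only handshakes once
# there is traffic for the peer, so we send a ping first).
# Assumptions (placeholders): tunnel name, peer key, endpoint, in-tunnel address,
# and wg.exe in its default install directory.
$Wg           = 'C:\Program Files\WireGuard\wg.exe'
$Tunnel       = 'mytunnel'
$PeerPubKey   = '<PEER_PUBLIC_KEY>'      # placeholder
$NewEndpoint  = '203.0.113.10:51820'     # placeholder (documentation address range)
$PeerTunnelIP = '10.0.0.1'               # placeholder: peer's address inside the tunnel

function Update-WgEndpoint {
    # wg set changes the endpoint in the running tunnel; the tunnel service
    # stays up and no plaintext config has to be written to disk.
    & $Wg set $Tunnel peer $PeerPubKey endpoint $NewEndpoint
    if ($LASTEXITCODE -ne 0) { throw "wg set failed with exit code $LASTEXITCODE" }
}

function Test-WgHandshake {
    # Generate traffic so the handshake is attempted, then read the
    # per-peer handshake timestamp (format: "<pubkey>\t<unix epoch>", 0 = never).
    $null = Test-Connection -ComputerName $PeerTunnelIP -Count 2 -Quiet
    $line = (& $Wg show $Tunnel latest-handshakes) |
            Where-Object { $_ -like "$PeerPubKey*" }
    if (-not $line) { return $false }
    $epoch = [int64](($line -split '\s+')[1])
    if ($epoch -eq 0) { return $false }
    $hsTime = [DateTimeOffset]::FromUnixTimeSeconds($epoch).UtcDateTime
    $age = (Get-Date).ToUniversalTime() - $hsTime
    return ($age.TotalSeconds -lt 180)   # treat a handshake younger than 3 min as live
}

function Register-WgEndpointTask {
    # One-time registration: run this script every 5 minutes as SYSTEM,
    # since wg.exe needs elevated rights to talk to the tunnel.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
               -RepetitionInterval (New-TimeSpan -Minutes 5)
    Register-ScheduledTask -TaskName 'WireGuard-EndpointRefresh' -Action $action `
        -Trigger $trigger -User 'SYSTEM' -RunLevel Highest -Force
}

Update-WgEndpoint
if (Test-WgHandshake) { Write-Output 'handshake OK' } else { Write-Output 'no handshake yet' }
```

Run Register-WgEndpointTask once from an elevated prompt; afterwards the task itself re-runs the script, which only calls Update-WgEndpoint and Test-WgHandshake.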

