Message-ID: <4b222049-3ea1-356b-d50c-6b6533fb9eb1@anterias.io>
Date: Fri, 22 Apr 2022 22:21:45 +0200
From: "zer0flash@anterias.io"
To: "Jason A. Donenfeld", Phillip McMahon
Cc: Adrian Larsen, Clint Dovholuk, Riccardo Paolo Bestetti, WireGuard mailing list
References: <8bf9e364f87bd0018dabca03dcc8c19b@mail.gmail.com> <3b4f9ec2-2f50-25c9-0e27-7ca0d2f16943@maidenheadbridge.com>
Subject: Re: Using WireGuard on Windows as non-admin - proper solution?
List-Id: Development discussion of WireGuard

Hi,

On Sun, Nov 29, 2020 at 9:59 PM Jason A. Donenfeld wrote:
> On Sun, Nov 29, 2020 at 8:44 PM Phillip McMahon wrote:
>> Won't drag this already long and confusing thread out. Not challenging
>> the current implementation, just the notion that any other suggestion
>> is a dead end and the topic is closed.
>
> Alright. Well, if you do think of good reasons why NCO is not a good
> match for unpriv'd WireGuard control, please let me know. The whole
> basis of going that route is the apparent intuition that these two
> types of things, network modification and tunnel up/down, are one and
> the same. But if you have in mind a way where the analogy breaks down,
> that'd be very interesting to learn and would potentially be grounds
> for changing course.

We provision a lot of road warrior laptops, where users are not admins.
They can of course use 5G, WiFi or LAN as required and have to be able
to switch the VPN tunnel on/off. If working from our office, for example,
they do not need the VPN due to an existing site-to-site VPN connection.
So they need to turn it off by themselves. That's why the feature makes
a lot of sense in my humble opinion.

However, any member of the local "Network Configuration Operators" group
is not only able to activate the WireGuard tunnel but also able to:

- disable any firewall rules
- add any new firewall rules
- disable the whole firewall by changing the default to allow all incoming
- change IP address / DNS settings on any interface

I think that adding an otherwise unprivileged user to the NCO group just
for activating a preconfigured VPN tunnel might pose security issues in
other areas.

> Jason

Regards
--
Fabian
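As an added example, not code from this thread, from the WireGuard project or from Microsoft, here is a defensive PowerShell audit for the concern raised above: it lists who is currently in the local "Network Configuration Operators" group against an allowlist you define, and pulls recent Security log events for members being added to that group. The `$Allowed` list and the commented `CORP\vpn-operators` entry are constructed placeholders, and the script assumes it runs elevated in Windows PowerShell 5.1 or later on an endpoint where "Audit Security Group Management" is enabled.

```powershell
# Added example (not code from the WireGuard thread or project): audit the
# local "Network Configuration Operators" (NCO) group, because membership in
# it grants firewall-rule and interface IP/DNS control, not just tunnel
# up/down. Run elevated; uses Microsoft.PowerShell.LocalAccounts (PS 5.1+).

$GroupName = 'Network Configuration Operators'

# Constructed allowlist. Get-LocalGroupMember returns names as
# COMPUTER\user or DOMAIN\user. Leave it empty if nobody should be in NCO;
# the commented entry is a hypothetical placeholder showing the format.
$Allowed = @(
    # 'CORP\vpn-operators'
)

# 1. Current membership versus the allowlist.
try {
    $members = @(Get-LocalGroupMember -Group $GroupName -ErrorAction Stop)
} catch {
    Write-Error "Cannot enumerate '$GroupName': $($_.Exception.Message)"
    exit 2
}

$unexpected = @($members | Where-Object { $Allowed -notcontains $_.Name })

if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected members of '$GroupName' (they can edit firewall rules and interface IP/DNS settings):"
    $unexpected | Select-Object Name, SID, PrincipalSource, ObjectClass | Format-Table -AutoSize
} else {
    Write-Output "Only allowlisted principals are in '$GroupName'."
}

# 2. Who added members recently? Security event ID 4732 is logged when a
#    member is added to a security-enabled local group; the group name
#    appears in the event message, so filter on that.
$since = (Get-Date).AddDays(-30)
$additions = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$GroupName*" }

if ($additions) {
    Write-Warning "Additions to '$GroupName' in the last 30 days:"
    $additions | Select-Object TimeCreated, Id, Message | Format-List
}

# Non-zero exit lets an endpoint-management job flag drift from the allowlist.
if ($unexpected.Count -gt 0) { exit 1 } else { exit 0 }
```

The exit code (0 clean, 1 unexpected members, 2 enumeration failed) makes the script usable as a scheduled compliance check; the 4732 lookup returns nothing if group-management auditing is off, so treat an empty result as "no data" rather than "no changes".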