Development discussion of WireGuard
 help / color / mirror / Atom feed
From: Viktor H <vh217@werehub.org>
To: wireguard@lists.zx2c4.com
Subject: Re: Using WireGuard on Windows as non-admin - proper solution?
Date: Tue, 17 Nov 2020 11:18:28 +0100	[thread overview]
Message-ID: <80326e63-7e41-bc86-65ed-152b6784dfe5@werehub.org> (raw)
In-Reply-To: <CAHmME9p6FoUsFou0LkeUZt4Ba1K4ycuA6f8X4c6Kt8-jzkAH7A@mail.gmail.com>

Hello,

Jason, thanks for a quick reply and a PoC. I have tested it and it seems 
to work fine.
(small note: non-admin user can't Activate the tunnel via systray 
context menu, they have to open up GUI and click "Activate"; 
deactivation via systray context menu works)

As for the concept itself, I feel I am not qualified to judge the 
security implication of this solution since my knowledge of Windows 
security and network internals are next to none.

I have also tested increasing metric on the wg interface above the 
metric of local link with the same IP subnet [1] and that also seemed to 
work, therefore enabling the option for "always-on" setup.
I have however experienced that there might be a problem in the case of 
pushed DNS server since it might hinder normal (non-VPN-related) usage 
of the Internet, e.g. in the case the pushed DNS server does not resolve 
IPv6 addresses but the client does have IPv6 connectivity.

It seems that the "Network Configuration Operator" as Patrik Kolmqvist 
suggested might be one of the routes to do it properly. OpenVPN afaik 
uses its own group "OpenVPN Administrators" for this kind of thing [2] 
though again, I am not experienced enough to be able to consider 
security of this approach.

Finally thanks for pointing out the ACL setting for the service option, 
that seems to be similar or equal to the solution on Reddit I posted 
earlier, so I'll look into it further.

Thanks everyone.

Viktor

[1] 
https://docs.microsoft.com/en-us/powershell/module/nettcpip/set-netipinterface?view=win10-ps
[2] https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI-New#gui-group

On 13.11.2020 3:16, Jason A. Donenfeld wrote:
> Hi Viktor,
>
> I am actually interested in solving this. I took an initial stab at it
> here, but I'm not super comfortable with the implementation or the
> security implications:
> https://git.zx2c4.com/wireguard-windows/commit/?h=jd/unprivd-knob
>
> Aside from doing this from within our existing UI, the general
> solution using the service-based building blocks is to simply allow
> users to start and stop services that begin with "WireGuardTunnel$".
> So the flow is something like:
>
> 1. wireguard /installtunnelservice  path\to\sometunnel.conf.
> 2. Change the ACLs on WireGuardTunnel$sometunnel to fit your user.
> 3. Have the user use `net start` and `net stop`, or similar, to
> control whether the service is up or down.
>
> That's not super pretty, but it should work, and it is automatable.
> Meanwhile, I'll keep thinking about various ways to do this in a more
> "first-party" way.
>
> Jason


  parent reply	other threads:[~2020-11-17 10:19 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-12 15:18 vh217
2020-11-13  2:16 ` Jason A. Donenfeld
2020-11-13 12:03   ` Der PCFreak
2020-11-15 15:28   ` Patrik Holmqvist
2020-11-19 16:56     ` Jason A. Donenfeld
2020-11-20 11:49       ` Patrik Holmqvist
2020-11-20 12:52         ` Jason A. Donenfeld
2020-11-20 13:10           ` Patrick Fogarty
2020-11-20 13:14           ` Patrik Holmqvist
2020-11-17 10:18   ` Viktor H [this message]
2020-11-26  7:09   ` Chris Bennett
2020-11-21 10:05 ` Jason A. Donenfeld
2020-11-22 12:55   ` Jason A. Donenfeld
2020-11-23 14:57     ` Fatih USTA
2020-11-24 23:42   ` Riccardo Paolo Bestetti
2020-11-25  1:08     ` Jason A. Donenfeld
2020-11-25  7:49       ` Riccardo Paolo Bestetti
2020-11-25 10:30         ` Jason A. Donenfeld
2020-11-25 11:45           ` Jason A. Donenfeld
2020-11-25 14:08             ` Riccardo Paolo Bestetti
     [not found]               ` <8bf9e364f87bd0018dabca03dcc8c19b@mail.gmail.com>
2020-11-25 20:10                 ` Riccardo Paolo Bestetti
2020-11-25 21:42                 ` Jason A. Donenfeld
2020-11-26  8:53                   ` Adrian Larsen
2020-11-28 14:28                     ` Jason A. Donenfeld
2020-11-29  9:30                       ` Adrian Larsen
2020-11-29 10:52                         ` Jason A. Donenfeld
2020-11-29 12:09                           ` Phillip McMahon
2020-11-29 12:50                             ` Jason A. Donenfeld
2020-11-29 13:40                               ` Phillip McMahon
2020-11-29 17:52                                 ` Jason A. Donenfeld
2020-11-29 19:44                                   ` Phillip McMahon
2020-11-29 20:59                                     ` Jason A. Donenfeld
2020-11-30 18:34                                       ` Riccardo Paolo Bestetti
2022-04-22 20:21                                       ` zer0flash
2020-11-30 12:47                                   ` Probable Heresy ;-) Peter Whisker
2020-12-02 13:40                                     ` Jason A. Donenfeld
2021-01-03 11:08                                       ` Christopher Ng
2020-11-25 12:40     ` AW: Using WireGuard on Windows as non-admin - proper solution? Joachim Lindenberg
2020-11-25 13:08       ` Jason A. Donenfeld

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=80326e63-7e41-bc86-65ed-152b6784dfe5@werehub.org \
    --to=vh217@werehub.org \
    --cc=wireguard@lists.zx2c4.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).