From: Simon Rozman <simon@rozman.si>
To: Stefan Puch <s.puch@web.de>,
"wireguard@lists.zx2c4.com" <wireguard@lists.zx2c4.com>
Subject: Re: Actual plans for Windows client: PostUp/PreDown possible?
Date: Wed, 11 Nov 2020 05:45:28 +0000 [thread overview]
Message-ID: <B14F0F93-B5E5-4224-A49B-F53E7A4B105B@rozman.si> (raw)
In-Reply-To: <b2a38e9f-9e79-b821-b80c-4cff284f8f6b@web.de>
Hi!
WireGuard for Windows and OpenVPN are fundamentally different. Consider WireGuard on Windows as an "always-on" VPN. Once configured by admin, it is just always there, and users don't need to explicitly connect or disconnect. Trust me, this is something your users will grow to love - no searching for a GUI to click Connect button when all you want is to quickly view a business document on Z:.
Think differently.
These are my recommendations for your use-case:
1. Configure the WireGuard tunnel at the company endpoint. Use specific port rather than random.
2. Configure WireGuard tunnel on client computers and leave it active at all times.
3. Instruct users to connect \\10.0.0.1\data as the network drive Z: and choose Reconnect on logon to make it persistent. (I am pushing a logon-script to do it in my deployment.) Why users? Because, seldomly users disconnect the network drive by accident, and it pays off they know how to reconnect it.
4. Don't add DNS line to the WireGuard tunnel config. Otherwise, WireGuard blocks all other DNS servers and users will not be able to access their home LAN by hostnames.
5. On client laptops that roam in and out of the network where your company endpoint resides, the tunnel company endpoint will auto-switch from public IP to local IP. Then you put your laptop to sleep and go home. When resuming at home, the WireGuard tunnel will still try to contact the company endpoint by local IP and the tunnel traffic will stall.
To mitigate this, I make a task in Task Scheduler to run "wg.exe set <your tunnel name> peer <company endpoint pubkey> endpoint <company endpoint public IP>:<company endpoint port>" command every 3 minutes.
This resets the tunnel endpoint to its public IP. The tunnel traffic is restored after leaving company network in no later than 3 minutes. The client endpoint roaming is handled by WireGuard.
As this scheduled task is the same for all clients, once configured and tested, it can be exported and imported on other computers (I deploy it using Group Policy).
And that's about it. Your users will always have their Z: drive there. No need for PostUp/PreDown.
Best regards,
Simon
-----Original Message-----
From: WireGuard <wireguard-bounces@lists.zx2c4.com> on behalf of Stefan Puch <s.puch@web.de>
Date: Tuesday, 10 November 2020 at 14.08
To: "wireguard@lists.zx2c4.com" <wireguard@lists.zx2c4.com>
Subject: Actual plans for Windows client: PostUp/PreDown possible?
Hello!
I’d like to raise the question regarding an option for PostUp/PreDown with the
Windows client again, which was (to my research) first discussed here on the
mailing list at the beginning of December 2019 by Rémi and Jason A.
I thought about switching our OpenVPN setup to the modern Wireguard and started
reading if all my requirements could be fulfilled. So far I have some users with
no administrative privileges on their Windows computer when they want to connect
to a remote server in order to access some shared space (Samba filesystem).
Currently the users are using OpenVPN, which has a background service running
with admin rights (Windows service). Thus the users can simply use a shortcut on
the desktop to the OpenVPN-GUI including an appropriate config-file to connect
to the remote server. After the tunnel is established OpenVPN uses the
(optional) solution to place a batch file within the userspace
(%USERPROFILE%\OpenVPN\config) as CONFIG-NAME_up.bat / CONFIG-NAME_down.bat
where some stuff can be placed to mount a Samba filesystem after the connecting
and tunnel are established (net use z: \\10.0.0.1\data) and to unmount before
the tunnel is disconnected.
I’ve seen the concerns from Jason A. about spreading malware and the hint that
“Linux command line users can generally be trusted to check the config files
they're writing into /etc/wireguard”. From my point of view the same holds with
the solution provided from OpenVPN to use the batch files, which are optional,
can be checked by the user and have to be explicitly defined for each VPN profile.
Looking into the Windows specific todo list on the Wireguard homepage I didn’t
find any comments if this will be considered for later versions of the windows
client, if there will or won’t be a solution like this.
Maybe I have missed something, so my question would be, if someone can tell me
something about the current status or a possible implementation?
Kind regards
Stefan
next prev parent reply other threads:[~2020-11-11 5:46 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-04 23:14 Stefan Puch
2020-11-11 5:45 ` Simon Rozman [this message]
2020-11-11 9:50 ` Stefan Puch
2020-11-11 13:23 ` Simon Rozman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=B14F0F93-B5E5-4224-A49B-F53E7A4B105B@rozman.si \
--to=simon@rozman.si \
--cc=s.puch@web.de \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).