Development discussion of WireGuard
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Henning Ryll <henning.ryll@web.de>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: wireguard on multi user windows ?
Date: Mon, 30 Nov 2020 12:31:40 +0100
Message-ID: <CAHmME9r1mDGsH0FYu+PcZE0Uuipqs7_eaz6Yr7XxQZRnuddDMg@mail.gmail.com>
In-Reply-To: <trinity-8b39e676-4010-4d53-9bc2-9ca84bcf3a85-1606583048495@3c-app-webde-bap18>

Hi Henning,

That's an interesting inquiry. I guess the thing to point out is that
generally speaking, the networking stack is per-system, rather than
per-user. That means that while you're using your OpenVPN profile with
your account, some process still running by somebody else in your
family could be transferring data over it! Linux has network
namespaces to assist with properly separating, and I _think_ that
possibly the UWP VPN api on Windows might support this? But I'm not
sure. It's possible to match packets using WFP with
FWPM_CONDITION_ALE_USER_ID, but I haven't yet worked out how to apply
this to routing rules (and doing a VPN in a filter driver rather than
an adapter driver isn't very appealing).

In other words, neither OpenVPN nor WireGuard actually support your
use case. OpenVPN characteristically just opens up a potential
security hole, so you think it's doing what you want, but it really
isn't.

So the short story is that for the time being, I'm not sure how to do
per-user VPN on Windows with what we've got (adapter-level redirection
using the routing table), but I also haven't looked very hard, so it's
not a total impossibility either.

Jason
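
The point above, that the tunnel is a system-wide adapter and not a per-user one, can be checked directly. The following PowerShell is an added example, not code from this thread or from the WireGuard project: run as administrator, it lists every established TCP connection and every UDP endpoint whose local address belongs to the tunnel adapter, together with the process and the Windows account that owns it. The adapter name `wg0` is an assumption; substitute whatever `Get-NetAdapter` shows for your WireGuard or OpenVPN interface.

```powershell
# Added example (not from the thread or the WireGuard project).
# Assumption: the tunnel adapter is named 'wg0'. Adjust to match Get-NetAdapter.
# Run in an elevated session: GetOwner on another user's process needs it.
$TunnelAlias = 'wg0'

# Addresses assigned to the tunnel adapter. Anything the routing table sends
# into the tunnel is sourced from one of these, whichever user sent it.
$tunnelAddrs = Get-NetIPAddress -InterfaceAlias $TunnelAlias -ErrorAction Stop |
    Select-Object -ExpandProperty IPAddress

# Resolve a PID to "DOMAIN\user" via WMI; '<unknown>' if the call fails or
# the process already exited.
function Get-ProcessOwner {
    param([int]$ProcessId)
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $proc) { return '<exited>' }
    $owner = $proc | Invoke-CimMethod -MethodName GetOwner
    if ($owner.ReturnValue -eq 0) { return "$($owner.Domain)\$($owner.User)" }
    return '<unknown>'
}

# Strip an IPv6 zone index ("fe80::1%5") so it compares against the bare address.
function Strip-Zone { param([string]$Addr) return ($Addr -split '%')[0] }

$rows = @()

# TCP sockets bound to a tunnel address.
Get-NetTCPConnection -State Established |
    Where-Object { $tunnelAddrs -contains (Strip-Zone $_.LocalAddress) } |
    ForEach-Object {
        $rows += [pscustomobject]@{
            Proto  = 'TCP'
            Pid    = $_.OwningProcess
            Name   = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            User   = Get-ProcessOwner -ProcessId $_.OwningProcess
            Local  = "$($_.LocalAddress):$($_.LocalPort)"
            Remote = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    }

# UDP endpoints bound to a tunnel address (DNS, QUIC, etc. also ride the tunnel).
Get-NetUDPEndpoint |
    Where-Object { $tunnelAddrs -contains (Strip-Zone $_.LocalAddress) } |
    ForEach-Object {
        $rows += [pscustomobject]@{
            Proto  = 'UDP'
            Pid    = $_.OwningProcess
            Name   = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            User   = Get-ProcessOwner -ProcessId $_.OwningProcess
            Local  = "$($_.LocalAddress):$($_.LocalPort)"
            Remote = '-'
        }
    }

# Any row whose User is not the account that brought the tunnel up is traffic
# from another user leaving over your VPN.
$rows | Sort-Object User, Proto | Format-Table -AutoSize
```

Sockets bound to `0.0.0.0` or `::` do not appear in this list even though their traffic may still be routed into the tunnel; for those, the routing table rather than the socket's local address decides, which is exactly why a per-user split cannot be expressed with adapter-level routing alone.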

Thread overview: 4+ messages
2020-11-28 17:04 Henning Ryll
2020-11-30 11:13 ` Simon Rozman
2020-11-30 11:31 ` Jason A. Donenfeld [this message]
2020-11-30 11:59 Henning Ryll
