Development discussion of WireGuard
* wireguard on multi user windows ?
From: Henning Ryll @ 2020-11-28 17:04 UTC
  To: wireguard

Hello,

I'm looking for a (more or less) secure solution for installing and running WireGuard.

In our family we have only one notebook running win10/64.
Since this is the only device with internet access it has to be as reliable as possible. So we are running 4 accounts.
admin, father, mother, son. Of course only the admin has admin rights. But all users have operator rights because the notebook is taken to different locations i.e. at school, to friends, during holiday.

I'm running OpenVPN to do my homework with this notebook too. And because my openvpn.p12 file is protected by a password my family cannot use it because they did not know my password. Even if they have physical access to it.

But with WireGuard there is no such protection. And with the new WireGuard for Windows the key files have been moved.
And as far as I understood everybody in the operator group can start the WireGuard tunnel.
But my chief will be very very unhappy if this will occur ....

How to install WireGuard on a multiuser system. And only the owner of a keyfile can run his tunnel?
Other users may be able to run other tunnels.
Or is WireGuard still unusable for me and I have to stay with OpenVPN?

Henning


* Re: wireguard on multi user windows ?
From: Simon Rozman @ 2020-11-30 11:13 UTC
  To: Henning Ryll, wireguard

Hi,

If your chief finds out your company laptop is being used by your kid and wife, taken to your kid's school and what not, *then* your chief will get very very very unhappy. :)

Imagine your kid has a trojan horse running on his desktop and just locks the desktop, and you borrow back the computer to do some company work. When you connect to your company, the trojan horse gets all the network access to your company resources that your VPN connection allows.

The WireGuard tunnel profiles are bound to the computer, not to individual users, for a reason: on Windows, a VPN connects the entire computer to a network, not just a particular user.

Sorry, WireGuard is and will remain "unusable" for such ill and unsafe practices as yours.

Regards, Simon

-----Original Message-----
From: WireGuard <wireguard-bounces@lists.zx2c4.com> on behalf of Henning Ryll <henning.ryll@web.de>
Date: Sunday, 29 November 2020 at 22.03
To: "wireguard@lists.zx2c4.com" <wireguard@lists.zx2c4.com>
Subject: wireguard on multi user windows ?

    Hello,

    I'm looking for a (more or less) secure solution for installing and running WireGuard.

    In our family we have only one notebook running win10/64.
    Since this is the only device with internet access it has to be as reliable as possible. So we are running 4 accounts.
    admin, father, mother, son. Of course only the admin has admin rights. But all users have operator rights because the notebook is taken to different locations i.e. at school, to friends, during holiday.

    I'm running OpenVPN to do my homework with this notebook too. And because my openvpn.p12 file is protected by a password my family cannot use it because they did not know my password. Even if they have physical access to it.

    But with WireGuard there is no such protection. And with the new WireGuard for Windows the key files have been moved.
    And as far as I understood everybody in the operator group can start the WireGuard tunnel.
    But my chief will be very very unhappy if this will occur ....

    How to install WireGuard on a multiuser system. And only the owner of a keyfile can run his tunnel?
    Other users may be able to run other tunnels.
    Or is WireGuard still unusable for me and I have to stay with OpenVPN?

    Henning



* Re: wireguard on multi user windows ?
From: Jason A. Donenfeld @ 2020-11-30 11:31 UTC
  To: Henning Ryll; +Cc: WireGuard mailing list

Hi Henning,

That's an interesting inquiry. I guess the thing to point out is that
generally speaking, the networking stack is per-system, rather than
per-user. That means that while you're using your OpenVPN profile with
your account, some process still being run by somebody else in your
family could be transferring data over it! Linux has network
namespaces to assist with properly separating, and I _think_ that
possibly the UWP VPN API on Windows might support this? But I'm not
sure. It's possible to match packets using WFP with
FWPM_CONDITION_ALE_USER_ID, but I haven't yet worked out how to apply
this to routing rules (and doing a VPN in a filter driver rather than
an adapter driver isn't very appealing).

In other words, neither OpenVPN nor WireGuard actually support your
use case. OpenVPN characteristically just opens up a potential
security hole, so you think it's doing what you want, but it really
isn't.

So the short story is that for the time being, I'm not sure how to do
per-user VPN on Windows with what we've got (adapter-level redirection
using the routing table), but I also haven't looked very hard, so it's
not a total impossibility either.

Jason
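
[Added example, not part of Jason's message or of the thread.] The Linux network-namespace separation mentioned above, sketched as a script: the WireGuard interface is created in the initial namespace and then moved, so only processes started inside the namespace can use the tunnel. The namespace name, interface name, config path, address and helper function names are assumptions made for illustration; this is Linux only and does not solve the Windows case discussed in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: NS, WG_IF, WG_CONF, WG_ADDR.
NS="${NS:-vpn-father}"
WG_IF="${WG_IF:-wg0}"
WG_CONF="${WG_CONF:-/etc/wireguard/father.conf}"  # wg(8) setconf format
WG_ADDR="${WG_ADDR:-192.0.2.2/32}"                # documentation address

# Privileged commands in the order they must run. The interface is created
# in the initial namespace, so its encrypted UDP socket stays there, and is
# then moved; afterwards only processes inside $NS can send plaintext over it.
netns_plan() {
    cat <<EOF
ip netns add $NS
ip link add $WG_IF type wireguard
ip link set $WG_IF netns $NS
ip netns exec $NS wg setconf $WG_IF $WG_CONF
ip -n $NS address add $WG_ADDR dev $WG_IF
ip -n $NS link set lo up
ip -n $NS link set $WG_IF up
ip -n $NS route add default dev $WG_IF
EOF
}

# Execute the plan; needs root and the WireGuard kernel module.
netns_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "netns_apply: must run as root" >&2; return 1; }
    netns_plan | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1   # unquoted on purpose: split the line into words
    done
}

# Build the command that starts a program inside the namespace as one user.
# Membership is per process, not per account: anything this user launches
# outside the namespace still uses the system-wide routing table.
run_in_ns_cmd() {
    user="$1"; shift
    echo "ip netns exec $NS sudo -u $user -- $*"
}

case "${1:-}" in
    plan)  netns_plan ;;
    apply) netns_apply ;;
esac
```

Run with `plan` to review the commands and with `apply` as root to execute them. Separation holds only for processes launched through the namespace, which is why it isolates workloads rather than user accounts.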


* Re: wireguard on multi user windows ?
From: Henning Ryll @ 2020-11-30 11:59 UTC
  To: wireguard

Hello,

@Simon
please read carefully and don't interpret ...
I never wrote that I'm using a company laptop. There are only desktop machines in my company.

And I know half a dozen people with the same problem.
They own small companies with only 2 to 5 employees. They are willing to allow homework, at least during covid-19.
But they did not have the money to buy additional hardware, or even a complete VPN solution.

So I see WireGuard will be no solution for them in the near future.

And OpenVPN is not even a real solution, like Jason described...
But for the moment it's better than nothing. I can only hope that other users are not running any background services after a reboot.

Regards
Henning
