Development discussion of WireGuard
From: zrm <zrm@trustiosity.com>
To: wireguard@lists.zx2c4.com
Subject: Re: Wireguard for Windows - local administrator necessary?
Date: Thu, 12 Dec 2019 14:11:56 -0500
Message-ID: <b341c46c-5be8-4f6c-401f-beea6d13c8ba@trustiosity.com>
In-Reply-To: <99D61A626FDA8A4B90A270669121BE10C9B3E6A8@PLANJAVA.amebis.doma>

On 11/27/19 06:27, Simon Rozman wrote:
> Hi Chris!
> 
> This is WireGuard design. Reconfiguring the network, which (dis)connecting 
> a VPN is, is an administrative task.
> 
> If your organization issues laptops to their employees, the corporate 
> VPN should be up at all times. You don't want them to disconnect from 
> VPN and use those laptops on compromised networks, do you?
> 
> I did have an issue when roaming laptops to and from corporate WiFi, as 
> the endpoint IP changes – restarting the tunnel helped, but adding a 
> scheduled task to reset endpoint IP every 2 minutes using wg.exe command 
> line works like a charm here. If that's the reason you would want your 
> users to manipulate WireGuard tunnels?
> 
> Best regards,
> 
> Simon

It makes sense that users shouldn't be able to manipulate WireGuard 
tunnels by default, but shouldn't it be possible to change the default 
through something less drastic than giving the user full administrator 
access?

For example, the registry in modern Windows is permissioned with ACLs. 
It could be made the case that modifying a WireGuard tunnel on Windows 
is done by writing to a particular registry location and then poking the 
service to prompt it to look there for new configuration. Then the 
administrator could explicitly give a user or group permission to modify 
that registry location if they should be able to modify WireGuard 
configuration. Or the same thing could also be done with a filesystem 
location.
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
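The delegation zrm proposes above, written out as an added PowerShell example (it is not code from the WireGuard project or from anyone in this thread): an administrator grants one specific group write access to a registry key and, for the filesystem alternative mentioned in the last sentence, to a directory, so that members of that group can change tunnel configuration without being given full administrator rights. The registry path, directory, and group name are assumptions chosen for illustration; the service-side step of noticing the change and reloading is not shown.

```powershell
# Added example, not part of the WireGuard project. Demonstrates delegating
# write access to a registry key and to a directory with ACLs, so a limited
# group can edit configuration that a privileged service later reads.
# All three values below are hypothetical placeholders.
$KeyPath   = 'HKLM:\SOFTWARE\ExampleOrg\TunnelConfig'   # hypothetical key
$DirPath   = 'C:\ProgramData\ExampleOrg\TunnelConfig'   # hypothetical folder
$GroupName = 'EXAMPLE\TunnelOperators'                   # hypothetical group

# This script must itself run elevated: creating keys under HKLM and changing
# ACLs are administrative actions. Only the delegated group escapes that.

# --- Registry variant -------------------------------------------------------
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

$regAcl = Get-Acl -Path $KeyPath

# Least privilege: the group may read the key and write values/subkeys under
# it, but gets no FullControl and no right to change the ACL itself.
$regRights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
$regRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $GroupName,
    $regRights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$regAcl.SetAccessRule($regRule)
Set-Acl -Path $KeyPath -AclObject $regAcl

# --- Filesystem variant -----------------------------------------------------
if (-not (Test-Path $DirPath)) {
    New-Item -ItemType Directory -Path $DirPath -Force | Out-Null
}

$dirAcl = Get-Acl -Path $DirPath

# 'Modify' lets members create, edit and delete config files in the folder;
# it does not include changing permissions or taking ownership.
$fsRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $GroupName,
    [System.Security.AccessControl.FileSystemRights]'Modify',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$dirAcl.SetAccessRule($fsRule)
Set-Acl -Path $DirPath -AclObject $dirAcl

# --- Audit the result --------------------------------------------------------
# Print the effective ACEs so the delegation can be reviewed: the group should
# appear once on each object with exactly the rights granted above.
(Get-Acl -Path $KeyPath).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

(Get-Acl -Path $DirPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Membership in the delegated group becomes the real security boundary in this design: whoever can write that key or folder decides where the privileged service sends traffic, so the group should be as small as the set of people who legitimately need to reconfigure tunnels, and the audit listing at the end is worth re-running after any permission change.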

Thread overview: 7+ messages
2019-09-26  2:35 Chris Bennett
2019-11-27 11:27 ` Simon Rozman
2019-12-12 19:11   ` zrm [this message]
2019-12-12 20:26     ` Jason A. Donenfeld
2019-11-27 12:29 ` Jason A. Donenfeld
2019-12-03 21:07   ` [wireguard] " CHRIZTOFFER HANSEN
2019-12-04  0:35     ` Reuben Martin