From: Adrian Larsen <alarsen@maidenheadbridge.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>,
Clint Dovholuk <clint.dovholuk@netfoundry.io>
Cc: Riccardo Paolo Bestetti <pbl@bestov.io>,
WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Using WireGuard on Windows as non-admin - proper solution?
Date: Thu, 26 Nov 2020 08:53:16 +0000 [thread overview]
Message-ID: <d9dc454a-15fd-a547-8d0f-b7916818c3de@maidenheadbridge.com> (raw)
In-Reply-To: <CAHmME9pdDDjVWmxGdh42tJy2KbxT7ZSj9PEsjEyHRMwZpora+A@mail.gmail.com>
One thing that is commonly implemented in other clients doing tunnels is
the detection of "ON / OFF Corporate network".
Without any user intervention, the vpn client is capable to detect (on
every network change) where the user is located and to active the client
or not.
Values to detect are a combination of:
(usually you can do AND / OR of this values)
1- Adapter domain (i.e. contoso.com) . This comes from DHCP values
received.
2 - DNS servers IPs
3 - Hostname vs IP. (This is to create a local DNS A record on your
internal DNS server that is resolvable only when you are ON corporate
network and not outside)
The detection of this values are platform agnostic. You can use it on
any client: Linux, Windows, Mac, etc; to detect when turn ON / OFF the
vpn client automatically without user intervention.
Best regards
Adrian
On 25/11/2020 21:42, Jason A. Donenfeld wrote:
> On Wed, Nov 25, 2020 at 7:04 PM Clint Dovholuk
> <clint.dovholuk@netfoundry.io> wrote:
>> Out of curiosity - why not just use " S-1-5-4" Interactive - " A group that
>> includes all users that have logged on interactively. Membership is
>> controlled by the operating system."
>>
>> If the user logged on - let the turn the tunnel on/off?
> I guess that's the same argument as, "why doesn't Microsoft let users
> twiddle around with adapter settings and IP addresses if they're
> interactive?" Apparently there was some imperative for having control
> over this be more fine grained, so they provide the NCO group. Turning
> on and off WireGuard tunnels seems akin to disabling and enabling
> network adapters, in general, so linking the two seems coherent.
>
> More concretely, some folks are deploying WireGuard in a much more
> restricted setting, in which the end user has no control over when it
> goes up or down; that's all decided by some remote service out of the
> interactive user's purview. For some high sensitivity applications,
> not letting interactive users disable WireGuard is desirable. For
> other applications, it's the opposite. The NCO group seems to fit the
> level of granularity we're after.
next prev parent reply other threads:[~2020-11-26 9:55 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-12 15:18 vh217
2020-11-13 2:16 ` Jason A. Donenfeld
2020-11-13 12:03 ` Der PCFreak
2020-11-15 15:28 ` Patrik Holmqvist
2020-11-19 16:56 ` Jason A. Donenfeld
2020-11-20 11:49 ` Patrik Holmqvist
2020-11-20 12:52 ` Jason A. Donenfeld
2020-11-20 13:10 ` Patrick Fogarty
2020-11-20 13:14 ` Patrik Holmqvist
2020-11-17 10:18 ` Viktor H
2020-11-26 7:09 ` Chris Bennett
2020-11-21 10:05 ` Jason A. Donenfeld
2020-11-22 12:55 ` Jason A. Donenfeld
2020-11-23 14:57 ` Fatih USTA
2020-11-24 23:42 ` Riccardo Paolo Bestetti
2020-11-25 1:08 ` Jason A. Donenfeld
2020-11-25 7:49 ` Riccardo Paolo Bestetti
2020-11-25 10:30 ` Jason A. Donenfeld
2020-11-25 11:45 ` Jason A. Donenfeld
2020-11-25 14:08 ` Riccardo Paolo Bestetti
[not found] ` <8bf9e364f87bd0018dabca03dcc8c19b@mail.gmail.com>
2020-11-25 20:10 ` Riccardo Paolo Bestetti
2020-11-25 21:42 ` Jason A. Donenfeld
2020-11-26 8:53 ` Adrian Larsen [this message]
2020-11-28 14:28 ` Jason A. Donenfeld
2020-11-29 9:30 ` Adrian Larsen
2020-11-29 10:52 ` Jason A. Donenfeld
2020-11-29 12:09 ` Phillip McMahon
2020-11-29 12:50 ` Jason A. Donenfeld
2020-11-29 13:40 ` Phillip McMahon
2020-11-29 17:52 ` Jason A. Donenfeld
2020-11-29 19:44 ` Phillip McMahon
2020-11-29 20:59 ` Jason A. Donenfeld
2020-11-30 18:34 ` Riccardo Paolo Bestetti
2022-04-22 20:21 ` zer0flash
2020-11-30 12:47 ` Probable Heresy ;-) Peter Whisker
2020-12-02 13:40 ` Jason A. Donenfeld
2021-01-03 11:08 ` Christopher Ng
2020-11-25 12:40 ` AW: Using WireGuard on Windows as non-admin - proper solution? Joachim Lindenberg
2020-11-25 13:08 ` Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d9dc454a-15fd-a547-8d0f-b7916818c3de@maidenheadbridge.com \
--to=alarsen@maidenheadbridge.com \
--cc=Jason@zx2c4.com \
--cc=clint.dovholuk@netfoundry.io \
--cc=pbl@bestov.io \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).