On Tue, 2021-04-06 at 18:17 -0600, Jason A. Donenfeld wrote:
> It's pretty typical behavior on Windows for IP addresses to be
> exclusive per interface. WireGuard for Windows does something similar:
> https://git.zx2c4.com/wireguard-windows/tree/tunnel/addressconfig.go#n22

Thanks. That seems to run cleanupAddressesOnDisconnectedInterfaces()
only if the original SetIPAddressesForFamily() call returns
ERROR_OBJECT_ALREADY_EXISTS, while I was fairly sure that in my case
the CreateUnicastIpAddressEntry() call was succeeding. I'll go and
experiment with it some more.

> With regards to permissions, you must be Local System, which is
> already the case if you're running inside a service. If you'd like to
> run as a mere Administrator process, you can steal a token with a
> technique like https://git.zx2c4.com/wireguard-tools/tree/src/ipc-uapi-windows.h#n14
> or https://git.zx2c4.com/wireguard-windows/tree/elevate/doas.go#n30

Great, thanks! Is there a list of precisely which operations require
such privileges? Is it only *creating* an adapter? Or only if doing so
requires the kernel driver to be loaded for the first time?