Re: Wireguard for Windows - local administrator necessary?

2019-12-12 Thread zrm

On 11/27/19 06:27, Simon Rozman wrote:

> Hi Chris!
>
> This is WireGuard design. Reconfiguring the network - which (dis)connecting
> a VPN is – is an administrative task.
>
> If your organization issues laptops to their employees, the corporate
> VPN should be up at all times. You don't want them to disconnect from
> the VPN and use those laptops on compromised networks, do you?
>
> I did have an issue when roaming laptops to and from corporate WiFi, as
> the endpoint IP changes – restarting the tunnel helped, but adding a
> scheduled task to reset the endpoint IP every 2 minutes using the wg.exe
> command line works like a charm here. If that's the reason you would want
> your users to manipulate WireGuard tunnels?
>
> Best regards,
>
> Simon

It makes sense that users shouldn't be able to manipulate WireGuard 
tunnels by default, but shouldn't it be possible to change the default 
through something less drastic than giving the user full administrator 
access?


For example, the registry in modern Windows is permissioned with ACLs. 
It could be made the case that modifying a WireGuard tunnel on Windows 
is done by writing to a particular registry location and then poking the 
service to prompt it to look there for new configuration. Then the 
administrator could explicitly give a user or group permission to modify 
that registry location if they should be able to modify WireGuard 
configuration. Or the same thing could also be done with a filesystem 
location.

___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


RE: Wireguard for Windows - local administrator necessary?

2019-12-12 Thread Simon Rozman

Hi Chris!

This is WireGuard design. Reconfiguring the network - which (dis)connecting a VPN
is – is an administrative task.

If your organization issues laptops to their employees, the corporate VPN
should be up at all times. You don't want them to disconnect from the VPN and use
those laptops on compromised networks, do you?

I did have an issue when roaming laptops to and from corporate WiFi, as the
endpoint IP changes – restarting the tunnel helped, but adding a scheduled task
to reset the endpoint IP every 2 minutes using the wg.exe command line works like a
charm here. If that's the reason you would want your users to manipulate
WireGuard tunnels?

Best regards,

Simon

From: WireGuard  On Behalf Of Chris Bennett
Sent: Thursday, September 26, 2019 4:35 AM
To: wireguard@lists.zx2c4.com
Subject: Wireguard for Windows - local administrator necessary?

Hi there,

I've been experimenting with the use of the Windows WireGuard agent for
corporate VPN access. It's been working really well!

However I've found the logged-in user needs local Administrator access to
activate and de-activate a tunnel. Is there any way around this? Is it in the
roadmap to remove this requirement?

Thanks!

Chris

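
The scheduled task Simon describes in the message above could be registered as follows. This is an added example, not part of the original message and not code from the WireGuard project; the tunnel name, peer key placeholder, endpoint, task name and the wg.exe install path are all assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: re-apply a peer's endpoint every 2 minutes so the tunnel
# follows a changed endpoint IP. Every value below is a placeholder.
$Tunnel   = 'corp'                          # tunnel (interface) name, assumed
$PeerKey  = '<PEER_PUBLIC_KEY_BASE64>'      # peer public key, placeholder
$Endpoint = 'vpn.example.com:51820'         # constructed host:port
$WgExe    = Join-Path $env:ProgramFiles 'WireGuard\wg.exe'   # assumed path
$TaskName = 'WireGuard reset endpoint'      # hypothetical task name

if (-not (Test-Path -LiteralPath $WgExe)) { throw "wg.exe not found at $WgExe" }

# Invoke wg.exe directly instead of a wrapper script: the task runs as SYSTEM,
# so nothing it executes may live in a location a standard user can write to.
$action = New-ScheduledTaskAction -Execute $WgExe `
    -Argument "set `"$Tunnel`" peer `"$PeerKey`" endpoint `"$Endpoint`""

# Start now and repeat every 2 minutes.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Minutes 2)

# SYSTEM performs the reconfiguration; the logged-in user stays unprivileged.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Roaming laptops are usually on battery, where tasks do not start by default.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 1)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```
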


Re: Wireguard for Windows - local administrator necessary?

2019-11-27 Thread Jason A. Donenfeld

On Wed, Nov 27, 2019 at 10:07 AM Chris Bennett wrote:
> However I've found the logged in user needs local Administrator access to 
> activate and de-activate a tunnel.  Is there any way around this?  Is it in 
> the roadmap to remove this requirement?

No intention of reducing the security of the system, no. WireGuard
requires administrator access because redirecting an entire machine's
network traffic is certainly an administrator's task.