Wireguard for Windows - local administrator necessary?
zrm at trustiosity.com
Thu Dec 12 20:11:56 CET 2019
On 11/27/19 06:27, Simon Rozman wrote:
> Hi Chris!
> This is WireGuard design. Reconfiguring the network - which (dis)connecting
> a VPN is – is an administrative task.
> If your organization issues laptops to their employees, the corporate
> VPN should be up at all times. You don't want them to disconnect from
> VPN and use those laptops on compromised networks, do you?
> I did have an issue when roaming laptops to and from corporate WiFi, as
> the endpoint IP changes – restarting the tunnel helped, but adding a
> scheduled task to reset endpoint IP every 2 minutes using wg.exe command
> line works like a charm here. If that's the reason you would want your
> users to manipulate WireGuard tunnels?
> Best regards,
It makes sense that users shouldn't be able to manipulate WireGuard
tunnels by default, but shouldn't it be possible to change the default
through something less drastic than giving the user full administrator
For example, the registry in modern Windows is permissioned with ACLs.
It could be made the case that modifying a WireGuard tunnel on Windows
is done by writing to a particular registry location and then poking the
service to prompt it to look there for new configuration. Then the
administrator could explicitly give a user or group permission to modify
that registry location if they should be able to modify WireGuard
configuration. Or the same thing could also be done with a filesystem
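The registry-ACL delegation proposed in the message above, sketched as an added example that is not part of the original post and is not WireGuard's own code. The key path is a hypothetical placeholder, and the choice of the built-in Network Configuration Operators group as the delegate is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added illustration: delegate write access on ONE registry key to a
# non-administrator group, instead of granting local administrator rights.
# The key path below is a hypothetical placeholder, not a real WireGuard location.
$KeyPath = 'HKLM:\SOFTWARE\ExampleVpnService\Tunnels'
# Assumed delegate group; any local or domain group would work the same way.
$Group   = 'BUILTIN\Network Configuration Operators'

# Create the key if it does not exist yet.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Grant only what is needed to add or change tunnel entries.
# Deliberately omitted: Delete, ChangePermissions, TakeOwnership, so members
# of the group cannot remove the key or re-ACL it to widen their own access.
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'

$rule = [System.Security.AccessControl.RegistryAccessRule]::new(
    $Group,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # apply to subkeys too
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $KeyPath
$acl.AddAccessRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Review the resulting entry for the delegate group.
(Get-Acl -Path $KeyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

With a layout like this, the privileged service that reads the key has to treat everything under it as untrusted input, since it is written by non-administrators.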