Actual plans for Windows client: PostUp/PreDown possible?

Simon Rozman simon at rozman.si
Wed Nov 11 06:45:28 CET 2020


Hi!

WireGuard for Windows and OpenVPN are fundamentally different. Consider WireGuard on Windows as an "always-on" VPN. Once configured by admin, it is just always there, and users don't need to explicitly connect or disconnect. Trust me, this is something your users will grow to love - no searching for a GUI to click Connect button when all you want is to quickly view a business document on Z:.

Think differently.

These are my recommendations for your use-case:

1. Configure the WireGuard tunnel at the company endpoint. Use specific port rather than random.

2. Configure WireGuard tunnel on client computers and leave it active at all times.

3. Instruct users to connect \\10.0.0.1\data as the network drive Z: and choose Reconnect on logon to make it persistent. (I am pushing a logon-script to do it in my deployment.) Why users? Because, seldomly users disconnect the network drive by accident, and it pays off they know how to reconnect it.

4. Don't add DNS line to the WireGuard tunnel config. Otherwise, WireGuard blocks all other DNS servers and users will not be able to access their home LAN by hostnames.

5. On client laptops that roam in and out of the network where your company endpoint resides, the tunnel company endpoint will auto-switch from public IP to local IP. Then you put your laptop to sleep and go home. When resuming at home, the WireGuard tunnel will still try to contact the company endpoint by local IP and the tunnel traffic will stall.

To mitigate this, I make a task in Task Scheduler to run "wg.exe set <your tunnel name> peer <company endpoint pubkey> endpoint <company endpoint public IP>:<company endpoint port>" command every 3 minutes.

This resets the tunnel endpoint to its public IP. The tunnel traffic is restored after leaving company network in no later than 3 minutes. The client endpoint roaming is handled by WireGuard.

As this scheduled task is the same for all clients, once configured and tested, it can be exported and imported on other computers (I deploy it using Group Policy).


And that's about it. Your users will always have their Z: drive there. No need for PostUp/PreDown.

Best regards,
Simon


-----Original Message-----
From: WireGuard <wireguard-bounces at lists.zx2c4.com> on behalf of Stefan Puch <s.puch at web.de>
Date: Tuesday, 10 November 2020 at 14.08
To: "wireguard at lists.zx2c4.com" <wireguard at lists.zx2c4.com>
Subject: Actual plans for Windows client: PostUp/PreDown possible?

    Hello!

    I’d like to raise the question regarding an option for PostUp/PreDown with the
    Windows client again, which was (to my research) first discussed here on the
    mailing list at the beginning of December 2019 by Rémi and Jason A.

    I thought about switching our OpenVPN setup to the modern Wireguard and started
    reading if all my requirements could be fulfilled. So far I have some users with
    no administrative privileges on their Windows computer when they want to connect
    to a remote server in order to access some shared space (Samba filesystem).
    Currently the users are using OpenVPN, which has a background service running
    with admin rights (Windows service). Thus the users can simply use a shortcut on
    the desktop to the OpenVPN-GUI including an appropriate config-file to connect
    to the remote server. After the tunnel is established OpenVPN uses the
    (optional) solution to place a batch file within the userspace
    (%USERPROFILE%\OpenVPN\config) as CONFIG-NAME_up.bat / CONFIG-NAME_down.bat
    where some stuff can be placed to mount a Samba filesystem after the connecting
    and tunnel are established (net use z: \\10.0.0.1\data) and to unmount before
    the tunnel is disconnected.

    I’ve seen the concerns from Jason A. about spreading malware and the hint that
    “Linux command line users can generally be trusted to check the config files
    they're writing into /etc/wireguard”. From my point of view the same holds with
    the solution provided from OpenVPN to use the batch files, which are optional,
    can be checked by the user and have to be explicitly defined for each VPN profile.

    Looking into the Windows specific todo list on the Wireguard homepage I didn’t
    find any comments if this will be considered for later versions of the windows
    client, if there will or won’t be a solution like this.

    Maybe I have missed something, so my question would be, if someone can tell me
    something about the current status or a possible implementation?

    Kind regards
    Stefan



More information about the WireGuard mailing list