Actual plans for Windows client: PostUp/PreDown possible?

Wed Nov 11 10:50:39 CET 2020

Hi, thanks for stepping in.

While I like your suggested "always-on" solution for fixed desktop PCs I don't
like the "work-around" for client laptops. A Task Scheduler which is trying
every 3 minute to set a wiregurad tunnel when you are sitting in a train using a
mobile connecting is nothing I'd like to see. I think there are also other
scenarios where you just want to "click Connect button" on demand. E.g. when
your company has multiple locations and you don't want (or cannot) use multiple
VPN connections a the same time you will always have the "somewhat broken"
network drives in the windows explorer too, since they weren't disconnected
within a PreDown script.

Another problem (which I skipped so far) is related in point 4. of your
suggestion and as I see this a also discussed within another thread here on the
mailinglist. While a simple network drive can of cause be setp to a fixed IP
adress to drive z: using fixed adresse is IMHO not a good solution.
Like Yves Goergen pointed out in the thread "Add local DNS forwarder to Windows
client" I'd like an option to add the remote DNS server to the serach list so
that that I don't have to keep IP adresses in mind. But I think this discussion
should be shifted to the other thread.

Kind regards
Stefan

Am 11.11.2020 um 06:45 schrieb Simon Rozman:
> Hi!
>
> WireGuard for Windows and OpenVPN are fundamentally different. Consider WireGuard on Windows as an "always-on" VPN. Once configured by admin, it is just always there, and users don't need to explicitly connect or disconnect. Trust me, this is something your users will grow to love - no searching for a GUI to click Connect button when all you want is to quickly view a business document on Z:.
>
> Think differently.
>
> These are my recommendations for your use-case:
>
> 1. Configure the WireGuard tunnel at the company endpoint. Use specific port rather than random.
>
> 2. Configure WireGuard tunnel on client computers and leave it active at all times.
>
> 3. Instruct users to connect \\10.0.0.1\data as the network drive Z: and choose Reconnect on logon to make it persistent. (I am pushing a logon-script to do it in my deployment.) Why users? Because, seldomly users disconnect the network drive by accident, and it pays off they know how to reconnect it.
>
> 4. Don't add DNS line to the WireGuard tunnel config. Otherwise, WireGuard blocks all other DNS servers and users will not be able to access their home LAN by hostnames.
>
> 5. On client laptops that roam in and out of the network where your company endpoint resides, the tunnel company endpoint will auto-switch from public IP to local IP. Then you put your laptop to sleep and go home. When resuming at home, the WireGuard tunnel will still try to contact the company endpoint by local IP and the tunnel traffic will stall.
>
> To mitigate this, I make a task in Task Scheduler to run "wg.exe set <your tunnel name> peer <company endpoint pubkey> endpoint <company endpoint public IP>:<company endpoint port>" command every 3 minutes.
>
> This resets the tunnel endpoint to its public IP. The tunnel traffic is restored after leaving company network in no later than 3 minutes. The client endpoint roaming is handled by WireGuard.
>
> As this scheduled task is the same for all clients, once configured and tested, it can be exported and imported on other computers (I deploy it using Group Policy).
>
>
> And that's about it. Your users will always have their Z: drive there. No need for PostUp/PreDown.
>
> Best regards,
> Simon