Actual plans for Windows client: PostUp/PreDown possible?
simon at rozman.si
Wed Nov 11 14:23:54 CET 2020
Stefan, your feedback is greatly appreciated.
> While I like your suggested "always-on" solution for fixed desktop PCs I
> don't like the "work-around" for client laptops. A Task Scheduler which
> is trying every 3 minutes to set a WireGuard tunnel when you are sitting
> in a train using a mobile connection is nothing I'd like to see.
The "wg set peer endpoint" is very lightweight and makes no network requests. Nor does it burn CPU/battery. It merely resets an IP address (4 bytes for IPv4, 16 for IPv6) inside the WireGuard tunnel peer list. It would have been even nicer if Task Scheduler could have a trigger "network connection changed".
> I think
> there are also other scenarios where you just want to "click Connect
> button" on demand. E.g. when your company has multiple locations and you
> don't want (or cannot) use multiple VPN connections at the same time you
> will always have the "somewhat broken"
> network drives in the Windows Explorer too, since they weren't
> disconnected within a PreDown script.
Each WireGuard tunnel supports multiple peers (i.e. multiple company endpoints). 10.0.0.0/16 is office A, 10.1.0.0/16 is office B, etc. Just list them all in your tunnel config and your laptop should reach all those networks.
Maybe "tunnel" is not the best word to describe it. Imagine it as a "network", or a "mesh".
> Another problem (which I skipped so far) is related to point 4. of your
> suggestion and as I see this is also discussed within another thread here
> on the mailing list. While a simple network drive can of course be set up to
> a fixed IP address to drive z: using fixed addresses is IMHO not a good
> Like Yves Goergen pointed out in the thread "Add local DNS forwarder to
> Windows client" I'd like an option to add the remote DNS server to the
> search list so that I don't have to keep IP addresses in mind. But I
> think this discussion should be shifted to the other thread.
You may. But once you do add a DNS line to your tunnel config, your client will exclusively use that DNS. All local and other DNS servers are blocked. If your company DNS server does the forwarding too, this shouldn't be a problem. The downside is, you cannot access local LAN resources by name. But that is discussed in another thread, indeed.
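As an added illustration (not code from the post above or from the WireGuard project) of the two points Simon makes: one tunnel config carrying several office peers, selected purely by AllowedIPs, and a Task Scheduler job that re-applies a peer's endpoint with "wg set" on a 3-minute repetition. The tunnel name "company", the config directory, the hostnames vpn-a/vpn-b.example.com, the addresses and the key placeholders are all assumptions; the keys are not valid keys and must be replaced with "wg genkey" / "wg pubkey" output. The paths to wg.exe and wireguard.exe are the client's default install location. Note that when the endpoint is given as a hostname, wg.exe resolves it each time the command runs.

```powershell
# Added example, not from the mailing list post.
# Assumed names: tunnel "company", config dir below, example.com hostnames,
# placeholder keys (NOT real keys). Run from an elevated PowerShell.

$TunnelName = "company"
$ConfigDir  = "C:\ProgramData\WireGuard"                 # assumed location
$ConfigPath = Join-Path $ConfigDir "$TunnelName.conf"
$Wg         = "C:\Program Files\WireGuard\wg.exe"        # ships with the client
$WireGuard  = "C:\Program Files\WireGuard\wireguard.exe"

# One tunnel, two peers. AllowedIPs routes 10.0.0.0/16 to office A and
# 10.1.0.0/16 to office B, so no second VPN connection is needed.
# The DNS line makes the client use only that resolver while the tunnel is
# up (as the post notes); drop it if local-LAN names matter more.
$Config = @"
[Interface]
PrivateKey = <laptop-private-key>
Address = 10.200.0.5/32
DNS = 10.0.0.53

[Peer]
PublicKey = <office-a-public-key>
Endpoint = vpn-a.example.com:51820
AllowedIPs = 10.0.0.0/16
PersistentKeepalive = 25

[Peer]
PublicKey = <office-b-public-key>
Endpoint = vpn-b.example.com:51820
AllowedIPs = 10.1.0.0/16
PersistentKeepalive = 25
"@

New-Item -ItemType Directory -Force -Path $ConfigDir | Out-Null
Set-Content -Path $ConfigPath -Value $Config -Encoding ASCII

# "Always-on" variant: install the tunnel as a service so it comes up at boot.
& $WireGuard /installtunnelservice $ConfigPath

# Laptop variant: every 3 minutes re-apply office A's endpoint. "wg set" only
# rewrites that peer's endpoint in the running tunnel; nothing is torn down.
$Action = New-ScheduledTaskAction -Execute $Wg `
    -Argument "set $TunnelName peer <office-a-public-key> endpoint vpn-a.example.com:51820"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Minutes 3)
# wg set needs administrative rights; run the task as SYSTEM.
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" `
    -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "WireGuard-$TunnelName-endpoint" `
    -Action $Action -Trigger $Trigger -Principal $Principal -Force | Out-Null

# Check: the endpoint listed here should match what the task sets.
& $Wg show $TunnelName endpoints
```

On older Windows/Server versions New-ScheduledTaskTrigger also requires -RepetitionDuration (for example `[TimeSpan]::MaxValue`) for the repetition to be accepted; on current Windows 10/11 it repeats indefinitely without it.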