Using WireGuard on Windows as non-admin - proper solution?

vh217 at vh217 at
Thu Nov 12 16:18:42 CET 2020


I've been wondering about using WireGuard on Windows as a non-admin user.

I have seen Jason's reply in this regard [1] and I understand the 
rationale. This however effectively means that WireGuard can't be 
directly used on company-issued machines where users who need to connect 
to company servers are usually not given administrator rights.

So I would like to open up two discussion points:
1) Is this use case something WireGuard was even meant for? I.e. should 
we even try to bend wg to be able to do this kind of stuff?
2) If the answer is yes, what would be the least hacky/workaround-ey way 
to do it?

I found a couple solutions on the Internet to this problem [2], [3] but 
both of them seem to be kind of complicated for setting up with dozens 
of clients.

In my mind there are two ways about the solution:
1) Somehow allow the user to be able to perform this one administrative 
2) Since wg is essentially quiet when not being used, leave the wg 
tunnel on at all times. (aka "fire [up] and forget")

The 1) is more or less covered in the solutions in [2] and [3] so that 
doesn't seem like a way if we want something easy.
That leaves us with 2) which seems to work fine, although we've run into 
an issue with overlapping routes, i.e. if the remote company LAN is 
something like and wg server and the wg adds a 
route " via" then when the client is physically 
present in the company their LAN stops working. This could probably be 
easily fixed by setting up route metric as a PostUp, though my 
Windows-route-fu is weak in this one.

Any input on this would be greatly appreciated, since the info on the 
Internet seems to be rather scattered around.

Also, if anyone has an idea on how to modify the route metric in the 
PostUp, I think that might be an elegant solution to this.




More information about the WireGuard mailing list