Using WireGuard on Windows as non-admin - proper solution?

Der PCFreak mailinglists at
Fri Nov 13 13:03:34 CET 2020


A long time ago (wow, 7 years now) OpenVPN was facing the same problem 
and I had to come up with a solution at this time which I wrote down here:

especially the part "New and working solution for Windows 7 (and above)" 
- Sorry, the images are gone since Dropbox killed public folders, but I 
still have them lying around somewhere.

I used Scheduled Tasks at logon of any user that automatically created 
another !privileged! scheduled task for the nonprivileged user and 
started OpenVPN.
It was a bit of a hack but it worked until first SecurePoint, then 
Sophos and finally came up with a client that communicated 
with a service and
no longer needed administrative privileges to bring up a connection.

I think you could reproduce the same with WireGuard using my old scripts 
posted above etc.

Not very nice but as always, time will tell.



On 13.11.2020 03:16, Jason A. Donenfeld wrote:
> Hi Viktor,
> I am actually interested in solving this. I took an initial stab at it
> here, but I'm not super comfortable with the implementation or the
> security implications:
> Aside from doing this from within our existing UI, the general
> solution using the service-based building blocks is to simply allow
> users to start and stop services that begin with "WireGuardTunnel$".
> So the flow is something like:
> 1. wireguard /installtunnelservice  path\to\sometunnel.conf.
> 2. Change the ACLs on WireGuardTunnel$sometunnel to fit your user.
> 3. Have the user use `net start` and `net stop`, or similar, to
> control whether the service is up or down.
> That's not super pretty, but it should work, and it is automatable.
> Meanwhile, I'll keep thinking about various ways to do this in a more
> "first-party" way.
> Jason
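
Added example, not part of the original thread and not WireGuard project code: step 2 of the flow quoted above, scripted in PowerShell with `sc.exe sdshow` and `sc.exe sdset`. The tunnel name and account are constructed placeholders, and the set of rights granted is an assumption about what `net start` and `net stop` need.

```powershell
#Requires -RunAsAdministrator
param(
    [string]$TunnelName = 'sometunnel',     # tunnel installed in step 1
    [string]$Account    = 'EXAMPLE\alice'   # constructed placeholder account
)

# Single quotes keep the '$' in the service name literal.
$service = 'WireGuardTunnel$' + $TunnelName

# SDDL ACEs name a SID, so resolve the account first.
$nt  = [System.Security.Principal.NTAccount]$Account
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# sc.exe, not sc: in Windows PowerShell "sc" is an alias for Set-Content.
$sddl = (& sc.exe sdshow $service | Where-Object { $_ -match '\S' }) -join ''
if ($LASTEXITCODE -ne 0 -or $sddl -notmatch '^D:') {
    throw "Could not read the security descriptor of ${service}: $sddl"
}

# LC query status, SW enumerate dependents, RP start, WP stop, LO interrogate.
# DC, WD and WO are deliberately absent: they would let the user rewrite the
# service's configuration, its ACL or its owner.
$ace = "(A;;LCSWRPWPLO;;;$sid)"

if ($sddl.Contains(";;;$sid)")) {
    Write-Warning "$Account already has an ACE on $service; review it by hand."
    return
}

# Append to the DACL, i.e. insert just before the SACL ('S:') if there is one.
$sacl = $sddl.IndexOf('S:')
$new  = if ($sacl -ge 0) { $sddl.Insert($sacl, $ace) } else { $sddl + $ace }

& sc.exe sdset $service $new
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed for $service" }

# Step 3, run by $Account without elevation:
#   net start 'WireGuardTunnel$sometunnel'
#   net stop  'WireGuardTunnel$sometunnel'
```

Running `sc.exe sdshow` again afterwards shows the new ACE at the end of the `D:` section.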
