Using WireGuard on Windows as non-admin - proper solution?

Der PCFreak mailinglists at pcfreak.de
Fri Nov 13 13:03:34 CET 2020


Hi,

a long time ago (wow 7 years now) OpenVPN was facing the same problem 
and I had to come up with a solution at this time which I wrote down here:

https://community.openvpn.net/openvpn/wiki/Nonprivileged

especially the part "New and working solution for Windows 7 (and above)" 
- Sorry, the images are gone since Dropbox killed public folders but I 
still have them somewhere lying around.

I used Scheduled Tasks at logon of any user that automatically created 
another !privileged! scheduled task for the nonprivileged user and 
started OpenVPN.
It was a bit of a hack but it worked until first SecurePoint, then 
Sophos and finally OpenVPN.net came up with a client that communicated 
with a service and no longer needed administrative privileges to bring 
up a connection.

I think you could reproduce the same with WireGuard using my old scripts 
posted above etc.

Not very nice but as always, time will tell.

Regards

Peter

On 13.11.2020 03:16, Jason A. Donenfeld wrote:
> Hi Viktor,
>
> I am actually interested in solving this. I took an initial stab at it
> here, but I'm not super comfortable with the implementation or the
> security implications:
> https://git.zx2c4.com/wireguard-windows/commit/?h=jd/unprivd-knob
>
> Aside from doing this from within our existing UI, the general
> solution using the service-based building blocks is to simply allow
> users to start and stop services that begin with "WireGuardTunnel$".
> So the flow is something like:
>
> 1. wireguard /installtunnelservice  path\to\sometunnel.conf.
> 2. Change the ACLs on WireGuardTunnel$sometunnel to fit your user.
> 3. Have the user use `net start` and `net stop`, or similar, to
> control whether the service is up or down.
>
> That's not super pretty, but it should work, and it is automatable.
> Meanwhile, I'll keep thinking about various ways to do this in a more
> "first-party" way.
>
> Jason
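
The three-step flow quoted above, scripted in PowerShell as an added example (it is not part of either message and is not WireGuard project code). The account name, config path, install directory and the exact rights string in the ACE are assumptions made for illustration.

```powershell
# Added example. Run steps 1-2 from an elevated PowerShell prompt.
# Assumed values (not from the thread): account, config path, install directory.
$Account  = 'CONTOSO\alice'                 # hypothetical unprivileged user
$ConfPath = 'C:\path\to\sometunnel.conf'    # placeholder path
$Service  = 'WireGuardTunnel$sometunnel'    # single quotes keep the literal $
$WgExe    = Join-Path $env:ProgramFiles 'WireGuard\wireguard.exe'  # assumed install dir

# Step 1: install the tunnel service and wait for the installer process to exit.
Start-Process -FilePath $WgExe -ArgumentList '/installtunnelservice', "`"$ConfPath`"" -Wait
Get-Service -Name $Service -ErrorAction Stop | Out-Null   # fail early if not installed

# Step 2: append one allow ACE for the user to the service's DACL.
$Sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
# "sc" alone is an alias for Set-Content in Windows PowerShell, so call sc.exe.
$Sddl = (& sc.exe sdshow $Service | Where-Object { $_ -match '\S' }) -join ''
if ($Sddl -notmatch '^D:') { throw "Could not read SDDL for ${Service}: $Sddl" }

# LC = query status, SW = enumerate dependents, RP = start, WP = stop.
# No DC (change config), WD (write DAC) or WO (write owner): any of those would
# let the user repoint a privileged service at another binary.
$Ace = "(A;;LCSWRPWP;;;$Sid)"
if ($Sddl.Contains($Ace)) { Write-Host 'ACE already present'; return }

# The DACL ends where the SACL ("S:") begins, if there is one.
$Parts   = @($Sddl -split '(?<=\))(?=S:)', 2)
$NewSddl = $Parts[0] + $Ace + $Parts[1]
& sc.exe sdset $Service $NewSddl
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }

# Step 3, as the unprivileged user:
#   net start 'WireGuardTunnel$sometunnel'
#   net stop  'WireGuardTunnel$sometunnel'
```

A service that is removed and installed again is created with a fresh security descriptor, so step 2 has to be repeated after each reinstall.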

