Using WireGuard on Windows as non-admin - proper solution?

Patrik Holmqvist patrik.holmqvist at
Fri Nov 20 12:49:27 CET 2020

Hi Jason and thanks for the reply!

I will describe our current workflow below:
* The WireGuard client is installed on the computer with our deployment solution
* The user logs in with SSO in our web-front [0] where they can generate one or more configs (for example one for their Windows computer and one for their phone)
* They download the config from the web-front
* Start WireGuard and import the configuration file
* Activates the tunnel when needed

Not sure if your suggested solution would allow for this? Maybe there could be different levels of permissions depending on the value you configure the registry key to or something.


/Best regards

-----Original Message-----
From: Jason A. Donenfeld <Jason at> 
Sent: den 19 november 2020 17:56
To: Patrik Holmqvist <patrik.holmqvist at>
Cc: vh217 at; WireGuard mailing list <wireguard at>
Subject: Re: Using WireGuard on Windows as non-admin - proper solution?

Hi Patrik,

Thanks for the patch. I think we'll probably take a route similar to that, with S-1-5-32-556, but will gate it behind a registry knob and and will allow only for starting/stopping/viewingstatus of tunnels, but not editing or extracting private keys.

Would that be passable for you?


More information about the WireGuard mailing list