[ANNOUNCE] WireGuard for Windows 0.3: ARM support, enterprise features, & more
Jason A. Donenfeld
Jason at zx2c4.com
Mon Nov 23 15:24:57 CET 2020
If you're using WireGuard on Windows, you've undoubtedly noticed the
flurry of updates and changes over the last two weeks, with 0.2 last
week and now 0.3 today. Simon and I have been quite eager to put some of
these recent changes in your hands, and I'm glad we've done so, but I do
apologize if the pace of updates was a bit much for some. We'll try to
calm down soon, maybe, I hope. So, what have we been up to?
1) Documentation on non-obvious parts
I figure I'll mention the most boring part up front: we've documented
lots of things about Windows networking, administrator tips, security,
and more, linked to from the main README:
If you're interested in learning more about the architecture or
deployment particulars of the program, I would strongly encourage
reading these documents in full. And as always, advanced topics or
things you might be fuzzy about can always be freely discussed and
elucidated here on the mailing list.
2) ARM and ARM64 support
A few weeks ago we released Wintun 0.9 , which was a massive release
and real technical accomplishment for us. This paved the way for us to
add ARM and ARM64 to WireGuard for Windows, but required quite a bit of
work, both to our own code and to the Go runtime, which we've improved
substantially. As part of the process, we also moved to using the LLVM,
since binutils/gcc is still lacking proper Windows ARM support. Now
users of Windows on the Microsoft Surface devices or even the Raspberry
Pi can run WireGuard there natively.
3) More robust installer infrastructure
We now support 4 architectures -- x86, amd64, arm, and arm64 -- which
means we have four MSI installers per release. Rather than burden the
user with selecting the right one, or with making sure their Downloads
folder always has the latest one when they get around to installing it,
we've built a tiny 72k installer executable that figures out the best
MSI for the architecture, validates a list of the latest versions from
the download server using Ed25519 code signing (with signatures made on
a YubiHSM ), downloads the right one, and installs it seamlessly. Our
new installer is available at  and MSIs remain directly available to
sysadmins using GPO at . I tweeted a little recording of how fast
this process is last week:
This should also serve as a "trust anchor", if you'd like to have all
downloads authenticated following the initial download of that
installer. On top of that, we've made installs, upgrades, and
uninstallations much more robust, as well as providing detection and
links for KB2921916 for Windows 7 users who require that hotfix.
WireGuard now ships with translations for 17 languages, and we're
accepting translations for even more on .
5) Configuration files moved to %ProgramFiles%\WireGuard\Data\Configurations
We previously kept configuration files in the Local System user's
profile, but this is discouraged by Microsoft to the point of actually
refusing to migrate it when users upgraded between Windows 10 builds,
requiring us to attempt to migrate from Windows.old in an error-prone
manner. This is no more. Following Microsoft SQL Server's example, we're
storing configuration in this new location. As explained in , this
acts as a "hot folder" for automatically encrypting added
configurations. Configuration files in the old location are
automatically moved to the new location.
6) Limited UI for Network Configuration Operator group
This is one of the most requested features. Enabled with a registry flag
(see ), members of the builtin Network Configuration Operator group
now can use the UI in a limited manner, which allows starting and
stopping tunnels, viewing the current stats, but not much else, with all
key material redacted. I tweeted a screenshot of this recently:
Hopefully this will go a long way in allowing enterprise admins to
provision laptops for users who don't generally have administrator
access. We'll see what the reception to this is like, and if the feature
needs further refinement, but hopefully we've struck an acceptable
balance of security and usability.
7) Support for split DNS tunneling
Not really. But we now are doing the "normal" thing with DNS in most
cases, so that Windows can handle multiple DNS servers using its
ordinary configurable policy for this, which should allow, in theory,
for folks to set up split DNS tunneling as needed. This, and other
quirks, is described in detail in our new networking documentation .
8) "PreUp", "PostUp", "PreDown", and "PostDown" script execution
Gated behind a frighteningly named registry flag (see ), the Windows
client finally supports handling these wg-quick(8) directives, which
should be a boon to enterprise admins when combined with item (6) above.
9) Multiple tunnels at the same time
We've always supported this when using the tunnel service without the
manager (see ), but now the UI can do this via the manager too. At
the moment it's gated behind a flag (see ), but we hope to make the
logic for this automatic down the road.
10) Performance and stability improvements
We've fixed innumerable bugs and made improvements to almost every part
of the app, so things in general should run a lot smoother. Of
particular note is support for higher resolution timers on recent builds
of Windows 10.
So, please try this out, and don't hesitate to report feedback here.
Hopefully this latest 0.3 release marks the transition of WireGuard for
Windows from being a scrappy poweruser application to being a serious
piece of enterprise- ready software, without sacrificing our overall
And if you're new to WireGuard on Windows, you can head on over to the
install page to grab the latest:
Finally, it should go without saying, but say it I will: everything
we're doing here is released as open source software, with development
being done in the open on public git repositories, as a community
project. If you've got a thirst for Windows programming and want to get
involved, this program is a fun one to hack on .
More information about the WireGuard