Using WireGuard on Windows as non-admin - proper solution?
Riccardo Paolo Bestetti
pbl at bestov.io
Wed Nov 25 08:49:17 CET 2020
On Wed Nov 25, 2020 at 2:08 AM CET, Jason A. Donenfeld wrote:
> Hi Riccardo,
>
> Interesting consideration. I didn't know that.
I didn't know that either until I tried to deploy WireGuard on a laptop
yesterday! It seems not to be documented anywhere.
The group has been around since Windows XP afaik, however I have no idea
whether the associated licesing chicanery has also been around that long.
>
> Can you not add that group manually need be?
I'm not an expert on Windows, but a quick lookup on the net suggests you
cannot create a local group with a specific SID.
Since the group is looked up by SID - which is the correct way -:
operatorGroupSid, _ := windows.CreateWellKnownSid(
windows.WinBuiltinNetworkConfigurationOperatorsSid)
I don't think this can be fixed in any (non-meddle-with-internals) way.
>
> Are there relevant use cases for "home" users using this feature?
Probably not home users, but user using the Home edition of the OS -
definitely yes.
I do some sysadmin work for small to medium sized companies, and it
happens quite often to come across "throwaway" low-cost roadwarrior
machines running Home edition.
Lately, due to the pandemic, I've had to set up a few machines with
WireGuard in a hurry (read: without due preparation and testing). 0.3
has been great news, as before that I was forced to add user accounts to
the Administrators group to allow users to connect. But I quickly
learned that this does not apply to machines running Home edition.
I understand that adding further knobs should be very carefully
considered. But I think that either this one needs to be added, or the
mechanism should be changed. For example, instead of having a on/off
registry entry, we could have an entry indicating the SID of the group
which has access to the limited UI, and its presence would indicate that
the feature should be enabled.
Riccardo
More information about the WireGuard
mailing list