Using WireGuard on Windows as non-admin - proper solution?

Jason A. Donenfeld Jason at
Wed Nov 25 22:42:04 CET 2020

On Wed, Nov 25, 2020 at 7:04 PM Clint Dovholuk
<clint.dovholuk at> wrote:
> Out of curiosity - why not just use " S-1-5-4" Interactive - " A group that
> includes all users that have logged on interactively. Membership is
> controlled by the operating system."
> If the user logged on - let the turn the tunnel on/off?

I guess that's the same argument as, "why doesn't Microsoft let users
twiddle around with adapter settings and IP addresses if they're
interactive?" Apparently there was some imperative for having control
over this be more fine grained, so they provide the NCO group. Turning
on and off WireGuard tunnels seems akin to disabling and enabling
network adapters, in general, so linking the two seems coherent.

More concretely, some folks are deploying WireGuard in a much more
restricted setting, in which the end user has no control over when it
goes up or down; that's all decided by some remote service out of the
interactive user's purview. For some high sensitivity applications,
not letting interactive users disable WireGuard is desirable. For
other applications, it's the opposite. The NCO group seems to fit the
level of granularity we're after.

More information about the WireGuard mailing list