Using WireGuard on Windows as non-admin - proper solution?
Adrian Larsen
alarsen at maidenheadbridge.com
Thu Nov 26 09:53:16 CET 2020
One thing that is commonly implemented in other clients doing tunnels is
the detection of "ON / OFF Corporate network".
Without any user intervention, the vpn client is capable of detecting (on
every network change) where the user is located and activating the client
or not.
Values to detect are a combination of:
(usually you can do AND / OR of these values)
1 - Adapter domain (i.e. contoso.com). This comes from the DHCP values
received.
2 - DNS server IPs
3 - Hostname vs IP. (This is to create a local DNS A record on your
internal DNS server that is resolvable only when you are ON the corporate
network and not outside)
The detection of these values is platform agnostic. You can use it on
any client: Linux, Windows, Mac, etc., to detect when to turn the
vpn client ON / OFF automatically without user intervention.
Best regards
Adrian
On 25/11/2020 21:42, Jason A. Donenfeld wrote:
> On Wed, Nov 25, 2020 at 7:04 PM Clint Dovholuk
> <clint.dovholuk at netfoundry.io> wrote:
>> Out of curiosity - why not just use "S-1-5-4" Interactive - "A group that
>> includes all users that have logged on interactively. Membership is
>> controlled by the operating system."
>>
>> If the user logged on - let them turn the tunnel on/off?
> I guess that's the same argument as, "why doesn't Microsoft let users
> twiddle around with adapter settings and IP addresses if they're
> interactive?" Apparently there was some imperative for having control
> over this be more fine grained, so they provide the NCO group. Turning
> on and off WireGuard tunnels seems akin to disabling and enabling
> network adapters, in general, so linking the two seems coherent.
>
> More concretely, some folks are deploying WireGuard in a much more
> restricted setting, in which the end user has no control over when it
> goes up or down; that's all decided by some remote service out of the
> interactive user's purview. For some high sensitivity applications,
> not letting interactive users disable WireGuard is desirable. For
> other applications, it's the opposite. The NCO group seems to fit the
> level of granularity we're after.
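The three-signal detection Adrian describes, written out as a small Python module. This is an added example, not code from the original post or from the WireGuard project; the domain, resolver ranges, beacon hostname and beacon address in `Policy` are constructed placeholders, and the `NetworkState` snapshots in `main()` are constructed inputs rather than values read from a real adapter. Only the beacon check (`resolve_beacon`) does a live lookup; the DHCP suffix and resolver list are taken as already collected, since how you read them differs per platform. One point worth keeping in mind when deploying this: the DHCP suffix and resolver addresses are handed to the client by whatever network it joined, so on their own they are a convenience signal, not a trust decision. The beacon check combined with a resolver that lives in your own address range is the stronger combination, and any lookup failure is treated as "off corporate network" so the tunnel stays up rather than down.

```python
"""Decide whether a client is ON or OFF the corporate network from three
signals (DHCP-supplied DNS suffix, configured DNS server addresses, and an
internal-only hostname that resolves to a known address) and turn that into
an up/down decision for a WireGuard tunnel.

Added example; every name and address below is a constructed placeholder.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class NetworkState:
    """Snapshot collected on every network-change event."""
    dns_suffix: str                 # connection-specific suffix from DHCP (option 15)
    dns_servers: Tuple[str, ...]    # resolver addresses configured on the active adapter
    beacon_resolves: bool           # did the internal-only hostname resolve as expected?


@dataclass(frozen=True)
class Policy:
    """What 'corporate network' looks like.  Placeholder values, not a real site."""
    domain: str = "corp.example.internal"
    resolver_nets: Tuple[str, ...] = ("10.10.0.0/16",)
    beacon_host: str = "vpn-beacon.corp.example.internal"
    beacon_addr: str = "10.10.5.5"
    # Minimum number of the three signals that must agree: 3 = AND, 1 = OR.
    min_signals: int = 2


def signal_domain(state: NetworkState, policy: Policy) -> bool:
    """Signal 1: the adapter's DHCP-supplied DNS suffix is the corporate domain."""
    return state.dns_suffix.rstrip(".").lower() == policy.domain.lower()


def signal_dns_servers(state: NetworkState, policy: Policy) -> bool:
    """Signal 2: every configured resolver lies inside a corporate resolver range.
    An empty or unparsable resolver list never counts as a match."""
    if not state.dns_servers:
        return False
    nets = [ipaddress.ip_network(n) for n in policy.resolver_nets]
    try:
        addrs = [ipaddress.ip_address(s) for s in state.dns_servers]
    except ValueError:
        return False
    return all(any(a in net for net in nets) for a in addrs)


def signal_beacon(state: NetworkState, policy: Policy) -> bool:
    """Signal 3: the internal-only A record resolved to the address we expect."""
    return state.beacon_resolves


def resolve_beacon(policy: Policy, timeout: float = 2.0) -> bool:
    """Live lookup used to fill NetworkState.beacon_resolves.  NXDOMAIN, timeout
    or an unexpected answer all mean 'not on corporate network', which is the
    safe direction: the tunnel stays up."""
    socket.setdefaulttimeout(timeout)
    try:
        answers = {info[4][0] for info in socket.getaddrinfo(policy.beacon_host, None)}
    except (socket.gaierror, OSError):
        return False
    return policy.beacon_addr in answers


def classify(state: NetworkState, policy: Policy) -> str:
    """Return 'on' when at least policy.min_signals signals match, else 'off'."""
    hits = sum(check(state, policy)
               for check in (signal_domain, signal_dns_servers, signal_beacon))
    return "on" if hits >= policy.min_signals else "off"


def tunnel_action(previous: Optional[str], current: str) -> Optional[str]:
    """Map a location transition to a tunnel command: ON corporate -> tunnel
    down, OFF corporate -> tunnel up.  Returns None when nothing changed, so a
    burst of network-change events does not flap the tunnel."""
    if previous == current:
        return None
    return "down" if current == "on" else "up"


def main() -> None:
    policy = Policy()
    # Constructed snapshots standing in for what a network-change hook would collect.
    snapshots = [
        NetworkState("corp.example.internal", ("10.10.1.1", "10.10.1.2"), True),
        NetworkState("home.lan", ("192.168.1.1",), False),
        NetworkState("corp.example.internal", ("8.8.8.8",), False),  # suffix only
    ]
    location = None
    for snap in snapshots:
        current = classify(snap, policy)
        print(snap.dns_suffix, "->", current, "action:", tunnel_action(location, current))
        location = current


if __name__ == "__main__":
    main()
```

On Windows the "up" and "down" actions map naturally onto `wireguard.exe /installtunnelservice <conf>` and `wireguard.exe /uninstalltunnelservice <name>`, run by a service or scheduled task rather than by the interactive user, which is exactly the split Jason describes above: the decision is made out of the user's purview and the user needs no membership in the NCO group at all.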