Using WireGuard on Windows as non-admin - proper solution?

Jason A. Donenfeld Jason at zx2c4.com
Sat Nov 28 15:28:01 CET 2020


On Thu, Nov 26, 2020 at 9:53 AM Adrian Larsen
<alarsen at maidenheadbridge.com> wrote:
>
> One thing that is commonly implemented in other clients doing tunnels is
> the detection of "ON / OFF Corporate network".
>
> Without any user intervention, the vpn client is capable of detecting (on
> every network change) where the user is located and of activating the client
> or not.
>
> Values to detect are a combination of:
>
> (usually you can do AND / OR of this values)
>
> 1 - Adapter domain (i.e. contoso.com). This comes from DHCP values
> received.
>
> 2 - DNS servers IPs
>
> 3 - Hostname vs IP. (This is to create a local DNS A record on your
> internal DNS server that is resolvable only when you are ON corporate
> network and not outside)
>
> The detection of these values is platform agnostic. You can use it on
> any client: Linux, Windows, Mac, etc; to detect when to turn ON / OFF the
> vpn client automatically without user intervention.

That sounds like it introduces a security vulnerability, in which you
send the magic unauthenticated packets, and voila, WireGuard
deactivates and you're sending data in the clear.
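As an added illustration of this point (example code written for this thread, not code from the WireGuard project or from either poster), the policy below treats the DHCP domain, DNS server and internal-hostname signals as able only to keep the tunnel on, and lets it be switched off solely after an authenticated probe succeeds, failing closed otherwise. The signal names, CORP_DOMAIN, CORP_DNS and the probe callback are constructed assumptions.

```python
"""Trusted-network detection that cannot be spoofed into dropping the
tunnel. Unauthenticated signals (DHCP domain, DNS servers, an internal
A record) may only *tighten* security; relaxing it requires a probe the
attacker cannot forge. Constructed example; not WireGuard project code."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple

class Tunnel(Enum):
    ON = "on"
    OFF = "off"

@dataclass(frozen=True)
class NetworkSignals:
    dhcp_domain: Optional[str]      # DHCP-supplied search domain (assumed)
    dns_servers: Tuple[str, ...]    # resolver IPs handed out by DHCP
    internal_name_resolves: bool    # internal-only hostname got an A record

# Constructed "corporate" fingerprint for the AND policy from the thread.
CORP_DOMAIN = "contoso.com"
CORP_DNS = frozenset({"10.0.0.53", "10.0.1.53"})

def looks_like_corporate(sig: NetworkSignals) -> bool:
    """The detection as described in the thread. Every input is learned
    from DHCP or DNS replies, which any host on the local segment can
    send, so a True result is a hint, not evidence."""
    return (sig.dhcp_domain == CORP_DOMAIN
            and bool(CORP_DNS & set(sig.dns_servers))
            and sig.internal_name_resolves)

def naive_decision(sig: NetworkSignals) -> Tunnel:
    """Vulnerable behaviour: forged signals alone switch the tunnel off."""
    return Tunnel.OFF if looks_like_corporate(sig) else Tunnel.ON

def hardened_decision(sig: NetworkSignals,
                      authenticated_probe: Callable[[], bool]) -> Tunnel:
    """The unauthenticated signals only decide whether to *attempt* the
    probe (e.g. TLS to an internal host with a pinned certificate, reached
    without the tunnel). Only a successful probe turns the tunnel off;
    a False result or any error fails closed and keeps it on."""
    if not looks_like_corporate(sig):
        return Tunnel.ON
    try:
        return Tunnel.OFF if authenticated_probe() else Tunnel.ON
    except Exception:
        return Tunnel.ON
```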


More information about the WireGuard mailing list