Using WireGuard on Windows as non-admin - proper solution?

Adrian Larsen alarsen at maidenheadbridge.com
Sun Nov 29 10:30:57 CET 2020


Yes, it is; and it is widely common practice.

With WireGuard, probably the best is to create a Peer only reachable when "ON corporate" network, to test the condition and to take action after.



On 28/11/2020 14:28, Jason A. Donenfeld wrote:
> On Thu, Nov 26, 2020 at 9:53 AM Adrian Larsen
> <alarsen at maidenheadbridge.com> wrote:
>> One thing that is commonly implemented in other clients doing tunnels is
>> the detection of "ON / OFF Corporate network".
>>
>> Without any user intervention, the VPN client is capable of detecting (on
>> every network change) where the user is located and of activating the client
>> or not.
>>
>> Values to detect are a combination of:
>>
>> (usually you can do AND / OR of these values)
>>
>> 1 - Adapter domain (i.e. contoso.com). This comes from DHCP values
>> received.
>>
>> 2 - DNS servers IPs
>>
>> 3 - Hostname vs IP. (This is to create a local DNS A record on your
>> internal DNS server that is resolvable only when you are ON corporate
>> network and not outside)
>>
>> The detection of these values is platform agnostic. You can use it on
>> any client: Linux, Windows, Mac, etc; to detect when to turn ON / OFF the
>> VPN client automatically without user intervention.
> That sounds like it introduces a security vulnerability, in which you
> send the magic unauthenticated packets, and voila, WireGuard
> deactivates and you're sending data in the clear.
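The two positions in this thread can be combined in code: the DHCP domain, resolver addresses and internal-only hostname are unauthenticated hints that an attacker on the local network can supply, so they should only ever trigger a check, while the "peer only reachable on the corporate network" idea gives an authenticated proof, because a fresh WireGuard handshake with that peer can only come from something holding its private key. The example below is an added illustration written for this page, not code from the WireGuard project or from either poster. It assumes a dedicated probe interface that stays up regardless of the main tunnel, reads the `wg show <iface> latest-handshakes` format (one `<public-key>\t<unix-timestamp>` line per peer), uses placeholder peer keys and constructed sample inputs, and treats a handshake older than 180 seconds as stale (WireGuard re-handshakes roughly every two minutes; the margin is an assumption). Hints alone never bring the tunnel down; only the authenticated handshake can.

```python
"""Fail-closed 'ON / OFF corporate network' decision (added example, not WireGuard code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Re-handshake interval is ~2 minutes; allow slack. Assumed value, tune for your deployment.
HANDSHAKE_MAX_AGE_SECONDS = 180

# Placeholder key of the probe peer that is only routable from inside the corporate network.
CORP_PROBE_PEER_KEY = "PROBE_PEER_PUBKEY_PLACEHOLDER="


@dataclass(frozen=True)
class NetworkSignals:
    """Unauthenticated hints gathered on every network change (DHCP option 15, resolvers, DNS)."""
    dhcp_domain: Optional[str]            # e.g. "contoso.com", or None when DHCP gave none
    dns_servers: tuple[str, ...]          # resolver IPs handed to the adapter
    probe_host_resolved: Optional[str]    # A record of an internal-only name, or None


@dataclass(frozen=True)
class CorpPolicy:
    """What the hints should look like on the corporate network."""
    expected_domain: str
    expected_dns: frozenset[str]
    probe_host_expected_ip: str
    require_all: bool = True              # AND (True) or OR (False) of the hints


def hints_say_on_corp(sig: NetworkSignals, policy: CorpPolicy) -> bool:
    """Combine the unauthenticated hints with AND/OR. Spoofable: use only as a trigger."""
    checks = [
        (sig.dhcp_domain or "").lower() == policy.expected_domain.lower(),
        bool(set(sig.dns_servers) & policy.expected_dns),
        sig.probe_host_resolved == policy.probe_host_expected_ip,
    ]
    return all(checks) if policy.require_all else any(checks)


def parse_latest_handshakes(output: str) -> dict[str, int]:
    """Parse `wg show <iface> latest-handshakes`: '<pubkey>\\t<unix ts>' per line, 0 = never."""
    result: dict[str, int] = {}
    for raw in output.splitlines():
        parts = raw.split()
        if len(parts) != 2:
            continue                      # skip blank or malformed lines
        key, ts = parts
        result[key] = int(ts)
    return result


def corp_peer_handshake_fresh(handshakes: dict[str, int], peer_key: str, now: int,
                              max_age: int = HANDSHAKE_MAX_AGE_SECONDS) -> bool:
    """True only if the probe peer completed a handshake recently (authenticated signal)."""
    ts = handshakes.get(peer_key, 0)
    return ts > 0 and 0 <= now - ts <= max_age


def decide_tunnel(sig: NetworkSignals, policy: CorpPolicy, handshakes: dict[str, int],
                  now: int, peer_key: str = CORP_PROBE_PEER_KEY) -> str:
    """Return 'up' (keep VPN active) or 'down' (on corporate network, VPN not needed).

    Deactivation requires BOTH the hints and a fresh authenticated handshake, so an
    attacker who merely spoofs DHCP/DNS answers cannot turn the tunnel off.
    """
    if not hints_say_on_corp(sig, policy):
        return "up"
    if corp_peer_handshake_fresh(handshakes, peer_key, now):
        return "down"
    return "up"                           # hints matched but nothing authenticated them


# Constructed sample data for a stand-alone run.
POLICY = CorpPolicy("contoso.com", frozenset({"10.0.0.53", "10.0.1.53"}), "10.0.5.10")
CORP_LOOKING = NetworkSignals("contoso.com", ("10.0.0.53",), "10.0.5.10")
COFFEE_SHOP = NetworkSignals("lan", ("192.168.1.1",), None)
NOW = 1_606_643_457
WG_OUTPUT_FRESH = f"{CORP_PROBE_PEER_KEY}\t{NOW - 90}\nOTHER_PEER_PUBKEY_PLACEHOLDER=\t0\n"
WG_OUTPUT_NONE = f"{CORP_PROBE_PEER_KEY}\t0\n"

if __name__ == "__main__":
    fresh = parse_latest_handshakes(WG_OUTPUT_FRESH)
    none = parse_latest_handshakes(WG_OUTPUT_NONE)
    print("genuine corporate network:", decide_tunnel(CORP_LOOKING, POLICY, fresh, NOW))
    print("spoofed hints, no handshake:", decide_tunnel(CORP_LOOKING, POLICY, none, NOW))
    print("coffee shop:", decide_tunnel(COFFEE_SHOP, POLICY, fresh, NOW))
```

The design choice worth noting is the asymmetry: matching hints can only lead to a probe, and a stale or missing handshake leaves the tunnel up, so a wrong answer in the unauthenticated layer costs some bandwidth rather than plaintext on the wire. Reachability of the probe peer shows a device holding that key is on the path, not that the rest of the local network is trustworthy, so the probe peer itself should live behind the same perimeter the tunnel protects.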

