Using WireGuard on Windows as non-admin - proper solution?

Phillip McMahon phillip.mcmahon at
Sun Nov 29 20:44:20 CET 2020

Hey Jason,

Won't drag this already long and confusing thread out. Not challenging
the current implementation, just the notion that any other suggestion
is a dead end and the topic is closed.

I will continue to use wg daily and now add in the non-admin elements
to test those out too. Appreciate the progress here and all that hard


On Sun, 29 Nov 2020 at 18:52, Jason A. Donenfeld <Jason at> wrote:
> Hi Phillip,
> On Sun, Nov 29, 2020 at 2:40 PM Phillip McMahon
> <phillip.mcmahon at> wrote:
> > I have been following the wider thread and maybe I misunderstood but
> > believe the solution requires some registry tweaks and membership to
> > the Network Operators Group, along with Windows Home requiring the
> > creation of a group not officially supported on that platform. Correct
> > or not?
> >
> > It was with all the in mind that I wrote the two points.
> I must admit I misunderstood your first message. Sorry for that. I
> understand you now to be questioning two things:
> - That this is gated behind a registry key;
> - That it works by using the network operators group.
> The first point is something I could imagine changing down the line as
> we learn more about the NCO group's usage. To start, and for now, I
> prefer to put "risky" settings behind a flag.
> But the latter point I'm much more hesitant to change. You recalled
> that I was initially entirely wary of this feature all together. This
> is true. It was only upon hearing the excellent idea of the NCO group
> that it became tenable for me. The reason is that the NCO group is a
> preexisting designation as part of the operating system that confers
> these privileges. And there's an easy argument to be made that adding
> the ability to stop/start tunnels does not add anything extra beyond
> what NCO can already do (like changing IP addresses or disabling
> adapters). Therefore, the brilliance of the NCO suggestion, in my
> mind, was that we're not adding any additional holes to the Windows
> security model. That makes it very compelling to me.
> It seems like you want to go back to challenge the initial hesitation
> again: maybe we _should_ add additional caveats to the existing
> Windows model, you suggest. Maybe. But if we can avoid doing so, I
> really would prefer that, and it seems like NCO group strikes a good
> balance.
> What's the situation you have in mind in which an administrator would
> permit a user to enable and disable tunnels but would not permit the
> other privileges conferred by NCO? What is the impedance mismatch that
> you are thinking about?
> Jason

Use this contact page to send me encrypted messages and files

P.S. Drowning in email? Try SaneBox and take back control: I love it.

More information about the WireGuard mailing list