wireguard on multi user windows ?
Jason A. Donenfeld
Jason at zx2c4.com
Mon Nov 30 12:31:40 CET 2020
Hi Henning,
That's an interesting inquiry. I guess the thing to point out is that
generally speaking, the networking stack is per-system, rather than
per-user. That means that while you're using your OpenVPN profile with
your account, some process still running by somebody else in your
family could be transferring data over it! Linux has network
namespaces to assist with properly separating, and I _think_ that
possibly the UWP VPN api on Windows might support this? But I'm not
sure. It's possible to match packets using WFP with
FWPM_CONDITION_ALE_USER_ID, but I haven't yet worked out how to apply
this to routing rules (and doing a VPN in a filter driver rather than
an adapter driver isn't very appealing).
In other words, neither OpenVPN nor WireGuard actually support your
use case. OpenVPN characteristically just opens up a potential
security hole, so you think it's doing what you want, but it really
isn't.
So the short story is that for the time being, I'm not sure how to do
per-user VPN on Windows with what we've got (adapter-level redirection
using the routing table), but I also haven't looked very hard, so it's
not a total impossibility either.
Jason
More information about the WireGuard
mailing list