Duplicate IP address, and permissions problems on Windows

David Woodhouse dwmw2 at infradead.org
Wed Apr 7 08:18:25 UTC 2021


On Tue, 2021-04-06 at 18:17 -0600, Jason A. Donenfeld wrote:
> It's pretty typical behavior on Windows for IP addresses to be
> exclusive per interface. WireGuard for Windows does something similar:
> https://git.zx2c4.com/wireguard-windows/tree/tunnel/addressconfig.go#n22

Thanks. That seems to run cleanupAddressesOnDisconnectedInterfaces()
only if the original SetIPAddressesForFamily() call returns
ERROR_OBJECT_ALREADY_EXISTS, while I was fairly sure that in my case
the CreateUnicastIpAddressEntry() call was succeeding. I'll go and
experiment with it some more.

> With regards to permissions, you must be Local System, which is
> already the case if you're running inside a service. If you'd like to
> run as a mere Administrator process, you can steal a token with a
> technique like https://git.zx2c4.com/wireguard-tools/tree/src/ipc-uapi-windows.h#n14
> or https://git.zx2c4.com/wireguard-windows/tree/elevate/doas.go#n30

Great, thanks!

Is there a list of precisely which operations require such privileges?
Is it only *creating* an adapter? Or only if doing so requires the
kernel driver to be loaded for the first time?
