Duplicate IP address, and permissions problems on Windows

Daniel Lenski dlenski at gmail.com
Wed Apr 7 23:05:02 UTC 2021


On Wed, Apr 7, 2021 at 1:18 AM David Woodhouse <dwmw2 at infradead.org> wrote:
>
> On Tue, 2021-04-06 at 18:17 -0600, Jason A. Donenfeld wrote:
> > With regards to permissions, you must be Local System, which is
> > already the case if you're running inside a service. If you'd like to
> > run as a mere Administrator process, you can steal a token with a
> > technique like https://git.zx2c4.com/wireguard-tools/tree/src/ipc-uapi-windows.h#n14
> > or https://git.zx2c4.com/wireguard-windows/tree/elevate/doas.go#n30
>
> Great, thanks!
>
> Is there a list of precisely which operations require such privileges?
> Is it only *creating* an adapter? Or only if doing so requires the
> kernel driver to be loaded for the first time?
>

I'm a little confused by this. In my testing of our recent builds of
OpenConnect on Windows 2012 R2 with wintun-0.10.2…

Running as Administrator *has been* sufficient to allow OpenConnect to
open the Wintun adapters, as well as to configure them with "netsh",
etc.

Is there some additional environment we should be testing in, where
Administrator may *not* be sufficient?

Thanks,
Dan

