Wireguard Windows Client questions

lenaghanm at comcast.net lenaghanm at comcast.net
Sat Apr 2 18:50:39 UTC 2022

Good day, this is my first posting on this list. I have read many of the
past messages in the Archives but cannot find the answers I'm looking for
and hoped I could get help from this list.
I currently have a set up on multiple Windows PC's where the user needs to
access services on multiple remote systems. Depending on the service the
underlying network settings of the system may need to be changed and in some
cases require connecting to a VPN server. Currently there are 2 possible VPN
services (OpenVPN and SoftEtherVPN). I now need to add a 3rd option which is

The interfaces to the VPN's are completely hidden from the users. They
simply double click on an icon for the service they want to connect to and
my code under the covers takes care of disconnecting any active sessions and
connecting to the new one. I have read the documentation on the
wireguard.exe options to see if I can develop a similar hidden mechanism to
connect and disconnect from a Wireguard peer and have the following

1. The documentation implies that if I executed the following command from a
command line "wireguard.exe" that it will start the Manager Service and show
the UI. It then states that calling wireguard.exe /installmanagerservice is
suitable for silent installation but what I find is that the Management GUI
is still activated and shown on the desktop. 
Is there anyway to start the service without the GUI window appearing? And
is there anyway to prevent the UI in the system tray from being installed?

2. If for any reason the Wireguard peer is not reachable then the Handshake
does not complete. When using the GUI the tunnel is shows Active but it is
the tunnelservice that is active not the connection. Is there a way to limit
the number of handshake retries before giving up on trying to connect?

3. From time to time the endpoint address of the peer system may have
changed (I do not use a dynamic DNS service) so when trying to connect I hit
the problem described in 2 above. I know what the new endpoint address is
and can set it dynamically using the wg set command and the connection is
then made. I would like to be able to programmatically save this change
without having to manually edit the client config files. I tried using wg
syncconf but get a permissions error because of the properties around the
dpapi config files.
Is there an alternative way to doing this short of deleting the existing
dpapi file and adding a new .conf file and have the manager service encrypt
it but that approach means I need to keep the private key in the clear
somewhere in order to create the new conf file.\

4. There are 2 option listed under wireguard command line options namely
/managerservice and /tunnelservice CONFIG_PATH - can someone tell me what
they are supposed to do every time I try running one of them I get an error
popup that says - The service process could not connect to the service

Thanks in advance for any guidance you can give me.


More information about the WireGuard mailing list