Wireguard Windows Client questions

Simon Rozman simon at rozman.si
Fri Apr 22 16:16:05 UTC 2022

> 1. The documentation implies that if I executed the following command
> from a command line "wireguard.exe" that it will start the Manager
> Service and show the UI. It then states that calling wireguard.exe
> /installmanagerservice is suitable for silent installation but what I
> find is that the Management GUI is still activated and shown on the
> desktop.
> Is there anyway to start the service without the GUI window appearing?
> And is there anyway to prevent the UI in the system tray from being
> installed?

Try wireguard.exe /installtunnelservice mytunnel.conf and wireguard.exe /uninstalltunnelservice mytunnel.conf.

> 2. If for any reason the Wireguard peer is not reachable then the
> Handshake does not complete. When using the GUI the tunnel shows
> Active but it is the tunnelservice that is active not the connection. Is
> there a way to limit the number of handshake retries before giving up on
> trying to connect?

WireGuard is connection-less. Only after there is a packet for a peer, it'll perform a handshake with the peer and send the packet to it. See it as an on-demand connection. Now, if you insist on verifying if the connection is possible over the VPN tunnel, send a ping through the tunnel and see if the handshake occurs and succeeds.

> 3. From time to time the endpoint address of the peer system may have
> changed (I do not use a dynamic DNS service) so when trying to connect I
> hit the problem described in 2 above. I know what the new endpoint
> address is and can set it dynamically using the wg set command and the
> connection is then made. I would like to be able to programmatically
> save this change without having to manually edit the client config
> files. I tried using wg syncconf but get a permissions error because of
> the properties around the dpapi config files.
> Is there an alternative way to doing this short of deleting the existing
> dpapi file and adding a new .conf file and have the manager service
> encrypt it but that approach means I need to keep the private key in the
> clear somewhere in order to create the new conf file.

Jason suggested that I add a Scheduled Task to call wg.exe set mytunnel peer pubkey endpoint on a few-minute basis. It works like a charm when roaming back and forth between local and remote networks.

It's way more efficient than deactivating the tunnel, updating config and reactivating the tunnel.

> 4. There are 2 options listed under wireguard command line options namely
> /managerservice and /tunnelservice CONFIG_PATH - can someone tell me
> what they are supposed to do every time I try running one of them I get
> an error popup that says - The service process could not connect to the
> service controller.wireguard

Those options are to be used by Windows SCM when wireguard.exe runs as a service.

If you are familiar with programming, you might want to take a look into the embeddable-dll-service folder in the wireguard-windows repo.
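The following PowerShell script is an added example for this thread, not code from Simon, Jason or the wireguard-windows project. It puts the two replies above into one place: item 3 (a scheduled task that refreshes the peer endpoint with wg.exe set so the config file and its private key are never touched) and item 2 (confirming a tunnel is really up by sending a probe packet through it and reading the latest-handshake timestamp, since WireGuard only handshakes when there is traffic). The tunnel name, peer public key, peer hostname, port and probe address are placeholders; the wg.exe path is the default install location. Run it once elevated with -Register to create the task, after which the task runs the same script every few minutes as SYSTEM.

```powershell
<#
  Added example, not from the thread: refresh a WireGuard peer's endpoint with
  "wg set" from a scheduled task and verify the tunnel by sending a ping through
  it and checking the latest handshake. All names below are placeholders.
#>
param([switch]$Register, [int]$IntervalMinutes = 5)

$Wg       = 'C:\Program Files\WireGuard\wg.exe'   # default install location
$Tunnel   = 'mytunnel'                             # placeholder tunnel name
$PeerKey  = 'PEER_PUBLIC_KEY_BASE64='              # placeholder peer public key
$PeerHost = 'vpn.example.invalid'                  # placeholder name whose address changes
$PeerPort = 51820
$ProbeIp  = '10.0.0.1'                             # placeholder address inside the tunnel

function Get-LatestHandshake {
    # "wg show <tunnel> latest-handshakes" prints "<pubkey><TAB><unix time>" per peer.
    # 0 means this peer has never completed a handshake on the running tunnel.
    $line = & $Wg show $Tunnel latest-handshakes | Where-Object { $_ -like "$PeerKey*" }
    if (-not $line) { return [int64]0 }
    return [int64](($line -split '\s+')[1])
}

function Update-PeerEndpoint {
    # Resolve the peer's current IPv4 address and push it into the live tunnel.
    # Only the running interface changes: no config file is edited, so the
    # private key never has to be written out in the clear.
    $addr = [System.Net.Dns]::GetHostAddresses($PeerHost) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            Select-Object -First 1
    if (-not $addr) { throw "no IPv4 address found for $PeerHost" }
    & $Wg set $Tunnel peer $PeerKey endpoint "$($addr.IPAddressToString):$PeerPort"
    if ($LASTEXITCODE -ne 0) { throw "wg set failed with exit code $LASTEXITCODE" }
    return $addr.IPAddressToString
}

function Test-PeerHandshake {
    # WireGuard handshakes only when there is traffic for the peer, so send one
    # probe packet through the tunnel, then check that the latest handshake is
    # recent. 180 s is WireGuard's reject-after-time; a session older than that
    # is no longer valid, so anything younger counts as a live tunnel.
    Test-Connection -ComputerName $ProbeIp -Count 1 -Quiet -ErrorAction SilentlyContinue | Out-Null
    Start-Sleep -Seconds 3
    $latest = Get-LatestHandshake
    if ($latest -eq 0) { return $false }
    $age = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds() - $latest
    return ($age -lt 180)
}

function Register-EndpointRefreshTask {
    # Create the scheduled task the reply mentions. It runs as SYSTEM because
    # wg.exe needs administrative rights to talk to the tunnel service.
    param([string]$ScriptPath, [int]$Minutes)
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
        -RepetitionInterval (New-TimeSpan -Minutes $Minutes)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName 'WireGuard-EndpointRefresh' -Action $action `
        -Trigger $trigger -Principal $principal -Force | Out-Null
}

if ($Register) {
    Register-EndpointRefreshTask -ScriptPath $PSCommandPath -Minutes $IntervalMinutes
    "scheduled task registered; it runs every $IntervalMinutes minutes"
} else {
    $addr = Update-PeerEndpoint
    if (Test-PeerHandshake) {
        "endpoint set to ${addr}:${PeerPort}; handshake is fresh"
    } else {
        Write-Warning "endpoint set to ${addr}:${PeerPort} but no recent handshake with the peer"
    }
}
```

Because the task only calls wg.exe set against the running tunnel, the DPAPI-protected config is left as-is and nothing is decrypted or rewritten; if the tunnel is later deactivated and reactivated, the stored endpoint applies again until the next task run, which is the trade-off Simon describes as still far cheaper than cycling the tunnel.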
