Using WireGuard on Windows as non-admin - proper solution?

zer0flash at zer0flash at
Fri Apr 22 20:21:45 UTC 2022


On Sun, Nov 29, 2020 at 9:59 PM Jason A. Donenfeld wrote:
> On Sun, Nov 29, 2020 at 8:44 PM Phillip McMahon
> <phillip.mcmahon at> wrote:
>> Won't drag this already long and confusing thread out. Not challenging
>> the current implementation, just the notion that any other suggestion
>> is a dead end and the topic is closed.
> Alright. Well, if you do think of good reasons why NCO is not a good
> match for unpriv'd WireGuard control, please let me know. The whole
> basis of going that route is the apparent intuition that these two
> types of things, network modification and tunnel up/down, are one and
> the same. But if you have in mind a way where the analogy breaks down,
> that'd be very interesting to learn and would potentially be grounds
> for changing course.

We provision a lot of road warrior laptops, where users are not admins. 
They can of course use 5g, wifi or lan as required and have to be able 
to switch on/off the vpn tunnel. If working from our office for example, 
they do not need the vpn due to an existing site-to-site vpn connection. 
So they need to turn it off by themselves. That's why the feature makes 
a lot of sense in my humble opinition.

However, any member of the local "Network Configuration Operators" group 
is not only able to to activate the WireGuard tunnel but also

- disable any firewall rules
- add new any firewall rules
- disable the whole firewall by changing the default to allow all incoming
- change ip address / dns settings on any interface

I think that adding an otherwise unprivileged user to the NCO group just 
for activating a preconfigured vpn tunnel might pose security issues in 
other areas.

> Jason



More information about the WireGuard mailing list