Using WireGuard on Windows as non-admin - proper solution?
zer0flash at anterias.io
Fri Apr 22 20:21:45 UTC 2022
Hi,
On Sun, Nov 29, 2020 at 9:59 PM Jason A. Donenfeld wrote:
> On Sun, Nov 29, 2020 at 8:44 PM Phillip McMahon
> <phillip.mcmahon at gmail.com> wrote:
>> Won't drag this already long and confusing thread out. Not challenging
>> the current implementation, just the notion that any other suggestion
>> is a dead end and the topic is closed.
>
> Alright. Well, if you do think of good reasons why NCO is not a good
> match for unpriv'd WireGuard control, please let me know. The whole
> basis of going that route is the apparent intuition that these two
> types of things, network modification and tunnel up/down, are one and
> the same. But if you have in mind a way where the analogy breaks down,
> that'd be very interesting to learn and would potentially be grounds
> for changing course.
We provision a lot of road warrior laptops, where users are not admins.
They can of course use 5G, Wi-Fi or LAN as required and have to be able
to switch on/off the VPN tunnel. If working from our office for example,
they do not need the VPN due to an existing site-to-site VPN connection.
So they need to turn it off by themselves. That's why the feature makes
a lot of sense in my humble opinion.
However, any member of the local "Network Configuration Operators" group
is not only able to activate the WireGuard tunnel but also
- disable any firewall rules
- add any new firewall rules
- disable the whole firewall by changing the default to allow all incoming
- change IP address / DNS settings on any interface
I think that adding an otherwise unprivileged user to the NCO group just
for activating a preconfigured VPN tunnel might pose security issues in
other areas.
>
> Jason
>
Regards
--
Fabian