Wireguard Windows Service Issues

Simon Rozman simon at rozman.si
Mon Jan 17 10:51:01 UTC 2022


Hi,

> I believe there's a bug in the Windows service implementation, if this
> issue is by design, it's problematic.
> 
> I have non-admin users where, when I initially set them up with WireGuard,
> I configured it to use the service, using the command:
> 
> wireguard /installtunnelservice "C:\Program Files\WireGuard\Data\Configurations\vpn.domain.org.conf.dpapi"
> 
> The tunnel worked fine the first time. Then the user reboots the laptop,
> or closes it, or leaves whatever coffee shop they were at and gets
> disconnected from the wireless network they were using. When this
> happens, for some reason, the WireGuard service then gets torn down,
> never to come back again until I issue the command from my admin account
> again.

Can you run wireguard /dumplog > wireguard.log and investigate?

> There was an issue with some users initial configuration in that they
> could not query hostname via DNS, so that entering the command to
> installservice would not even create the service.

WireGuard services start early on boot - sometimes even before the DNSCache (DNS Client). If the service can't resolve hostnames used in the config file, it will stop. But it will log this. The resolution to this problem is:
- Use IPs rather than hostnames.
- Add hostnames you use in your .conf file to C:\Windows\system32\drivers\etc\hosts.
- Add DNSCache dependency to the WireGuardTunnel$<your tunnel name> service.

I personally would pick one of the first two options above. I don't like the idea of my laptop asking a coffee shop's DNS what my VPN endpoint IP address is.

> Here's a few notes that might help with understanding.
> - Users must have the VPN established before they log into the Active
> Directory servers on the remote network so that they can get all of
> their GPO directives.
> - The WireGuard service should stay up so that any time a user connects to
> any network, the VPN is established immediately after that.
> - The WireGuard service should also stay up because non-admin users cannot
> create a new service.

I understand. That is exactly how we use WireGuard in our company.

> If this issue is how things will stay, and this is not considered a bug,
> how would you configure windows non-admin users to tunnel to an
> enterprise network before login via WireGuard and to continuously try to
> establish the tunnel while the user is not connected to a network?

Let me assure you, the behavior you are seeing is definitely pathological. Please investigate in the log file why the tunnel service does not persist as it should.

Best regards,
Simon
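An added example, not code from Simon or from the WireGuard project, showing how an administrator could apply the checks discussed in this thread from an elevated PowerShell: confirm the WireGuardTunnel$<name> service still exists, dump the log with wireguard /dumplog, and add the Dnscache dependency (the third option above) while keeping any dependencies the service already has. It assumes the config path quoted in the thread and the default install location C:\Program Files\WireGuard\wireguard.exe; both are assumptions to adjust for your deployment.

```powershell
# Added example (not from the mailing-list post or the WireGuard project).
# Run from an elevated (administrator) PowerShell session.
# Assumptions: config path from the thread; wireguard.exe in its default location.

$WireGuardExe = 'C:\Program Files\WireGuard\wireguard.exe'
$ConfigPath   = 'C:\Program Files\WireGuard\Data\Configurations\vpn.domain.org.conf.dpapi'

# WireGuard names the tunnel after the config file minus .conf / .conf.dpapi,
# and the per-tunnel service is called WireGuardTunnel$<tunnel name>.
$TunnelName  = [IO.Path]::GetFileName($ConfigPath) -replace '\.conf(\.dpapi)?$', ''
$ServiceName = 'WireGuardTunnel$' + $TunnelName

# 1. Does the service still exist? A non-admin user cannot recreate it, so if it
#    is gone it has to be reinstalled from an admin account.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$ServiceName' is missing; reinstalling the tunnel service."
    & $WireGuardExe /installtunnelservice $ConfigPath
    $svc = Get-Service -Name $ServiceName
}
'Service: {0}  Status: {1}  StartType: {2}' -f $svc.Name, $svc.Status, $svc.StartType

# 2. Capture the log for investigation (the /dumplog command from the thread).
#    Look for resolver errors logged around boot time.
$LogPath = Join-Path $env:TEMP 'wireguard.log'
& $WireGuardExe /dumplog | Out-File -FilePath $LogPath -Encoding utf8
"Log written to $LogPath"

# 3. Make the tunnel service depend on Dnscache (DNS Client) so it is not
#    started before name resolution is available. Note that
#    'sc.exe config ... depend=' REPLACES the whole dependency list, so the
#    existing dependencies are merged in rather than dropped.
$existing = @($svc.ServicesDependedOn | ForEach-Object { $_.Name })
if ($existing -notcontains 'Dnscache') {
    $deps = ($existing + 'Dnscache') -join '/'
    & sc.exe config $ServiceName depend= $deps
    $now = (Get-Service -Name $ServiceName).ServicesDependedOn | ForEach-Object { $_.Name }
    'Dependencies now: ' + ($now -join ', ')
} else {
    'Dnscache dependency already present.'
}
```

The dependency change only affects start ordering at boot; it does not help once a laptop has joined a network whose resolver cannot answer for the endpoint hostname, which is why the first two options (an IP literal in the config, or a hosts-file entry) are the ones Simon prefers.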

