WireGuard Archive on lore.kernel.org
* Wireguard for Windows - local administrator necessary?
From: Chris Bennett @ 2019-09-26  2:35 UTC
  To: wireguard


Hi there,

I've been experimenting with the use of the Windows Wireguard agent for
corporate VPN access.  It's been working really well!

However I've found the logged in user needs local Administrator access to
activate and de-activate a tunnel.  Is there any way around this?  Is it in
the roadmap to remove this requirement?

Thanks!

Chris

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* RE: Wireguard for Windows - local administrator necessary?
From: Simon Rozman @ 2019-11-27 11:27 UTC
  To: Chris Bennett, wireguard

Hi Chris!

This is WireGuard's design. Reconfiguring the network, which (dis)connecting a VPN is, is an administrative task.

If your organization issues laptops to their employees, the corporate VPN should be up at all times. You don't want them to disconnect from the VPN and use those laptops on compromised networks, do you?

I did have an issue when roaming laptops to and from corporate WiFi, as the endpoint IP changes. Restarting the tunnel helped, but adding a scheduled task to reset the endpoint IP every 2 minutes using the wg.exe command line works like a charm here. Is that the reason you would want your users to manipulate WireGuard tunnels?

Best regards,

Simon

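
The scheduled-task approach Simon describes, written out as an added example (this is not code from the thread or from the WireGuard project). It assumes the default install path, a tunnel named "corp", the peer public key and server name shown as placeholders, and that the file is saved at the path in $ScriptPath. Run it once with -Register from an elevated prompt; from then on it runs as SYSTEM every 2 minutes, so no logged-in user needs administrator rights to keep the endpoint current.

```powershell
param([switch]$Register)

# Added example, not from the thread or the WireGuard project.
# Everything marked "assumption" is a placeholder for this illustration.
$Wg         = 'C:\Program Files\WireGuard\wg.exe'                 # default install path
$Tunnel     = 'corp'                                               # assumption
$PeerKey    = 'REPLACE_WITH_PEER_PUBLIC_KEY_BASE64='               # assumption, placeholder
$ServerHost = 'vpn.example.com'                                    # assumption
$ServerPort = 51820
$ScriptPath = 'C:\Program Files\WireGuard\Update-Endpoint.ps1'     # assumption: admin-only writable directory
$LogPath    = 'C:\Program Files\WireGuard\endpoint-refresh.log'    # assumption

function Get-CurrentEndpoint {
    # "wg show <tunnel> endpoints" prints one "<peer-public-key>TAB<ip:port>" line per peer.
    # wg.exe reaches the tunnel service over a control pipe that only Administrators and
    # SYSTEM may open, which is why this has to run elevated.
    $lines = & $Wg show $Tunnel endpoints 2>$null
    foreach ($l in @($lines)) {
        $parts = "$l" -split "`t"
        if ($parts.Count -ge 2 -and $parts[0] -eq $PeerKey) { return $parts[1] }
    }
    return $null
}

function Update-Endpoint {
    # Resolve the server name here and rewrite the endpoint only when it differs from
    # what the running tunnel has. Passing the hostname to "wg set" would also re-resolve,
    # but comparing first avoids a pointless rewrite every two minutes when nothing moved.
    $ip = (Resolve-DnsName -Name $ServerHost -Type A -ErrorAction Stop |
           Where-Object { $_.IPAddress } | Select-Object -First 1).IPAddress
    if (-not $ip) { throw "no A record for $ServerHost" }
    $wanted  = "${ip}:$ServerPort"
    $current = Get-CurrentEndpoint
    if ($current -eq $wanted) { return "unchanged $current" }
    & $Wg set $Tunnel peer $PeerKey endpoint $wanted
    if ($LASTEXITCODE -ne 0) { throw "wg set failed with exit code $LASTEXITCODE" }
    return "updated $current -> $wanted"
}

if ($Register) {
    # Register this file as a SYSTEM task repeating every 2 minutes. On Windows 10 and
    # later a -Once trigger with -RepetitionInterval and no -RepetitionDuration repeats
    # indefinitely; older releases need an explicit duration.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 2)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'WireGuard Endpoint Refresh' `
        -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
    Write-Output 'registered; runs as SYSTEM every 2 minutes'
} else {
    try   { $msg = Update-Endpoint }
    catch { $msg = "error: $($_.Exception.Message)" }
    Add-Content -Path $LogPath -Value "$(Get-Date -Format o) $msg"
}
```

Two things to check before deploying it: the script must live in a directory only administrators can write to, because whoever can edit it runs as SYSTEM two minutes later; and "wg set" changes the endpoint of the running tunnel only, so the hostname in the tunnel's .conf is still what is used the next time the tunnel service starts.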

* Re: Wireguard for Windows - local administrator necessary?
From: Jason A. Donenfeld @ 2019-11-27 12:29 UTC
  To: Chris Bennett; +Cc: WireGuard mailing list

On Wed, Nov 27, 2019 at 10:07 AM Chris Bennett <chris@ceegeebee.com> wrote:
> However I've found the logged in user needs local Administrator access to activate and de-activate a tunnel.  Is there any way around this?  Is it in the roadmap to remove this requirement?

No intention of reducing the security of the system, no. WireGuard
requires administrator access because redirecting an entire machine's
network traffic is certainly an administrator's task.

* Re: [wireguard] Wireguard for Windows - local administrator necessary?
From: CHRIZTOFFER HANSEN @ 2019-12-03 21:07 UTC
  To: Jason; +Cc: wireguard


Jason A. Donenfeld wrote on 27/11/2019 13:29:
> On Wed, Nov 27, 2019 at 10:07 AM Chris Bennett <chris@ceegeebee.com> wrote:
>> However I've found the logged in user needs local Administrator access to activate and de-activate a tunnel.  Is there any way around this?  Is it in the roadmap to remove this requirement?
> 
> No intention of reducing the security of the system, no. WireGuard
> requires administrator access because redirecting an entire machine's
> network traffic is certainly an administrator's task.

What if this functionality is coded as opt-in, e.g. for an org/corp 
sysadmin to enable for the users, and *not* opt-out?

Then the default knob will still be secure, and the sysadmin has the 
conscious possibility to put power in the hands of the users. And it will 
be the sysadmin's choice, not the team behind pushing the development of 
WireGuard forward taking a choice on behalf of the consumer/user base.

Chriztoffer

* Re: [wireguard] Wireguard for Windows - local administrator necessary?
From: Reuben Martin @ 2019-12-04  0:35 UTC
  To: chriztoffer; +Cc: WireGuard mailing list

You can use fwknop to automate this type of sysadmin-level change in a
secure manner.

-Reuben


* Re: Wireguard for Windows - local administrator necessary?
From: zrm @ 2019-12-12 19:11 UTC
  To: wireguard

On 11/27/19 06:27, Simon Rozman wrote:
> Hi Chris!
> 
> This is WireGuard's design. Reconfiguring the network, which (dis)connecting 
> a VPN is, is an administrative task.
> 
> If your organization issues laptops to their employees, the corporate 
> VPN should be up at all times. You don't want them to disconnect from 
> the VPN and use those laptops on compromised networks, do you?
> 
> I did have an issue when roaming laptops to and from corporate WiFi, as 
> the endpoint IP changes. Restarting the tunnel helped, but adding a 
> scheduled task to reset the endpoint IP every 2 minutes using the wg.exe 
> command line works like a charm here. Is that the reason you would want 
> your users to manipulate WireGuard tunnels?
> 
> Best regards,
> 
> Simon

It makes sense that users shouldn't be able to manipulate WireGuard 
tunnels by default, but shouldn't it be possible to change the default 
through something less drastic than giving the user full administrator 
access?

For example, the registry in modern Windows is permissioned with ACLs. 
It could be made the case that modifying a WireGuard tunnel on Windows 
is done by writing to a particular registry location and then poking the 
service to prompt it to look there for new configuration. Then the 
administrator could explicitly give a user or group permission to modify 
that registry location if they should be able to modify WireGuard 
configuration. Or the same thing could also be done with a filesystem 
location.

* Re: Wireguard for Windows - local administrator necessary?
From: Jason A. Donenfeld @ 2019-12-12 20:26 UTC
  To: zrm; +Cc: WireGuard mailing list

On Thu, Dec 12, 2019 at 8:12 PM zrm <zrm@trustiosity.com> wrote:
> It makes sense that users shouldn't be able to manipulate WireGuard
> tunnels by default, but shouldn't it be possible to change the default
> through something less drastic than giving the user full administrator
> access?

I have no desire to add complex ACL schemes inside WireGuard. Catering
to that kind of user demand inevitably results in a security disaster.
Network and firewall config is an administrative task. Be
administrator. If you want to do otherwise, you're free to run your
own service that listens for commands on a named pipe with whatever
ACLs you want. But the development of that kind of ACL'd backdoor is
up to you and your organization.
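
A sketch of the separate service Jason describes, as an added example that is not from the thread or from the WireGuard project: an elevated broker owns a named pipe whose DACL admits one local group, and it accepts exactly two fixed verbs for one fixed tunnel, so members of that group can bring the tunnel up or down without being administrators and without WireGuard itself growing an ACL scheme. The tunnel name, config path, pipe name, group name and log path are assumptions. It targets Windows PowerShell 5.1, where the NamedPipeServerStream constructor accepts a PipeSecurity directly.

```powershell
# Added example, not from the thread or the WireGuard project. Run Start-Broker
# elevated (for instance as a SYSTEM scheduled task at startup); Send-TunnelCommand
# is the unprivileged client side. Windows PowerShell 5.1 (.NET Framework).
$WireGuardExe = 'C:\Program Files\WireGuard\wireguard.exe'                    # default install path
$TunnelName   = 'corp'                                                          # assumption
$TunnelConf   = 'C:\Program Files\WireGuard\Data\Configurations\corp.conf'     # assumption
$PipeName     = 'CorpVpnBroker'                                                 # assumption
$AllowedGroup = 'VPN Operators'                                                 # assumption: local group
$LogPath      = 'C:\Program Files\WireGuard\broker.log'                         # assumption

function Invoke-TunnelCommand([string]$verb) {
    # Fixed verbs only: the client chooses neither a path, a tunnel name nor an argument.
    # That is what keeps this a narrow delegation instead of an elevated command runner.
    switch ($verb) {
        'up'    { & $WireGuardExe /installtunnelservice $TunnelConf;   return "ok up exit=$LASTEXITCODE" }
        'down'  { & $WireGuardExe /uninstalltunnelservice $TunnelName; return "ok down exit=$LASTEXITCODE" }
        default { return 'error: unknown command' }
    }
}

function New-BrokerPipeSecurity {
    # DACL on the pipe: SYSTEM and Administrators full control, the chosen group ReadWrite
    # only. Anyone else is refused by the kernel at connect time, before our code runs.
    $sec = New-Object System.IO.Pipes.PipeSecurity
    $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule('SYSTEM', 'FullControl', 'Allow')))
    $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule('Administrators', 'FullControl', 'Allow')))
    $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($AllowedGroup, 'ReadWrite', 'Allow')))
    return $sec
}

function Start-Broker {
    $sec = New-BrokerPipeSecurity
    while ($true) {
        $server = New-Object System.IO.Pipes.NamedPipeServerStream(
            $PipeName, [System.IO.Pipes.PipeDirection]::InOut, 1,
            [System.IO.Pipes.PipeTransmissionMode]::Byte, [System.IO.Pipes.PipeOptions]::None,
            4096, 4096, $sec)
        try {
            $server.WaitForConnection()
            $reader = New-Object System.IO.StreamReader($server)
            $writer = New-Object System.IO.StreamWriter($server)
            $writer.AutoFlush = $true
            $who    = $server.GetImpersonationUserName()    # caller identity as the kernel sees it
            $line   = $reader.ReadLine()
            $verb   = if ($line) { $line.Trim().ToLowerInvariant() } else { '' }
            $result = Invoke-TunnelCommand $verb
            Add-Content -Path $LogPath -Value "$(Get-Date -Format o) $who '$verb' -> $result"
            $writer.WriteLine($result)
        } catch {
            Add-Content -Path $LogPath -Value "$(Get-Date -Format o) error: $($_.Exception.Message)"
        } finally {
            $server.Dispose()
        }
    }
}

function Send-TunnelCommand([string]$verb) {
    # Client side: a member of $AllowedGroup can call this from an ordinary, non-elevated shell.
    $client = New-Object System.IO.Pipes.NamedPipeClientStream('.', $PipeName, [System.IO.Pipes.PipeDirection]::InOut)
    try {
        $client.Connect(5000)
        $writer = New-Object System.IO.StreamWriter($client); $writer.AutoFlush = $true
        $reader = New-Object System.IO.StreamReader($client)
        $writer.WriteLine($verb)
        return $reader.ReadLine()
    } finally { $client.Dispose() }
}

# Usage: elevated:   . .\broker.ps1; Start-Broker
#        as a user:  . .\broker.ps1; Send-TunnelCommand up
```

This is exactly the "ACL'd backdoor" of the reply above, and it should be treated as one: the config file and this script must be writable only by administrators, the log line with the impersonated caller name is the audit trail, and every member of the group can take the machine off the VPN, which is the decision the organisation is making by creating that group.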