WireGuard Archive on lore.kernel.org
* Wireguard for Windows - local administrator necessary?
@ 2019-09-26  2:35 Chris Bennett
  2019-11-27 12:29 ` Jason A. Donenfeld
  0 siblings, 1 reply; 4+ messages in thread
From: Chris Bennett @ 2019-09-26  2:35 UTC (permalink / raw)
  To: wireguard

Hi there,

I've been experimenting with the use of the Windows Wireguard agent for
corporate VPN access.  It's been working really well!

However I've found the logged in user needs local Administrator access to
activate and de-activate a tunnel.  Is there any way around this?  Is it in
the roadmap to remove this requirement?

Thanks!

Chris

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: Wireguard for Windows - local administrator necessary?
  2019-09-26  2:35 Wireguard for Windows - local administrator necessary? Chris Bennett
@ 2019-11-27 12:29 ` Jason A. Donenfeld
  2019-12-03 21:07   ` [wireguard] " CHRIZTOFFER HANSEN
  0 siblings, 1 reply; 4+ messages in thread
From: Jason A. Donenfeld @ 2019-11-27 12:29 UTC (permalink / raw)
  To: Chris Bennett; +Cc: WireGuard mailing list

On Wed, Nov 27, 2019 at 10:07 AM Chris Bennett <chris@ceegeebee.com> wrote:
> However I've found the logged in user needs local Administrator access to activate and de-activate a tunnel.  Is there any way around this?  Is it in the roadmap to remove this requirement?

No intention of reducing the security of the system, no. WireGuard
requires administrator access because redirecting an entire machine's
network traffic is certainly an administrator's task.

* Re: [wireguard] Wireguard for Windows - local administrator necessary?
  2019-11-27 12:29 ` Jason A. Donenfeld
@ 2019-12-03 21:07   ` " CHRIZTOFFER HANSEN
  2019-12-04  0:35     ` Reuben Martin
  0 siblings, 1 reply; 4+ messages in thread
From: CHRIZTOFFER HANSEN @ 2019-12-03 21:07 UTC (permalink / raw)
  To: Jason; +Cc: wireguard


Jason A. Donenfeld wrote on 27/11/2019 13:29:
> On Wed, Nov 27, 2019 at 10:07 AM Chris Bennett <chris@ceegeebee.com> wrote:
>> However I've found the logged in user needs local Administrator access to activate and de-activate a tunnel.  Is there any way around this?  Is it in the roadmap to remove this requirement?
> 
> No intention of reducing the security of the system, no. WireGuard
> requires administrator access because redirecting an entire machine's
> network traffic is certainly an administrator's task.

What if this functionality is coded as opt-in, for e.g. a org/corp
sysadmin to enable for the users, and *not* opt-out?

The default knob will still be secure, and the sysadmin has the
conscious possibility to put power in the hand of the users. And it will
be the sysadm's choice. Not the team behind pushing the development of
WireGuard forward, taking a choice on behalf of the consumer/user base.

Chriztoffer

* Re: [wireguard] Wireguard for Windows - local administrator necessary?
  2019-12-03 21:07   ` [wireguard] " CHRIZTOFFER HANSEN
@ 2019-12-04  0:35     ` Reuben Martin
  0 siblings, 0 replies; 4+ messages in thread
From: Reuben Martin @ 2019-12-04  0:35 UTC (permalink / raw)
  To: chriztoffer; +Cc: WireGuard mailing list

You can use fwknop to automate this type of sysadmin-level change in a
secure manner.

-Reuben

On Tue, Dec 3, 2019, 3:09 PM CHRIZTOFFER HANSEN <chriztoffer@netravnen.de>
wrote:

>
> Jason A. Donenfeld wrote on 27/11/2019 13:29:
> > On Wed, Nov 27, 2019 at 10:07 AM Chris Bennett <chris@ceegeebee.com>
> wrote:
> >> However I've found the logged in user needs local Administrator access
> to activate and de-activate a tunnel.  Is there any way around this?  Is it
> in the roadmap to remove this requirement?
> >
> > No intention of reducing the security of the system, no. WireGuard
> > requires administrator access because redirecting an entire machine's
> > network traffic is certainly an administrator's task.
>
> What if this functionality is coded as opt-in, for e.g. a org/corp
> sysadmin to enable for the users, and *not* opt-out?
>
> The default knob will still be secure, and the sysadmin has the
> conscious possibility to put power in the hand of the users. And it will
> be the sysadm's choice. Not the team behind pushing the development of
> WireGuard forward, taking a choice on behalf of the consumer/user base.
>
> Chriztoffer
>
