* Wireguard for Windows - local administrator necessary?
From: Chris Bennett @ 2019-09-26 2:35 UTC (permalink / raw)
To: wireguard
Hi there,
I've been experimenting with the use of the Windows Wireguard agent for
corporate VPN access. It's been working really well!
However, I've found the logged-in user needs local Administrator access to
activate and deactivate a tunnel. Is there any way around this? Is it on
the roadmap to remove this requirement?
Thanks!
Chris
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
* RE: Wireguard for Windows - local administrator necessary?
From: Simon Rozman @ 2019-11-27 11:27 UTC (permalink / raw)
To: Chris Bennett, wireguard
Hi Chris!
This is WireGuard's design. Reconfiguring the network - which (dis)connecting a VPN is - is an administrative task.
If your organization issues laptops to their employees, the corporate VPN should be up at all times. You don't want them to disconnect from the VPN and use those laptops on compromised networks, do you?
I did have an issue when roaming laptops to and from corporate WiFi, as the endpoint IP changes - restarting the tunnel helped, but adding a scheduled task to reset the endpoint IP every 2 minutes using the wg.exe command line works like a charm here. Is that the reason you would want your users to manipulate WireGuard tunnels?
Best regards,
Simon
From: WireGuard <wireguard-bounces@lists.zx2c4.com> On Behalf Of Chris Bennett
Sent: Thursday, September 26, 2019 4:35 AM
To: wireguard@lists.zx2c4.com
Subject: Wireguard for Windows - local administrator necessary?
Hi there,
I've been experimenting with the use of the Windows Wireguard agent for corporate VPN access. It's been working really well!
However, I've found the logged-in user needs local Administrator access to activate and deactivate a tunnel. Is there any way around this? Is it on the roadmap to remove this requirement?
Thanks!
Chris
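The scheduled-task approach Simon describes, written out as an added example (this is not Simon's task or code from the WireGuard project). It runs wg.exe as SYSTEM from an elevated PowerShell prompt; the tunnel name, peer public key and endpoint hostname are placeholders you must replace with your own values.

```powershell
# Added example (not Simon's task or WireGuard project code): register a scheduled task
# that runs as SYSTEM and re-applies the peer endpoint every 2 minutes via wg.exe.
# Users keep working without admin rights; only the endpoint is refreshed, so the
# tunnel itself still cannot be brought down by them. Run from an elevated prompt.
#
# Placeholders (assumed, not from the thread): tunnel name, peer public key, endpoint.
$Tunnel   = 'corp-vpn'                          # WireGuard tunnel (interface) name
$PeerKey  = '<PEER_PUBLIC_KEY_BASE64>'          # identifies the peer whose endpoint to set
$Endpoint = 'vpn.example.com:51820'             # host:port; wg resolves the hostname on each run
$Wg       = 'C:\Program Files\WireGuard\wg.exe' # default location of the WireGuard CLI
$TaskName = 'WireGuard-Refresh-Endpoint'

# 'wg set' changes a live tunnel in place: traffic keeps flowing and the next handshake
# goes to the freshly resolved address, so the tunnel service is not restarted.
$Action = New-ScheduledTaskAction -Execute $Wg `
    -Argument "set $Tunnel peer $PeerKey endpoint $Endpoint"

# Fire once at registration and repeat every 2 minutes. On current Windows releases,
# omitting -RepetitionDuration means the repetition never expires.
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Minutes 2)

# SYSTEM holds the admin rights wg.exe needs, so the logged-in user does not.
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Hide the task from users, kill a hung run quickly, and catch up after sleep/resume.
$Settings = New-ScheduledTaskSettingsSet -Hidden -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 1) -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Verify: last run time and result code (0 means wg.exe exited successfully).
Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```

Because the task only re-applies the endpoint, an unprivileged user still cannot disable the tunnel or change its peers, which keeps the always-on property Simon relies on.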
* Re: Wireguard for Windows - local administrator necessary?
From: Jason A. Donenfeld @ 2019-11-27 12:29 UTC (permalink / raw)
To: Chris Bennett; +Cc: WireGuard mailing list
On Wed, Nov 27, 2019 at 10:07 AM Chris Bennett <chris@ceegeebee.com> wrote:
> However, I've found the logged-in user needs local Administrator access to activate and deactivate a tunnel. Is there any way around this? Is it on the roadmap to remove this requirement?
No intention of reducing the security of the system, no. WireGuard
requires administrator access because redirecting an entire machine's
network traffic is certainly an administrator's task.
* Re: [wireguard] Wireguard for Windows - local administrator necessary?
From: CHRIZTOFFER HANSEN @ 2019-12-03 21:07 UTC (permalink / raw)
To: Jason; +Cc: wireguard
Jason A. Donenfeld wrote on 27/11/2019 13:29:
> On Wed, Nov 27, 2019 at 10:07 AM Chris Bennett <chris@ceegeebee.com> wrote:
>> However, I've found the logged-in user needs local Administrator access to activate and deactivate a tunnel. Is there any way around this? Is it on the roadmap to remove this requirement?
>
> No intention of reducing the security of the system, no. WireGuard
> requires administrator access because redirecting an entire machine's
> network traffic is certainly an administrator's task.
What if this functionality is coded as opt-in, e.g. for an org/corp
sysadmin to enable for the users, and *not* opt-out?
The default knob will still be secure, and the sysadmin has the
conscious possibility to put power in the hands of the users. And it will
be the sysadmin's choice, not the team pushing the development of
WireGuard forward taking a choice on behalf of the consumer/user base.
Chriztoffer
* Re: [wireguard] Wireguard for Windows - local administrator necessary?
From: Reuben Martin @ 2019-12-04 0:35 UTC (permalink / raw)
To: chriztoffer; +Cc: WireGuard mailing list
You can use fwknop to automate this type of sysadmin-level change in a
secure manner.
-Reuben
On Tue, Dec 3, 2019, 3:09 PM CHRIZTOFFER HANSEN <chriztoffer@netravnen.de>
wrote:
>
> Jason A. Donenfeld wrote on 27/11/2019 13:29:
> > On Wed, Nov 27, 2019 at 10:07 AM Chris Bennett <chris@ceegeebee.com>
> wrote:
> >> However, I've found the logged-in user needs local Administrator access
> >> to activate and deactivate a tunnel. Is there any way around this? Is it
> >> on the roadmap to remove this requirement?
> >
> > No intention of reducing the security of the system, no. WireGuard
> > requires administrator access because redirecting an entire machine's
> > network traffic is certainly an administrator's task.
>
> What if this functionality is coded as opt-in, e.g. for an org/corp
> sysadmin to enable for the users, and *not* opt-out?
>
> The default knob will still be secure, and the sysadmin has the
> conscious possibility to put power in the hands of the users. And it will
> be the sysadmin's choice, not the team pushing the development of
> WireGuard forward taking a choice on behalf of the consumer/user base.
>
> Chriztoffer
* Re: Wireguard for Windows - local administrator necessary?
From: zrm @ 2019-12-12 19:11 UTC (permalink / raw)
To: wireguard
On 11/27/19 06:27, Simon Rozman wrote:
> Hi Chris!
>
> This is WireGuard's design. Reconfiguring the network - which (dis)connecting
> a VPN is - is an administrative task.
>
> If your organization issues laptops to their employees, the corporate
> VPN should be up at all times. You don't want them to disconnect from
> VPN and use those laptops on compromised networks, do you?
>
> I did have an issue when roaming laptops to and from corporate WiFi, as
> the endpoint IP changes - restarting the tunnel helped, but adding a
> scheduled task to reset the endpoint IP every 2 minutes using the wg.exe
> command line works like a charm here. Is that the reason you would want
> your users to manipulate WireGuard tunnels?
>
> Best regards,
>
> Simon
It makes sense that users shouldn't be able to manipulate WireGuard
tunnels by default, but shouldn't it be possible to change the default
through something less drastic than giving the user full administrator
access?
For example, the registry in modern Windows is permissioned with ACLs.
It could be made the case that modifying a WireGuard tunnel on Windows
is done by writing to a particular registry location and then poking the
service to prompt it to look there for new configuration. Then the
administrator could explicitly give a user or group permission to modify
that registry location if they should be able to modify WireGuard
configuration. Or the same thing could also be done with a filesystem
location.
* Re: Wireguard for Windows - local administrator necessary?
From: Jason A. Donenfeld @ 2019-12-12 20:26 UTC (permalink / raw)
To: zrm; +Cc: WireGuard mailing list
On Thu, Dec 12, 2019 at 8:12 PM zrm <zrm@trustiosity.com> wrote:
> It makes sense that users shouldn't be able to manipulate WireGuard
> tunnels by default, but shouldn't it be possible to change the default
> through something less drastic than giving the user full administrator
> access?
I have no desire to add complex ACL schemes inside WireGuard. Catering
to that kind of user demand inevitably results in a security disaster.
Network and firewall config is an administrative task. Be
administrator. If you want to do otherwise, you're free to run your
own service that listens for commands on a named pipe with whatever
ACLs you want. But the development of that kind of ACL'd backdoor is
up to you and your organization.