WireGuard for Windows 0.3.1 is the release you’ve been waiting for

Jim Salter

Last Monday, WireGuard founder and lead developer Jason Donenfeld announced a new WireGuard release for the Windows platform. The release is a godsend for administrators who want to deploy WireGuard as a replacement for more traditional end-user VPNs in a business environment, adding several new features that will make their lives easier – or simply make deployment possible in environments where it otherwise would not be.

If you haven’t heard of WireGuard, it’s a relatively new VPN protocol with advanced cryptography. It was implemented from the start as an exercise in cleanly written, minimalist, maximally secure, and high-performance code – and it succeeded well enough in those goals to earn Linus Torvalds’ own rarely seen stamp of approval.


Those already using WireGuard on Windows will receive a clear in-app notification to download and install the new version, which works great. New users can download WireGuard directly from its website.

The simple “Download Installer” button is intended for Windows end users, and it examines the user’s system to determine which MSI installer to download and run, based on the user’s system architecture. Sysadmin types can also browse the list of MSIs directly for use with automated Active Directory Group Policy deployments.

WireGuard for Windows currently supports x86_64, x86 (32-bit), ARM, and ARM64 architectures.

Improved tunnel management for Windows users

Probably the most sought-after feature in WireGuard’s Windows implementation is the ability for unprivileged users to activate and deactivate WireGuard tunnels through the app’s UI. Until release 0.3.1, WireGuard only allowed members of the Administrators group to open the user interface, let alone do anything in it.

As of version 0.3.1, that limitation has finally been lifted. Non-privileged users can be added to the Windows built-in “Network Configuration Operators” group – and once they are a member of that group, if and only if the required registry key is added and the DWORD value is set, they can manage their own tunnel to the corporate LAN.

One more step is needed to enable the restricted UI: you need to open regedit, create the key HKLM\SOFTWARE\WireGuard, then create a DWORD at HKLM\SOFTWARE\WireGuard\LimitedOperatorUI and set it to 1. (Don’t be confused by the absence of HKLM\SOFTWARE\WireGuard itself – you have to create that too.)

Otherwise-unprivileged users who have been admitted to the WireGuard club can see the available tunnels and start and stop those tunnels. They can’t see the public keys for the tunnels, and more importantly, they can’t add, delete, or edit those tunnels.

Unprivileged users also cannot close the WireGuard application itself – they can close the dialog just fine, but the “Exit WireGuard” item is missing from the context menu in the system tray. This is because closing the WireGuard app from the system tray doesn’t just remove the icon or even disable the WireGuard tunneling services – it actually deletes those services completely. (The services are automatically reinstalled the next time an administrator runs the WireGuard app.)

Also new in WireGuard for Windows 0.3.1, multiple tunnels can be activated simultaneously from the GUI. This feature is also registry-gated for now – to use it you need to create a DWORD at HKLM\Software\WireGuard\MultipleSimultaneousTunnels and set it to 1. Without creating and setting that DWORD, WireGuard for Windows 0.3.1 will continue to behave like previous versions, and activating one tunnel from the GUI will automatically deactivate all others.
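
The group membership and the two registry values described above can be applied and then audited from an elevated PowerShell prompt. This is an added example, not code from the article or from the WireGuard project; the account name `CONTOSO\alice` and the helper `Set-WireGuardFlag` are hypothetical, and the group name is the English one the article gives.

```powershell
#Requires -RunAsAdministrator
param(
    # Accounts allowed to start and stop tunnels (hypothetical sample value).
    [string[]]$Operators = @('CONTOSO\alice'),
    # Opt in to the second registry-gated feature from the article.
    [switch]$AllowMultipleTunnels
)

$KeyPath = 'HKLM:\SOFTWARE\WireGuard'
$Group   = 'Network Configuration Operators'

# The key does not exist after a default install, so create it first.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

function Set-WireGuardFlag {
    param([string]$Name, [int]$Value)
    # -Force creates the DWORD, or overwrites it if it is already there.
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

Set-WireGuardFlag -Name 'LimitedOperatorUI' -Value 1
if ($AllowMultipleTunnels) {
    Set-WireGuardFlag -Name 'MultipleSimultaneousTunnels' -Value 1
}

# Add each account only if it is not already a member, so reruns are safe.
foreach ($account in $Operators) {
    $existing = Get-LocalGroupMember -Group $Group -Member $account `
        -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-LocalGroupMember -Group $Group -Member $account
    }
}

# Audit: show the effective flags and everyone who now holds the group.
# Membership also grants the group's other network-configuration rights,
# so keep this list as short as the deployment allows.
Get-ItemProperty -Path $KeyPath |
    Select-Object LimitedOperatorUI, MultipleSimultaneousTunnels
Get-LocalGroupMember -Group $Group |
    Select-Object Name, ObjectClass, PrincipalSource
```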
