Setting up the WireGuard Client for non-administrative accounts

To make the WireGuard Windows app usable by non-admin users, you need to make your user(s) a member of the “Network Configuration Operators” group.

This allows you to enable/disable the VPN (or choose one, if you have multiple) without needing to be a member of the Administrators group. You also need to add a value to the registry.

Here's the PowerShell code to do that (run PowerShell as administrator):

New-ItemProperty "hklm:\software\wireguard" -Name "LimitedOperatorUI" -Value 1 -PropertyType "DWord" -Force

Or you can do it from the command prompt:

reg add HKLM\Software\WireGuard /v LimitedOperatorUI /t REG_DWORD /d 1 /f

When this key is set to DWORD(1), the UI will be launched on desktops of users belonging to the Network Configuration Operators builtin group (S-1-5-32-556), with the following limitations for members of that group:

  • Configurations are stripped of all public, private, and pre-shared keys;
  • No version update popup notifications are shown, and updates are not permitted, though a tab still indicates the availability;
  • Adding, removing, editing, importing, or exporting configurations is forbidden; and
  • Quitting the manager is forbidden.

Add the user to the group (replace “$username” with the real username).
Here's the PowerShell code to do that (run PowerShell as administrator):

Add-LocalGroupMember -Group "Network Configuration Operators" -Member "$username"

HKLM\Software\WireGuard\DangerousScriptExecution

When this key is set to DWORD(1), the tunnel service will execute the commands specified in the PreUp, PostUp, PreDown, and PostDown options of a tunnel configuration. Note that this execution is done as the Local System user, which runs with the highest permissions on the operating system, and is therefore a real target of malware. Therefore, you should enable this option only with the utmost trepidation. Rather than use %i, WireGuard for Windows instead sets the environment variable WIREGUARD_TUNNEL_NAME to the name of the tunnel when executing these scripts.

reg add HKLM\Software\WireGuard /v DangerousScriptExecution /t REG_DWORD /d 1 /f

https://git.zx2c4.com/wireguard-windows/about/docs/adminregistry.md
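
A read-only check that ties the settings above together, as an added example (not part of the original page or of the WireGuard project): it reports both registry values and the members of the Network Configuration Operators group, and flags DangerousScriptExecution being enabled. The function name Get-WireGuardOperatorAudit and its helper Read-Knob are hypothetical.

```powershell
# Added example: read-only audit of the WireGuard admin registry values and the
# Network Configuration Operators group. Function names are hypothetical.
function Get-WireGuardOperatorAudit {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKLM:\Software\WireGuard'
    )

    # Returns the DWORD value, or $null when the key or the value is absent.
    function Read-Knob([string]$Name) {
        if (-not (Test-Path -Path $KeyPath)) { return $null }
        $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return $item.$Name
    }

    $limited   = Read-Knob 'LimitedOperatorUI'
    $dangerous = Read-Knob 'DangerousScriptExecution'

    # Look the group up by its well-known SID so the check also works on
    # localized Windows installs where the group name is translated.
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-556' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)

    $findings = @()
    if ($limited -ne 1 -and $members.Count -gt 0) {
        $findings += 'Group has members but LimitedOperatorUI is not 1: the limited UI is not enabled for them.'
    }
    if ($limited -eq 1 -and $members.Count -eq 0) {
        $findings += 'LimitedOperatorUI is 1 but the group has no members.'
    }
    if ($dangerous -eq 1) {
        $findings += 'DangerousScriptExecution is 1: PreUp/PostUp/PreDown/PostDown commands run as Local System.'
    }

    [pscustomobject]@{
        LimitedOperatorUI        = $limited
        DangerousScriptExecution = $dangerous
        OperatorMembers          = $members
        Findings                 = $findings
    }
}

Get-WireGuardOperatorAudit | Format-List
```

An empty Findings list with LimitedOperatorUI = 1 and DangerousScriptExecution unset is the state this page's first procedure is aiming for.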

networking/misc/wireguard_01.txt · Last modified: 2025/03/17 16:37 by sysadmin