Using WireGuard on Windows with no local administrator rights


I’ve recently been helping a non-profit uplift their security – we’ve put in a UniFi Gateway along with cleaning up their 365 tenancy and endpoint management. As part of this, we’ve implemented a WireGuard VPN back to their NAS, as well as removing local admin rights from end users. Unfortunately, WireGuard by default requires local admin rights to function; however, we can work around this with a few tweaks.

You’ll need to be a local admin to do all this work; afterwards you can lower the user’s permissions to the Network Configuration Operators builtin group (well-known SID S-1-5-32-556). This group membership is required to bring the tunnel up and down. It also grants the user the ability to modify local network settings, and may trigger UAC prompts when accessing other system components (though permissions will not actually be elevated).

 reg add HKLM\Software\WireGuard /v LimitedOperatorUI /t REG_DWORD /d 1 /f

Once that registry value is in place, import the tunnel configuration (still as a local admin), then restart the endpoint. Back at the desktop, lower that user’s permissions to Network Configuration Operators, log off and back on – and WireGuard should be in the tray, with the ability to Activate and Deactivate the tunnel, but not to edit or import any further configurations.
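The steps above, run as a single script from an elevated PowerShell session, as an added example that is not part of the original post. It sets the same LimitedOperatorUI value, resolves the Network Configuration Operators and Administrators groups by their well-known SIDs so it works on localized Windows builds, and moves the named user out of Administrators and into Network Configuration Operators. The $UserName and $TunnelConfig parameters, and the use of wireguard.exe /installtunnelservice as a command-line alternative to importing the tunnel through the UI, are assumptions of this example rather than something the post describes.

```powershell
# Added example, not from the original post. Run from an elevated (local admin) PowerShell session.
# Assumptions: $UserName is the account to restrict; $TunnelConfig (optional) is the path to a
# WireGuard .conf file to install as a tunnel service instead of importing it through the UI.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserName,                 # e.g. 'jdoe' or 'CONTOSO\jdoe' (hypothetical values)

    [string]$TunnelConfig              # e.g. 'C:\ProgramData\wg\office.conf' (hypothetical path)
)

$ErrorActionPreference = 'Stop'

# 1. Allow members of Network Configuration Operators to activate/deactivate tunnels
#    (same registry value as the reg add command in the post).
$regPath = 'HKLM:\SOFTWARE\WireGuard'
if (-not (Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}
New-ItemProperty -Path $regPath -Name 'LimitedOperatorUI' -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Optionally install the tunnel while we still have admin rights. The UI import does the
#    same thing; this just makes the step scriptable.
if ($TunnelConfig) {
    $wg = Join-Path $env:ProgramFiles 'WireGuard\wireguard.exe'   # default install location
    & $wg /installtunnelservice $TunnelConfig
}

# 3. Resolve the builtin groups by well-known SID rather than by (localizable) display name.
$netOpsGroup = Get-LocalGroup -SID 'S-1-5-32-556'   # Network Configuration Operators
$adminsGroup = Get-LocalGroup -SID 'S-1-5-32-544'   # Administrators

# 4. Add the user to Network Configuration Operators (idempotent: skip if already a member).
$alreadyNetOps = Get-LocalGroupMember -Group $netOpsGroup -Member $UserName -ErrorAction SilentlyContinue
if (-not $alreadyNetOps) {
    Add-LocalGroupMember -Group $netOpsGroup -Member $UserName
}

# 5. Remove the user from Administrators, if present. This is the step that actually lowers rights.
$isAdmin = Get-LocalGroupMember -Group $adminsGroup -Member $UserName -ErrorAction SilentlyContinue
if ($isAdmin) {
    Remove-LocalGroupMember -Group $adminsGroup -Member $UserName
}

# 6. Show the resulting state so it can be checked before the reboot / log-off described in the post.
Get-ItemProperty -Path $regPath -Name 'LimitedOperatorUI' | Select-Object LimitedOperatorUI
Write-Host "Members of $($netOpsGroup.Name):"
Get-LocalGroupMember -Group $netOpsGroup | Select-Object Name, PrincipalSource
Write-Host "Members of $($adminsGroup.Name):"
Get-LocalGroupMember -Group $adminsGroup | Select-Object Name, PrincipalSource
Write-Host 'Restart the endpoint, then have the user log off and back on for the change to take effect.'
```

Usage: `.\Restrict-WireGuardUser.ps1 -UserName jdoe -TunnelConfig C:\ProgramData\wg\office.conf` (file name and arguments are placeholders). The group-membership checks are wrapped so the script can be re-run safely, and the groups are looked up by SID because the post itself identifies Network Configuration Operators by S-1-5-32-556.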

While it isn’t completely locked down, I’d rather that than give the end users full local administrator rights. Hope that helps someone.

