Hi, thanks for stepping in. While I like your suggested "always-on" solution for fixed desktop PCs I don't like the "work-around" for client laptops. A Task Scheduler which is trying every 3 minute to set a wiregurad tunnel when you are sitting in a train using a mobile connecting is nothing I'd like to see. I think there are also other scenarios where you just want to "click Connect button" on demand. E.g. when your company has multiple locations and you don't want (or cannot) use multiple VPN connections a the same time you will always have the "somewhat broken" network drives in the windows explorer too, since they weren't disconnected within a PreDown script.
Another problem (which I skipped so far) is related in point 4. of your suggestion and as I see this a also discussed within another thread here on the mailinglist. While a simple network drive can of cause be setp to a fixed IP adress to drive z: using fixed adresse is IMHO not a good solution. Like Yves Goergen pointed out in the thread "Add local DNS forwarder to Windows client" I'd like an option to add the remote DNS server to the serach list so that that I don't have to keep IP adresses in mind. But I think this discussion should be shifted to the other thread. Kind regards Stefan Am 11.11.2020 um 06:45 schrieb Simon Rozman: > Hi! > > WireGuard for Windows and OpenVPN are fundamentally different. Consider > WireGuard on Windows as an "always-on" VPN. Once configured by admin, it is > just always there, and users don't need to explicitly connect or disconnect. > Trust me, this is something your users will grow to love - no searching for a > GUI to click Connect button when all you want is to quickly view a business > document on Z:. > > Think differently. > > These are my recommendations for your use-case: > > 1. Configure the WireGuard tunnel at the company endpoint. Use specific port > rather than random. > > 2. Configure WireGuard tunnel on client computers and leave it active at all > times. > > 3. Instruct users to connect \\10.0.0.1\data as the network drive Z: and > choose Reconnect on logon to make it persistent. (I am pushing a logon-script > to do it in my deployment.) Why users? Because, seldomly users disconnect the > network drive by accident, and it pays off they know how to reconnect it. > > 4. Don't add DNS line to the WireGuard tunnel config. Otherwise, WireGuard > blocks all other DNS servers and users will not be able to access their home > LAN by hostnames. > > 5. On client laptops that roam in and out of the network where your company > endpoint resides, the tunnel company endpoint will auto-switch from public IP > to local IP. Then you put your laptop to sleep and go home. When resuming at > home, the WireGuard tunnel will still try to contact the company endpoint by > local IP and the tunnel traffic will stall. > > To mitigate this, I make a task in Task Scheduler to run "wg.exe set <your > tunnel name> peer <company endpoint pubkey> endpoint <company endpoint public > IP>:<company endpoint port>" command every 3 minutes. > > This resets the tunnel endpoint to its public IP. The tunnel traffic is > restored after leaving company network in no later than 3 minutes. The client > endpoint roaming is handled by WireGuard. > > As this scheduled task is the same for all clients, once configured and > tested, it can be exported and imported on other computers (I deploy it using > Group Policy). > > > And that's about it. Your users will always have their Z: drive there. No > need for PostUp/PreDown. > > Best regards, > Simon
