Hi,
a long time ago (wow 7 years now) OpenVPN was facing the same problem
and I had to come up with a solution at this time which I wrote down here:
https://community.openvpn.net/openvpn/wiki/Nonprivileged
especially the part "New and working solution for Windows 7 (and above)"
- Sorry, the images are gone since Dropbox killed public folders, but I
still have them somewhere lying around.
I used Scheduled Tasks at logon of any user that automatically created
another !privileged! scheduled task for the nonprivileged user and
started OpenVPN.
It was a bit of a hack, but it worked until first SecurePoint, then
Sophos and finally OpenVPN.net came up with a client that communicated
with a service and no longer needed administrative privileges to bring up
a connection.
I think you could reproduce the same with Wireguard using my old scripts
posted above etc.
Not very nice but as always, time will tell.
Regards
Peter
On 13.11.2020 03:16, Jason A. Donenfeld wrote:
Hi Viktor,
I am actually interested in solving this. I took an initial stab at it
here, but I'm not super comfortable with the implementation or the
security implications:
https://git.zx2c4.com/wireguard-windows/commit/?h=jd/unprivd-knob
Aside from doing this from within our existing UI, the general
solution using the service-based building blocks is to simply allow
users to start and stop services that begin with "WireGuardTunnel$".
So the flow is something like:
1. wireguard /installtunnelservice path\to\sometunnel.conf.
2. Change the ACLs on WireGuardTunnel$sometunnel to fit your user.
3. Have the user use `net start` and `net stop`, or similar, to
control whether the service is up or down.
That's not super pretty, but it should work, and it is automatable.
Meanwhile, I'll keep thinking about various ways to do this in a more
"first-party" way.
Jason
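The three steps Jason outlines (install the tunnel service, adjust its ACL, let the user start and stop it) as one elevated PowerShell script. This is an added example written for this thread, not code from the WireGuard project or from either poster. It assumes wireguard.exe is on PATH, that the config file is sometunnel.conf (so the service is WireGuardTunnel$sometunnel), and that the non-admin account is a local user named alice; all three are placeholders.

```powershell
# Grant a single non-admin user start/stop control over one WireGuard tunnel
# service. Run from an elevated prompt. Assumptions (placeholders, not from
# the thread): wireguard.exe is on PATH, config is C:\wg\sometunnel.conf,
# the user is the local account 'alice'.
param(
    [string]$ConfPath = 'C:\wg\sometunnel.conf',
    [string]$User     = 'alice'
)

$ErrorActionPreference = 'Stop'

# WireGuard names the service after the config file: WireGuardTunnel$<name>.
$tunnel  = [IO.Path]::GetFileNameWithoutExtension($ConfPath)
$service = 'WireGuardTunnel$' + $tunnel

# Step 1: wireguard /installtunnelservice path\to\sometunnel.conf
if (-not (Get-Service -Name $service -ErrorAction SilentlyContinue)) {
    & wireguard.exe /installtunnelservice $ConfPath
    if ($LASTEXITCODE -ne 0) { throw "installtunnelservice failed ($LASTEXITCODE)" }
}

# Step 2: add an ACE for the user to the service's DACL via sc.exe sdshow/sdset.
# Service rights in SDDL: CC=query config, LC=query status, SW=enumerate
# dependents, RP=start, WP=stop, LO=interrogate, RC=read security descriptor.
# Deliberately omitted: WD/WO/DC (change config, change owner, delete), so the
# user cannot repoint or remove the service, only bring the tunnel up and down.
$sid = (New-Object System.Security.Principal.NTAccount($User)).
           Translate([System.Security.Principal.SecurityIdentifier]).Value
$ace = "(A;;CCLCSWRPWPLORC;;;$sid)"

# sdshow prints a blank line followed by the SDDL string; keep the SDDL line.
$sddl = (& sc.exe sdshow $service | Where-Object { $_ -match '^D:' }).Trim()
if (-not $sddl) { throw "could not read security descriptor of $service" }

if ($sddl -notlike "*$ace*") {
    # Insert the ACE at the end of the DACL, before any SACL ("S:...") part.
    $parts   = $sddl -split '(?=S:)', 2
    $newSddl = $parts[0] + $ace + $(if ($parts.Count -gt 1) { $parts[1] } else { '' })
    & sc.exe sdset $service $newSddl
    if ($LASTEXITCODE -ne 0) { throw "sdset failed ($LASTEXITCODE)" }
}

# Show the resulting descriptor so the change can be reviewed.
& sc.exe sdshow $service

# Step 3 (run as the user, no elevation needed):
#   net start "WireGuardTunnel$sometunnel"
#   net stop  "WireGuardTunnel$sometunnel"
# or from PowerShell: Start-Service / Stop-Service with the same name.
```

The ACE grants start, stop and status queries only; because SERVICE_CHANGE_CONFIG (WD) is not included, the user cannot change the service binary or its start parameters. The script is idempotent: re-running it neither reinstalls the service nor appends a duplicate ACE.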