14

I get the following error when running as a non-admin:

WireGuard is running, but the UI is only accessible from desktops of the Builtin Administrators

How do I enable wireguard for win10 to work with just a regular user?

2
  • 2
    If you place the user in the Administrator user group, do you receive this message? I suspect the UI is only designed to be accessible by Administrators. Since the software is open source, this behavior can of course be changed. The message itself is poorly worded; the built-in Administrator only has a single desktop, so I suspect the message is actually indicating the UI can only be accessed by Administrator and is inaccessible by normal users. Please edit your question with the appropriate amount of information required to properly answer your question.
    – Ramhound
    Commented Oct 3, 2019 at 17:06
  • If you don't have to modify Wireguard settings on a regular basis, simply log into an account that has administrator access, start Wireguard UI, adjust settings, then sign out (or better restart the computer just to be sure), sign in under a regular user account and check whether Wireguard settings are still in effect, e.g. by checking network connection that was created with Wireguard.
    – izogfif
    Commented Nov 26, 2020 at 8:59

8 Answers

4

At present what you ask is not possible, on Windows.

Unlike other VPN tools and technologies, the Wireguard client creates a tunnel interface (showing up as a network adapter) for each connection you have configured when you try to connect, aka "on the fly". When you terminate the connection the client deletes the tunnel interface entirely. It does this outside the official VPN plumbing of Windows. That design has the severe limitation that you need to be an administrator of the machine so the software can create the interface.

I use Wireguard on Windows, Mac, and Linux. Windows is the only platform I have this issue with. Additionally, I only use the official client (version 0.38 at the time of this writing) from Wireguard. I do not know if there are others.

11

As previous solutions and comments have pointed out, activating a wireguard (WG) tunnel is not possible - the action requires privilege elevation of some kind.

The solutions mentioned so far have some downsides, at least in my use case. For completeness I'll list all solutions mentioned and add mine.

  1. Normal WG installation, switch to administrator user to activate Wireguard, then switch back.

    • Pro: admin user has access to all features of WG GUI
    • Con: it takes time & clicks to switch users
  2. Normal WG installation, add HKLM\Software\WireGuard\LimitedOperatorUI registry key and add user to Network Configuration Operators group

    see WG registry keys documentation

    • Pro: WG GUI accessible
    • Con: messing with registry, GUI functionality severely limited, messes with privilege elevation prompt

    The last point needs clarification: when working as a regular unprivileged user, Windows asks for privilege elevation for many reasons, and one needs to type the/an admin password regularly. This is pretty straightforward, because an admin account is selected by default and one can enter the password quickly. Being part of the NCO group, however, makes the user a kind of admin in the eyes of the OS, so each elevation prompt will offer the current NCO user by default - now in order to enter the password of a real admin, it's necessary to first select another user. This quickly becomes annoying after the first few times one needs privilege elevation.

  3. Enterprise WG install without launching admin GUI, starting / stopping WG tunnel from shortcut run as administrator

    • Pro: no GUI, no WG background service, user really stays regular
    • Con: no GUI

    See Enterprise Usage documentation.

    In brief:

    1. download WG MSI installer (instead of .exe)
    2. in admin command prompt, run msiexec /i <installer filename>.msi DO_NOT_LAUNCH=1
    3. create Desktop shortcuts for WG:
      • start with command wireguard /installtunnelservice <path to conf>.conf
      • stop with command wireguard /uninstalltunnelservice <tunnel name>
      • tick run as Administrator for both shortcuts

    Tunnel status can be checked with wg.exe

1
  • You need to define the tunnel name when you want to stop the connection in Option 3 (Enterprise): wireguard /uninstalltunnelservice TUNNEL_NAME. And if the system cannot find the wireguard (it is not in the PATH), you have to use the full path for it, usually "c:\Program Files\WireGuard\wireguard.exe"
    – Speederer
    Commented Oct 6, 2023 at 11:41
8

Wireguard 3.1+ now supports non-admins running wireguard, but you'll need to do some minor modifications:

https://lore.kernel.org/wireguard/[email protected]/T/#u

  • Install wireguard 3.1+
  • Add your user to the "Network Configuration Operators". Open up explorer as admin right click "My Computer" > "Manage" > "Users/Groups" > Network Configuration Operators
  • Add an entry to the registry. Windows Key + R > regedit > create the key HKLM\SOFTWARE\WireGuard, then create a DWORD at HKLM\SOFTWARE\WireGuard\LimitedOperatorUI and set it to 1
  • Logout and log back in.
  • Run wireguard


2
  • 1
    I tried this, have WG running in an Admin account, but don't see the path HKLM in Regedit. I do see HKEY_LOCAL_MACHINE.
    – SPRBRN
    Commented Mar 26, 2021 at 16:59
  • 3
    @SPRBRN HKLM is shorthand for HKEY_LOCAL_MACHINE. HKCU is HKEY_CURRENT_USER, etc.
    – Kruug
    Commented Aug 13, 2021 at 14:43
3

You can't open the UI as a regular user. However, there is a way to enable Wireguard to work with a regular user in Windows 10, giving the user the ability to freely start and stop the Wireguard tunnel.

Since Wireguard runs as a service in Windows, you can change the permissions for that service, without having to give the user more privilege than it needs to have.

  1. Configure the Wireguard tunnel on the machine using an admin account and the GUI then start the tunnel

  2. Open a command prompt and change the permissions for the service

    sc.exe sdset WireGuardTunnel$NameOfTheTunnel "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;WD)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

  3. You can then start and stop the tunnel using those commands. Don't use the GUI to start/stop at this point

    sc stop WireGuardTunnel$NameOfTheTunnel

    sc start WireGuardTunnel$NameOfTheTunnel

  4. Create a batch file, one for each command, like WireguardON.bat and WireguardOFF.bat, and put them somewhere the client can access (on its desktop or something)

  5. Logout and log back in with the user account. It should be able to start and stop the service, even after a reboot.

1
  • As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Jun 23, 2022 at 18:15
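
An added example (not part of the answer above and not WireGuard's own tooling): a small Python decoder for the security descriptor passed to `sc.exe sdset` in that answer, showing which trustees receive start/stop rights. The function names and the `BROAD`, `CONTROL` and `TAKEOVER` groupings are choices made for this example.

```python
import re

# SDDL argument of the sc.exe sdset command in the answer above, verbatim.
PAGE_SDDL = ("D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWRPWPDTLOCRRC;;;WD)(A;;CCLCSWLOCRRC;;;IU)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Two-letter SDDL right codes, read as service access rights.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# SID aliases; "WD" in the trustee field means Everyone, not WRITE_DAC.
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators",
            "WD": "Everyone", "IU": "Interactive Users",
            "AU": "Authenticated Users"}
BROAD = {"WD", "AU", "IU"}                     # aliases covering ordinary users
CONTROL = {"START", "STOP", "PAUSE_CONTINUE"}
TAKEOVER = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}

def parse_dacl(sddl):
    """Return [(ace_type, trustee, rights)] for the D: section (S: is skipped)."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: {body}")
        ace_type, _flags, rights, _obj, _inherit, sid = fields
        codes = re.findall("..", rights)       # hex masks (0x...) are rejected
        if len(rights) % 2 or any(c not in SERVICE_RIGHTS for c in codes):
            raise ValueError(f"unrecognised rights in ACE: {rights}")
        aces.append((ace_type, sid, {SERVICE_RIGHTS[c] for c in codes}))
    return aces

def audit(sddl):
    """Map each broad trustee with an allow ACE to its control/takeover rights."""
    findings = {}
    for ace_type, sid, rights in parse_dacl(sddl):
        if ace_type == "A" and sid in BROAD:
            findings[TRUSTEES[sid]] = {"control": sorted(rights & CONTROL),
                                       "takeover": sorted(rights & TAKEOVER)}
    return findings
```

For the descriptor above, `audit(PAGE_SDDL)` reports that `WD` (Everyone) is allowed START, STOP and PAUSE_CONTINUE but none of the configuration or ownership rights, so the grant is not limited to one account; an ACE naming the intended user's SID in place of `WD` narrows it.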
2

All other solutions to this problem are not ideal. The methods I've seen are:

  1. Just running as an admin

  2. Adding the user account to the Network Configuration Operators

    • Pros: Wireguard gui, works smoothly
    • Cons: Your regular user gets added to an admin group and will appear in UAC prompts. This is very annoying and probably bad security.
  3. Running the WireGuard tunnel as a windows service (as suggested in this answer)

    • Pros: Works perfectly
    • Cons: No gui, needs an elevated console.
  4. Using Task Scheduler as in this answer (didn't work for me at all).

Solution:

  1. Install the latest MSI: https://download.wireguard.com/windows-client/

  2. Then run this command in elevated console with your .conf file:

    wireguard /installtunnelservice C:\path\to\some\myconfname.conf

This creates a service called WireGuardTunnel$myconfname, which can be controlled using standard Windows service management utilities, such as services.msc or sc. — source

  1. Control the service with "ServiceTray": https://www.coretechnologies.com/products/ServiceTray/

    (This gives you a nice icon on the system tray that shows the up status of the WireGuard tunnel service. Green = connected, red = not connected, and you can start and stop it by right clicking. See image below)

    Note: When creating the service controller, save the shortcut to desktop not startup (doesn't seem to work and you can copy to startup later)

  2. (optional) Change the service's startup type to manual if you don't want to be connected to the tunnel on startup.

An example of what this looks like on Win 10. Hovering the icon shows the name of the tunnel.

0
0

If you add it to the Network Operators Group, the User will be able to change IP address, change adapter and modify network settings which might end up compromising on the network. If there is any other possibility, please post.

2
  • As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Nov 14, 2021 at 11:53
  • 1
    I believe this was a caution. Wireguard and the required group can change things (e.g. NICs, default gateway, DNS, etc) end users should not. This entire thread exists because the author of Wireguard never intended it to be used by anyone other than admins. The restriction was by design. While this comment did not directly answer the question, it is a worthy caution. Research what the Network Configuration Operators group is capable of.
    Commented Mar 25, 2022 at 19:29
0

I know this thread is old, but in case others are looking for an answer: I found this site via Google while searching for a solution, but in the end I found my own solution.

  1. Install Wireguard as admin and import the conf.
  2. Create a new task via task scheduler
  3. In General -> security options execute independently of the user login and with highest privileges
  4. In Trigger, start task, choose on login
  5. in Actions, start program (path to wireguard.exe)
0

Easy PowerShell one-liner that switches the tunnel state if the configuration is named "wireguard"

if (wg) {wireguard /uninstalltunnelservice wireguard} else {wireguard /installtunnelservice "C:\Program Files\WireGuard\Data\Configurations\wireguard.conf.dpapi"}

Based on answer uEv340yQ3gU1. Thanks to him.

Theoretically you can add it in Windows scheduler as a task executed by SYSTEM and give a non-admin user permission to trigger it (not tested).
