
I have multiple computers (Win10 Pro) placed at different remote locations (my partners') that I need to manage. I need to access them from a central location. So I have a central VPN server, and I want multiple Win10 Pro instances to connect to it. I'm using L2TP, but I would like to migrate to WireGuard. With L2TP, it is possible to start rasdial.exe in the background from the Task Scheduler. The main goal is to start the tunnel as soon as the computer starts up, and to automatically reconnect if the tunnel goes down. I need this BEFORE any user logs into the computer (i.e. in the background). I wonder if the same can be done with WireGuard?

I noticed that there is a program called C:\Program Files\Wireguard\wg.exe and its command line options are very similar to the wg (linux) program:

C:\Program Files\WireGuard>wg.exe --help
Usage: wg.exe <cmd> [<args>]

Available subcommands:
  show: Shows the current configuration and device information
  showconf: Shows the current configuration of a given WireGuard interface, for use with `setconf'
  set: Change the current configuration, add peers, remove peers, or change peers
  setconf: Applies a configuration file to a WireGuard interface
  addconf: Appends a configuration file to a WireGuard interface
  syncconf: Synchronizes a configuration file to a WireGuard interface
  genkey: Generates a new private key and writes it to stdout
  genpsk: Generates a new preshared key and writes it to stdout
  pubkey: Reads a private key from stdin and writes a public key to stdout
You may pass `--help' to any of these subcommands to view usage.

But I think it is for configuration only. I think it cannot be used to activate a tunnel. The original documentation ( https://www.wireguard.com/quickstart/#command-line-interface ) explains that "the interface can ... be activated with ifconfig(8) or ip-link(8)", but of course that works for Unix only. In that documentation there is another note, "Non-Linux users will instead write wireguard-go wg0", but I'm not sure what they mean here. There is no program named "wireguard-go" anywhere.

The network adapter for the tunnel only shows up in the network adapter list when the tunnel is already active. I.e. there is no network adapter that I could "enable" or "activate" when the tunnel is down.

Finally, there is wireguard.exe. When started without parameters, it is a GUI application. It cannot be run without a logged-in user and a desktop, and it does not activate any tunnel automatically. It has some interesting command line options. "wireguard.exe /managerservice" is used to start it as a Windows service. "wireguard.exe /tunnelservice CONFIG_PATH" looks promising, but I was not able to start that. I get an error that "the process could not connect to the service manager" or something similar. (I also get this error when I start it as administrator.)

I'm out of ideas. How should I do this?

  • You have, in my mind, 2 options: either use nssm as third-party software, or use the wg client, which could be run via a wg file from autostart or, basically (even untested), via the scheduler.
    – djdomi
    Commented Mar 12, 2022 at 15:30
  • Use nssm how? What should it start?
    – nagylzs
    Commented Mar 12, 2022 at 15:41
  • With the Non-Sucking Service Manager you can install the service as you need.
    – djdomi
    Commented Mar 12, 2022 at 15:42
  • I know what nssm is. But you need to give it a command to start. What should the command be?
    – nagylzs
    Commented Mar 12, 2022 at 15:43
  • "C:\Program Files\WireGuard\wireguard.exe" /installtunnelservice "C:\Program Files\WireGuard\Data\Configurations\NAME_OF_CONNECTION.conf.dpapi" is a common way. Remember that wg and wireguard are not the same.
    – djdomi
    Commented Mar 12, 2022 at 15:58

5 Answers

5

I found instructions for this at https://r-pufky.github.io/docs/services/wireguard/windows-setup.html

# Install the tunnel service; the service is named WireGuardTunnel$<basename of the .conf>
Start-Process 'C:\Program Files\WireGuard\wireguard.exe' -ArgumentList '/installtunnelservice', 'my-tunnel.conf' -Wait -NoNewWindow -PassThru | Out-Null
# sc.exe takes "start=" and the value as two separate tokens
Start-Process sc.exe -ArgumentList 'config', 'WireGuardTunnel$my-tunnel', 'start=', 'delayed-auto' -Wait -NoNewWindow -PassThru | Out-Null
# Single quotes: unquoted, PowerShell would expand "$my" as a variable and mangle the name
Start-Service -Name 'WireGuardTunnel$my-tunnel' -ErrorAction SilentlyContinue
6

All other solutions to this problem are not ideal. The methods I've seen are:

  1. Just running as an admin

  2. Adding the user account to the Network Configuration Operators

    • Pros: Wireguard gui, works smoothly
    • Cons: Your regular user gets added to an admin group and will appear in UAC prompts. This is very annoying.
  3. Running the WireGuard tunnel as a windows service (as suggested in this answer)

    • Pros: Works perfectly
    • Cons: No gui, needs an elevated console.

Solution:

  1. Install the latest MSI: https://download.wireguard.com/windows-client/

  2. Then run this command in elevated console with your .conf file:

    wireguard /installtunnelservice C:\path\to\some\myconfname.conf

This creates a service called WireGuardTunnel$myconfname, which can be controlled using standard Windows service management utilities, such as services.msc or sc. (quoted from the WireGuard documentation)

  3. Control the service with "ServiceTray": https://www.coretechnologies.com/products/ServiceTray/

    (This gives you a nice icon in the system tray that shows the up status of the WireGuard tunnel service. Green = connected, red = not connected, and you can start and stop it by right-clicking. See image below.)

    Note: When creating the service controller, save the shortcut to the desktop, not to startup (that doesn't seem to work; you can copy it to startup later).

  4. (optional) Change the service's startup type to manual if you don't want to be connected to the tunnel on startup.

An example of what this looks like on Win 10. Hovering the icon shows the name of the tunnel.

2

I found maybe easier option by: https://git.zx2c4.com/wireguard-windows/about/docs/enterprise.md

wireguard /installtunnelservice C:\path\to\some\myconfname.conf

1

I liked bn-l's answer, but starting or stopping the connection still requires an admin override. I decided to take it a step further. I wrote a PowerShell script that creates a file in my temp directory if it doesn't exist, or deletes it if it already exists. This runs without any need for additional privileges.

Then I wrote another script that starts or stops the service based on the presence or absence of that file on a one second loop. I run it as a scheduled task running as SYSTEM and triggered by system start up.

Now I use that script as a button that starts and stops the service but I don't need any admin logins or overrides, just toggle the VPN on or off. The system tray icon very conveniently shows a red or green indicator.

One more thing worth noting is that I used the config file that was created by the admin GUI. On my system, that's at "C:\Program Files\WireGuard\Data\Configurations\[name of connection].conf.dpapi".
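The answer describes its two scripts but does not post them. Below is my own reconstruction of that design as an added example (not the answer's code): one file that acts as the unprivileged toggle, as the SYSTEM-side watcher, or as the one-time task registration depending on the switch it is given. Flag path, tunnel name and script location are assumed placeholders. The security-relevant point of this design is that the SYSTEM task consults only the existence of a fixed path and never reads or executes its contents, so a hostile local user who can write that path can at most start or stop this one service; the script itself should live somewhere only administrators can write, otherwise whoever edits it runs code as SYSTEM at boot.

```powershell
# Added example, not the answer's own scripts. Reconstructs the design the
# answer describes: an unprivileged toggle that creates/deletes a flag file,
# and a SYSTEM scheduled task that starts/stops the tunnel service to match.
# Assumed placeholders: flag path, tunnel name, script location.
param(
    [switch]$Watch,     # run the SYSTEM-side loop (used by the scheduled task)
    [switch]$Register   # one-time, elevated: create the scheduled task
)
$FlagPath    = 'C:\Users\Public\wg-toggle\vpn-on'     # assumed; must be writable by the user
$ServiceName = 'WireGuardTunnel$my-tunnel'            # assumed tunnel name
$ScriptPath  = 'C:\ProgramData\wg-toggle\watch.ps1'   # assumed; keep it admin-writable only

# Runs as the ordinary user: flip the flag. Needs no privileges.
function Toggle-VpnFlag {
    param([string]$Path = $FlagPath)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    if (Test-Path -LiteralPath $Path) { Remove-Item -LiteralPath $Path }
    else { New-Item -ItemType File -Path $Path | Out-Null }
}

# Runs as SYSTEM: only the *existence* of the fixed path is consulted; its
# contents are never read or executed, so a hostile local user can at most
# start or stop this one service, never run code as SYSTEM.
function Watch-VpnFlag {
    param([string]$Path = $FlagPath, [string]$Service = $ServiceName)
    while ($true) {
        $want = Test-Path -LiteralPath $Path -PathType Leaf
        $svc  = Get-Service -Name $Service -ErrorAction SilentlyContinue
        if ($null -ne $svc) {
            if ($want -and $svc.Status -ne 'Running') { Start-Service -Name $Service }
            elseif (-not $want -and $svc.Status -eq 'Running') { Stop-Service -Name $Service }
        }
        Start-Sleep -Seconds 1
    }
}

# One-time registration (run elevated): SYSTEM, at startup, no logon needed,
# no execution time limit, restarted by the scheduler if it exits.
function Register-VpnWatcher {
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -Watch"
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Seconds 0) `
                   -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1)
    Register-ScheduledTask -TaskName 'WireGuard-Toggle-Watcher' -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
}

if ($Register)  { Register-VpnWatcher }
elseif ($Watch) { Watch-VpnFlag }
else            { Toggle-VpnFlag }
```

Usage: copy the file to the assumed admin-only location, run it once elevated with -Register, then point a desktop shortcut at the script with no switch for the toggle. Note that SYSTEM's %TEMP% is not the user's, which is why the flag path is a fixed absolute path shared by both sides rather than $env:TEMP.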

1

On Windows, you can have Wireguard configure itself to automatically install a Windows Service, and to provide an icon to the Notification Area showing the status of the service and the ability to connect and disconnect to any configured Wireguard peer.

I have installed the x64 version of Wireguard in the default location, so running this command sets up an auto-start service, along with the manager service:

wireguard /installtunnelservice "C:\Program Files\WireGuard\Data\Configurations\My-Wireguard.conf.dpapi"

