Issues running wireguard on windows 10 as NON-administrator - "UI is only accessible from desktops of the Builtin Administrators"

Solution 1

At present what you ask is not possible, on Windows.

Unlike other VPN tools and technologies, the Wireguard client creates a tunnel interface (showing up as a network adapter) for each connection you have configured when you try to connect, aka "on the fly". When you terminate the connection the client deletes the tunnel interface entirely. It does this outside the official VPN plumbing of Windows. That design has the severe limitation that you need to be an administrator of the machine so the software can create the interface.

I use Wireguard on Windows, Mac, and Linux. Windows is the only platform I have this issue with. Additionally, I only use the official client (version 0.38 at the time of this writing) from Wireguard. I do not know if there are others.

Solution 2

As previous solutions and comments have pointed out, activating a wireguard (WG) tunnel is not possible - the action requires privilege elevation of some kind.

The solutions mentioned so far have some downsides, at least in my use case. For completeness I'll list all solutions mentioned and add mine.

  1. Normal WG installation, switch to administrator user to activate Wireguard, then switch back.

    • Pro: admin user has access to all features of WG GUI
    • Con: it takes time & clicks to switch users
  2. Normal WG installation, add HKLM\Software\WireGuard\LimitedOperatorUI registry key and add user to Network Configuration Operators group

    see WG registry keys documentation

    • Pro: WG GUI accessible
    • Con: messing with registry, GUI functionality severely limited, messes with privilege elevation prompt

    The last point needs clarification: when working as a regular unprivileged user, Windows asks for privilege elevation for many reasons, and one needs to type the/an admin password regularly. This is pretty straightforward, because an admin account is selected by default and one can enter the password quickly. Being part of the NCO group, however, makes the user a kind of admin in the eyes of the OS, so each elevation prompt will offer the current NCO user by default - now in order to enter the password of a real admin, it's necessary to first select another user. This quickly becomes annoying after the first few times one needs privilege elevation.

  3. Enterprise WG install without launching admin GUI, starting / stopping WG tunnel from shortcut run as administrator

    • Pro: no GUI, no WG background service, user really stays regular
    • Con: no GUI

    See Enterprise Usage documentation.

    In brief:

    1. download WG MSI installer (instead of .exe)
    2. in admin command prompt, run msiexec /i <installer filename>.msi DO_NOT_LAUNCH=1
    3. create Desktop shortcuts for WG:
      • start with command wireguard /installtunnelservice <path to conf>.conf
      • stop with command wireguard /uninstalltunnelservice <tunnel name>
      • tick run as Administrator for both shortcuts

    Tunnel status can be checked with wg.exe

Solution 3

Wireguard 3.1+ now supports non-admins running wireguard, but you'll need to do some minor modifications:

https://lore.kernel.org/wireguard/[email protected]/T/#u

  • Install wireguard 3.1+
  • Add your user to the "Network Operators Group". Open up Explorer as admin, right-click "My Computer" > "Manage" > "Users/Groups" > Network Operators Group
  • Add an entry to the registry. Windows Key + R > regedit > create the key HKLM\SOFTWARE\WireGuard, then create a DWORD at HKLM\SOFTWARE\WireGuard\LimitedOperatorUI and set it to 1
  • Log out and log back in.
  • Run wireguard
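
The registry and group steps from Solution 3, written as a script for an elevated PowerShell session, with a read-back of who ends up in the group. This is an added example, not part of the original answers; it assumes a local account name passed as -UserName and addresses the Network Configuration Operators group by its well-known SID S-1-5-32-556 rather than its localized display name.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original answers): Solution 3 as a script.
param(
    [Parameter(Mandatory)]
    [string] $UserName    # assumption: name of a local, non-admin account
)

$ErrorActionPreference = 'Stop'

$keyPath   = 'HKLM:\SOFTWARE\WireGuard'
$valueName = 'LimitedOperatorUI'
# Well-known SID of BUILTIN\Network Configuration Operators; the display
# name is localized, the SID is not.
$ncoSid    = 'S-1-5-32-556'

# Step 1: create the key if it is missing, then set LimitedOperatorUI (DWORD) to 1.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath | Out-Null
}
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

# Step 2: add the account to the group unless it is already a member.
# SIDs are compared as strings so a renamed account is still recognised.
$user    = Get-LocalUser -Name $UserName
$members = @(Get-LocalGroupMember -SID $ncoSid)
if ($members.SID.Value -notcontains $user.SID.Value) {
    Add-LocalGroupMember -SID $ncoSid -Member $user
}

# Step 3: read both settings back so the result can be reviewed.
# Every account listed here can change adapter, gateway and DNS settings,
# so the list should contain only the accounts you intended.
$flag = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
[pscustomobject]@{
    LimitedOperatorUI = $flag
    GroupSid          = $ncoSid
    GroupMembers      = @(Get-LocalGroupMember -SID $ncoSid).Name -join ', '
} | Format-List

# Group membership is evaluated at logon: the user must log out and back in
# before starting WireGuard.
```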

Author by

Patoshi パトシ

Updated on September 18, 2022

Comments

  • Patoshi パトシ over 1 year

    I get the following error when running as a non-admin:

    WireGuard is running, but the UI is only accessible from desktops of the Builtin Administrators

    How do I enable wireguard for win10 to work with just a regular user?

  • SPRBRN about 3 years
    I tried this, have WG running in an Admin account, but don't see the path HKLM in Regedit. I do see HKEY_LOCAL_MACHINE.
  • Kruug over 2 years
    @SPRBRN HKLM is shorthand for HKEY_LOCAL_MACHINE. HKCU is HKEY_CURRENT_USER, etc.
  • Community over 2 years
    As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.
  • patrick fogarty about 2 years
    I believe this was a caution. Wireguard and the required group can change things (e.g. NICs, default gateway, DNS, etc) end users should not. This entire thread exists because the author of Wireguard never intended it to be used by anyone other than admins. The restriction was by design. While this comment did not directly answer the question, it is a worthy caution. Research what the Network Configuration Operators group is capable of.