Amebis / eduVPN

Windows eduVPN Client
GNU General Public License v3.0

Custom configuration for Windows EduVPN client #227

Closed michal-ruzicka closed 9 months ago

michal-ruzicka commented 9 months ago

For Windows users without an administration-rights-enabled user account on the system, allowing eduVPN to load users' own WireGuard configuration files would be very beneficial. The eduVPN Windows client, in contrast to the original WireGuard Windows client (https://www.wireguard.com/install/), can provide a client GUI for starting and shutting down the WireGuard tunnel without having administration privileges on the system. As the eduVPN client has this implemented, it would be very beneficial to allow users to use the standalone eduVPN Windows client as an alternative to the generic WireGuard client without the need to bind to the eduVPN portal or any other eduVPN server-side infrastructure.

rozmansi commented 9 months ago

You are suggesting eduVPN to provide a portable utility, one could use on any random PC not in your possession to allow you to connect to the Dark internet, aren't you?

All legal and security concerns aside, this is not technically possible. WireGuard tunnels require NT kernel access (hence admin requirement). wireguard-go userspace implementation requires TUN driver, again requiring NT kernel access. OpenVPN needs NT kernel access too...

Nope, you will need to obtain admin privilege to your victim's PC in any way.

michal-ruzicka commented 9 months ago

I am very surprised with your reaction.

First, I would like the eduVPN client to be able to connect and disconnect a WG tunnel without admin rights. It is natural that you need admin rights to install the client itself.

I am really not getting your argument. The original OpenVPN client provides this function: just install a text config into a dedicated directory in the local filesystem and you are able to connect as a user without admin rights. I just want the same for WireGuard, to be able to configure it by text file, not to have to connect and download from an eduVPN portal, as for small/home VPN networks / peer-to-peer tunnels it is unwanted complexity added on top of the whole setup.

Could you please describe in more depth why that could be dangerous? Many thanks!

rozmansi commented 9 months ago

> I am very surprised with your reaction.

Sorry, I admit I was dramatizing. I should have added some ":)" at the end to encourage readers to take my writing as somewhere between a statement and a joke.

Now, let me explain my words in a neutral and respectful voice...

> I am really not getting your argument. The original OpenVPN client provides this function: just install a text config into a dedicated directory in the local filesystem and you are able to connect as a user without admin rights. I just want the same for WireGuard, to be able to configure it by text file, not to have to connect and download from an eduVPN portal, as for small/home VPN networks / peer-to-peer tunnels it is unwanted complexity added on top.

Allowing what you are suggesting opens an attack vector.

When an attacker gains access to a normal user account (malware, trojan), it can scan the per-user OpenVPN dedicated directory you are mentioning and steal its content to gain further access to the VPN networks the user normally connects to.

Second, an attacker could inject its own .ovpn files into the dedicated directory and have OpenVPN connect to its own hacking network at will.

Those are some of the reasons why the original WireGuard protects VPN profile configurations by all means: tightened security on the folder where it keeps .conf files, encryption with DPAPI... Normal users must not even see the VPN configuration, let alone change it or add new ones.

I believe your feature request is not based on any nefarious purposes, but, unfortunately, it may be gravely misused for malicious actions by others.

Last but not least, my usual rant: do not let normal users run any random VPN tunnels on managed PCs. It might work for your mum & dad's computers, but it will eventually turn against you in the corporate/research environment eduVPN is targeting.

michal-ruzicka commented 9 months ago

Ok, many thanks for the elaboration.

However, I asked for the functionality because we ran into trouble using WireGuard on Windows machines in a domain for users without admin rights, as they are not able to start and stop the tunnel set up by the device admin. It is perfectly ok for me that the admin has to install the client and even configure the tunnel; however, we need a specific WG VPN for only a very small subset of all our users and we would like to avoid the need to operate the eduVPN portal infrastructure. It would be way easier for us to install just 5 WG config files for the particular 5 users and install a usable WG client for them on their machines than to operate the full infrastructure. In fact, in this particular case, I consider it a smaller attack surface than unwanted and thus probably less well-maintained server-side infrastructure for an absolute minority of all the users.

And in fact, I am also using WG for access to my home network. Even though I have admin rights on my machine, it would be much better not to have to obtain admin rights to switch the tunnel on and off. (Not to mention that I do not want to give admin rights to my wife on her device while still wanting to allow her to connect to the VPN.) Again, there is no sense in this case in operating the portal for my tiny home network.

In conclusion, I see legitimate use cases for my request. So it would be nice to allow admins of the devices to decide, for example by a configuration option, whether they want to configure locally via a (text) file in small networks or via a server-side portal for large organizations.

efef commented 9 months ago

Maybe preprovisioning of WireGuard would be an option for you. An intern wrote: https://github.com/eduvpn/Research/tree/main/HTTP_provisioning It requires MS Intune to provision the VPN. Currently this functionality is in beta.

I realize this doesn't meet your requirement to "not bind with eduVPN infra", but it might be useful to know about.

rozmansi commented 9 months ago

Maybe:

On client computer, install stock WireGuard.

Run as Admin: wireguard /installtunnelservice C:\path\to\some\myconfname.conf (source: https://github.com/WireGuard/wireguard-windows/blob/master/docs/enterprise.md). You may configure the service for manual start (e.g. sc config WireGuardTunnel@myconfname start= demand; mind the awkward spacing).

Create a scheduled task (e.g. "Activate VPN") with no scheduled trigger to run net start WireGuardTunnel@myconfname. It has to use the SYSTEM account, "Run whether user is logged on or not", "Run with highest privileges". Also, make sure "Allow task to be run on demand" is checked. Once satisfied, you may export the scheduled task to XML to have it imported using schtasks /create /xml ... on other client computers. Also create a similar scheduled task to run net stop WireGuardTunnel@myconfname.

Set permissions to allow normal users to trigger your tasks. This one is tricky. I run the following batch as Administrator to do it:

@echo off
rem Usage (from an elevated prompt): this-script.cmd "Activate VPN"
rem Enables the named task and gives Users / INTERACTIVE read access to its
rem definition, which is what lets a standard user run it on demand without
rem being able to edit it (R only).
set job_name=%~1

schtasks.exe /Change /ENABLE /TN "%job_name%"
rem Legacy task store (.job files):
if exist "%SystemRoot%\Tasks\%job_name%.job"      cacls "%SystemRoot%\Tasks\%job_name%.job"      /g Users:R       /E
if exist "%SystemRoot%\Tasks\%job_name%.job"      cacls "%SystemRoot%\Tasks\%job_name%.job"      /g INTERACTIVE:R /E
rem Task Scheduler 2.0 store (task definitions are XML files without extension):
if exist "%SystemRoot%\system32\Tasks\%job_name%" cacls "%SystemRoot%\system32\Tasks\%job_name%" /g Users:R       /E
if exist "%SystemRoot%\system32\Tasks\%job_name%" cacls "%SystemRoot%\system32\Tasks\%job_name%" /g INTERACTIVE:R /E

Create shortcuts for normal users to run schtasks /run /tn "Activate VPN" and schtasks /run /tn "Deactivate VPN".

Voila.
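The procedure above, reworked as one PowerShell provisioning script. This is an added example, not code from the thread or from the eduVPN or WireGuard projects; the config directory C:\ProgramData\WireGuardTunnels, the tunnel name myconfname and the two task names are assumptions. It uses the service name WireGuardTunnel$<confname> that enterprise.md documents for /installtunnelservice, and it makes explicit the step the thread only implies: the .conf is restricted to SYSTEM and Administrators before the service is installed, so a standard user can bring the tunnel up and down through the tasks but can neither read the private key nor swap in a config of their own.

```powershell
#Requires -RunAsAdministrator
# Added example (not the eduVPN project's or the thread author's code).
# Assumed names: $TunnelName, $ConfDir and the two task names below.
param(
    [string]$TunnelName = 'myconfname',
    [string]$ConfDir    = 'C:\ProgramData\WireGuardTunnels'
)
$ErrorActionPreference = 'Stop'

$conf    = Join-Path $ConfDir "$TunnelName.conf"
$service = "WireGuardTunnel`$$TunnelName"     # name documented in enterprise.md
$tasks   = @(
    @{ Name = 'Activate VPN';   Verb = 'start' },
    @{ Name = 'Deactivate VPN'; Verb = 'stop'  }
)

if (-not (Test-Path $conf)) { throw "Config not found: $conf" }

# 1. Lock the config down first. Strip inherited ACEs and grant only SYSTEM
#    (which the tunnel service runs as) and Administrators. Anyone who can
#    write this file controls what LocalSystem brings up, so this is the
#    security boundary of the whole setup.
icacls $ConfDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null
icacls $conf    /inheritance:r /grant:r 'SYSTEM:F' 'Administrators:F' | Out-Null

# 2. Register the tunnel as a Windows service and make it manual-start.
#    sc.exe really wants the space after "start=".
& "$env:ProgramFiles\WireGuard\wireguard.exe" /installtunnelservice $conf
& sc.exe config $service start= demand | Out-Null

# 3. Two trigger-less tasks that run as SYSTEM with highest privileges
#    ("Run whether user is logged on or not" is implied for SYSTEM).
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

foreach ($t in $tasks) {
    # The command line is fixed inside the task; users can run it, not change it.
    $action = New-ScheduledTaskAction -Execute 'net.exe' -Argument "$($t.Verb) `"$service`""
    Register-ScheduledTask -TaskName $t.Name -Action $action -Principal $principal `
                           -Settings $settings -Force | Out-Null

    # 4. Read access on the task definition is what allows "schtasks /run"
    #    from a non-admin session (same idea as the cacls batch in the thread).
    icacls "$env:SystemRoot\System32\Tasks\$($t.Name)" /grant 'Users:R' 'INTERACTIVE:R' | Out-Null
}

# Admin-side check: only SYSTEM and Administrators on the conf, tasks present.
icacls $conf
Get-ScheduledTask -TaskName ($tasks | ForEach-Object Name) | Select-Object TaskName, State
```

Standard users then toggle the tunnel with `schtasks /run /tn "Activate VPN"` and `schtasks /run /tn "Deactivate VPN"`. Two checks are worth doing from a non-admin command prompt before rolling this out: `type C:\ProgramData\WireGuardTunnels\myconfname.conf` must fail with access denied, and `sc query "WireGuardTunnel$myconfname"` must show RUNNING after the activate task. If either the directory or the file ever picks up a user-writable ACE again (inheritance re-enabled, a helpful admin granting Users modify), the user can replace the config and LocalSystem will happily bring up a tunnel to wherever they point it, which is exactly the injection scenario described earlier in the thread. The same enterprise.md also documents a task-free alternative: set HKLM\Software\WireGuard\LimitedOperatorUI to DWORD 1 and put the user in the built-in Network Configuration Operators group, after which the stock WireGuard UI lets that user toggle tunnels and view the log without exposing private keys or allowing edits.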

michal-ruzicka commented 9 months ago

Thanks, but this does not seem to solve my main problem: complex server-side infrastructure is needed. I would like simple file configuration, as that is the right level of complexity for small/home networks. But thanks anyway.

michal-ruzicka commented 9 months ago

Many thanks. This seems to be possible.

On the other hand, if eduVPN would allow device admins to install a WG config file (unreadable to the users) and allow the non-admin users to start and stop the tunnel via the nice eduVPN user interface (based on the config name, with no need to see the config contents), I do not see any security disadvantage but huge UX advantages for both admins (even simpler setup) and users (much nicer user interface; my wife would be scared of using a command line interface, for example).

I hope this would not be much work to be done on the eduVPN client code base, as the main functionality is the same; just another option for reading the configuration would be necessary to add.

michal-ruzicka commented 3 weeks ago

Dear all, just for your information and the information of anyone interested:

A few days ago, I learned of the DefGuard system: https://defguard.net/. The system is open source and available on GitHub.

The most interesting thing in the context of my original question is the DefGuard Client, which is available for Windows too. After installation, which requires admin access to the client computer, the client runs under standard user accounts, with no admin privileges needed for creating and removing WireGuard tunnels to vanilla WireGuard servers, as well as for bringing the tunnels up and down. All of it via a user-friendly user interface.