WireGuard / wgctrl-go

Package wgctrl enables control of WireGuard interfaces on multiple platforms.
https://godoc.org/golang.zx2c4.com/wireguard/wgctrl
MIT License

Windows Issue: This security ID may not be assigned as the owner of this object. #141

Open salmanmalik-emb opened 1 year ago

salmanmalik-emb commented 1 year ago

I am getting the same error reported before Issue https://github.com/WireGuard/wgctrl-go/issues/108

Found this additional chat for this issue. https://www.mail-archive.com/wireguard@lists.zx2c4.com/msg06053.html

Please let me know if it has been fixed or how to solve this issue.

lgnyy commented 1 year ago

Wireguard.exe needs to be run with SYSTEM privileges; please call `psexec.exe -s -i wireguard.exe tun0` (https://learn.microsoft.com/en-us/sysinternals/downloads/psexec)

nikwo commented 5 months ago

@salmanmalik-emb if you're using the userspace implementation of WireGuard (wireguard-go), you could rewrite the SecurityDescriptor for the UAPI server before calling UAPIListen. In my case: `D:(A;OICI;GA;;;S-1-5-32-544)(A;OICI;GA;;;S-1-5-18)(A;OICI;GRGW;;;S-1-5-11)`

(Allow all for the SYSTEM user and local administrators; allow authenticated users to read/write.)

drwpls commented 2 months ago

I wonder how you figured that out.

> @salmanmalik-emb if you're using the userspace implementation of WireGuard (wireguard-go), you could rewrite the SecurityDescriptor for the UAPI server before calling UAPIListen. In my case: `D:(A;OICI;GA;;;S-1-5-32-544)(A;OICI;GA;;;S-1-5-18)(A;OICI;GRGW;;;S-1-5-11)`
>
> (Allow all for the SYSTEM user and local administrators; allow authenticated users to read/write.)

nikwo commented 2 months ago

> I wonder how you figured that out.
>
> > @salmanmalik-emb if you're using the userspace implementation of WireGuard (wireguard-go), you could rewrite the SecurityDescriptor for the UAPI server before calling UAPIListen. In my case: `D:(A;OICI;GA;;;S-1-5-32-544)(A;OICI;GA;;;S-1-5-18)(A;OICI;GRGW;;;S-1-5-11)`
> >
> > (Allow all for the SYSTEM user and local administrators; allow authenticated users to read/write.)

Just copy-pasted the openvpn3 client implementation of uapi 😁

drwpls commented 2 months ago

@lgnyy was right, the security descriptor must run with SYSTEM privileges. For whoever is in trouble with this, you can run wireguard-go in the foreground with psexec, or use a Windows service to run it in the background.

@nikwo how can you run wgctrl-go to configure the tun created in wireguard-go? I run wgctrl-go but it can't Dial the Pipe due to Permission denied. Thanks.

> @salmanmalik-emb if you're using the userspace implementation of WireGuard (wireguard-go), you could rewrite the SecurityDescriptor for the UAPI server before calling UAPIListen. In my case: `D:(A;OICI;GA;;;S-1-5-32-544)(A;OICI;GA;;;S-1-5-18)(A;OICI;GRGW;;;S-1-5-11)`
>
> (Allow all for the SYSTEM user and local administrators; allow authenticated users to read/write.)

nikwo commented 2 months ago

> @nikwo how can you run wgctrl-go to configure the tun created in wireguard-go?
>
> I run wgctrl-go but it can't Dial the Pipe due to Permission denied. Thanks.

You need to run wireguard-go as a privileged user, but you need to allow the user to use this Winpipe. S-1-5-11 is the group of authenticated users; you allow them to read/write the pipe. Step-by-step:

1) Run wireguard-go as the SYSTEM user (you can run it as a Windows system service; don't forget to check "allow users to interact with service").
2) Make a Windows security descriptor from this template.
3) ``listen, err := (&namedpipe.ListenConfig{SecurityDescriptor: secDesc}).Listen(`\\.\pipe\yourappname`)``
4) Connect from the user-space app via ``namedpipe.DialContext(ctx, `\\.\pipe\yourappname`)``.

namedpipe package: golang.zx2c4.com/wireguard/ipc/namedpipe
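The thread hands out an SDDL string but never spells out what each ACE grants, and it does not connect the title's error to the descriptor. The following is an added example, not code from wgctrl-go, wireguard-go or any commenter, that parses the DACL exactly as pasted above and answers the question a practitioner should ask before opening a tunnel control pipe to non-admin users: who can write to it? It is pure Go and runs anywhere; the SDDL grammar it assumes is the subset seen in the thread (ACE = `type;flags;rights;objguid;inhguid;sid`, two-letter generic rights GA/GR/GW/GX, the SY/BA/AU/WD aliases). On Windows the same string would go through `windows.SecurityDescriptorFromString` (golang.org/x/sys/windows) into `namedpipe.ListenConfig.SecurityDescriptor` as in step 3 above; the sample inputs are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// ACE is one access-control entry from an SDDL DACL, e.g. (A;OICI;GRGW;;;S-1-5-11); inheritance flags are not kept.
type ACE struct {
	Type   string   // "A" allow, "D" deny
	Rights []string // two-letter tokens: "GA" all, "GR" read, "GW" write, "GX" execute
	SID    string   // SID string or two-letter SDDL alias
}

// Descriptor holds the O: and D: components (G: and S: are skipped). An owner SID that the
// calling token cannot assume is what makes Windows report ERROR_INVALID_OWNER.
type Descriptor struct {
	Owner string
	DACL  []ACE
}

var wellKnown = map[string]string{ // readable names for the principals that matter for a control pipe
	"S-1-5-18": "SYSTEM", "SY": "SYSTEM", "S-1-5-32-544": "BUILTIN\\Administrators", "BA": "BUILTIN\\Administrators",
	"S-1-5-11": "Authenticated Users", "AU": "Authenticated Users", "S-1-1-0": "Everyone", "WD": "Everyone",
}

// Name maps a SID or alias to a readable name so that "SY" and "S-1-5-18" compare equal.
func Name(sid string) string {
	if n, ok := wellKnown[sid]; ok {
		return n
	}
	return sid
}

// ParseSDDL parses an SDDL string. Spaces are dropped first, so the string exactly as pasted in the
// thread parses like the canonical form. ':' occurs only in component markers, so splitting on it is safe.
func ParseSDDL(s string) (d Descriptor, err error) {
	parts := strings.Split(strings.ReplaceAll(s, " ", ""), ":")
	if len(parts) < 2 {
		return d, fmt.Errorf("not SDDL: %q has no component marker", s)
	}
	for i := 0; i+1 < len(parts); i++ {
		key, val := parts[i], parts[i+1]
		if i+2 < len(parts) && val != "" { // the value ends where the next marker's letter starts
			val = val[:len(val)-1]
		}
		switch {
		case key == "":
			return d, fmt.Errorf("empty component marker in %q", s)
		case key[len(key)-1] == 'O':
			d.Owner = val
		case key[len(key)-1] == 'D':
			if d.DACL, err = parseACEs(val); err != nil {
				return d, err
			}
		}
	}
	return d, nil
}

// parseACEs parses "flags(ace)(ace)..." into ACEs; DACL flags such as "P" (protected) are skipped.
func parseACEs(v string) (aces []ACE, err error) {
	i := strings.IndexByte(v, '(')
	if i < 0 {
		return nil, nil // flags only: an empty DACL
	}
	for _, raw := range strings.Split(strings.TrimSuffix(v[i:], ")"), ")") {
		f := strings.Split(strings.TrimPrefix(raw, "("), ";")
		if !strings.HasPrefix(raw, "(") || len(f) != 6 || len(f[2])%2 != 0 {
			return nil, fmt.Errorf("malformed ACE %q: want (type;flags;rights;objguid;inhguid;sid)", raw+")")
		}
		a := ACE{Type: f[0], SID: f[5]}
		for j := 0; j < len(f[2]); j += 2 { // rights are two-letter tokens run together ("GRGW")
			a.Rights = append(a.Rights, f[2][j:j+2])
		}
		aces = append(aces, a)
	}
	return aces, nil
}

// Has reports whether an allow ACE grants sid the rights token. Deny ACEs are not evaluated here.
func Has(d Descriptor, sid, right string) bool {
	for _, a := range d.DACL {
		if a.Type == "A" && Name(a.SID) == Name(sid) && strings.Contains(" "+strings.Join(a.Rights, " ")+" ", " "+right+" ") {
			return true
		}
	}
	return false
}

// CanWrite is the question that matters for a UAPI pipe: GA or GW lets the trustee send set= requests.
func CanWrite(d Descriptor, sid string) bool { return Has(d, sid, "GA") || Has(d, sid, "GW") }

func main() {
	// Constructed input: nikwo's DACL exactly as pasted in the thread.
	d, err := ParseSDDL("D: (A;OICI;GA;;;S-1-5-32-544) (A;OICI;GA;;;S-1-5-18)(A;OICI; GRGW;;;S-1-5-11)")
	fmt.Printf("%+v err=%v\nAuthenticated Users can write: %v, Everyone can write: %v\n", d, err, CanWrite(d, "AU"), CanWrite(d, "WD"))
}
```

Two caveats that the thread's fixes skip over. First, the title's message is ERROR_INVALID_OWNER, and it comes from the O: field, not the DACL: a process can only set as owner a SID its token holds with the owner attribute (or any SID, if it holds and has enabled SeRestorePrivilege), so a descriptor that names SYSTEM as owner can only be applied by a SYSTEM process, which is why `psexec -s` or a service fixes it and a DACL change alone does not. Second, `GRGW` for S-1-5-11 means every local authenticated user, including low-privilege service accounts, can open the pipe and send UAPI `set=1` requests that replace the private key, peers and endpoints; if that is not acceptable, grant the pipe to the specific user or group that should control the tunnel rather than to all authenticated users.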