The WireGuard client for Windows uses the Microsoft Data Protection API (DPAPI) to protect the configuration and keys. These are always stored encrypted with the DPAPI on the hard disk, usually in C:\Program Files\WireGuard\Data\Configuration. The user's password or a random value stored in the Microsoft account is used for encryption via DPAPI. If Active Directory is used, a duplicate key is also stored there.
The protection of the VPN configuration is therefore closely linked to the Windows login. Measures to improve security should therefore start with the Windows login. Other programs running with the rights of the respective user can gain access to the VPN configuration. However, access is not possible without a valid user login.
For full use of the WireGuard client, the rights of the administrator group are required under Windows. It is possible to set up the WireGuard VPN once as an administrator and then prepare it for other users without administrator rights. These other users require membership of the Windows user group Network Configuration Operators (S-1-5-32-556) to be able to use WireGuard.
Proceed as follows and in this order to set up access:
Open Windows User Management and add the desired user(s) to the
Network Configuration Operatorsgroup (S-1-5-32-556).Open a command prompt (cmd.exe) as administrator and execute the following command to enable access in the WireGuard client:
reg add HKLM\Software\WireGuard /v LimitedOperatorUI /t REG_DWORD /d 1 /fConfigure the desired VPN connection in the WireGuard client once as a user with administrator rights.
Users without administrator rights now see a variant of the WireGuard client with reduced options and can use it to establish and disconnect the connections previously stored by the administrator. The menu items for importing or editing connections are not available.
The WireGuard client for Windows allows the default gateway to be set in the VPN tunnel. This is implemented when configuring the tunnel on the Intra2net system via the option "" at the item "".
All data traffic, including that destined for the Internet, then first flows through the VPN tunnel to the Intra2net system. This is recommended if the client does not have a trustworthy Internet connection, e.g. a public WLAN hotspot. However, the Internet line of the Intra2net system is more heavily loaded, as the data traffic from the client to the Internet now has to be transmitted twice.
In this context, the WireGuard client for Windows also has another function, the blocking of data traffic outside the VPN tunnel. With a few exceptions, this function blocks all packets that do not enter the VPN tunnel. This applies in particular to data traffic in the local network at the client's location. For example, access to network printers, NAS drives and similar at the client's location.
You can specify whether these packets should be allowed or blocked when creating the connection on the Intra2net system. It can also be changed later when editing the VPN tunnel on the Windows client.
The Windows Filtering Platform (WFP) is used for blocking. This is not to be confused with the Windows Firewall and is located one level deeper in the system independently of the Windows Firewall. Therefore, these filters are not visible in the Windows Firewall or can be influenced by it.