WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN. However, WireGuard will not run on Windows when the user is a non-administrator account.
Unlike other VPN tools and technologies, the Wireguard client creates a tunnel interface (showing up as a network adapter) for each connection you have configured when you try to connect, aka “on the fly”. When you terminate the connection the client deletes the tunnel interface entirely. It does this outside the official VPN plumbing of Windows. That design has the severe limitation that you need to be an administrator of the machine so the software can create the interface.
There are two possible workarounds to enable the WireGuard interface.
Switch to the administrator account to activate WireGuard than switch back to the standard user account.
- Pro: admin user has access to all WireGuard GUI
- Con: it takes time to switch between accounts
Add a registry key and add user to the Network Configuration Operators group.
- Pro: WireGuard GUI is accessible
- Con: messing with registry, GUI functionality severely limited, messes with privilege elevation prompt
Network Configuration Operators
Members of the Network Configuration Operators group can have the following administrative privileges to manage configuration of networking features:
- Modify the Transmission Control Protocol/Internet Protocol (TCP/IP) properties for a local area network (LAN) connection, which includes the IP address, the subnet mask, the default gateway, and the name servers.
- Rename the LAN connections or remote access connections that are available to all the users.
- Enable or disable a LAN connection.
- Modify the properties of all remote access connections of users.
- Delete all the remote access connections of users.
- Rename all the remote access connections of users.
- Issue
ipconfig, ipconfig /release, and ipconfig /renew commands. - Enter the PIN unblock key (PUK) for mobile broadband devices that support a SIM card.
This group appears as an SID until the domain controller is made the primary domain controller and it holds the operations master (FSMO) role. This group can’t be renamed, deleted, or removed.
The Network Configuration Operators group applies to the Windows Server operating system in Default Active Directory security groups.
How to add a User to a Group on Windows
The images below are captured from Windows 11. However, the same steps apply to Windows 10, but they may look slightly different.
- From the administrator account, open your computer’s Start menu. The Start menu button looks like a Windows icon on your desktop taskbar.
- Type
Computer Management and click Open - Click on
System Tools drop down to expose Local Users and Groups. Then click on the drop down to expose the Groups folder. Click on the Groups folder that will display on the groups in the right-hand pane. You can now double-click on Network Configuration Operators. - Click the Add… button
- Add each user by typing the name into the block and then pressing Check Names. Repeat this for each user on the computer. Then press OK.
How to add a registry key
The images below are captured from Windows 11. However, the same steps apply to Windows 10, but they may look slightly different.
- From the administrator account, open your computer’s Start menu. The Start menu button looks like a Windows icon on your desktop taskbar.
- Type
Registry Editior and click Open - Navigate to
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\. If you have a WireGuard folder, skip the next step. - If you do not have a WireGuard folder, right-click on
SOFTWARE and select New -> Key and type “WireGuard” - On the WireGuard folder, right-click and choose New ->
DWORD (32-bit) Value and name it LimitedOperatorUI - Double-click on the new DWORD and enter
1 for the value. - Press OK and close all the windows. Restart the computer. Users should now be able to start the WireGuard client to connect.
When this key is set to DWORD(1), the UI will be launched on desktops of users belonging to the Network Configuration Operators builtin group (S-1-5-32-556), with the following limitations for members of that group: - Configurations are stripped of all public, private, and pre-shared keys; - No version update popup notifications are shown, and updates are not permitted, though a tab still indicates the availability; - Adding, removing, editing, importing, or exporting configurations is forbidden; and - Quitting the manager is forbidden. However, basic functionality such as starting and stopping tunnels remains intact.
References
FAQs
WireGuard does not work on Windows unless you are an administrator. However, you can enable a regular user to control the service after an admin has installed and configured it.
Can I use WireGuard on Windows? ›
In a browser, navigate to our WireGuard configuration generator. Log in by entering your Mullvad account number. Under Platform, select Windows. Click on Generate key.
What is the default user for WireGuard? ›
⚠️ The default username and password are admin .
How to generate WireGuard keys in Windows? ›
I don't have a key pair
Choose the Desktop or mobile option and click on WireGuard. In the next window, click on I don't have a key pair. Name your new key pair. Click on Generate a new key pair.
Why not to use WireGuard? ›
Unreliable Monotonic Counter. WireGuard uses the system time as a reliable monotonic counter. If this jumps forward, a user might DoS their own keys, by making it impossible to later have a value larger, or an adversary controlling system time could store a handshake initiation for use later.
How to get VPN without admin? ›
Using Pulse Secure VPN Without Admin Permissions
- Navigate to the Microsoft Store. ...
- Search for Pulse Secure in the Microsoft Store.
- Click Get.
- If prompted to log in, click No Thanks.
- After installation, navigate to your VPN Settings.
- Click Add VPN Connection.
- Click Save.
- Click Connect.
There are no known security flaws in either protocol. If security is your topmost priority, the conservative option is OpenVPN. It has simply been around much longer than WireGuard, gone through more third-party security audits, and has a far longer track record than WireGuard.
Which is better OpenVPN or WireGuard Home server? ›
The biggest notable differences between WireGuard and OpenVPN are speed and security. While WireGuard is generally faster, OpenVPN provides heavier security. The differences between these two protocols are also their defining features. We've taken a closer look at each so you can really understand how they work.
Is Tailscale faster than WireGuard? ›
Performance. Using WireGuard directly offers better performance than using Tailscale. Tailscale does more than WireGuard, so that will always be true. We aim to minimize that gap, and Tailscale generally offers good bandwidth and excellent latency, particularly compared to non-WireGuard VPNs.
Does WireGuard hide IP address? ›
When you connect to our VPN server via WireGuard, your device can only see the IP address 10.2. 0.2, and the website you visit can only see the public IP address of our VPN server. Your true IP address remains secure and private, just as it would with OpenVPN.
To view the status of one or more WireGuard tunnels, use the show wireguard [<instance>] command. This command prints the status of all WireGuard tunnels and can optionally limit the output to a specific instance.
Why do I have WireGuard on my PC? ›
Why am I seeing WireGuard on my computer? To provide you with a better VPN experience, Trend Micro has started using this new protocol. You may notice 'wgclient' or 'WireGuard' on your computer because your Trend Micro VPN is currently active and ensuring that your information is protected.
How does WireGuard work on Windows? ›
At the heart of WireGuard is a concept called Cryptokey Routing, which works by associating public keys with a list of tunnel IP addresses that are allowed inside the tunnel. Each network interface has a private key and a list of peers. Each peer has a public key.
How to configure WireGuard server on Windows? ›
How to manually configure WireGuard on Windows
- Download and install the official WireGuard VPN client.
- Sign in to account.protonvpn.com, go to Downloads → WireGuard configuration, and download a WireGuard configuration file. ...
- Open the official WireGuard VPN client and click Import Tunnel(s) from File.
To make the WireGuard windows app better for standard windows users, you need to make your user(s) a member of the “Network Configuration Operators” group. This allows you to enable/disable (or choose if you have multiple) the VPN without needing to be a member of the Administrators group.
How do I disable firewall without admin rights? ›
Scroll down the Services list and look for Windows Firewall. Double-click on it and under the General tab, click on Stop. Then click Apply and OK. This video will benefit those viewers who use a Windows computer and would like to turn off the firewall, even if they are not running the administrator account.
How can Chrome be installed without admin rights? ›
Install Google Chrome
- Before you start.
- Step 1: Download the Google Chrome file.
- Step 2: Download Chrome for Windows.
- Step 3: Save the file.
- Step 4: Run the file.
- Step 5: User Account Control pop up.
- Step 6: Install without admin privileges.
- Optional step 7: Pin Chrome to the taskbar.
PIA offers WireGuard® alongside OpenVPN.
