WireGuard for Windows 0.3.1 is the release you’ve been waiting for

This Monday, WireGuard founder and lead developer Jason Donenfeld announced a new WireGuard release for the Windows platform. The release is something of a godsend for administrators hoping to implement WireGuard as a replacement for more traditional end-user VPNs in a business environment, adding several new features that will make their lives easier—or simply make its implementation possible, in environments where it otherwise would not.

If you haven’t heard about WireGuard yet, it’s a relatively new VPN protocol featuring advanced cryptography. It’s implemented from the ground up as an exercise in cleanly written, minimalist, maximally secure and performant code—and it succeeded at those goals well enough to get Linus Torvalds’ own rarely-seen stamp of approval.

Installation

Those who are already using WireGuard on Windows will receive an obvious in-app prompting to download and install the new version, which works swimmingly. New users can download WireGuard directly from its website.

The simple “Download Installer” button is aimed at Windows end users, and this probes the user’s system to determine which MSI installer to fetch and execute, based on the user’s system architecture. Sysadmin types may also browse the list of MSIs directly, for use with Active Directory Group Policy automated deployments.

WireGuard for Windows currently supports x86_64, x86 (32-bit), ARM, and ARM64 architectures.

Improved tunnel management for Windows users

Probably the most desperately-sought feature in WireGuard’s windows implementation is the ability for unprivileged users to activate and deactivate WireGuard tunnels via the app’s user interface. Until release 0.3.1, WireGuard has only allowed members of the Administrators group to open the UI, let alone do anything within it.

As of version 0.3.1, that limitation has finally been removed. Unprivileged users may be added to the Windows Builtin group “Network Configuration Operators”—and, once members of that group, if and only if the requisite registry key was added and DWORD value set, they can manage their own tunnel into the corporate LAN.

There’s one more step necessary to enable the limited UI—you need to open regedit, create the key HKLMSOFTWAREWireGuard, then create a DWORD at HKLMSOFTWAREWireGuardLimitedOperatorUI and set it to 1. (Don’t be confused at the lack of HKLMSOFTWAREWireGuard itself—you’ll need to create that, too.)

Otherwise-unprivileged users who’ve been allowed into the WireGuard club can see the tunnels available and start and stop those tunnels. They cannot see the public keys for the tunnels—and more importantly, they can neither add, remove, nor edit those tunnels.

Unprivileged users also cannot exit the WireGuard application itself—they can close the dialog just fine, but the “exit WireGuard” item is missing from the context menu in the system tray. This is because closing the WireGuard app from the system tray doesn’t just get rid of the icon, or even disable the WireGuard tunnel services—it actually uninstalls those services entirely. (The services are automatically reinstalled the next time an Administrator runs the WireGuard app.)

Also new to WireGuard for Windows 0.3.1, multiple tunnels can be simultaneously activated from the GUI. This feature is also registry-gated for now—to use it, you’ll need to create a DWORD at HKLMSoftwareWireGuardMultipleSimultaneousTunnels and set it to 1. Without creating and setting that DWORD, WireGuard for Windows 0.3.1 continues to behave like earlier versions, and activating one tunnel from the GUI will automatically deactivate any others.