Issues running wireguard on windows 10 as NON-administrator - "UI is only accessible from desktops of the Builtin Administrators"
I get the following error when running as a non-admin:
WireGuard is running, but the UI is only accessible from desktops of the Builtin Administrators
How do I enable wireguard for win10 to work with just a regular user?
At present what you ask is not possible, on Windows.
Unlike other VPN tools and technologies, the Wireguard client creates a tunnel interface (showing up as a network adapter) for each connection you have configured when you try to connect, aka "on the fly". When you terminate the connection the client deletes the tunnel interface entirely. It does this outside the official VPN plumbing of Windows. That design has the severe limitation that you need to be an administrator of the machine so the software can create the interface.
I use Wireguard on Windows, Mac, and Linux. Windows is the only platform I have this issue with. Additionally, I only use the official client (version 0.38 at the time of this writing) from Wireguard. I do not know if there are others.
As previous solutions and comments have pointed out, activating a wireguard (WG) tunnel is not possible - the action requires privilege elevation of some kind.
The solutions mentioned so far have some downsides, at least in my use case. For completeness I'll list all solutions mentioned and add mine.
- Normal WG installation, switch to administrator user to activate Wireguard, then switch back.
  - Pro: admin user has access to all features of WG GUI
  - Con: it takes time & clicks to switch users
- Normal WG installation, add `HKLM\Software\WireGuard\LimitedOperatorUI` registry key and add user to `Network Configuration Operators` group (see WG registry keys documentation)
  - Pro: WG GUI accessible
  - Con: messing with registry, GUI functionality severely limited, messes with privilege elevation prompt
The last point needs clarification: when working as a regular unprivileged user, Windows asks for privilege elevation for many reasons, and one needs to type the/an admin password regularly. This is pretty straightforward, because an admin account is selected by default and one can enter the password quickly. Being part of the NCO group, however, makes the user a kind of admin in the eyes of the OS, so each elevation prompt will offer the current NCO user by default - now in order to enter the password of a real admin, it's necessary to first select another user. This quickly becomes annoying after the first few times one needs privilege elevation.
- Enterprise WG install without launching admin GUI, starting / stopping WG tunnel from shortcut run as administrator
  - Pro: no GUI, no WG background service, user really stays regular
  - Con: no GUI

See Enterprise Usage documentation.

In brief:
- download WG MSI installer (instead of .exe)
- in admin command prompt, run `msiexec /i <installer filename>.msi DO_NOT_LAUNCH=1`
- create Desktop shortcuts for WG:
  - start with command `wireguard /installtunnelservice <path to conf>.conf`
  - stop with command `wireguard /uninstalltunnelservice <tunnel name>`
  - tick "run as Administrator" for both shortcuts

Tunnel status can be checked with wg.exe
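
The second option in the list above (the `LimitedOperatorUI` registry key plus the Network Configuration Operators group), scripted for an elevated PowerShell session. This is an added example, not part of the original answer; `$UserName` is a placeholder, and the value type and data (DWORD 1) are taken from WireGuard's registry key documentation rather than from this page.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original answer: enables WireGuard's limited UI
# for one standard user (option 2 in the list above).
param(
    [Parameter(Mandatory)]
    [string]$UserName   # placeholder, e.g. 'alice' or 'DOMAIN\alice'
)
$ErrorActionPreference = 'Stop'

$keyPath = 'HKLM:\SOFTWARE\WireGuard'
$ncoSid  = 'S-1-5-32-556'   # well-known SID of Network Configuration Operators

# 1. Registry switch named in the answer; DWORD 1 turns the limited UI on.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
New-ItemProperty -Path $keyPath -Name 'LimitedOperatorUI' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Resolve the account to a SID so the membership check is exact.
$account = New-Object System.Security.Principal.NTAccount($UserName)
$userSid = $account.Translate([System.Security.Principal.SecurityIdentifier])

# 3. Add the user to the group by SID (the group name is localized),
#    skipping the call when the account is already a member.
$already = Get-LocalGroupMember -SID $ncoSid |
    Where-Object { $_.SID.Value -eq $userSid.Value }
if (-not $already) {
    Add-LocalGroupMember -SID $ncoSid -Member $userSid.Value
}

# 4. Print the resulting state so the change can be reviewed later:
#    the group also grants the right to change other network settings.
Get-ItemProperty -Path $keyPath -Name 'LimitedOperatorUI' |
    Select-Object LimitedOperatorUI
Get-LocalGroupMember -SID $ncoSid |
    Select-Object Name, SID, PrincipalSource
```

The new group membership only appears in the user's logon token after they sign out and back in.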