golang.zx2c4.com/wireguard/windows@v0.5.4-0.20230123132234-dcc0eb72a04b/docs/enterprise.md

# Enterprise Usage

WireGuard for Windows has been designed from the ground up to make full use of standard Windows service, ACL, and CLI capabilities, making WireGuard deployable in enterprise scenarios or as part of Active Directory domains.

### Installation

While consumer users are generally directed toward [wireguard-installer.exe](https://download.wireguard.com/windows-client/wireguard-installer.exe), this installer simply takes care of selecting the correct MSI for the architecture, validating signatures, and executing it. Enterprise admins can instead [download MSIs directly](https://download.wireguard.com/windows-client/) and deploy these using [Group Policy Objects](https://docs.microsoft.com/en-us/troubleshoot/windows-server/group-policy/use-group-policy-to-install-software). The installer makes use of standard MSI features and should be easily automatable. The additional MSI property `DO_NOT_LAUNCH` suppresses launching WireGuard after its installation, should that be required.

### Tunnel Service versus Manager Service and UI

The "manager service" is responsible for displaying a UI on select users' desktops (in the system tray), and responding to requests from the UI to do things like add, remove, start, or stop tunnels. The "tunnel service" is a separate Windows service for each tunnel. These two services may be used together, or separately, as described below. The various commands below log errors and status to standard error, or, if standard error does not exist, to standard output.

### Tunnel Service

A tunnel service may be installed or uninstalled using the commands:

```text
> wireguard /installtunnelservice C:\path\to\some\myconfname.conf
> wireguard /uninstalltunnelservice myconfname
```

This creates a service called `WireGuardTunnel$myconfname`, which can be controlled using standard Windows service management utilities, such as `services.msc` or [`sc`](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/sc-query).

If the configuration filename ends in `.conf`, it is interpreted as a normal [`wg-quick(8)`](https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8) configuration file. If it ends in `.conf.dpapi`, it is considered to be that same configuration file, but encrypted using [`CryptProtectData(bytes, "myconfname")`](https://docs.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata).

The tunnel service may be queried and modified at runtime using the standard [`wg(8)`](https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8) command line utility. If the configuration file is a `.conf.dpapi` one, then Local System or Administrator permissions are required to interact with it using `wg(8)`; otherwise users of `wg(8)` must have Local System or Administrator permissions, or the same permissions as the owner of the `.conf` file. Invocation of `wg(8)` follows the usual patterns from other platforms. For example:

```text
> wg show myconfname
interface: myconfname
  public key: lfTRXEWxt8mZc8cjSvOWN3tqnTpWw4v2Eg3qF6WTklw=
  private key: (hidden)
  listening port: 53488

peer: JRI8Xc0zKP9kXk8qP84NdUQA04h6DLfFbwJn4g+/PFs=
  endpoint: 163.172.161.0:12912
  allowed ips: 0.0.0.0/0
  latest handshake: 3 seconds ago
  transfer: 6.55 KiB received, 4.13 KiB sent
```
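The install, service-control and `wg show` steps above, put together as one deployment script. This is an added example and not code from the WireGuard project; it assumes the default install location `%ProgramFiles%\WireGuard` (with `wg.exe` next to `wireguard.exe`), an elevated PowerShell prompt, and a placeholder configuration path. `Start-Process -Wait` is used rather than `&` so the call also blocks when the executable runs as a windowed process.

```powershell
# Added example (not part of the WireGuard project): install a tunnel as a Windows
# service, wait until the SCM reports it Running, then confirm the interface answers
# to wg(8). Assumes the default install path; the config path below is a placeholder.
$WireGuardExe = Join-Path $env:ProgramFiles 'WireGuard\wireguard.exe'
$WgExe        = Join-Path $env:ProgramFiles 'WireGuard\wg.exe'   # assumed location

function Install-WgTunnelService {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        [int] $TimeoutSeconds = 30
    )
    if (-not (Test-Path -LiteralPath $ConfigPath)) {
        throw "Config file not found: $ConfigPath"
    }
    # The service name is derived from the file name minus .conf or .conf.dpapi,
    # giving WireGuardTunnel$<name> as described in the text.
    $name        = [IO.Path]::GetFileName($ConfigPath) -replace '\.conf(\.dpapi)?$', ''
    $serviceName = "WireGuardTunnel`$$name"

    $p = Start-Process -FilePath $WireGuardExe `
                       -ArgumentList "/installtunnelservice `"$ConfigPath`"" `
                       -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) {
        throw "installtunnelservice failed with exit code $($p.ExitCode)"
    }

    # Poll the service controller until the tunnel reports Running, or give up.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running') { break }
        Start-Sleep -Milliseconds 500
    } while ((Get-Date) -lt $deadline)
    if (-not $svc -or $svc.Status -ne 'Running') {
        throw "$serviceName did not reach Running within $TimeoutSeconds s (state: $($svc.Status))"
    }

    # Report the lines an operator cares about most: identity and liveness.
    & $WgExe show $name | Where-Object { $_ -match 'public key|latest handshake' }
    return $svc
}

function Remove-WgTunnelService {
    param([Parameter(Mandatory)] [string] $Name)
    $p = Start-Process -FilePath $WireGuardExe -ArgumentList "/uninstalltunnelservice $Name" `
                       -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) {
        throw "uninstalltunnelservice failed with exit code $($p.ExitCode)"
    }
}

# Usage (placeholder path):
# Install-WgTunnelService -ConfigPath 'C:\Deploy\myconfname.conf'
# Remove-WgTunnelService -Name 'myconfname'
```

Because the tunnel is a plain Windows service, the same `Get-Service` polling applies after a reboot or after `sc start WireGuardTunnel$myconfname`; the `wg show` filter is just a convenience for spotting a tunnel that installed fine but never completed a handshake.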

The `PreUp`, `PostUp`, `PreDown`, and `PostDown` configuration options may be specified to run custom commands at various points in the lifetime of a tunnel service, but only if the correct registry key is set. [See `adminregistry.md` for information.](adminregistry.md)

### Manager Service

The manager service may be installed or uninstalled using the commands:

```text
> wireguard /installmanagerservice
> wireguard /uninstallmanagerservice
```

This creates a service called `WireGuardManager`, which can be controlled using standard Windows service management utilities, such as `services.msc` or [`sc`](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/sc-query).

When executing `wireguard` with no arguments, the command first attempts to show the UI if the manager service is already running; otherwise it starts the manager service, waits for it to create a UI in the system tray, and then shows the main manager window. Therefore, `wireguard /installmanagerservice` is suitable for silent installation, whereas `wireguard` alone is suitable for interactive startup.

The manager service monitors `%ProgramFiles%\WireGuard\Data\Configurations\` for the addition of new `.conf` files. Upon seeing one, it encrypts the file to a `.conf.dpapi` file, makes it unreadable to users other than Local System, grants administrators only the ability to remove it, and then deletes the original unencrypted file. (Configurations can always be _exported_ later using the export feature of the UI.) This means configurations can be added programmatically to the manager service's secure store simply by copying them into that directory.
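The drop-in mechanism just described, as an added example that is not the WireGuard project's own code: copy a configuration into the watched directory, wait for the manager to replace it with the `.conf.dpapi` file, and then audit the resulting ACL so a deployment pipeline can fail loudly if the plaintext was not picked up or if anyone besides Local System ended up with read access. It assumes the default data path, a running `WireGuardManager` service and an elevated prompt; the source path is a placeholder.

```powershell
# Added example (not part of the WireGuard project): hand a configuration to the
# running manager service through its watched directory and verify the outcome.
# Assumes the default data path and that WireGuardManager is running.
$ConfigDir = Join-Path $env:ProgramFiles 'WireGuard\Data\Configurations'

function Add-WgManagedConfig {
    param(
        [Parameter(Mandatory)] [string] $SourceConfig,   # a wg-quick style .conf file
        [int] $TimeoutSeconds = 15
    )
    $name      = [IO.Path]::GetFileNameWithoutExtension($SourceConfig)
    $plain     = Join-Path $ConfigDir "$name.conf"
    $encrypted = Join-Path $ConfigDir "$name.conf.dpapi"

    $mgr = Get-Service -Name WireGuardManager -ErrorAction SilentlyContinue
    if (-not $mgr -or $mgr.Status -ne 'Running') {
        throw 'WireGuardManager is not running; the file would sit in plaintext unnoticed.'
    }
    Copy-Item -LiteralPath $SourceConfig -Destination $plain

    # Wait for the manager to encrypt the file and delete the unencrypted copy.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if ((Test-Path -LiteralPath $encrypted) -and -not (Test-Path -LiteralPath $plain)) { break }
        Start-Sleep -Milliseconds 250
    }
    if (Test-Path -LiteralPath $plain) {
        # Never leave key material on disk if the manager did not consume it.
        Remove-Item -LiteralPath $plain -Force
        throw "Manager did not encrypt $plain within $TimeoutSeconds s; plaintext removed."
    }

    # Audit the ACL: only SYSTEM is expected to hold read access on the .dpapi file.
    $acl     = Get-Acl -LiteralPath $encrypted
    $readers = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [Security.AccessControl.FileSystemRights]::ReadData)
        } |
        ForEach-Object { $_.IdentityReference.Value }
    $unexpected = @($readers | Where-Object { $_ -ne 'NT AUTHORITY\SYSTEM' })
    if ($unexpected.Count -gt 0) {
        Write-Warning "Unexpected principals with read access to ${encrypted}: $($unexpected -join ', ')"
    }
    [pscustomobject]@{ Name = $name; Path = $encrypted; Readers = $readers }
}

# Usage (placeholder path):
# Add-WgManagedConfig -SourceConfig 'C:\Deploy\myconfname.conf'
```

The ACL check is the part worth keeping in any automation around this directory: the text promises that the encrypted file is readable only by Local System, and a quick `Get-Acl` after the copy is the cheapest way to notice a host where inherited permissions on `%ProgramFiles%\WireGuard\Data` have been loosened.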

The UI is started in the system tray of all built-in Administrators when the manager service is running. A limited UI may also be started in the system tray of all built-in Network Configuration Operators, if the correct registry key is set. [See `adminregistry.md` for information.](adminregistry.md)

### Diagnostic Logs

The manager and all tunnel services produce diagnostic logs in a shared ringbuffer-based log. This is shown in the UI, and can also be dumped to standard output using the command:

```text
> wireguard /dumplog > C:\path\to\diagnostic\log.txt
```

Alternatively, the log can be tailed continuously, for passing it to logging services:

```text
> wireguard /dumplog /tail | log-ingest
```

Or it can be monitored in PowerShell by piping to `select`:

```text
PS> wireguard /dumplog /tail | select
```
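A concrete stand-in for the `log-ingest` placeholder above, added here as an example rather than anything the WireGuard client ships: the tailed diagnostic log is appended to a size-rotated text file, and lines matching a chosen pattern are additionally raised as Windows Application event log entries so that an existing collector (for instance a Windows Event Forwarding subscription) picks them up without any WireGuard-specific agent. It assumes the default install path, Windows PowerShell 5.1 (`New-EventLog`/`Write-EventLog` are not available in PowerShell 7) and an elevated prompt; the event source name and the match pattern are choices made for this example.

```powershell
# Added example (not part of the WireGuard project): forward the shared diagnostic
# log to a file and to the Application event log. Assumes Windows PowerShell 5.1
# and the default install path; $LogSource and $ErrorPattern are example choices.
$WireGuardExe = Join-Path $env:ProgramFiles 'WireGuard\wireguard.exe'
$LogSource    = 'WireGuardDiag'                 # hypothetical event source name
$ErrorPattern = '(?i)\b(error|fail|failed|denied)\b'   # hypothetical filter; tune as needed

function Start-WgLogForwarder {
    param(
        [Parameter(Mandatory)] [string] $OutFile,
        [int] $MaxBytes = 50MB
    )
    # Register the event source once; later calls find it already present.
    if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
        New-EventLog -LogName Application -Source $LogSource
    }

    # Piping the process output keeps PowerShell attached until /tail is interrupted.
    & $WireGuardExe /dumplog /tail | ForEach-Object {
        $line = $_
        Add-Content -LiteralPath $OutFile -Value $line

        # Crude size-based rotation: keep exactly one previous generation.
        if ((Get-Item -LiteralPath $OutFile).Length -gt $MaxBytes) {
            Move-Item -LiteralPath $OutFile -Destination "$OutFile.1" -Force
        }

        # Surface likely problems through the event log as well.
        if ($line -match $ErrorPattern) {
            Write-EventLog -LogName Application -Source $LogSource `
                           -EntryType Warning -EventId 1000 -Message $line
        }
    }
}

# Usage:
# Start-WgLogForwarder -OutFile 'C:\Logs\wireguard-diag.log'
```

Running this under a scheduled task or a service wrapper turns the ring buffer, which otherwise only survives as long as the services hold it, into a durable record that can be correlated with tunnel start/stop events from the service controller.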

### Updates

Administrators are notified of updates within the UI and can update from within the UI, but updates can also be invoked at the command line using the command:

```text
> wireguard /update
```

Or, to log the status of that command:

```text
> wireguard /update 2> C:\path\to\update\log.txt
```

One could have Task Scheduler run it daily at 3am:

```text
> schtasks /create /f /ru SYSTEM /sc daily /tn "WireGuard Update" /tr "%PROGRAMFILES%\WireGuard\wireguard.exe /update" /st 03:00
```

### Driver Removal

The tunnel service creates a network adapter at startup and destroys it at shutdown. If there are no more network adapters, the driver may be removed with:

```text
> wireguard /removedriver
```

Or, to log the status of that command:

```text
> wireguard /removedriver 2> C:\path\to\removal\log.txt
```