Enlarge /. I heroically defied the urge to create a WireGuard for Workgroups 0.3.1 image for this piece.

Jim Salter

This Monday the founder and main developer of WireGuard, Jason Donenfeld, announced a new WireGuard version for the Windows platform. The release is a godsend for administrators looking to implement WireGuard as a replacement for more traditional end-user VPNs in a business environment. They're adding several new features that make their lives easier – or simply allow implementation in environments where it wouldn't otherwise.

If you haven't heard of WireGuard, it's a relatively new VPN protocol with advanced cryptography. It was implemented from the ground up as an exercise in neatly written, minimalistic, maximally secure and high-performance code – and it achieved these goals well enough to receive Linus Torvalds' rarely seen seal of approval.


Existing WireGuard users will be prompted with obvious user interface notes to download and install the new version directly from the application itself.Enlarge /. Existing WireGuard users will be prompted with obvious user interface notes to download and install the new version directly from the application itself.

Jim Salter

Those who already use WireGuard on Windows will get an obvious in-app prompt to download and install the new version, which is working fine. New users can download WireGuard directly from its website.

The simple "Download Installer" button is for Windows end users. In this way, the user's system determines which MSI installer to get and run based on the user's system architecture. Sysadmin types can also search the list of MSIs directly for use in automated Active Directory group policy deployments.

WireGuard for Windows currently supports x86_64, x86 (32-bit), ARM, and ARM64 architectures.

Improved tunnel management for Windows users

  • If the registry DWORD value for LimitedOperatorUI is set to 1 and the current user is a member of the Windows built-in Network Configuration Operators group, WireGuard will launch a functioning but limited user interface.

    Jim Salter

  • If we examine them side by side, we can see that there are no pubkeys displayed on the restricted UI and there are no controls for importing / exporting / deleting tunnels.

    Jim Salter

  • To enable much of the new WireGuard for Windows features, you will need to create a new registry key and DWORD values ​​to allow them. Note: The HKLM Software WireGuard key itself does not exist until you create it!

    Jim Salter

  • If you are not a member of Network Configuration Operators, or if you forgot to create the DWORD HKLMSOFTWAREWireGuardLimitedOperatorUI in the registry, you will see this error.

    Jim Salter

  • Network configuration operators can start the WireGuard interface, but not close it. Notice the missing item in the taskbar context list.

    Jim Salter

Probably the most requested feature in the Windows implementation of WireGuard is the ability for non-privileged users to enable and disable WireGuard tunnels through the app's user interface. Up to release 0.3.1, WireGuard only allowed members of the administrator group to open the user interface, let alone do anything in it.


From version 0.3.1 this restriction has been lifted for good. Non-privileged users can be added to the Windows built-in "Network Configuration Operators" group. Once members of this group have added the required registry key and set the DWORD value, they can manage their own tunnel into the corporate LAN.

There is one more step required to activate the limited user interface: you have to open regedit, create the key HKLM SOFTWARE WireGuard, then create a DWORD under HKLM SOFTWARE WireGuard LimitedOperatorUI and set it to 1. (Do not confuse this due to the lack of HKLM SOFTWARE WireGuard yourself – you have to create that too.)

Otherwise, non-privileged users who have joined the WireGuard Club can view the available tunnels and start and stop those tunnels. They cannot see the public keys for the tunnels – and more importantly, they cannot add, remove, or edit these tunnels.

Non-privileged users cannot terminate the WireGuard application themselves. You can close the dialog without any problems, but the "Exit WireGuard" element is missing from the context menu in the taskbar. This is because closing the WireGuard app from the system tray not only removes the icon or even disables the WireGuard tunnel services, but actually completely uninstalled these services. (The services are automatically reinstalled the next time an administrator runs the WireGuard app.)

Also new in WireGuard for Windows 0.3.1, several tunnels can be activated simultaneously via the GUI. For the time being, this function is also controlled by registration. To use them you have to create a DWORD under HKLM Software WireGuard MultipleSimultaneousTunnels and set it to 1. Without creating and defining this DWORD, WireGuard for Windows 0.3.1 will continue. If you behave as in previous versions and activate a tunnel via the GUI, all others are automatically deactivated.


Please enter your comment!
Please enter your name here