Cause I’m alive, live wire

It’s possible to connect to a WireGuard VPN without administrator privileges on Windows.

But by design, the process for doing so is documented poorly.

First, install the WireGuard quick configuration file as an administrator. (The user won’t be able to create new tunnels or delete existing ones, just start or stop existing ones.)

Then, you’ll need to run RegEdit as an administrator (type regedit.msc into the Run window, right click, and select Run as administrator), and then create a DWORD value named LimitedOperatorUI under the HKLM\Software\WireGuard registry key (create the WireGuard key if it doesn’t exist). Set that DWORD to 1.

Then, you’ll need to provide new permissions to the user who you want to be able to connect and disconnect from your VPN.

To do this, run Local Users and Groups as an administrator (type lusrmgr.msc into the Run window, right click, and select Run as administrator), select the Users folder, right click the user you want to give permissions to, and then click Properties.

Select the Member Of tab.

Then, click Add… at the bottom of the screen.

In the “Enter the object names to select” text box, type in Network Configuration Operators and click Check Names.

You’ll have the option to select the Network Configuration Operators group. Do so and click OK.

Click OK on the Select Groups window, and click OK on the Properties window.

Now, your non-administrative user can connect to, or disconnect from, any existing WireGuard tunnel, without being able to add new tunnels or delete existing ones.

You’ll still need to add or delete WireGuard connections as an administrator, but using this technique, a non-administrator can turn VPN connections on or off on Windows.
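
The same two changes can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original post or of WireGuard itself; the `$UserName` parameter and the `Grant-WireGuardOperator.ps1` file name are assumptions, and the script assumes an English-language Windows where the group is named Network Configuration Operators.

```powershell
#Requires -RunAsAdministrator
# Grant-WireGuardOperator.ps1 (hypothetical file name, added example)
param(
    [Parameter(Mandatory)]
    [string]$UserName   # assumption: name of an existing local, non-admin account
)

$keyPath   = 'HKLM:\Software\WireGuard'
$valueName = 'LimitedOperatorUI'
$group     = 'Network Configuration Operators'

# The WireGuard key does not exist by default, so create it when missing.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Create (or overwrite) the DWORD value and set it to 1.
New-ItemProperty -Path $keyPath -Name $valueName `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Add the user to the group only if not already a member, so re-runs are safe.
$isMember = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*\$UserName" }
if (-not $isMember) {
    Add-LocalGroupMember -Group $group -Member $UserName
}

# Read both settings back so the result can be checked, not assumed.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
$members = @(Get-LocalGroupMember -Group $group | ForEach-Object { $_.Name })

[pscustomobject]@{
    RegistryValue = "$keyPath\$valueName = $current"
    GroupMembers  = $members -join ', '
    Ready         = ($current -eq 1) -and [bool]($members -like "*\$UserName")
}
```

The user has to sign out and back in before the new group membership takes effect. Membership in Network Configuration Operators also lets the account change other network settings such as TCP/IP configuration, so grant it only to users who should have that.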

5 thoughts on “Cause I’m alive, live wire”

  1. It doesn’t exist. You have to create it. I spent a long while looking for it, too.

    Keep in mind that “HKLM” = “HKEY_LOCAL_MACHINE”

    So, in other words, you have to create a new key in “HKEY_LOCAL_MACHINE\Software” and name it “WireGuard”. Then, create a DWORD in “Wireguard” and name it “LimitedOperatorUI” and set it to “1”.
    That’s it, right, @jbyrd?

  2. I run this on a Windows Server Domain and it doesn work. I use a security group for controlling the users to make it easier to manage. Just add the AD users to the security group, then add the security group to the Network Configuration Managers in lusrmgr.msc.
