Windows/Wireguard
Latest revision as of 13:21, 9 October 2025
Windows Server as Wireguard Client
- Install Wireguard
- Setup Wireguard config and connect to Wireguard server
Windows Firewall config (non-Active Directory)
- Find out Wireguard network interface name

    Get-NetConnectionProfile -NetworkCategory 'Public'
    Get-NetConnectionProfile -NetworkCategory 'Private'

- Set wireguard network to "private"

    Set-NetConnectionProfile -InterfaceAlias 'wireguard???' -NetworkCategory 'Private'
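The two steps above can be combined into one script that finds the WireGuard adapter, moves it to the Private profile and checks the result. This is an added example, not from the wiki page; it assumes WireGuard for Windows names the adapter after the tunnel configuration (so the page's "wireguard-tunnel.conf.dpapi" yields an interface alias of "wireguard-tunnel"), and the $TunnelName value is a placeholder to adjust.

```powershell
# Added example (not from the wiki page): locate the WireGuard adapter by its
# tunnel name, move it to the Private profile, then confirm the change.
# Assumption: the adapter alias equals the tunnel name; adjust $TunnelName.
$TunnelName = 'wireguard-tunnel'

$adapter = Get-NetAdapter -Name $TunnelName -ErrorAction SilentlyContinue
if (-not $adapter) {
    # List every adapter so the right alias can be picked instead of guessed.
    Get-NetAdapter | Select-Object Name, InterfaceDescription, Status | Format-Table -AutoSize
    throw "No adapter named '$TunnelName' found; is the tunnel up?"
}

# Show the category before changing it (new networks default to Public).
Get-NetConnectionProfile -InterfaceAlias $adapter.Name |
    Select-Object InterfaceAlias, NetworkCategory

Set-NetConnectionProfile -InterfaceAlias $adapter.Name -NetworkCategory Private

# Verify: fail loudly if the category did not change, because the
# Domain/Private firewall rules (e.g. ICMPv4-In) will otherwise not apply.
$netProfile = Get-NetConnectionProfile -InterfaceAlias $adapter.Name
if ($netProfile.NetworkCategory -ne 'Private') {
    throw "Adapter '$($adapter.Name)' is still '$($netProfile.NetworkCategory)'"
}
"Adapter '$($adapter.Name)' is now Private"
```

Run it in an elevated PowerShell session while the tunnel is connected; Set-NetConnectionProfile only sees adapters that currently have a connection profile.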
- Allow ping from Wireguard server to Windows
  - Open Windows Defender Firewall
  - Incoming rules
  - File and Printer Sharing (Echo Request - ICMPv4-In)
    - Profile: Domain + Private
    - Enable
  - Remote Desktop (TCP+UDP)
Windows Firewall config (Active Directory!!)
- set-firewall.ps1

    # Remove old rules
    Remove-NetFirewallRule -DisplayName "Custom -*" -ErrorAction SilentlyContinue
    # Allow ping v4 on Ethernet
    New-NetFirewallRule -DisplayName "Custom - Allow Ping - Ethernet" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow -Enabled True -InterfaceAlias "Ethernet"
    # Block TCP on Ethernet
    New-NetFirewallRule -DisplayName "Custom - Block TCP - Ethernet" -Direction Inbound -Protocol TCP -Action Block -Enabled True -InterfaceAlias "Ethernet"
    # Block UDP on Ethernet
    New-NetFirewallRule -DisplayName "Custom - Block UDP - Ethernet" -Direction Inbound -Protocol UDP -Action Block -Enabled True -InterfaceAlias "Ethernet"
    # Allow all on Wireguard
    New-NetFirewallRule -DisplayName "Custom - Allow All - Wireguard" -Direction Inbound -Action Allow -Enabled True -InterfaceAlias "wireguardexample"
    # Verify
    Get-NetFirewallRule -DisplayName "Custom -*" | ForEach-Object {
        $rule = $_
        $filter = $_ | Get-NetFirewallInterfaceFilter
        [PSCustomObject]@{
            DisplayName    = $rule.DisplayName
            Direction      = $rule.Direction
            Action         = $rule.Action
            Enabled        = $rule.Enabled
            InterfaceAlias = $filter.InterfaceAlias
        }
    }
- Task
  - On system start
  - Delay 1min
  - Start program
    - "C:\Program Files\WireGuard\wireguard.exe"
    - /installtunnelservice "C:\Program Files\WireGuard\Data\Configurations\wireguard-tunnel.conf.dpapi"
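The scheduled task described in the list above can be registered from PowerShell instead of the Task Scheduler GUI. This is an added example, not from the wiki page; it uses the executable and configuration paths given on the page, and the task name is made up here.

```powershell
# Added example (not from the wiki page): register the task the page describes:
# run at system start, wait one minute, then install the WireGuard tunnel
# service from the DPAPI-encrypted configuration.
# Assumption: paths are the ones on the page; $TaskName is a placeholder.
$TaskName = 'WireGuard - Install tunnel service'
$Exe      = 'C:\Program Files\WireGuard\wireguard.exe'
$Config   = 'C:\Program Files\WireGuard\Data\Configurations\wireguard-tunnel.conf.dpapi'

# Check both files exist before registering a task that would fail at boot.
if (-not (Test-Path -LiteralPath $Exe))    { throw "WireGuard executable not found: $Exe" }
if (-not (Test-Path -LiteralPath $Config)) { throw "Tunnel configuration not found: $Config" }

# The config path contains spaces, so it is quoted inside the argument string.
$action = New-ScheduledTaskAction -Execute $Exe -Argument "/installtunnelservice `"$Config`""

$trigger = New-ScheduledTaskTrigger -AtStartup
$trigger.Delay = 'PT1M'   # ISO 8601 duration: start one minute after boot

# Run as LocalSystem with highest privileges: installing a service requires it,
# and the task then does not depend on any user logging on.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verify the registration and the trigger delay.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
(Get-ScheduledTask -TaskName $TaskName).Triggers | Select-Object Delay, Enabled
```

Run it from an elevated session; -Force replaces an existing task with the same name, so the script can be re-run after editing the paths.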