Windows/Wireguard
Windows Server as Wireguard Client
- Install Wireguard
- Setup Wireguard config and connect to Wireguard server
Windows Firewall config (non-Active Directory)
- Find out Wireguard network interface name
Get-NetConnectionProfile -NetworkCategory 'Public'
Get-NetConnectionProfile -NetworkCategory 'Private'
- Set wireguard network to "private"
Set-NetConnectionProfile -InterfaceAlias 'wireguard???' -NetworkCategory 'Private'
- Allow ping from the Wireguard server to Windows
  - Open Windows Defender Firewall
  - Inbound rules
    - File and Printer Sharing (Echo Request - ICMPv4-In)
      - Profile: Domain + Private
      - Enable
    - Remote Desktop (TCP + UDP)
Windows Firewall config (Active Directory!!)
- set-firewall.ps1
# Remove old rules
Remove-NetFirewallRule -DisplayName "Custom -*" -ErrorAction SilentlyContinue
# Allow ping v4 on Ethernet
New-NetFirewallRule -DisplayName "Custom - Allow Ping - Ethernet" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow -Enabled True -InterfaceAlias "Ethernet"
# Block TCP on Ethernet
New-NetFirewallRule -DisplayName "Custom - Block TCP - Ethernet" -Direction Inbound -Protocol TCP -Action Block -Enabled True -InterfaceAlias "Ethernet"
# Block UDP on Ethernet
New-NetFirewallRule -DisplayName "Custom - Block UDP - Ethernet" -Direction Inbound -Protocol UDP -Action Block -Enabled True -InterfaceAlias "Ethernet"
# Allow all on Wireguard
New-NetFirewallRule -DisplayName "Custom - Allow All - Wireguard" -Direction Inbound -Action Allow -Enabled True -InterfaceAlias "wireguardexample"
# Verify
Get-NetFirewallRule -DisplayName "Custom -*" | ForEach-Object {
    $rule = $_
    $filter = $_ | Get-NetFirewallInterfaceFilter
    [PSCustomObject]@{
        DisplayName    = $rule.DisplayName
        Direction      = $rule.Direction
        Action         = $rule.Action
        Enabled        = $rule.Enabled
        InterfaceAlias = $filter.InterfaceAlias
    }
}
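A tighter variant of set-firewall.ps1, added here as an example and not part of the original page: it refuses to apply the Ethernet block rules while the WireGuard adapter is down (otherwise the block rules cut off the only remaining management path), and instead of "Allow All" on the tunnel it permits only the two services the non-AD section opens (ICMPv4 echo and Remote Desktop). The alias "wireguardexample" and RDP on port 3389 are assumptions.

```powershell
# Added example: least-privilege variant of set-firewall.ps1.
# Assumptions: tunnel adapter alias is "wireguardexample"; RDP listens on TCP/UDP 3389.
$Wg  = "wireguardexample"
$Lan = "Ethernet"

# Safety check: never apply the Ethernet block rules while the tunnel is down,
# or the server becomes unreachable once inbound TCP/UDP on the LAN is blocked.
$adapter = Get-NetAdapter -InterfaceAlias $Wg -ErrorAction SilentlyContinue
if (-not $adapter -or $adapter.Status -ne 'Up') {
    throw "WireGuard adapter '$Wg' is missing or not Up; aborting so the server stays reachable."
}

# Start from a clean slate so reruns do not accumulate duplicate rules.
Remove-NetFirewallRule -DisplayName "Custom -*" -ErrorAction SilentlyContinue

# LAN side: ICMPv4 echo only, all other inbound TCP/UDP blocked.
New-NetFirewallRule -DisplayName "Custom - Allow Ping - Ethernet" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow -Enabled True -InterfaceAlias $Lan
New-NetFirewallRule -DisplayName "Custom - Block TCP - Ethernet" -Direction Inbound -Protocol TCP -Action Block -Enabled True -InterfaceAlias $Lan
New-NetFirewallRule -DisplayName "Custom - Block UDP - Ethernet" -Direction Inbound -Protocol UDP -Action Block -Enabled True -InterfaceAlias $Lan

# Tunnel side: only ping and RDP, instead of allowing everything.
New-NetFirewallRule -DisplayName "Custom - Allow Ping - Wireguard" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow -Enabled True -InterfaceAlias $Wg
New-NetFirewallRule -DisplayName "Custom - Allow RDP TCP - Wireguard" -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow -Enabled True -InterfaceAlias $Wg
New-NetFirewallRule -DisplayName "Custom - Allow RDP UDP - Wireguard" -Direction Inbound -Protocol UDP -LocalPort 3389 -Action Allow -Enabled True -InterfaceAlias $Wg

# Verify: show each rule together with its interface and port filters.
Get-NetFirewallRule -DisplayName "Custom -*" | ForEach-Object {
    $rule  = $_
    $iface = $rule | Get-NetFirewallInterfaceFilter
    $port  = $rule | Get-NetFirewallPortFilter
    [PSCustomObject]@{
        DisplayName    = $rule.DisplayName
        Action         = $rule.Action
        Enabled        = $rule.Enabled
        Protocol       = $port.Protocol
        LocalPort      = $port.LocalPort
        InterfaceAlias = $iface.InterfaceAlias
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell session over the tunnel; if the adapter check throws, bring the WireGuard connection up first and rerun.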