Windows Issue: This security ID may not be assigned as the owner of this object.
I am getting the same error reported before in issue https://github.com/WireGuard/wgctrl-go/issues/108
Found this additional chat for this issue. https://www.mail-archive.com/[email protected]/msg06053.html
Please let me know if it has been fixed or how to solve this issue.
Wireguard.exe needs to be run with SYSTEM privileges; please call psexec.exe -s -i "wireguard.exe" tun0 https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
@salmanmalik-emb if you're using the userspace implementation of wireguard (wireguard-go) you could rewrite SecurityDescriptor for the uapi server before calling UAPIListen, in my case, D:(A;OICI;GA;;;S-1-5-32-544)(A;OICI;GA;;;S-1-5-18)(A;OICI;GRGW;;;S-1-5-11)
(Allow all for system user and local administrator, allow authenticated user to write/read)
I wonder how you could figure it out.
Just copy-pasted openvpn3 client implementation of uapi😁
@lgnyy was right: the security descriptor must run with SYSTEM privileges. For anyone who's in trouble with this, you can run wireguard-go in the foreground with psexec, or use a Windows service to run it in the background.
@nikwo how can you run wgctrl-go to configure the tun created in wireguard-go? I run wgctrl-go but it can't Dial the Pipe due to Permission denied. Thanks.
You need to run wireguard-go as a privileged user, but you need to allow the user to use this Winpipe. S-1-5-11 is the group of authenticated users; you allow them to read and write the pipe. Step by step:
- Run wireguard-go as the system user (you can run it as a Windows system service, don't forget to check "allow users to interact with service")
- Make a Windows security descriptor with this template
- listen, err := (&namedpipe.ListenConfig{SecurityDescriptor: secDesc}).Listen(`\\.\pipe\yourappname`)
- connect from the user space app via namedpipe.DialContext(ctx, `\\.\pipe\yourappname`)

namedpipe package: golang.zx2c4.com/wireguard/ipc/namedpipe
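Added example, not from the thread or from wireguard-go: a Go checker that parses the DACL string quoted above and reports allow ACEs that give write access to broad groups, which for this descriptor flags S-1-5-11 (Authenticated Users) with GRGW. The function names, the `broad` table and the choice of rights codes treated as "write" are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ACE holds the fields of one SDDL entry: (type;flags;rights;;;trustee).
type ACE struct{ Type, Flags, Rights, Trustee string }
var (
	aceRe   = regexp.MustCompile(`\(([^()]*)\)`)
	writeRe = regexp.MustCompile(`^(?:..)*?(?:GA|GW|FA|FW)`) // two-letter rights, aligned
	// Broad trustees to flag (assumed list); S-1-5-11 is the one used in the thread.
	broad = map[string]string{"S-1-5-11": "Authenticated Users", "AU": "Authenticated Users",
		"S-1-1-0": "Everyone", "WD": "Everyone"}
)

// ParseDACL returns the ACEs of the D: section, tolerating stray whitespace.
func ParseDACL(sddl string) (aces []ACE, err error) {
	s := strings.Join(strings.Fields(sddl), "")
	i := strings.Index(s, "D:")
	if i < 0 {
		return nil, fmt.Errorf("no DACL in %q", sddl)
	}
	s, _, _ = strings.Cut(s[i+2:], "S:") // drop a trailing SACL, if present
	for _, m := range aceRe.FindAllStringSubmatch(s, -1) {
		f := strings.Split(m[1], ";")
		if len(f) < 6 {
			return nil, fmt.Errorf("malformed ACE %q", m[0])
		}
		aces = append(aces, ACE{f[0], f[1], f[2], f[5]})
	}
	return aces, nil
}

// BroadWriters lists broad groups an allow ACE lets write; hex masks are not decoded.
func BroadWriters(aces []ACE) (out []string) {
	for _, a := range aces {
		if name, ok := broad[a.Trustee]; ok && a.Type == "A" && writeRe.MatchString(a.Rights) {
			out = append(out, name+" ("+a.Rights+")")
		}
	}
	return out
}

func main() {
	aces, err := ParseDACL("D: (A;OICI;GA;;;S-1-5-32-544) (A;OICI;GA;;;S-1-5-18)(A;OICI; GRGW;;;S-1-5-11)")
	fmt.Println(aces, BroadWriters(aces), err)
}
```

Every trustee it reports can open the pipe for writing, so where only one client account needs access, put that account's SID in the ACE instead of S-1-5-11.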
I tested: the wireguard-go wg0 can run, but wgctrl-go will get the error Error: Unable to open IPC handle via SYSTEM impersonation: 6