
Be able to deploy NetBird under System Account as Always-On-VPN

Open PowershellScripter opened this issue 1 year ago • 16 comments

Is your feature request related to a problem? Please describe. No.

Describe the solution you'd like Being able to utilize NetBird as an Always-On VPN that can be installed and run under the MACHINE context. This means being able to install the netbird client as the 'SYSTEM' account under Windows and have it run the service as that account.

Describe alternatives you've considered We have tried to use Tailscale under the same context, running the VPN unattended as SYSTEM, and Tailscale doesn't have this ability as it never creates the server mode key under the system context. A lot of crafty manipulation of task schedules and scripts had to be done to get it working somewhat as needed. It'd be nice to have NetBird (a VPN solution that runs under true kernel-level Wireguard) be able to run as the system account.

Additional context This is insanely beneficial for massive-scale deployments where companies want to push the VPN out to all their systems and have the ability to set up the VPN without user interaction / user-profile dependency. It also makes it useful to be able to build custom Windows images that get deployed in different states / countries, and build the images to be able to connect to the VPN as the system account to join the company's domain, as well as reconnect at boot to be able to pull domain configs etc.

PowershellScripter, Mar 03 '24 23:03

+1

SinghNanak, Mar 05 '24 09:03

This would be hugely beneficial to everyone who is still very on-prem heavy but wants a more modern enterprise VPN. The case for Always-On VPN is often regulated industries or government, or just enterprises with a large network-IDS infrastructure in place.

As an example, the Danish government has a compliance framework for all government institutions that, among other things, requires:

  • VPN on all client endpoints, no matter the OS
  • Deployed in Always-On Mode
  • In a force-tunnel configuration
  • With all connections denied if not connected to the VPN
  • With a loophole that allows traffic to HTTP (tcp/80) and HTTPS (tcp/443) for a limited time at the request of the logged-in user, to log in to any guest Wi-Fi captive portals.

That specific requirement was written with Cisco in mind, as it's the most widely used VPN provider in the Danish government. But it would be super sweet if we could break free from Cisco, as we already have experience with plain Wireguard between servers. Running Wireguard as a service as SYSTEM is a good first step.

kjentech, Apr 16 '24 08:04

Is there any update on whether this is possible to do yet, or whether it will be implemented or not?

PowershellScripter, May 14 '24 17:05

Is it possible there will be an Always-On VPN option that can be installed and connected at the MACHINE level rather than the user level?

PowershellScripter, Aug 24 '24 19:08