How to configure a Wireguard Windows 10 VPN client

Originally published at: https://serversideup.net/how-to-configure-a-wireguard-windows-10-vpn-client/

This post belongs to my “mini-course” on Gain flexibility & increase privacy with Wireguard VPN. I’ll only be walking through how to set up a client for Wireguard on Windows 10. If you don’t have a server (or even if you already have one), definitely start from the top. I make a few assumptions and…

Any way to set a DNS search suffix in this?

Oh… and I should add how much I appreciated you pulling all this information in to one place. It was very helpful.

No problem! Glad I could help @bretmiller. I was just as frustrated as you, so that’s why I did it!

As you are already aware, I basically focused my efforts on having my Internet traffic route through the server (so I can have a static IP to manage other services):

Looking at my example above, I assume you want the macOS device to be able to communicate with the Windows 10 device through a DNS suffix?

To be honest, I did run into some DNS issues that I got halfway through. If this is what you are looking for, I could do some more tinkering and report back to you.

I’m using it to connect my personal Windows laptop to our corporate office, so was wanting easier access to local servers where we just specify the server name rather than the FQDN. I did eventually find an answer, so here it is in case it helps someone else:

In Registry editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Add a string value named SearchList with a comma-separated list of domains.

Note that this isn’t connection-specific, it’s global. In my case, I’m OK with that. From the GitHub source, it looks like “DNSSearch” will be a config option eventually for the wireguard Windows client and that will be a better solution than making it global for most people.


Thanks for sharing your solution! I’ll probably need this in my next step, so thanks a ton.

I want to create a WireGuard VPN (just like how you are using it – accessing internal systems), but I want to firewall off their access.

Use case:

  • Workstations can VPN in from home
  • All of their Internet traffic SHOULD NOT be sent over the connection
  • Only RDP and possibly local DNS should be sent over the VPN tunnel
  • Any other requests over the VPN tunnel will get blocked by the server firewall

Not sure how I am going to do it, but it’s on my list to investigate. :upside_down_face:

I haven’t tried to restrict traffic, but I suspect you can do that with the firewall on the server side. Right now I’m having a bit of a blocking issue with that, so I need to figure out how to enable everything.

As far as restricting which traffic the client sends, here’s my client configuration which should help…

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxx=
# Tunnel addresses assigned to this client (IPv4 and IPv6)
Address = 10.44.1.101/16, fddd:6cdd:d7dd:66dd:44:1:0:101/80
# Internal resolvers, all reachable through the networks listed in AllowedIPs
DNS = 10.1.1.2, 10.2.1.2, fddd:6cdd:d7dd:66dd:1::2, fddd:6cdd:d7dd:66dd:2::2

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxx=
# Only these networks are routed into the tunnel; everything else uses the normal Internet connection
AllowedIPs = 10.1.0.0/16, 10.2.0.0/16, fddd:6cdd:d7dd:66dd:1::/80, fddd:6cdd:d7dd:66dd:2::/80
Endpoint = 1.1.1.1:51820

Hope that helps.


Dear Jay Thanks for the great article!

In your article, in the “create new tunnel” window there is a “block un-tunneled traffic (kill switch)” checkbox. In fact, one of the screenshots has it but the other one does not. I have the latest wireguard client application installed (missing the checkbox) on my windows 10 64 bit.

Without that checkbox, I am not able to restrict certain traffic to go through the vpn tunnel.

If you have any idea please let me know.

Best

Hey @tdpocket!

Sorry for the delayed response, it’s been a busy few days for me. What I learned is the Block untunneled traffic does not appear until you have AllowedIPs in your config file.

I just tested it out and that’s how it worked for me:

Hey @tdpocket,

To further clarify, the checkbox appears only if you route 0.0.0.0/0, not if you selectively route traffic. I created definitions for either, preferring most of the time to route only the essential business network traffic through the tunnel and allow everything else to use the internet connection.

On Windows, if you selectively route traffic, you need to include your local DNS server in the DNS = list or Windows will think there is no internet on either connection.

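As an added example (my own code, not part of this thread or of the WireGuard project), here is a small Python linter for a client config like the one posted above. It reports whether the config is a full tunnel (0.0.0.0/0 or ::/0, the case where the Windows client shows the kill-switch checkbox) or a split tunnel, rejects AllowedIPs entries that are not valid networks (the kind of stray-character typo that is easy to miss in a long IPv6 prefix), and lists any DNS server that is not covered by AllowedIPs and so would be queried outside the tunnel. The sample config is constructed for the example; the key and endpoint values are placeholders.

```python
import ipaddress

# Constructed sample in the style of the split-tunnel config above; the
# "ffddd:" entry is a deliberate typo so the check has something to catch.
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxx=
Address = 10.44.1.101/16
DNS = 10.1.1.2, 10.2.1.2, 8.8.8.8

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxx=
AllowedIPs = 10.1.0.0/16, 10.2.0.0/16, ffddd:6cdd:d7dd:66dd:2::/80
Endpoint = 1.1.1.1:51820
"""

def parse_config(text):
    """Return {section: {key: [values]}}; comma-separated values are split,
    and repeated [Peer] sections are merged, which is what we want here."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current:
            key, _, value = line.partition("=")   # first "=" only: keys end in "="
            values = [v.strip() for v in value.split(",") if v.strip()]
            sections[current].setdefault(key.strip(), []).extend(values)
    return sections

def check_config(text):
    """Lint the routing-related settings and return a list of findings."""
    cfg, findings, allowed = parse_config(text), [], []
    for entry in cfg.get("Peer", {}).get("AllowedIPs", []):
        try:
            allowed.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            findings.append(f"AllowedIPs entry is not a valid network: {entry}")
    full_tunnel = any(net.prefixlen == 0 for net in allowed)   # 0.0.0.0/0 or ::/0
    findings.append("full tunnel: kill switch checkbox available" if full_tunnel
                    else "split tunnel: kill switch checkbox not offered by the Windows client")
    for dns in cfg.get("Interface", {}).get("DNS", []):
        try:
            addr = ipaddress.ip_address(dns)
        except ValueError:
            findings.append(f"DNS entry is not an IP address: {dns}")
            continue
        if not any(addr in net for net in allowed):   # version mismatch is simply False
            findings.append(f"DNS server {dns} is not covered by AllowedIPs; "
                            "it will be queried outside the tunnel")
    return findings
```

Running `check_config(SAMPLE_CONFIG)` on the sample reports the invalid IPv6 prefix, the split-tunnel status, and that 8.8.8.8 is resolved outside the tunnel; a config with `AllowedIPs = 0.0.0.0/0, ::/0` produces only the full-tunnel line.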

Yup, you are totally right. Thanks for clarifying @bretmiller!!