Always on with Wireguard on Windows?

So I’ve been pointed at Wireguard as a possibly free, lightweight, secure VPN replacement for a few other older VPN/firewall solutions I’ve got clients using.

Can Wireguard on Windows be configured so it is “always on” to the point that the laptop/desktop is basically a brick if the VPN client can’t establish a tunnel back to the Wireguard server please?

So you can take the endpoint and connect to Wi-Fi or wired, but absolutely nothing can happen unless the Wireguard client can establish a tunnel, and when it does all traffic is forced over that tunnel.

Very sorry if my terminology is a bit off; I hadn’t really heard of Wireguard until a couple of hours back.

Thanks :)

Yes. Simply use the Wireguard service in Windows and place the config in the conf folder; that’s it, nothing more needs to be done on Windows.

Using the Wireguard app for Windows, after you import the config and connect, click the edit button on the bottom right. On the bottom left of the new window there is a checkbox that says “Block untunneled traffic (kill-switch)”.

“but absolutely nothing can happen”

Since you used the term absolute, no, this isn’t actually true. Windows *can* override Wireguard. Even some browsers like Firefox with default DNS settings can cause some leaks. And of course anything else privileged, or malware booting the OS, can bypass it. Something like Firefox would be most likely (it’s still not leaking much) and the other possibilities are less likely. It’s not going to ensure traffic doesn’t leak even with “block untunneled traffic” set. It *generally* won’t leak though.

Well, I don’t think I want the config visible to end users, but I also think from what I read it can be imported and then it’s encrypted somehow.

That almost seems too simple to be true if it really works like that with no admin or special rights needed by the end user once it’s been installed and initially configured.

Thanks, so I’m reading this:

https://www.reddit.com/r/WireGuard/comments/101eob8/wg_as_service_windows/

https://github.com/WireGuard/wireguard-windows/blob/master/docs/enterprise.md

and if I understand correctly, if I install it as an admin, run it once as an admin and make the initial connection to a tunnel, it will automatically install as a service and connect automatically after a reboot, before a user even logs in, so it doesn’t matter whether the user is an admin once it’s been installed?

And the “Block untunneled traffic (kill-switch)” you mention means that if the tunnel isn’t up, nothing goes out over any other interfaces?

I need to play with this really, but I’m just trying to get my head around the basic principles first.

The configuration is stored on the device; you can’t hide it from the user. There is also no reason to hide it, or why do you think you need a hidden configuration?

That’s the idea, but yes. It’s supposed to disable any traffic if the tunnel isn’t established. I just use it on my home router, not in any enterprise/business capacity, and I’ve not had any issues with it.
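To make the "install once as admin, runs as a service before login, kill switch on" setup from the posts above concrete, here is an added PowerShell example (not from this thread and not the WireGuard project's own code). It uses the real `wireguard.exe /installtunnelservice` and `wg.exe` commands shipped with the Windows client; the tunnel name, addresses, server public key and endpoint are placeholders you would replace with your own. Run it from an elevated PowerShell on the client machine.

```powershell
#Requires -RunAsAdministrator
# Added example: provision an "always on" WireGuard tunnel on Windows as a
# service with the kill switch active. Not from the thread or the project.
# PLACEHOLDERS (assumed values): tunnel name, addresses, server key, endpoint.

$wgDir      = 'C:\Program Files\WireGuard'   # default install location
$tunnelName = 'corp'                         # service becomes WireGuardTunnel$corp
$confPath   = Join-Path $env:TEMP "$tunnelName.conf"

# Generate the client key pair with wg.exe. The public key is what you add as a
# [Peer] on the server; the server's public key and endpoint are placeholders.
$clientPriv = & "$wgDir\wg.exe" genkey
$clientPub  = $clientPriv | & "$wgDir\wg.exe" pubkey
Write-Host "Add this client public key as a peer on the server: $clientPub"
$serverPub  = 'SERVER_PUBLIC_KEY_GOES_HERE'   # placeholder
$serverEp   = 'vpn.example.com:51820'         # placeholder

# AllowedIPs = 0.0.0.0/0, ::/0 on a single peer is what turns the kill switch
# on in the Windows client: it adds Windows Filtering Platform rules that drop
# everything except the tunnel interface, loopback, DHCP, DNS to the configured
# server through the tunnel, and wireguard.exe's own UDP traffic to the endpoint.
# The GUI checkbox "Block untunneled traffic (kill-switch)" toggles between these
# /0 routes and split /1 routes (0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1), which
# still route everything into the tunnel but without the blocking rules.
$conf = @"
[Interface]
PrivateKey = $clientPriv
Address = 10.0.0.2/32, fd00::2/128
DNS = 10.0.0.1

[Peer]
PublicKey = $serverPub
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $serverEp
PersistentKeepalive = 25
"@
Set-Content -Path $confPath -Value $conf -Encoding ascii

# Register the tunnel as a Windows service. The client stores the config as
# <name>.conf.dpapi under $wgDir\Data\Configurations (encrypted with DPAPI)
# and the service starts automatically at boot, before any user logs in.
& "$wgDir\wireguard.exe" /installtunnelservice $confPath
Remove-Item $confPath   # don't leave the plaintext private key in %TEMP%

# Optional, from the project's enterprise.md: members of the local
# "Network Configuration Operators" group get a limited UI (toggle tunnels,
# no viewing or editing of configs) without being administrators.
New-Item -Path 'HKLM:\SOFTWARE\WireGuard' -Force | Out-Null
Set-ItemProperty -Path 'HKLM:\SOFTWARE\WireGuard' -Name 'LimitedOperatorUI' -Value 1 -Type DWord

# Verify: service present and automatic, interface configured, handshake seen.
Get-Service "WireGuardTunnel`$$tunnelName" | Select-Object Name, Status, StartType
& "$wgDir\wg.exe" show $tunnelName
```

Two caveats worth testing for yourself. First, the blocking rules exist only while the tunnel service is running: they block traffic when the service is up but cannot reach the peer, which is the "brick until the tunnel comes up" behaviour asked for, but stopping or uninstalling the service (which requires administrator rights) restores normal connectivity. Second, as the earlier reply says, this is a best-effort block, not a guarantee; test it by pointing `Endpoint` at an unreachable address and confirming nothing leaves the physical NIC, rather than trusting the checkbox.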

Couldn’t someone with the private key connect any device they wanted to the VPN?

No, because you need to authenticate the client’s public key into the server.

You have the real client’s private key. You can set the private key on a bad device to the same private key as the good device. That will make the public key for the bad device the same as for the good device.
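The point in the reply above is that a WireGuard peer's identity is nothing more than its private key. The following added PowerShell example (not from the thread or the project) shows this with the `wg.exe` shipped in the Windows client: the same private key on a second machine yields the same public key, so the server's peer list cannot tell the two devices apart. No tunnel is created; the keys are generated on the spot and the device names are made up.

```powershell
# Added example: demonstrate that copying a WireGuard private key clones the
# peer identity. Uses wg.exe from the Windows client; nothing is connected.
$wg = 'C:\Program Files\WireGuard\wg.exe'

# The "good" device generates its key pair. Only the public key is ever given
# to the server admin, who puts it in a [Peer] section on the server.
$goodPriv = & $wg genkey
$goodPub  = $goodPriv | & $wg pubkey

# Someone who obtained the private key (from the .conf before it was encrypted,
# a backup, an exported tunnel, or an admin reading the DPAPI-protected store)
# drops it into the [Interface] section of a config on a "bad" device.
$badPriv = $goodPriv
$badPub  = $badPriv | & $wg pubkey

# Same private key => same public key. The server authenticates the handshake
# with that public key, so both devices are, to it, the same peer.
if ($goodPub -ceq $badPub) {
    Write-Host "Both devices present PublicKey = $goodPub; the server cannot distinguish them."
}

# A key generated on the bad device itself, by contrast, is unknown to the
# server, and its handshake packets are silently ignored.
$freshPub = (& $wg genkey) | & $wg pubkey
Write-Host "A fresh key $freshPub is not in the server's peer list, so it gets no tunnel."
```

The practical consequence is that the private key in the client config is the credential to protect, which is why the Windows client encrypts stored configs with DPAPI and why the earlier question about hiding the config from end users is really a question about who can read or export the private key.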