This article explains how to configure Windows so that users who are not administrators of the PC can make limited use of the WireGuard GUI.

When using WireGuard with its GUI on a Windows PC, the user needs to be a member of the Administrators group. If the user is not a member of the Administrators group, you will see the following error message:

WireGuard is running, but the UI is only accessible from desktops of the Builtin Administrators group.

That means a user who is not a member of the Administrators group cannot activate or deactivate tunnels through the WireGuard GUI. However, WireGuard has a specific configuration option that enables limited GUI interaction and the activation and deactivation of existing tunnels. For the setup you will need a user who can run applications and commands in elevated mode (i.e. Run as Administrator).

Activate WireGuard Limited Operator UI  

In WireGuard you can activate a Limited Operator UI by setting the respective entry in the Registry. See the documentation here (Link opens WireGuard on GitHub site).

If the Limited Operator UI is active in the Registry, users who are members of the Network Configuration Operators group can start and stop tunnels. Other GUI activities such as adding, removing, editing, importing, or exporting configurations are not possible.

To add the required Registry entry, search for the command prompt (enter cmd into the search field of Windows) and select "Run as administrator".

Paste the following command into the command prompt window and press enter:

reg add HKLM\Software\WireGuard /v LimitedOperatorUI /t REG_DWORD /d 1 /f

This command adds the key HKEY_LOCAL_MACHINE\SOFTWARE\WireGuard and entry LimitedOperatorUI with value 1 to the registry.

Add User to Network Configuration Operators Group

The user in question needs to be a member of the Network Configuration Operators group.

I was able to add a domain user to this group via Windows PowerShell. Start PowerShell in "Run as administrator" mode.

Then copy the line below to the PowerShell window and replace USERNAME with the user name you want to add:

Add-LocalGroupMember -Group "Network Configuration Operators" -Member ('USERNAME') -Verbose

If the user is in the Windows domain GLOBAL, you may need to replace USERNAME with GLOBAL\USERNAME, see example below:

Add-LocalGroupMember -Group "Network Configuration Operators" -Member ('GLOBAL\USERNAME') -Verbose

The change becomes active after the user has logged in again.
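
The registry and group steps above can be combined into one repeatable function for an elevated PowerShell window. This is an added example, not part of the original article or of the WireGuard project; the function name Enable-WireGuardLimitedUI and the account GLOBAL\USERNAME are placeholders. It refers to the group by its well-known SID S-1-5-32-556 so that it does not depend on the localized group name, and it prints the resulting group membership so the grant can be reviewed.

```powershell
# Added example: apply and verify the Limited Operator UI setup in one pass.
# Function name and the account passed to it are placeholders.
function Enable-WireGuardLimitedUI {
    param(
        [Parameter(Mandatory)] [string] $Member   # e.g. 'GLOBAL\USERNAME'
    )

    $regPath  = 'HKLM:\SOFTWARE\WireGuard'
    $regName  = 'LimitedOperatorUI'
    $groupSid = 'S-1-5-32-556'   # built-in Network Configuration Operators

    # Refuse to run without elevation; both changes need administrator rights.
    $me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell window.'
    }

    # 1. Registry: create the key if it is missing, then set the DWORD to 1.
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 1 -Force | Out-Null

    # 2. Group: resolve the account to its SID and add it only if it is absent,
    #    so the function can be re-run without "already a member" errors.
    $sid = ([Security.Principal.NTAccount]$Member).Translate(
               [Security.Principal.SecurityIdentifier]).Value
    $current = Get-LocalGroupMember -SID $groupSid
    if ($current.SID.Value -notcontains $sid) {
        Add-LocalGroupMember -SID $groupSid -Member $Member -Verbose
    }

    # 3. Report the resulting state for review.
    [pscustomobject]@{
        LimitedOperatorUI = (Get-ItemProperty -Path $regPath -Name $regName).$regName
        Group             = (Get-LocalGroup -SID $groupSid).Name
        Members           = (Get-LocalGroupMember -SID $groupSid).Name -join ', '
    }
}

Enable-WireGuardLimitedUI -Member 'GLOBAL\USERNAME'
```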

Provide a Tunnel to Activate / Deactivate in Limited UI

If you have an Admin user (i.e. a user who is a member of the Administrators group) on the system, you can log in with this user and import the WireGuard tunnel configuration files in the GUI.

If you do not have a user who is a member of the Administrators group, the following workaround should work:

With Windows Explorer, navigate to the directory where WireGuard stores the configuration files (normally C:\Program Files\WireGuard\Data\Configurations) and copy all relevant tunnel configuration files into this directory.

Now the users with the Limited UI access can select from these tunnels and activate / deactivate as needed.
