Score:0

How to start wireguard client on windows, in the background?

cn flag

I have multiple computers (Win10 pro) placed at different remote locations (my partners) that I need to manage. I need to access them from a central location. So I have a central VPN server, and I want multiple Win10 pro instances to connect to it. I'm using L2TP, but I would like to migrate to wireguard. With L2TP, it is possible to start rasdial.exe in the background, from the task scheduler. The main goal is to start the tunnel as soon as the computer starts up, and automatically reconnect if the tunnel goes down. I need this BEFORE any user logs into the computer (e.g. in the background). I wonder if the same can be done with wireguard?

I noticed that there is a program called C:\Program Files\Wireguard\wg.exe and its command line options are very similar to the wg (linux) program:

C:\Program Files\WireGuard>wg.exe --help
Usage: wg.exe <cmd> [<args>]

Available subcommands:
  show: Shows the current configuration and device information
  showconf: Shows the current configuration of a given WireGuard interface, for use with `setconf'
  set: Change the current configuration, add peers, remove peers, or change peers
  setconf: Applies a configuration file to a WireGuard interface
  addconf: Appends a configuration file to a WireGuard interface
  syncconf: Synchronizes a configuration file to a WireGuard interface
  genkey: Generates a new private key and writes it to stdout
  genpsk: Generates a new preshared key and writes it to stdout
  pubkey: Reads a private key from stdin and writes a public key to stdout
You may pass `--help' to any of these subcommands to view usage.

But I think it is for configuration only. I think it cannot be used to activate a tunnel. The original documentation ( https://www.wireguard.com/quickstart/#command-line-interface ) explains that "the interface can ... be activated with ifconfig(8) or ip-link(8)" but of course that works for unix only. In that documentation, there is another note "Non-Linux users will instead write wireguard-go wg0" but I'm not sure what they mean here. There is no program named "wireguard-go" anywhere. The network adapter for the tunnel only shows up in the network adapter list when the tunnel is already active. E.g. there is no network adapter that I could "enable" or "activate" when the tunnel is down. Finally, there is wireguard.exe. When started without parameters, it is a GUI application. It cannot be run without a logged-in user and a desktop, and it does not activate any tunnel automatically. It has some interesting command line options. "wireguard.exe /managerservice" is used to start it as a Windows service. "wireguard.exe /tunnelservice CONFIG_PATH" looks promising, but I was not able to start that. I get this error, that "the process could not connect to the service manager" or something similar. (I also get this error when I start it as administrator.)

I'm out of ideas. How should I do this?

djdomi
za flag
you have in my mind 2 options, either use nssm as a third party software or use the wg client that could be running via a wg file from autostart or basically even untested via schedule
cn flag
Use nssm how? What should it start?
djdomi
za flag
with the non sucking service manager you can install the service as you need
cn flag
I know what nssm is. But you need to tell a command to start. What should be the command?
djdomi
za flag
"C:\Program Files\WireGuard\wireguard.exe" /installtunnelservice "C:\Program Files\WireGuard\Data\Configurations\NAME_OF_CONNECTION.conf.dpapi" is a common way remind that wg and wireguard is not the same
cn flag
I think that is what I needed. Testing now...
Score:4
kz flag

All other solutions to this problem are not ideal. The methods I've seen are:

  1. Just running as an admin

  2. Adding the user account to the Network Configuration Operators group

    • Pros: WireGuard GUI, works smoothly
    • Cons: Your regular user gets added to an admin group and will appear in UAC prompts. This is very annoying.

  3. Running the WireGuard tunnel as a Windows service (as suggested in this answer)

    • Pros: Works perfectly
    • Cons: No GUI, needs an elevated console.

Solution:

  1. Install the latest MSI: https://download.wireguard.com/windows-client/

  2. Then run this command in elevated console with your .conf file:

    wireguard /installtunnelservice C:\path\to\some\myconfname.conf

This creates a service called WireGuardTunnel$myconfname, which can be controlled using standard Windows service management utilities, such as services.msc or sc. — source

  3. Control the service with "ServiceTray": https://www.coretechnologies.com/products/ServiceTray/

    (This gives you a nice icon in the system tray that shows the up status of the WireGuard tunnel service. Green = connected, red = not connected, and you can start and stop it by right-clicking. See image below)

    Note: When creating the service controller, save the shortcut to desktop, not startup (doesn't seem to work, and you can copy it to startup later)

  4. (optional) Change the service's startup type to manual if you don't want to be connected to the tunnel on startup.

An example of what this looks like on Win 10. Hovering the icon shows the name of the tunnel.

Score:1
dz flag

I found a maybe-easier option at: https://git.zx2c4.com/wireguard-windows/about/docs/enterprise.md

wireguard /installtunnelservice C:\path\to\some\myconfname.conf

Score:0
do flag

I liked bn-l's answer, but starting or stopping the connection still requires an admin override. I decided to take it step further. I wrote a PowerShell script that creates a file in my temp directory if it doesn't exist or deletes it if it already exists. This runs without any need for additional privileges.

Then I wrote another script that starts or stops the service based on the presence or absence of that file on a one second loop. I run it as a scheduled task running as SYSTEM and triggered by system start up.

Now I use that script as a button that starts and stops the service but I don't need any admin logins or overrides, just toggle the VPN on or off. The system tray icon very conveniently shows a red or green indicator.

One more thing worth noting is that I used the config file that was created by the admin GUI. On my system, that's at "C:\Program Files\WireGuard\Data\Configurations\[name of connection].conf.dpapi"
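The flag-file toggle described in this answer, built on the WireGuardTunnel$name service from the earlier answer, written out as an added example (not the poster's scripts): a SYSTEM watcher that only checks whether the flag exists, an unprivileged toggle script, and the one-time task registration. The tunnel name "myconfname", the directory C:\ProgramData\wg-toggle and the account name DESKTOPUSER are assumptions; restricting the directory with icacls is added so that only the intended user can toggle the tunnel.

```powershell
# --- watch-wg.ps1 (runs as SYSTEM from a startup scheduled task) ---
# Assumed: tunnel config "myconfname" (service created by
# "wireguard /installtunnelservice ...\myconfname.conf") and a flag
# directory that only the intended desktop user can write to.
$ServiceName = 'WireGuardTunnel$myconfname'
$FlagFile    = 'C:\ProgramData\wg-toggle\vpn-on.flag'

while ($true) {
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Start-Sleep -Seconds 10; continue }   # tunnel service not installed yet

    # Only the file's existence is consulted; its contents are never read or
    # executed, so whoever can write the directory can toggle the tunnel and nothing more.
    $wanted = Test-Path -LiteralPath $FlagFile -PathType Leaf

    if ($wanted -and $svc.Status -ne 'Running') {
        Start-Service -Name $ServiceName
    } elseif (-not $wanted -and $svc.Status -eq 'Running') {
        Stop-Service -Name $ServiceName
    }
    Start-Sleep -Seconds 1
}

# --- toggle-wg.ps1 (runs as the regular user, no elevation needed) ---
$FlagFile = 'C:\ProgramData\wg-toggle\vpn-on.flag'
if (Test-Path -LiteralPath $FlagFile) {
    Remove-Item -LiteralPath $FlagFile                          # watcher stops the tunnel
} else {
    New-Item -ItemType File -Path $FlagFile -Force | Out-Null   # watcher starts the tunnel
}

# --- one-time setup (elevated): lock down the flag directory, register the watcher ---
New-Item -ItemType Directory -Path 'C:\ProgramData\wg-toggle' -Force | Out-Null
# DESKTOPUSER is a placeholder for the account that may toggle the tunnel.
icacls 'C:\ProgramData\wg-toggle' /inheritance:r /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' 'DESKTOPUSER:(OI)(CI)M'
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument '-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\ProgramData\wg-toggle\watch-wg.ps1"'
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
# ExecutionTimeLimit of zero disables the default 72-hour kill so the loop keeps running.
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero) `
             -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1)
Register-ScheduledTask -TaskName 'WireGuardToggleWatcher' -Action $action -Trigger $trigger `
             -Principal $principal -Settings $settings | Out-Null
```

The watcher is the only component that touches the service, so the regular user never needs SeServiceLogonRight or an admin prompt; the ServiceTray icon from the earlier answer still reflects the service state.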
