Wireguard Windows running GUI as non-admin

It can be a problem for users to run the WireGuard client when logged in as a non-admin user, and even when running the Wireguard as admin you get the message "WireGuard is running, but the UI is only accessible from desktops of the Builtin Administrators group."

It's possible to connect to a WIreGuard VPN without having administrator privileges, but sadly the process is not well documented. Here's how you do that:

1. Install WireGuard configuration file

Start by installing the WireGuard quick configuration file as an administrator. The user won't be able to create or delete new tunnels, just use existing ones.

2. RegEdit editing

Now for some deep dive stuffRun RegEdit as an administrator. To do that type in regedit.msc into the Run window, right click, and select Run as administrator. 

Once Regedit opens, expand the hive and keys for  HKLM\Software\WireGuard\LimitedOperatorUI. Right click the LimitedOperatorUI key, and create a DWORD key and set it to 1

3. Providing permissions to non-admin user.

After setting the RegEdit DWORD key, you need to provide new permissions to the user who you want to be able to connect/disconnect to the VPN.

To do this, run Local Users and Groups as an administrator (type in lusrmgr.msc into the Run window, right click, and select Run as administrator), select the Users folder, right click the user you want to give permissions to, and then click Properties.

Select the Member Of tab. Then, click Add… at the bottom of the screen.

In the “ Enter the object names to select” text box, type in Network Configuration Operators and click Check Names.

You will have the option to select the Network Configuration Operators group. Do that and click OK. Then click OK on the Select Groups window, and click OK on the Properties window.

4. The last step.

Logout and login as the non-admin user. Find the WireGuard program, right-click and select "run as admin" one time. Then reboot and it should work for the non-admin user.

Alternative solution

The following method also works for some users:

  1. Install Wireguard as administrator and import the configuration file.
  2. Create a new task via Task Scheduler
  3. In General -> Security Options execute independently of the user login and with highest privileges
  4. In Trigger, start task and Choose on login
  5. in Actions, start program and select the path to wireguard.exe