WireGuard Server on Windows - Best way

I have tested a solution to run one of my WireGuard servers on Windows to access the host and also the local network at the site. I have borrowed much of the setup from:
https://www.henrychang.ca/how-to-setup-wireguard-vpn-server-on-windows/

But, my experience is that the NAT (ICS - Internet Connection Sharing) is not 100% stable. Sometimes it just stops working. This was about 6 months ago.

Now I’m about to setup a new server. I have successfully used an Ubuntu VM with WireGuard Server in Hyper-V on Windows. This works 100% with the NAT, very reliable. But I get the overhead of a VM.

I’m seeking advice and experience here before I walk the VM path… Thanks!

Just use https://github.com/micahmo/WgServerforWindows for Windows deployment; it fixes all quirks with ICS. I have it on one server and it persisted through Windows updates and all the nasty stuff (power outages etc.).

You can try https://www.wiresock.net/wiresock-vpn-gateway/ to set up a WireGuard server on Windows.

New-NetNat -Name "WG_NAT" -InternalIPInterfaceAddressPrefix "192.168.222.0/24"

Persists over restarts. That’s much simpler than operating over COM objects and… I don’t even have the required DLL on Windows Server Core 2019.

SharedAccess service is stopped, so I assume the NetNat PowerShell module does not use ICS.
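The NetNat route sketched in the post above, written out as a complete, idempotent setup script. This is an added example and not code from the thread or from WgServerforWindows; the NAT name and subnet follow the post, while the tunnel interface alias "wg_server" and the listen port 51820 are assumptions to adjust to your own setup. It also shows the two checks that confirm ICS (the SharedAccess service) is not involved.

```powershell
# Added example, not from the thread or from WgServerforWindows: stand up a
# NetNat-based NAT for a WireGuard tunnel subnet and verify it does not depend
# on ICS. Assumed values (hypothetical, adjust to your setup):
#   $TunnelNet - the subnet used for WG_NAT in the post above
#   $WgIface   - alias of the WireGuard tunnel interface on the server
#   $WgPort    - the server's ListenPort
# Run from an elevated PowerShell session on the server.
$NatName   = 'WG_NAT'
$TunnelNet = '192.168.222.0/24'
$WgIface   = 'wg_server'
$WgPort    = 51820

# 1. NetNat objects live in the persistent configuration store and survive
#    reboots, but New-NetNat throws if one with this name already exists,
#    so look first and only create when missing.
$nat = Get-NetNat -Name $NatName -ErrorAction SilentlyContinue
if ($null -eq $nat) {
    $nat = New-NetNat -Name $NatName -InternalIPInterfaceAddressPrefix $TunnelNet
    Write-Host "Created NAT $($nat.Name) for $($nat.InternalIPInterfaceAddressPrefix)"
} else {
    Write-Host "NAT $NatName already present, leaving it alone"
}

# 2. NAT only translates packets the host is willing to forward. Enable IPv4
#    forwarding on the tunnel interface and on the interface holding the
#    default route (the one that faces the LAN / Internet).
$egress = (Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
           Sort-Object RouteMetric | Select-Object -First 1).InterfaceAlias
foreach ($alias in @($WgIface, $egress)) {
    Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Forwarding Enabled
}

# 3. Let peers reach the WireGuard listener through Windows Defender Firewall.
$ruleName = "WireGuard UDP $WgPort"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
        -LocalPort $WgPort -Action Allow | Out-Null
}

# 4. Evidence that ICS is not in the picture: SharedAccess can stay stopped
#    (even disabled) while NetNat translates. Get-NetNatSession lists live
#    translations once a peer pushes traffic through the tunnel.
Get-Service SharedAccess | Select-Object Name, Status, StartType
Get-NetNat | Format-Table Name, InternalIPInterfaceAddressPrefix, Active -AutoSize
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object InterfaceAlias -in @($WgIface, $egress) |
    Format-Table InterfaceAlias, Forwarding -AutoSize
Get-NetNatSession -NatName $NatName -ErrorAction SilentlyContinue |
    Format-Table InternalSourceAddress, InternalDestinationAddress, ExternalSourceAddress -AutoSize
```

Two caveats worth knowing before relying on this: Windows supports only one NetNat instance at a time, so a host that already runs Hyper-V's Default Switch, WSL 2 or Docker Desktop may already own it and New-NetNat will fail; and forwarding has to be enabled on both interfaces, not just the tunnel one, or the NAT object will show as Active while clients still get nothing back.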

Why do you need NAT on the Windows server? Why not assign and use a subnet that is valid for the network, and set up routing on the various devices on the network for that subnet.

I suggest trying to avoid NAT as much as possible, only using it on the firewall/router connecting you to the Internet.

I run a VPS with Windows 2016 and all ports open. I do not want to provide access to the VPS local system for my clients - only access to the public internet.

Will I still be faced with the same issues highlighted in this post if I use WgServerforWindows?

Can WireGuard clients connected to a WireGuard server access local SMB shares on the network?

After 5 days of testing, I’m only happy with the solution of running WG with:
https://github.com/micahmo/WgServerforWindows

I have it running on 3 servers so far. Thanks!

This reply should be the first result on google

Thanks for sharing! I’ll check it out!

Are you using Windows 10/11 or Windows Server?

I’m on Windows Server 2019, and maybe it lacks the NAT option, and I have to use ICS.
https://github.com/micahmo/WgServerforWindows#internet-sharing

I will test tomorrow.

Is there a version of this that doesn’t require me to download and install visual studio and compile the author’s code before I run it?

Thanks, I have not tried yet.

But I saw the license note. Some of the servers are not for “private use”. How are they licensed? I could not find information regarding it.

That was a new option to me.

I have always used NAT on the VPN server (WireGuard / OpenVPN). How and where do I configure and set up routing instead?

https://github.com/micahmo/WgServerforWindows will most probably do this for you. Then you need to limit the clients so they can only access public IPs (no LAN IPs). I guess Windows Defender Firewall needs to be involved if you need security, e.g. not only configuring internet-only access on the client, but enforcing it on the server side. If the clients are kind and only want to access the internet then you can configure it with AllowedIPs.

https://www.reddit.com/r/WireGuard/comments/s8i80h/comment/hu4wqod/?utm_source=share&utm_medium=web2x&context=3
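The two halves described in the reply above, server-side enforcement and the cooperative client AllowedIPs, as an added example that is not code from the thread or from WgServerforWindows. The tunnel subnet 10.8.0.0/24 and the interface alias "wg_server" are assumptions. The server part adds a Block rule on the tunnel interface for the private ranges and for the host's own address; the client part computes the AllowedIPs list that covers the whole IPv4 space except the RFC 1918 ranges, so the client never sends LAN-bound traffic into the tunnel in the first place.

```powershell
# Added example, not from the thread or from WgServerforWindows: "internet only"
# for WireGuard peers. Hypothetical values to adjust:
#   $TunnelNet - the WireGuard tunnel subnet handed out to peers
#   $WgIface   - alias of the server's WireGuard tunnel interface
$TunnelNet   = '10.8.0.0/24'
$WgIface     = 'wg_server'
$Rfc1918     = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
$PrivateNets = $Rfc1918 + @('169.254.0.0/16', '127.0.0.0/8')

# --- Server side ----------------------------------------------------------
# Block rules take precedence over Allow rules in Windows Defender Firewall,
# so this holds even on a VPS where "all ports" were opened with Allow rules.
# The host's own public address is included so peers cannot reach services on
# the server itself. Assumption to verify from a client: traffic the host
# forwards for the tunnel is evaluated as inbound on $WgIface. If a client can
# still reach a LAN address after this, the rule is not seeing forwarded packets.
$egressIdx = (Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
              Sort-Object RouteMetric | Select-Object -First 1).InterfaceIndex
$hostAddrs = (Get-NetIPAddress -InterfaceIndex $egressIdx -AddressFamily IPv4).IPAddress
$ruleName  = 'WireGuard peers: block private ranges and host'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
        -InterfaceAlias $WgIface -RemoteAddress $TunnelNet `
        -LocalAddress ($PrivateNets + $hostAddrs) | Out-Null
}

# --- Client side: AllowedIPs = 0.0.0.0/0 minus the excluded prefixes ----------
function ConvertTo-Int([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}
function ConvertTo-Cidr([long]$Net, [int]$Len) {
    return ('{0}.{1}.{2}.{3}/{4}' -f (($Net -shr 24) -band 255), (($Net -shr 16) -band 255),
                                     (($Net -shr 8) -band 255), ($Net -band 255), $Len)
}
function Get-Mask([int]$Len) {
    if ($Len -eq 0) { return [long]0 }
    return ([long]4294967295 -shl (32 - $Len)) -band [long]4294967295
}
function Get-AllowedIPsExcluding([string[]]$Exclude) {
    # Split 0.0.0.0/0 recursively: emit a prefix when it touches no exclusion,
    # drop it when it lies inside one, otherwise halve it and look again.
    $ex = foreach ($c in $Exclude) {
        $n, $l = $c -split '/'
        [pscustomobject]@{ Net = (ConvertTo-Int $n); Len = [int]$l }
    }
    $out   = New-Object System.Collections.Generic.List[string]
    $stack = New-Object System.Collections.Stack
    $stack.Push(@([long]0, 0))
    while ($stack.Count -gt 0) {
        $net, $len = $stack.Pop()
        $inside = $false; $overlap = $false
        foreach ($e in $ex) {
            $m = Get-Mask ([Math]::Min($len, $e.Len))
            if (($net -band $m) -eq ($e.Net -band $m)) {
                $overlap = $true
                if ($len -ge $e.Len) { $inside = $true; break }   # fully excluded
            }
        }
        if ($inside) { continue }
        if (-not $overlap) { $out.Add((ConvertTo-Cidr $net $len)); continue }
        $half = [long]1 -shl (31 - $len)                           # partial overlap: split
        $stack.Push(@(($net + $half), ($len + 1)))                 # upper half (popped second)
        $stack.Push(@($net, ($len + 1)))                           # lower half (popped first)
    }
    return $out.ToArray()
}

$allowed = (Get-AllowedIPsExcluding $Rfc1918) -join ', '
@"
[Peer]
# PublicKey / Endpoint as usual; only AllowedIPs is shown here
AllowedIPs = $allowed
"@
```

Excluding just the three RFC 1918 ranges yields 31 prefixes in ascending order, starting 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4 and ending 208.0.0.0/4, 224.0.0.0/3; pass a longer exclusion list (the server's own LAN, 169.254.0.0/16) to the function if you want those left out as well. Because the server-side Block rule covers 10.0.0.0/8, it also blocks peers from the server's tunnel address, so clients need a public resolver in their DNS= line rather than the server's tunnel IP.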

W10 atm, yeah NAT is not working for me either but ICS does the job

Yes, there is a precompiled release to download: https://github.com/micahmo/WgServerforWindows/releases/download/v2.0.10/WS4WSetup-2.0.10.exe

To be honest, the software was conceived for home users (I myself use it on three home PCs) and I did not think that someone would need a commercial license, because using Linux servers would be cheaper and more efficient. In any case, if the rules of your company require written permission to use the software, I think I can sign it.

Well people often use NAT because it makes things easier. As to how and where, it completely depends on the rest of your network, which can make things complicated. Particularly if you are using consumer ‘routers’ that don’t let you add static routes.

Things will work far better if you can set up routing properly though. It may seem more complex because you have to configure other things, but it will often work far better than any NAT based setup.

After successfully deploying it to 3 Windows Servers I have seen NAT as an option on all. So I have not tried the ICS option.