Windows Issue: This security ID may not be assigned as the owner of this object. #141

Open
salmanmalik-emb opened this issue Apr 27, 2023 · 7 comments

Comments

@salmanmalik-emb

salmanmalik-emb commented Apr 27, 2023

I am getting the same error reported before
Issue https://github.com/WireGuard/wgctrl-go/issues/108

Found this additional chat for this issue.
https://www.mail-archive.com/[email protected]/msg06053.html

Please let me know if it has been fixed or how to solve this issue.

@lgnyy

lgnyy commented May 16, 2023

Wireguard.exe needs to be run with SYSTEM privileges; please call psexec.exe -s -i "wireguard.exe" tun0
https://learn.microsoft.com/en-us/sysinternals/downloads/psexec

@nikwo

nikwo commented Apr 16, 2024

@salmanmalik-emb if you're using userspace implementation of wireguard (wireguard-go) you could rewrite SecurityDescriptor for uapi server before calling UAPIListen, in my case: D:(A;OICI;GA;;;S-1-5-32-544)(A;OICI;GA;;;S-1-5-18)(A;OICI;GRGW;;;S-1-5-11)

(Allow all for system user and local administrator, allow authenticated user to write/read)

@drwpls

drwpls commented Jul 16, 2024

I wonder how could you figure it.

> @salmanmalik-emb if you're using userspace implementation of wireguard (wireguard-go) you could rewrite SecurityDescriptor for uapi server before calling UAPIListen, in my case: D:(A;OICI;GA;;;S-1-5-32-544)(A;OICI;GA;;;S-1-5-18)(A;OICI;GRGW;;;S-1-5-11)
>
> (Allow all for system user and local administrator, allow authenticated user to write/read)

@nikwo

nikwo commented Jul 16, 2024

> I wonder how could you figure it.
>
> > @salmanmalik-emb if you're using userspace implementation of wireguard (wireguard-go) you could rewrite SecurityDescriptor for uapi server before calling UAPIListen, in my case: D:(A;OICI;GA;;;S-1-5-32-544)(A;OICI;GA;;;S-1-5-18)(A;OICI;GRGW;;;S-1-5-11)
> >
> > (Allow all for system user and local administrator, allow authenticated user to write/read)

Just copy-pasted openvpn3 client implementation of uapi😁

@drwpls

drwpls commented Jul 16, 2024

@lgnyy was right, the security descriptor must run with SYSTEM privileges. For anyone who's in trouble with this, you can run wireguard-go in the foreground with psexec, or use a Windows service to run it in the background.

@nikwo how can you run wgctrl-go to configure the tun created in wireguard-go?
I run wgctrl-go but it can't Dial the Pipe due to Permission denied. Thanks.

> @salmanmalik-emb if you're using userspace implementation of wireguard (wireguard-go) you could rewrite SecurityDescriptor for uapi server before calling UAPIListen, in my case: D:(A;OICI;GA;;;S-1-5-32-544)(A;OICI;GA;;;S-1-5-18)(A;OICI;GRGW;;;S-1-5-11)
>
> (Allow all for system user and local administrator, allow authenticated user to write/read)

@nikwo

nikwo commented Jul 17, 2024

> @nikwo how can you run wgctrl-go to configure the tun created in wireguard-go.
>
> I run wgctrl-go but it can't Dial the Pipe due to Permission denied. Thanks.

You need to run wireguard-go as a privileged user, but you also need to allow the user to use this Winpipe. S-1-5-11 is the group of authenticated users; you allow them to read and write the pipe.
Step-by-step:

  1. Run wireguard-go as the system user (you can run it as a Windows system service; don't forget to check "allow users to interact with service")
  2. Make a Windows security descriptor with this template
  3. listen, err := (&namedpipe.ListenConfig{SecurityDescriptor: secDesc}).Listen(`\\.\pipe\yourappname`)
  4. connect from the user space app via namedpipe.DialContext(ctx, `\\.\pipe\yourappname`)
    namedpipe package: golang.zx2c4.com/wireguard/ipc/namedpipe
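
Added example, not part of nikwo's comment and not code from wireguard-go or wgctrl-go: a standard-library Go sketch that decodes the DACL of the SDDL template quoted in this thread and lists which principals an allow entry lets write to the pipe, the property to review before using the template in step 2. The names ACE, ParseDACL and Writers are this example's own; it assumes the string carries only a D: section and two-letter generic rights codes, as the template does.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ACE is one DACL entry (type and function names here are this example's own).
type ACE struct{ Type, Flags, Rights, SID string }
// Well-known SIDs that appear in the template quoted in this thread.
var sidNames = map[string]string{
	"S-1-5-32-544": `BUILTIN\Administrators`,
	"S-1-5-18":     `NT AUTHORITY\SYSTEM`,
	"S-1-5-11":     `NT AUTHORITY\Authenticated Users`,
}
var aceRe = regexp.MustCompile(`\(([^()]*)\)`)

// ParseDACL returns the ACEs after "D:"; stray whitespace from copy-paste is dropped first.
func ParseDACL(sddl string) ([]ACE, error) {
	_, rest, ok := strings.Cut(strings.Join(strings.Fields(sddl), ""), "D:")
	if !ok {
		return nil, fmt.Errorf("no DACL section in %q", sddl)
	}
	var aces []ACE
	for _, m := range aceRe.FindAllStringSubmatch(rest, -1) {
		f := strings.Split(m[1], ";") // type;flags;rights;objGUID;inheritGUID;SID
		if len(f) < 6 {
			return nil, fmt.Errorf("malformed ACE %q", m[0])
		}
		aces = append(aces, ACE{f[0], f[1], f[2], f[5]})
	}
	return aces, nil
}

// Writers lists principals granted generic all (GA) or generic write (GW) by an allow ACE.
func Writers(aces []ACE) []string {
	var out []string
	for _, a := range aces {
		if a.Type == "A" && (strings.Contains(a.Rights, "GA") || strings.Contains(a.Rights, "GW")) {
			out = append(out, strings.TrimSpace(a.SID+" "+sidNames[a.SID]))
		}
	}
	return out
}

func main() {
	aces, err := ParseDACL("D: (A;OICI;GA;;;S-1-5-32-544) (A;OICI;GA;;;S-1-5-18)(A;OICI; GRGW;;;S-1-5-11)")
	fmt.Println(Writers(aces), err)
}
```

For the thread's template, Writers returns all three SIDs: S-1-5-11 is every authenticated account, so GRGW there lets any logged-on user talk to the UAPI pipe.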

@nengc

nengc commented Nov 8, 2024

> @salmanmalik-emb if you're using userspace implementation of wireguard (wireguard-go) you could rewrite SecurityDescriptor for uapi server before calling UAPIListen, in my case: D:(A;OICI;GA;;;S-1-5-32-544)(A;OICI;GA;;;S-1-5-18)(A;OICI;GRGW;;;S-1-5-11)
>
> (Allow all for system user and local administrator, allow authenticated user to write/read)

I tested, the wireguard-go wg0 can run, but wgctrl-go will get the error Error: Unable to open IPC handle via SYSTEM impersonation: 6
