Add Windows support for defguard client #8

Closed
teon opened this issue Sep 25, 2023 · 4 comments · Fixed by #44

@teon
Contributor

teon commented Sep 25, 2023

No description provided.

@kchudy kchudy changed the title Add Windows support Add Windows support for defguard client Nov 13, 2023
@kchudy

kchudy commented Nov 13, 2023

@wojcik91 Please describe status of your initial analysis in that matter.

@wojcik91
Contributor

@kchudy some key aspects of what I found out:

  • WireGuard provides official DLLs for embedding WireGuard within Windows apps: https://www.wireguard.com/embedding/
  • on the Go side of things there are already wrappers for wintun.dll etc. that largely simplify things; those are used, for example, by Netbird
  • I tried to play around with loading DLLs manually, but was not successful yet
  • I did not test those yet, but there are some crates which claim to provide wintun wrappers: https://crates.io/crates/wintun (important to note that this driver is lower level and not WireGuard specific)
  • there are official Microsoft-provided bindings for interacting with Windows APIs: https://github.com/microsoft/windows-rs
  • since we already have a precedent in macOS with wireguard-go, we could potentially get away with just using the official client wg.exe which provides a basic CLI for creating tunnels; this could later be swapped for a more robust embedded solution
  • following previous UNIX implementations we should probably communicate with running interfaces using native IPCs like wg-quick: https://git.zx2c4.com/wireguard-tools/tree/src/ipc-windows.h

@dzania dzania removed their assignment Dec 1, 2023
@kchudy kchudy self-assigned this Dec 6, 2023
@kchudy

kchudy commented Dec 19, 2023

Conclusions so far:

  • Implementation should focus mainly on: implementing wireguard-rs for Windows, preparing an MSI package that installs defguard-client and runs defguard-service as a superuser service.
  • boringtun was dropped as it only provides a C library for Windows. There's no binary ready to use for Windows.
  • Both embeddable-dll-service and the WireGuardNT project assume that a process with the loaded DLL is a tunnel. The process needs to be kept alive in order to have the tunnel running. The tunnel can then be managed using the functions provided in the DLL. This approach would require creating a Windows service capable of spawning the tunnel processes, storing tunnel handles and providing an API for managing the tunnels. The implementation should not be part of wireguard-rs as the library is stateless by design and relies on external components that do the actual tunnel management (kernel or userspace).
  • The latest approach assumes using the official WireGuard client for Windows. The plan is to install the WireGuard client after installing the defguard client using the official MSI and a silent install mode (msiexec \quiet https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec#syntax-1). The Windows defguard-service could then create a tunnel using the wireguard.exe command https://git.zx2c4.com/wireguard-windows/about/docs/enterprise.md#tunnel-service. The tunnel service can then be managed using system calls (like sc) or by sockets (same as with the macOS implementation; this needs to be checked if the tunnel service can be managed using sockets).
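
A sketch of the last point above, added here as an example (not code from defguard or from the original comment): how a privileged service could build the wireguard.exe and sc commands for a tunnel service without letting a tunnel name inject extra arguments or path components. The install path, the config directory and the name allowlist are assumptions of this example; the `/installtunnelservice` and `/uninstalltunnelservice` switches and the `WireGuardTunnel$` service-name prefix are the ones documented in the linked enterprise.md.

```rust
use std::path::Path;
use std::process::Command;

// Assumed install location of the official client; adjust to the real one.
const WIREGUARD_EXE: &str = r"C:\Program Files\WireGuard\wireguard.exe";

/// Allowlist chosen for this example (an assumption, deliberately strict): the
/// name lands in a file path, a service name and a privileged command line.
pub fn valid_tunnel_name(name: &str) -> bool {
    (1..=32).contains(&name.len())
        && name.chars().all(|c| c.is_ascii_alphanumeric() || c == '_' || c == '-')
}

/// enterprise.md: the tunnel service is named `WireGuardTunnel$<name>`.
pub fn service_name(tunnel: &str) -> Option<String> {
    valid_tunnel_name(tunnel).then(|| format!("WireGuardTunnel${}", tunnel))
}

/// argv for `wireguard.exe /installtunnelservice <dir>\<name>.conf`.
pub fn install_argv(conf_dir: &Path, tunnel: &str) -> Option<Vec<String>> {
    if !valid_tunnel_name(tunnel) { return None; }
    let conf = conf_dir.join(format!("{}.conf", tunnel));
    Some(vec![WIREGUARD_EXE.into(), "/installtunnelservice".into(),
              conf.to_string_lossy().into_owned()])
}

/// argv for `wireguard.exe /uninstalltunnelservice <name>`.
pub fn uninstall_argv(tunnel: &str) -> Option<Vec<String>> {
    valid_tunnel_name(tunnel).then(|| vec![WIREGUARD_EXE.into(),
        "/uninstalltunnelservice".into(), tunnel.into()])
}

/// argv for `sc query <service>`, used to check the tunnel service state.
pub fn query_argv(tunnel: &str) -> Option<Vec<String>> {
    service_name(tunnel).map(|svc| vec!["sc.exe".into(), "query".into(), svc])
}

/// Runs an argv directly (no shell), so arguments are not re-parsed by cmd.exe.
pub fn run(argv: &[String]) -> std::io::Result<bool> {
    Ok(Command::new(&argv[0]).args(&argv[1..]).status()?.success())
}

fn main() {
    let dir = Path::new(r"C:\ProgramData\defguard"); // hypothetical config directory
    for argv in [install_argv(dir, "office"), query_argv("office"), uninstall_argv("office")] {
        println!("{:?}", argv); // dry run: print the plan instead of calling run()
    }
}
```

The config file passed to `/installtunnelservice` holds the interface private key, so the directory it lives in should be writable and readable only by SYSTEM and administrators.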

@kchudy

kchudy commented Dec 19, 2023

About silent install https://r-pufky.github.io/docs/services/wireguard/windows-setup.html#slient-install

After silent wireguard install wireguard GUI is displayed anyway. Here's how to disable this https://www.ericlight.com/getting-wireguard-on-windows-quietly.html

@teon teon assigned blazej-teonite and unassigned kchudy Dec 21, 2023
@blazej-teonite blazej-teonite linked a pull request Jan 4, 2024 that will close this issue