Be able to deploy NetBird under System Account as Always-On-VPN #1661

Open
PowershellScripter opened this issue Mar 3, 2024 · 3 comments

@PowershellScripter

Is your feature request related to a problem? Please describe.
No.

Describe the solution you'd like
Being able to utilize NetBird as an Always On VPN that can be installed and run under the MACHINE context.
This means being able to install the NetBird client as the 'SYSTEM' account under Windows and have it run the service as that account.

Describe alternatives you've considered
We have tried to use Tailscale under the same context, running the VPN unattended as SYSTEM, and Tailscale doesn't have this ability as it never creates the server mode key under the system context. A lot of crafty manipulation of task schedules and scripts had to be done to get it working somewhat as needed.
It'd be nice to have NetBird (a VPN solution that runs under true kernel-level WireGuard) be able to run as the system account.

Additional context
This is insanely beneficial for massive-scale deployments where companies want to push the VPN out to all their systems and have the ability to set up the VPN without user interaction / user profile dependency.
It also makes it useful to be able to build custom Windows images that get deployed in different states / countries, and to build the images to be able to connect to the VPN as the system account to join the company's domain as well as reconnect at boot to be able to pull domain configs etc.


nsdhanoa commented Mar 5, 2024

+1


kjentech commented Apr 16, 2024

This would be hugely beneficial to everyone who's still very on-prem heavy but wants a more modern enterprise VPN. The case for Always-On VPN is often regulated industries or government, or just enterprises with a large network-IDS infrastructure in place.

As an example, the Danish government has a compliance framework for all government institutions that, among other things, requires:

  • VPN on all client endpoints, no matter the OS
  • Deployed in Always-On Mode
  • In a force-tunnel configuration
  • With all connections denied if not connected to the VPN
  • With a loophole that allows traffic to HTTP (tcp/80) and HTTPS (tcp/443) for a limited time at the request of the logged-in user to log in to any guest Wi-Fi captive portals.

That specific requirement was written with Cisco in mind, as it's the most widely used VPN provider in the Danish government. But it would be super sweet if we could break free from Cisco, as we already have experience with plain WireGuard between servers. Running WireGuard as a service as SYSTEM is a good first step.

@PowershellScripter
Author

Is there any update on if this is possible to do yet or if it will be implemented or not?
