Hacker News

I don't disagree, but since buying the UDM-Pro years ago, I feel like the software has gotten great. And recently, they've baked in Wireguard replacing L2TP.

Personally, I'd like to see more prosumer devices that support 2.5GbE/10GbE.



People always raise Wireguard as the end-all of VPN and yet it's 2023 and there's virtually no way to deploy it in a business context.

InTune doesn't even list it as a supported VPN, and everything I see to deploy it suggests some kind of hack to bypass UAC for one specific app because the end-user software requires Admin permissions to startup and hook.

When we use L2TP with UDM Pro we get ~0.1Mbps across the wire from macOS and ~20Mbps across the wire with Windows, and yet the same VPN server running on a Mikrotik will easily achieve ~300Mbps. L2TP is so easy to deploy... it's built into Windows and macOS. I wish they would just stop telling everyone to switch to WG and fix the performance issue that is clearly Unifi-specific.

NB we are a business and our average spend for Unifi is $50K per year so we have a right to complain.


Isn't it normal that changing the destination of all of a system's network traffic would require admin permissions? Why does that make you think it's a hack?


It's completely reasonable that it requires admin permissions, but what I'm saying is that the other protocols (i.e. L2TP) that are built into macOS/Windows and mobile devices are integrated in such a way that they do not.

Most businesses never give their users admin permissions because it's a security can-of-worms, so for Unifi to push Wireguard for business doesn't make much sense. Happy for someone to point me at a turnkey Wireguard solution that just-works with InTune.


They seem to have something if you want to give them a call ;-)

> Fixed the issue where WireGuard VPN could not be used through Intune-deployed MSI installation.

Source: https://wiki.ui.com/docs/identity-enterprise-endpoints-0671


> Happy for someone to point me at a turnkey Wireguard solution that just-works with InTune.

Tailscale?


Many enterprises install Cisco AnyConnect or Zscaler.


Most VPN software has a Windows service that starts automatically when the user initiates the connection, thus not requiring local admin.

Needing local admin would make WG a non-starter for many organizations.
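The service-based pattern described above is also how WireGuard for Windows can be deployed without handing users local admin: the tunnel runs as a Windows service installed once by an elevated process, and an HKLM registry flag lets members of the built-in Network Configuration Operators group start and stop it from the tray UI. The script below is an added example, not code from the thread, from Ubiquiti, or from the WireGuard project; it is meant to run once as SYSTEM (the context Intune uses for PowerShell scripts). The MSI path, the config directory, the key and endpoint placeholders, and the `CORP\VPN-Users` group are assumptions.

```powershell
# Added example: deploy a WireGuard tunnel as a Windows service so the end user
# never needs local admin. Run once as SYSTEM (e.g. an Intune PowerShell script).
# All paths, the MSI file name, key/endpoint values and the group name are
# assumptions/placeholders and must be replaced for a real rollout.
$ErrorActionPreference = 'Stop'

$msi        = 'C:\Temp\wireguard-amd64-0.5.3.msi'     # assumed: staged by the deployment tool
$wgExe      = 'C:\Program Files\WireGuard\wireguard.exe'
$confDir    = 'C:\ProgramData\WireGuard'               # assumed location for the tunnel config
$tunnelName = 'corp'                                   # service becomes WireGuardTunnel$corp
$confFile   = Join-Path $confDir "$tunnelName.conf"
$operators  = 'CORP\VPN-Users'                         # assumed domain group allowed to toggle the tunnel

# Placeholder values; a real deployment injects a per-device key pair.
$clientPrivateKey = '<client-private-key>'
$serverPublicKey  = '<udm-pro-public-key>'
$serverEndpoint   = 'vpn.example.com:51820'

# 1. Silent install of the WireGuard MSI (no UI for the user).
Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$msi`" /qn" -Wait

# 2. Write the tunnel config where only SYSTEM and Administrators can read it.
#    The service re-reads this file on every start, so it must stay in place.
New-Item -ItemType Directory -Path $confDir -Force | Out-Null
@"
[Interface]
PrivateKey = $clientPrivateKey
Address = 10.8.0.2/32
DNS = 10.0.0.53

[Peer]
PublicKey = $serverPublicKey
AllowedIPs = 10.0.0.0/8
Endpoint = $serverEndpoint
PersistentKeepalive = 25
"@ | Set-Content -Path $confFile -Encoding ASCII

# Strip inherited ACLs so ordinary users cannot read the private key.
& icacls.exe $confFile /inheritance:r /grant:r 'SYSTEM:F' 'Administrators:F' | Out-Null

# 3. Register the tunnel as a service (this is the only elevated step the
#    user would otherwise have to perform themselves).
& $wgExe /installtunnelservice $confFile

# 4. Let non-admins in the operators group start/stop the tunnel from the tray UI
#    without being able to edit it or add tunnels.
$regPath = 'HKLM:\SOFTWARE\WireGuard'
New-Item -Path $regPath -Force | Out-Null
Set-ItemProperty -Path $regPath -Name 'LimitedOperatorUI' -Type DWord -Value 1
Add-LocalGroupMember -Group 'Network Configuration Operators' -Member $operators

# 5. Verify the service exists and report its state for the deployment log.
$svc = Get-Service -Name "WireGuardTunnel`$$tunnelName"
Write-Output "Tunnel service '$($svc.Name)' installed, status: $($svc.Status)"
```

Two things to check before relying on this: the config file holds the private key in clear text, so confirm the ACL actually took (`icacls` on the file should list only SYSTEM and Administrators), and leave `DangerousScriptExecution` unset so a user who can toggle the tunnel cannot get PreUp/PostUp hooks executed as SYSTEM. The service is created with automatic start, so the tunnel comes up at boot unless you change its start type.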


> InTune doesn't even list it as a supported VPN, and everything I see to deploy it suggests some kind of hack to bypass UAC for one specific app because the end-user software requires Admin permissions to startup and hook.

L2TP performance issues aside, I don't see how it's UniFi's fault that Microsoft's ecosystem is poor. I don't have many positive things to say about InTune.


Wireguard feels like the HDR of VPNs, adoption is slower than you'd think it would be.


> virtually no way to deploy it in a business context.

...there is Tailscale


It is not compatible with UDM Pro wireguard server directly, so it’s basically a standalone solution.

Now that you mention it, the small PowerEdge is not that expensive and might be the best way to deploy, as Intel Xeon has AES-NI.


2.5GB of this will be introduced next.



