Changing WireGuard Interface Metric

Iruwen
Apr 29, 2022

Sometimes you’ll run into situations where it’s preferable or necessary to change a WireGuard interface’s metric, which defines the priority with which packets will be routed through it. WireGuard is kind of “greedy” by default and sets its interfaces to an extremely low metric, which means high priority, which means traffic will be processed by WireGuard first. This makes total sense in many cases, but sometimes not so much, especially with an increasing number of interfaces and possible routes.

I assume you ended up here because you were specifically looking for this solution. If you don’t know why you should need it, you don’t and can stop reading now :-)

On Windows, changing interface metrics is daily business for network administrators. Unfortunately, this isn’t a straightforward task when using WireGuard, because the corresponding TUN interface is removed when a tunnel is deactivated, thus losing the setting. Here’s one way to do it properly and in a persistent way:

First you’ll have to allow the execution of additional commands when a tunnel is brought up. As documented here, this requires a registry value to be set. The following command does just that (single line command, press Windows key + X to open a prompt with admin permissions):

reg add HKLM\Software\WireGuard /v DangerousScriptExecution /t REG_DWORD /d 1 /f

It creates a DWORD value named DangerousScriptExecution, set to 1, under the key HKEY_LOCAL_MACHINE\SOFTWARE\WireGuard.

Please note that allowing this is, as mentioned in the documentation, a security risk, simply because WireGuard runs with very elevated permissions. It’s not dangerous per se, but if you for example decide to run a script which anyone can edit, someone (say: malware) could put all kinds of dangerous commands into it. So please don’t just copy & paste stuff without understanding it. Actually, that’s the official reason this additional registry step exists as I gathered from the mailing list — the assumption that Windows users are a bit dumb and will do just that, copy and paste random stuff. Which is probably true, to be honest.

Anyway, open the WireGuard GUI and edit your tunnel (or create a new one) now. The command we need goes in the [Interface] section:

[Interface]
PrivateKey = ...
Address = ...
PostUp = powershell.exe -command "Set-NetIPInterface -InterfaceAlias '%WIREGUARD_TUNNEL_NAME%' -InterfaceMetric 5000"

It’s simply invoking Windows PowerShell to run the Set-NetIPInterface command with the right interface name and desired metric. Obviously, WireGuard knows what your tunnel and thus interface is called, so it can provide the name through the WIREGUARD_TUNNEL_NAME environment variable.

If you activate the tunnel now and check the output of the command route print in a prompt, you should see that the metrics for different routes have changed accordingly.
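
The warning above about scripts that anyone can edit can be checked rather than assumed. The following PowerShell is an added example, not part of the original post or the WireGuard project: it reports whether DangerousScriptExecution is enabled, lists any account other than SYSTEM, Administrators or TrustedInstaller that can modify a script called from PostUp (or replace it via its folder), and reads back the tunnel's metric. The script path and tunnel name are hypothetical placeholders.

```powershell
# Added example, not from the original post. Both default values are hypothetical.
param(
    [string]$ScriptPath = 'C:\Program Files\WireGuard\Scripts\set-metric.ps1',
    [string]$TunnelName = 'wg0'
)

# 1. Is hook execution (PreUp/PostUp/PreDown/PostDown) enabled on this machine?
$reg = Get-ItemProperty -Path 'HKLM:\Software\WireGuard' -Name DangerousScriptExecution -ErrorAction SilentlyContinue
$enabled = ($null -ne $reg) -and ($reg.DangerousScriptExecution -eq 1)
"DangerousScriptExecution enabled: $enabled"

# 2. Who besides these principals can change the script, or swap it via its folder?
$trustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Write-type bits only; Modify and FullControl are caught because they contain them.
# Generic rights on inherit-only ACEs are not evaluated here.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs directly so the check does not depend on localized account names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{ Path = $Path; Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

if (Test-Path -LiteralPath $ScriptPath) {
    $targets  = $ScriptPath, (Split-Path -Parent $ScriptPath)
    $findings = @($targets | ForEach-Object { Get-UntrustedWriter -Path $_ })
    if ($findings.Count -eq 0) { 'No untrusted principal can modify the script or its folder.' }
    else { $findings | Format-Table -AutoSize }
} else {
    "Script not found: $ScriptPath (nothing to check for an inline PostUp command)."
}

# 3. After activating the tunnel, confirm the metric set by PostUp took effect.
Get-NetIPInterface -InterfaceAlias $TunnelName -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, AddressFamily, InterfaceMetric
```

An empty result in step 2 is what you want; anything listed there can change what runs with WireGuard's permissions.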

You’re welcome.
