Tech News

WolfGuard: WireGuard with FIPS 140-3 cryptography

Why This Matters

WolfGuard introduces a FIPS 140-3 compliant version of WireGuard, enhancing security standards for VPN encryption. Its compatibility as a drop-in replacement allows organizations and consumers to upgrade their VPN security without changing existing configurations, making it a significant step toward more secure and compliant VPN solutions in the tech industry.

Key Takeaways

WolfGuard VPN with FIPS 140-3 cryptography

WolfGuard is the wolfSSL FIPS-compliant refactor of Linux kernel-based WireGuard, originally designed and authored by Jason Donenfeld. Usage is essentially identical. There are two principal components to WolfGuard, the wolfguard.ko kernel module and the wg-fips configuration tool. wolfguard.ko depends on the libwolfssl.ko kernel module, and wg-fips depends on the libwolfssl.so library — these dependencies are built from the same wolfSSL source, with kernel module and user library configuration respectively. The wg-fips-quick script works exactly like wg-quick in WireGuard, but with configuration scripts in /etc/wolfguard containing SECP256R1 public and private keys.

Symbolic links are installed in the installation bin directory from wg to wg-fips, and from wg-quick to wg-fips-quick, for transparent drop-in replacement of WireGuard. If WireGuard executables are found during installation, they are renamed to wg-wireguard and wg-wireguard-quick, with wg-wireguard-quick modified to call wg-wireguard, and with a safety copy left at wg-wireguard-quick.unpatched.
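As an added check, not part of the WolfGuard project or of the original article, the following POSIX shell script audits an install bin directory for the symlink layout described above, so that a generic "wg" that silently still resolves to the non-FIPS WireGuard tool does not go unnoticed. The default directory /usr/bin and the state names are assumptions.

```shell
#!/bin/sh
# Added example, not WolfGuard project code. Expected layout (from the text):
# wg -> wg-fips, wg-quick -> wg-fips-quick, renamed originals wg-wireguard and
# wg-wireguard-quick, safety copy wg-wireguard-quick.unpatched.

# Print "fips", "wireguard", "missing" or "unknown" for one command name.
resolve_tool() {
  bin="$1"; name="$2"
  path="$bin/$name"
  [ -e "$path" ] || { echo missing; return; }
  if [ -L "$path" ]; then
    target=$(readlink "$path")
    target=${target##*/}          # keep only the final path component
  else
    target="$name"                # a real file named wg/wg-quick is stock WireGuard
  fi
  case "$target" in
    wg-fips|wg-fips-quick) echo fips ;;
    wg-wireguard|wg-wireguard-quick|wg|wg-quick) echo wireguard ;;
    *) echo unknown ;;
  esac
}

# Audit one bin directory (assumption: /usr/bin if none given). Succeeds only
# if both generic names resolve to the FIPS tools; also notes the safety copy.
audit_bin_dir() {
  bin="${1:-/usr/bin}"
  wg_state=$(resolve_tool "$bin" wg)
  quick_state=$(resolve_tool "$bin" wg-quick)
  echo "wg       -> $wg_state"
  echo "wg-quick -> $quick_state"
  if [ -e "$bin/wg-wireguard-quick.unpatched" ]; then
    echo "wg-wireguard-quick.unpatched present (unmodified original retained)"
  fi
  [ "$wg_state" = fips ] && [ "$quick_state" = fips ]
}

# Demonstration on a constructed layout in a temp dir, not a real installation.
demo_dir=$(mktemp -d)
: > "$demo_dir/wg-fips"; : > "$demo_dir/wg-fips-quick"
: > "$demo_dir/wg-wireguard"; : > "$demo_dir/wg-wireguard-quick"
: > "$demo_dir/wg-wireguard-quick.unpatched"
ln -s "$demo_dir/wg-fips" "$demo_dir/wg"
ln -s "$demo_dir/wg-fips-quick" "$demo_dir/wg-quick"
audit_bin_dir "$demo_dir" && echo "OK: generic names resolve to the FIPS tools"
rm -r "$demo_dir"
```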

WolfGuard remaps cryptography from WireGuard as follows:

Algo category          WireGuard            WolfGuard
ECDH                   Curve25519           SECP256R1
AEAD                   XChaCha20-Poly1305   AES-256-GCM
digest                 Blake2s              SHA2-256
authenticating digest  Blake2s-HMAC         SHA2-256-HMAC
internal hash          SipHash              SHA2-256
DRBG                   ChaCha20 DRBG        SHA2-256 Hash-DRBG

Note that WolfGuard and WireGuard can coexist on the same system, simultaneously establishing WolfGuard and WireGuard tunnels.

If libwolfssl.ko is configured with --enable-intelasm, performance of WolfGuard matches or exceeds that of CPU-accelerated WireGuard, thanks to CPU acceleration of the AES-256-GCM and SHA2-256 operations. Without --enable-intelasm, WolfGuard is slightly slower than CPU-accelerated WireGuard, but is still capable of saturating gigabit ethernet on modern CPUs.

Building and Installation

Below are two sets of instructions, the first for building from non-FIPS sources, and the second for building from FIPS-certified sources. In both cases, the WolfGuard user tool and script are named wg-fips and wg-fips-quick, reflecting their use of FIPS-approved algorithms regardless of FIPS certification status. FIPS-certified and non-certified builds of WolfGuard are fully interoperable with each other, but cannot interoperate with WireGuard.

The --enable-intelasm option should only be used with x86 CPU targets, and for FIPS, only on FIPS sources that support it. Contact us at [email protected] for more info.
