HN Today

WolfGuard: WireGuard with FIPS 140-3 cryptography

WolfGuard introduces a FIPS 140-3 compliant refactor of the popular WireGuard VPN, meticulously replacing its core cryptographic primitives with government-approved algorithms like SECP256R1 and AES-256-GCM. This technical deep dive provides a pathway for organizations needing certified security without sacrificing WireGuard's efficiency or ease of use. The project stands out on HN for its focus on enterprise-grade security and standards compliance in modern networking infrastructure.

Score: 4 · Comments: 0 · Highest rank: #6 · 5h on front page · First seen: Mar 24, 4:00 PM · Last seen: Mar 24, 8:00 PM

The Lowdown

WolfGuard is presented as wolfSSL's FIPS 140-3 compliant refactoring of the WireGuard VPN, aiming to provide a secure tunneling solution that meets stringent federal information processing standards. It fundamentally alters the cryptographic backbone of WireGuard while striving to maintain an identical user experience and comparable performance.

  • FIPS 140-3 Compliance: The primary objective of WolfGuard is to achieve FIPS 140-3 certification by replacing WireGuard's default cryptographic algorithms with approved alternatives.
  • Cryptographic Overhaul: Each core primitive is swapped for an approved counterpart: Curve25519 (ECDH) is replaced by SECP256R1, XChaCha20-Poly1305 (AEAD) by AES-256-GCM, and Blake2s (hashing) by SHA2-256.
  • Seamless Integration: WolfGuard is designed as a drop-in replacement, featuring a wolfguard.ko kernel module and a wg-fips configuration tool. It installs symbolic links to mimic WireGuard's command-line tools, even renaming existing WireGuard executables.
  • Coexistence and Performance: The system allows for simultaneous operation of both WolfGuard and original WireGuard tunnels. Performance, particularly with Intel assembly optimizations (--enable-intelasm), is noted to match or exceed CPU-accelerated WireGuard, capable of saturating gigabit Ethernet on modern CPUs.
  • Detailed Build Instructions: The project provides comprehensive guides for building from both non-FIPS and FIPS-certified wolfSSL sources, outlining the necessary git commands, configuration options, and kernel module installation steps, including specific handling for FIPS integrity hashes.
  • Compatibility: WolfGuard builds are interoperable with each other but not with standard WireGuard. Public key compression is supported in later FIPS versions to ensure compatibility with client applications expecting specific key lengths.
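
The key-length compatibility point above, as an added example that is not part of the original post or of WolfGuard's own code: SEC1 point compression for SECP256R1 public keys, with the base64 field length a WireGuard-style config would carry for a 32-byte Curve25519 key versus a compressed (33-byte) and an uncompressed (65-byte) P-256 key. The curve constants are the public NIST P-256 parameters; that this is the exact mechanism WolfGuard uses is an assumption.

```python
import base64

# NIST P-256 (SECP256R1) domain parameters: public constants from FIPS 186 / SEC 2.
P  = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A  = P - 3
B  = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def compress_point(x: int, y: int) -> bytes:
    """SEC1 compressed form: one prefix byte (0x02 even y, 0x03 odd y) + 32-byte x."""
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def uncompressed_point(x: int, y: int) -> bytes:
    """SEC1 uncompressed form: 0x04 + 32-byte x + 32-byte y (65 bytes)."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def decompress_point(enc: bytes) -> tuple:
    """Recover (x, y) from a 33-byte compressed point; rejects malformed or off-curve input."""
    if len(enc) != 33 or enc[0] not in (2, 3):
        raise ValueError("not a compressed P-256 point")
    x = int.from_bytes(enc[1:], "big")
    if x >= P:
        raise ValueError("x is not a field element")
    rhs = (pow(x, 3, P) + A * x + B) % P           # y^2 = x^3 + ax + b
    y = pow(rhs, (P + 1) // 4, P)                  # p = 3 (mod 4): a sqrt if one exists
    if (y * y) % P != rhs:
        raise ValueError("x is not on the curve")  # reject rather than guess a y
    if (y & 1) != (enc[0] & 1):
        y = P - y                                  # pick the root matching the prefix parity
    return x, y


def key_field_lengths() -> dict:
    """Base64 length of each key encoding as it would appear in a WireGuard-style config."""
    sample_c25519 = bytes(32)   # constructed placeholder: any 32-byte Curve25519 key
    return {
        "curve25519": len(base64.b64encode(sample_c25519)),
        "p256_compressed": len(base64.b64encode(compress_point(GX, GY))),
        "p256_uncompressed": len(base64.b64encode(uncompressed_point(GX, GY))),
    }


if __name__ == "__main__":
    print(key_field_lengths())   # {'curve25519': 44, 'p256_compressed': 44, 'p256_uncompressed': 88}
```

A compressed P-256 key base64-encodes to the same 44 characters as a Curve25519 key, so a client that validates the key field by length accepts it, while the uncompressed form needs 88.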

In essence, WolfGuard offers a specialized, standards-compliant VPN solution for environments demanding FIPS 140-3 certified cryptography. By leveraging the familiar architecture of WireGuard and integrating wolfSSL's certified components, it delivers a robust and high-performance secure networking option.