March 24, 2026
Wolf in FIPS clothing
WolfGuard: WireGuard with FIPS 140-3 cryptography
WolfGuard brings gov-grade crypto to WireGuard, devs howl
TLDR: wolfSSL launched WolfGuard, a WireGuard refit using government‑approved cryptography that can match performance on modern CPUs but can’t interoperate with classic WireGuard. The crowd is split: compliance folks cheer, while many devs call it security theater, or even a downgrade, and wonder if Go’s FIPS mode already suffices.
WireGuard just showed up in a suit and tie. wolfSSL launched WolfGuard, a refit that swaps WireGuard’s trendy math for FIPS 140-3—the U.S. government’s approved crypto list—promising drop‑in replacement, symbolic links, and speed that can match CPU‑boosted WireGuard. It can live alongside classic WireGuard, but they can’t talk to each other, and the installer even renames your old commands for a “transparent” swap. Cue the popcorn.
The top comment sets the tone: if you don’t already have a contract that literally says you need FIPS, you don’t want it. Another voice gushes that WireGuard’s magic came from one focused developer, not compliance committees—so adapting it for bureaucracy feels wrong. One blunt take: “So… a step backward in security?” Fans of government checkboxes clutched pearls; devs rolled eyes at “security theater.”
Meanwhile, the pragmatists asked the million‑dollar question: can’t you just use Go’s new FIPS mode with wireguard‑go instead? And one curious bystander begged for real advantages beyond pleasing auditors. Translation: the room is split between “enterprise needs this” and “don’t mess with a good thing.” Want the receipts? Here’s the repo. Want the vibe? Imagine a wolf in a compliance costume and Reddit shouting “who asked for this?”
Key Points
- WolfGuard is a wolfSSL FIPS 140-3 cryptography refactor of Linux kernel-based WireGuard, maintaining similar usage and tooling.
- It consists of a kernel module (wolfguard.ko) and a user tool (wg-fips), relying on libwolfssl.ko and libwolfssl.so from the same wolfSSL source.
- Cryptography is remapped to FIPS-approved algorithms (e.g., SECP256R1, AES-256-GCM, SHA2-256, SHA2-256-HMAC, SHA2-256 Hash-DRBG).
- Installation provides drop-in replacements for wg and wg-quick; WolfGuard can coexist with WireGuard but is not interoperable with it.
- Performance can match or exceed CPU-accelerated WireGuard with --enable-intelasm on x86; builds are available from non-FIPS and FIPS-certified sources with specific flags.