WolfGuard: WireGuard with FIPS 140-3 cryptography

WolfGuard is the wolfSSL FIPS-compliant refactor of Linux kernel-based WireGuard, originally designed and authored by Jason Donenfeld. Usage is essentially identical. There are two principal components to WolfGuard, the wolfguard.ko kernel module and the wg-fips configuration tool. wolfguard.ko depends on the libwolfssl.ko kernel module, and wg-fips depends on the libwolfssl.so library — these dependencies are built from the same wolfSSL source, with kernel module and user library configuration respectively. The wg-fips-quick script works exactly like wg-quick in WireGuard, but with configuration scripts in /etc/wolfguard containing SECP256R1 public and private keys.

Symbolic links are installed in the installation bin directory from wg to wg-fips, and from wg-quick to wg-fips-quick, for transparent drop-in replacement of WireGuard. If WireGuard executables are found during installation, they are renamed to wg-wireguard and wg-wireguard-quick, with wg-wireguard-quick modified to call wg-wireguard, and with a safety copy left at wg-wireguard-quick.unpatched.

WolfGuard remaps cryptography from WireGuard as follows:

| Algo category | WireGuard | WolfGuard | |---|---|---| | ECDH | Curve25519 | SECP256R1 | | AEAD | XChaCha20-Poly1305 | AES-256-GCM | | digest | Blake2s | SHA2-256 | | authenticating digest | Blake2s-HMAC | SHA2-256-HMAC | | internal hash | SipHash | SHA2-256 | | DRBG | ChaCha20 DRBG | SHA2-256 Hash-DRBG |

Note that WolfGuard and WireGuard can coexist on the same system, simultaneously establishing WolfGuard and WireGuard tunnels.

If libwolfssl.ko is configured with --enable-intelasm, performance of WolfGuard matches or exceeds that of CPU-accelerated WireGuard, thanks to CPU acceleration of the AES-256-GCM and SHA2-256 operations. Without --enable-intelasm, WolfGuard is slightly slower than CPU-accelerated WireGuard, but is still capable of saturating gigabit ethernet on modern CPUs.

FIPS-certified and non-certified builds of WolfGuard are fully interoperable with each other, but cannot interoperate with WireGuard due to the different cryptographic algorithms used.