Earlier last year, we shared the integration of our FIPS-validated crypto engine, wolfCrypt, into WireGuard to create a project we call wolfGuard. We’re now extending this effort to Tailscale, the popular mesh VPN built on top of WireGuard.
Tailscale simplifies WireGuard deployment by providing a coordination server that automates key exchange, NAT traversal, and centralized policy enforcement. This eliminates the need to manually configure tunnels between every pair of machines. For organizations that require this simplicity alongside FIPS 140-3 compliance, our latest port makes this possible.
Building on wolfGuard, we replaced Tailscale’s standard cryptographic operations with wolfCrypt FIPS-certified algorithms. These substitutions span each layer of the Tailscale stack, including the Data Plane, Control Plane, DERP Relay, and Tailnet Lock.
The FIPS build is designed to work with Headscale, the open-source Tailscale control server, which we have also patched for compatibility. The result is seamless end-to-end functionality: nodes register with the FIPS Headscale server, discover one another, and establish direct wolfGuard tunnels, all backed by wolfCrypt FIPS.
wolfGuard has already been deployed in various environments to achieve FIPS compliance; Tailscale is the next logical step in securing the modern edge.
Are you interested in Tailscale with wolfCrypt FIPS 140-3?
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

