wolfSSL is excited to announce the release of its new user-space VPN client. This client is written entirely in Rust, leveraging the language’s safety and performance characteristics. The implementation is based on the popular open-source boringtun project. Crucially, this new client incorporates FIPS-validated cryptography through the use of the wolfGuard protocol. This solution ensures a highly secure, reliable, and FIPS-compliant VPN connection. It is an ideal offering for organizations needing robust, next-generation VPN capabilities with stringent security requirements.
Try It Out!
These instructions show how to set up a demo VPN connection between two machines, running wolfGuard-boringtun from user-space on each side. The IP addresses, ports, and device names can all be changed as desired. This example will use a device name of wg50.
Install Dependencies
Ensure that the following dependencies are installed:
gcc git make socat
If you do not already have a Rust development environment set up, first install Rust.
Build and Install wolfssl library
This should be done on each machine.
git clone https://github.com/wolfSSL/wolfssl
cd wolfssl
./autogen.sh
./configure --enable-all
make
make check
sudo make install
cd ..
Build wolfGuard wg-fips configuration utility and generate keys
This should be done on each machine.
git clone https://github.com/wolfSSL/wolfGuard
cd wolfGuard/user-src
make
./wg-fips genkey | tee private-key
./wg-fips pubkey < private-key
cd ../..

The genkey step above generates a private key and, via tee, both prints it and saves it to the file private-key; the pubkey step derives and prints the corresponding public key. The private-key file is created with your shell's default umask, so restrict it to the owner before leaving it on a shared machine, and treat the terminal output as sensitive.
Build wolfGuard-boringtun
If you installed wolfssl to /usr/local/lib (the default) above, then run these to ensure your system can find it:
export LIBRARY_PATH=/usr/local/lib
echo /usr/local/lib | sudo tee /etc/ld.so.conf.d/local.conf
sudo ldconfig
Then, on each endpoint, do:
git clone -b wolfguard https://github.com/wolfSSL/wolfGuard-boringtun
cd wolfGuard-boringtun
# If using a FIPS-enabled wolfssl build:
cargo build --features fips
# Otherwise:
cargo build

This will create a binary at target/debug/boringtun-cli. Note that the wolfssl tree cloned from GitHub above is not a FIPS build; wolfSSL's FIPS-validated module is distributed separately, so --features fips only applies when the library you installed was built from that FIPS source.
Configuration Script
Next we’ll create a configuration script to configure the wg device. Create a shell script (example wg50.sh) with these contents (different for each endpoint). The -x in the shebang traces every command to stderr, including the private_key line, which is handy while debugging but should be dropped once the tunnel works.
Endpoint A (Listening side)
#!/bin/sh -x
DEV=wg50
ip address add dev $DEV 172.17.0.1/24
cat <<EOF | socat - UNIX-CONNECT:/var/run/wireguard/$DEV.sock
set=1
listen_port=51820
private_key=ABCDEF0123456789bXe3k4x8uhiJOrw/IEA6+tm0001
public_key=ABCDEF0123456789R0A+1jntktYLYEJaVSK8QAuQdbR3oYNS/Jv1/zAHQZQpC1oxBigAA33UilFPHAghqcl0002
allowed_ip=172.17.0.2/32
EOF
ip link set up dev $DEV
Endpoint B
#!/bin/sh -x
DEV=wg50
ip address add dev $DEV 172.17.0.2/24
cat <<EOF | socat - UNIX-CONNECT:/var/run/wireguard/$DEV.sock
set=1
private_key=ABCDEF0123456789bXe3k4x8uhiJOrw/IEA6+tm0002
public_key=ABCDEF0123456789R0A+1jntktYLYEJaVSK8QAuQdbR3oYNS/Jv1/zAHQZQpC1oxBigAA33UilFPHAghqcl0001
endpoint=192.168.122.204:51820
allowed_ip=172.17.0.1/32
EOF
ip link set up dev $DEV
Make sure it is executable:
chmod +x wg50.sh
Replace the private_key with the generated private key above.
Replace the public_key with the public key from the other endpoint.
Note that any “=” padding characters at the end of the keys should be omitted.
Replace the IP address in the endpoint= line with the correct IP address of the listening endpoint.
Optionally, change the VPN IP addresses and listen port as desired.
Running boringtun-cli
Finally, we will run boringtun-cli on each endpoint.
From within the wolfGuard-boringtun directory, execute:
sudo target/debug/boringtun-cli -f wg50
This will run boringtun-cli in the foreground and log to the current terminal, which can be useful while getting things up and running. If desired later, remove the -f flag to tell boringtun-cli to fork and run as a daemon.
After boringtun-cli is running, execute “ip a” (from another terminal if needed) and verify that the “wg50” interface is shown.
Then, execute the configuration script to configure the interface and wolfGuard:
sudo ./wg50.sh
Once this is done on each endpoint, from endpoint B, execute a ping to initiate a connection to the listening endpoint A:
ping 172.17.0.1
After this point, endpoint A should also be able to ping the VPN address of endpoint B:
ping 172.17.0.2
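The two hand-edited wg50.sh scripts above differ only in the address, the keys, and whether they carry listen_port or endpoint, and both embed the private key in the script body. The script below is an added example (not code from the wolfGuard or boringtun projects) that folds the key-generation, configuration-script and run steps into one parameterised endpoint script: it reads the private key from the private-key file written by wg-fips genkey, refuses to use a key file that other local users can read, strips any trailing "=" padding as the instructions require, and emits the same set=1 block the page feeds to socat. It assumes Linux with iproute2, GNU coreutils stat and socat, and that boringtun-cli is already running and has created the device. The keys in the offline demonstration at the bottom are constructed placeholders, not real keys.

```sh
#!/bin/sh
# Added example, not part of the wolfGuard project. Assumes Linux with
# iproute2, GNU stat and socat, and a running boringtun-cli for the device.

# strip_pad KEY: drop any trailing '=' base64 padding, which the
# configuration block must not contain.
strip_pad() {
    k=$1
    while [ "${k%=}" != "$k" ]; do
        k=${k%=}
    done
    printf '%s' "$k"
}

# uapi_set PRIVKEY PEERPUB ALLOWED_IP [LISTEN_PORT] [ENDPOINT]
# Print the "set=1" block that is piped into the device socket. Pass
# LISTEN_PORT on the listening side and ENDPOINT (host:port) on the
# initiating side; either may be an empty string.
uapi_set() {
    privkey=$(strip_pad "$1")
    peerpub=$(strip_pad "$2")
    allowed=$3
    port=${4:-}
    endpoint=${5:-}
    printf 'set=1\n'
    if [ -n "$port" ]; then
        printf 'listen_port=%s\n' "$port"
    fi
    printf 'private_key=%s\n' "$privkey"
    printf 'public_key=%s\n' "$peerpub"
    if [ -n "$endpoint" ]; then
        printf 'endpoint=%s\n' "$endpoint"
    fi
    printf 'allowed_ip=%s\n' "$allowed"
}

# key_is_private FILE: succeed only if FILE is mode 600 or 400, so a key
# readable by other local users is never pushed into the tunnel.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    case $mode in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# configure_endpoint DEV ADDR_CIDR KEYFILE PEERPUB ALLOWED_IP [PORT] [ENDPOINT]
# Same three actions as the page's scripts: address the device, push the
# configuration over the socket, bring the link up. Must run as root.
configure_endpoint() {
    dev=$1
    addr=$2
    keyfile=$3
    peerpub=$4
    allowed=$5
    port=${6:-}
    endpoint=${7:-}
    key_is_private "$keyfile" || {
        echo "refusing: $keyfile is readable by other users" >&2
        return 1
    }
    ip address add dev "$dev" "$addr"
    uapi_set "$(cat "$keyfile")" "$peerpub" "$allowed" "$port" "$endpoint" \
        | socat - "UNIX-CONNECT:/var/run/wireguard/$dev.sock"
    ip link set up dev "$dev"
}

# Offline demonstration with constructed placeholder keys: the block endpoint B
# would send (initiating side), then the block endpoint A would send (listener).
uapi_set 'PRIVKEY_B_PLACEHOLDER==' 'PUBKEY_A_PLACEHOLDER=' 172.17.0.1/32 '' 192.168.122.204:51820
echo
uapi_set 'PRIVKEY_A_PLACEHOLDER==' 'PUBKEY_B_PLACEHOLDER=' 172.17.0.2/32 51820
```

To use it, source the file on each side as root after boringtun-cli is up: on endpoint A call configure_endpoint wg50 172.17.0.1/24 ./private-key <B's public key> 172.17.0.2/32 51820, and on endpoint B call configure_endpoint wg50 172.17.0.2/24 ./private-key <A's public key> 172.17.0.1/32 '' 192.168.122.204:51820. Because the key is read from a 0600 file rather than written into the script, the script itself can be kept in version control without leaking the key, and nothing echoes the private_key line to the terminal.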
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at .