wolfIP now includes native wolfGuard support, bringing a FIPS-compliant WireGuard VPN tunnel directly into the stack. wolfGuard replaces the standard WireGuard cipher suite (Curve25519, ChaCha20-Poly1305, BLAKE2s) with FIPS-certified alternatives (P-256 ECDH, AES-256-GCM, SHA-256) using wolfSSL cryptographic primitives, while preserving the Noise IKpsk2 handshake and its security properties, including perfect forward secrecy and automatic key rotation.
Like everything else in wolfIP, wolfGuard operates with zero dynamic memory allocation: peers, allowed-IP tables, staged packet queues, and replay windows are all sized at compile time. The implementation creates a virtual Layer 3 interface (`wg0`) driven entirely from the main `wolfguard_poll()` call, with no background threads. wolfGuard has been validated through unit tests, loopback integration tests, and bidirectional interoperability tests against the wolfGuard Linux kernel module, all runnable under ASan and UBSan.
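A statically allocated replay window of the kind described above, as an added example that is not wolfIP or wolfGuard source code. All names, the 192-counter window and the peer count are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical names and sizes for illustration; not wolfIP identifiers. */
#define RW_WORD_BITS 64u
#define RW_WORDS     4u                               /* power of two */
#define RW_WINDOW    ((RW_WORDS - 1u) * RW_WORD_BITS) /* 192 counters */
#define MAX_PEERS    4u

struct replay_window {
    uint64_t next;             /* highest accepted counter + 1; 0 = none yet */
    uint64_t bitmap[RW_WORDS]; /* ring of "seen" bits */
};
/* One window per peer slot; all storage is fixed at build time. */
struct replay_window peer_windows[MAX_PEERS];

/* Call only after the packet has authenticated.
 * Returns 1 if the counter is fresh (and records it), 0 to drop. */
int replay_accept(struct replay_window *w, uint64_t counter)
{
    uint64_t c, word, cur, steps, i, mask;
    if (counter == UINT64_MAX)
        return 0;                          /* counter + 1 would wrap */
    c = counter + 1u;
    if (w->next > RW_WINDOW && c < w->next - RW_WINDOW)
        return 0;                          /* older than the window */
    word = c / RW_WORD_BITS;
    if (c > w->next) {                     /* window slides forward */
        cur = w->next / RW_WORD_BITS;
        steps = (word - cur > RW_WORDS) ? RW_WORDS : word - cur;
        for (i = 1; i <= steps; i++)       /* clear words being reused */
            w->bitmap[(cur + i) & (RW_WORDS - 1u)] = 0;
        w->next = c;
    }
    mask = (uint64_t)1 << (c % RW_WORD_BITS);
    word &= RW_WORDS - 1u;
    if (w->bitmap[word] & mask)
        return 0;                          /* already seen: replay */
    w->bitmap[word] |= mask;
    return 1;
}

int main(void)
{
    /* Constructed counter sequence: in order, reordered, replayed, stale. */
    uint64_t seq[] = { 0, 5, 3, 3, 1000, 5, 808, 807 };
    for (unsigned k = 0; k < sizeof seq / sizeof seq[0]; k++)
        printf("%llu -> %s\n", (unsigned long long)seq[k],
               replay_accept(&peer_windows[0], seq[k]) ? "accept" : "drop");
    return 0;
}
```

Reordered packets inside the window are accepted once, while duplicates and counters that have fallen behind the window are dropped without any allocation on the receive path.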
Note that because wolfGuard uses FIPS-approved primitives, it is not interoperable with standard WireGuard peers and only communicates with other wolfGuard instances. wolfGuard ships as part of wolfIP v1.0 and uses standard wolfCrypt primitives already available in wolfSSL, requiring no special build configuration.
Want to learn more? Join us for the first official webinar introducing wolfIP, covering architecture, deployment on bare-metal and RTOS targets, and how deterministic networking supports DO-178C and EU Cyber Resilience Act compliance.
Questions or interested in FIPS-compliant VPN for your embedded platform? Reach us at or +1 425 245 8247.