Important News:SafeLogic Announces General Availability of CryptoComply BoringCrypto! Read the announcement.

Request Consultation
Request Consultation

CryptoComply Cryptography Software

Key Capabilities

Entropy

Extended Support

FIPS 140

Cryptography Compliance

Post-Quantum Cryptography

Industries

Use Cases




FIPS 140-3 Wireguard-go Implementation with CryptoComply Go


Deploy WireGuard-style VPN connectivity in regulated environments using a validated cryptographic software foundation and a repeatable build-and-evidence workflow.

Request Technical Walkthrough

 

 

Developer Summary:

What it is: Wireguard-go (userspace) patched to use approved algorithms and built on a FIPS 140-3 validated cryptographic software foundation (CryptoComply Go).

What changes? Replace non-approved algorithms (ChaCha20-Poly1305, Curve25519, BLAKE2s) with approved equivalents (AES-GCM, P-256, SHA-256 family) and rebuild against CryptoComply Go.

How to verify: Confirm the FIPS build version (wireguard-go --version) and run the included tests; optionally,  verify that cryptographic operations route through the FIPS provider in the test harness logs, so teams have a practical path to deployment with a clearer compliance story.

What you get: Build artifacts, patch/integration guidance, and evidence materials (validation artifacts + build provenance + configuration guidance).

Key constraint: Not interoperable with standard WireGuard peers —FIPS-enabled endpoints must pair with FIPS-enabled endpoints.

wireguard-fips-use-case

Talk to an Expert

Quickstart: Build Wireguard-go FIPS with CryptoComply Go

This workflow patches wireguard-go to replace non-approved algorithms and builds it on a validated cryptographic software foundation (CryptoComply Go).

Compatibility Notes

  • Not interoperable with standard WireGuard. The cryptographic suite and Noise construction string are updated; FIPS-enabled peers must connect to other FIPS-enabled peers.
  • Userspace implementation. This use case is based on wireguard-go (userspace), not the kernel module; that changes how you deploy and test.
  • Algorithm replacements. Non-approved algorithms are replaced with approved alternatives (e.g., AES-GCM, P-256, SHA-256 Family building blocks), and the build is aligned with CryptoComply Go.
  • Plan migration intentionally. Most teams do a parallel rollout: deploy FIPS peers and migrate tunnels in phases.

FIPS-enabled-wireguard-go-use-case-at-a-glance

Build from Source

1) Clone the wireguard-go source


git clone https://github.com/WireGuard/wireguard-go.git


2) Apply the SafeLogic patch


cd wireguard-go
git apply <path>/sl-wireguard-go-fips-modification.patch


3) Run tests


cd device
go test


4) Build and install


cd ..
make
make install


5) Verify installation


wireguard-go --version


Expected output example:


wireguard-go v0.0.20250522-sl-fips

Userspace WireGuard daemon for linux-arm64.
Information available at https://www.wireguard.com.
Copyright (C) Jason A. Donenfeld


Getting Started with Docker

Prerequisites

  • Add CryptoComply Go to the cryptocomply directory
  • Add CryptoComply Core to the cryptocomply directory
  • Add the Go package to the cryptocomply directory

Build


docker build -t wg-fips .


Run


docker run -it wg-fips


Run example apps


docker build -t wg-fips -f dockerfile.demo .

cd example
docker compose up --build


Run tests


docker build -t wg-fips -f dockerfile.demo .

cd example
docker compose -f docker-compose.test.yaml run wg-server
docker compose -f docker-compose.test.yaml run wg-client


Advanced Verification 

If you use the test harness with debugger logs, you can inspect evidence that cryptographic operations are executed via the FIPS provider shared object.


cd gdb-logs
cat fips-breakpoints.log


Example snippet:


Breakpoint ... ecdh_derive;
#0  ... in ecdh_derive () from /usr/local/lib/ossl-modules/fips.so

Want the Patch + Automated Build Package?

SafeLogic provides the Wireguard-go FIPS patch and a portal-delivered use case package (including Docker examples and a test harness) to automate these steps and accelerate validation in your environment.

Talk to an Expert

FIPS Cryptography Changes (WireGuard-go)

A summary of the changes in the cryptographic suite and build approach.

Component / Primitive Default in WireGuard-go SafeLogic-Approved Replacement Notes

Scope

Kernel WireGuard (kernel-space)

wireguard-go (userspace)

Userspace build is patched/rebuilt; deployment differs from kernel module

Transport AEAD

ChaCha20-Poly1305

 AES-GCM Uses a FIPS-approved AEAD; affects peer compatibility

Key Exchange (ECDH)

Curve25519 (X25519)

NIST P-256 Uses an approved NIST curve

Handshake hash/KDF building blocks

BLAKE2s

SHA-256 / HMAC / HKDF (SHA-256) SHA-256-family building blocks

Noise construction identifier

Standard WireGuard Noise string

Updated Noise string Prevents standard peer interoperability

Cryptographic foundation (Go)

Standard Go cryptography paths

CryptoComply Go (validated) Rebuilt on a validated cryptographic software foundation for Go.

The Compliance Gap with Standard WireGuard

Standard WireGuard uses a cryptography suite chosen for simplicity and performance. That’s a great fit for many environments, but it creates friction when buyers require FIPS 140-3-validated cryptography and evidence that cryptographic operations are implemented through validated modules and approved algorithms.

How SafeLogic closes the gap: SafeLogic provides a practical path to run userspace wireguard-go in regulated environments by patching wireguard-go to replace non-approved algorithms with approved equivalents and rebuilding it on a FIPS 140-3 validated cryptographic software foundation (CryptoComply Go). SafeLogic also provides verification steps and the artifacts teams typically retain for audits—validation artifacts (as applicable), build provenance, and configuration guidance—so compliance is implementable and auditable rather than assumed.

Access, Rollout, and Evidence

A clear path from artifacts to production, including rollout steps and the evidence most compliance programs expect.

cnsa-2.0-algorithms

 

How Customers Access it

Customers access the required build artifacts through SafeLogic’s Customer Portal and integrate them into internal artifact repositories and CI/CD pipelines.

  • Delivery formats: pre-built artifacts and/or build toolchain integration (based on customer workflow)
  • Supported language: Go (wireguard-go userspace implementation)
  • Supported platforms (OS/architectures): CryptoComply builds are available across a broad set of operating systems and CPU architectures, with support spanning rigorously tested environments.
  • Selecting the right build: Customers use the Customer Portal to locate the exact build by product, version, operating system, architecture, and language, then pull artifacts into internal repositories and pipelines.

Need the exact OS/architecture matrix for your environment?

Talk to an Expert

Typical Rollout

Proof of Concept

Confirm environment fit and peer model.

Integration

Rebuild WireGuard-go against CryptoComply Go and validate configuration.

Verification

Confirm approved algorithm paths and prepare evidence package.

Production

Deploy through standard rollout and monitoring.

Evidence for Auditors

  • Module Security Policy / validation artifacts for the underlying cryptographic foundation
  • Guidance on approved configuration/operation (program-dependent)
  • Integration notes mapping implementation behavior to the validated foundation

cryptography-security-policy-fips-140-validation-artifacts

Frequently Asked Questions

Is this interoperable with standard WireGuard?

Not by default. The cryptographic suite changes and the Noise construction string is updated, so standard WireGuard peers won’t interoperate. FIPS-enabled endpoints must pair with FIPS-enabled endpoints.

Which algorithms change in the FIPS-enabled suite?

The suite moves to approved alternatives (for example, AES-GCM, NIST P-256, and SHA-256-family building blocks such as HMAC/HKDF).

What changes operationally?

It remains a userspace VPN deployment (WireGuard-go), but you adopt the SafeLogic build, rebuild against a validated cryptographic foundation, and plan peer compatibility during rollout.

Does this meet FIPS 140-3 requirements?

It’s built on validated cryptography and uses approved primitives. Whether this satisfies your program depends on your definition of “meets FIPS” and the evidence your auditors expect (e.g., operational environment, boundary considerations, and documentation).

Does this affect performance?

Performance varies by platform and traffic profile. In many enterprise environments, AES-GCM benefits from hardware acceleration on modern CPUs, and benchmarking during POC is the best way to confirm expected performance for your deployment.

What artifacts do we get for auditors?

Typically: module Security Policy / validation artifacts for the underlying cryptographic foundation, plus integration and configuration guidance aligned to your program needs.

Do we need kernel WireGuard support?

No. This use case is based on WireGuard-go (userspace).

How do we verify we’re using approved cryptographic paths?

Verification typically comes from build provenance (validated foundation), configuration guidance, and verification steps aligned to your compliance program.

Is this based on Go “BoringCrypto”?

This use case is built on CryptoComply Go as the validated cryptographic foundation. If your program specifically references Go+BoringCrypto or another mechanism, SafeLogic can help map your requirements to an approved deployment approach.

Explore More Use Cases

Apache FIPS
Apache FIPS

Apache FIPS
NGINX-logo-small
NGINX-logo-small

NGINX FIPS
node-js-logo-2
node-js-logo-2

Node.js FIPS

Ready to Deploy Wireguard-go in Regulated Environments?

Get guidance on interoperability, rollout planning, and the evidence your program requires.
Call us at 844-436-2797 or complete the form below.