wireguard is inherently non-fips. wireguard requires one to use Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF which either are not yet unapproved; or unlikely to ever be approved (blake participated in SHA-3 contest and did not get selected).

When using go fips toolchains, it would be nice to ensure that when fips enforcement is turned on, one doesn't build the wireguard backend.

There are a few popular build tags / experiments for it; and also golang 1.24 introduced a default way for it see all the defails in https://tip.golang.org/doc/security/fips140

I wonder if flannel would be receptive to adding build-tags to automatically compile-out / turn off wireguard backend, when flannel is built with a go toolchain in FIPS enforcement mode.