2024-11-08 3:31 AM
Hello,
I'm currently working on a project using the STM32U5A5VJT6 processor, and I'm exploring the feasibility of implementing WireGuard in a bare-metal environment. I found one mention of WireGuard in this community post [link], however afaik it is an application for an OS-based ST product. So I'm looking for more detailed insights.
Any advice, resources, or shared experiences would be greatly appreciated!
Thank you,
Xezi
2024-11-08 4:03 AM - edited 2024-11-08 4:10 AM
Exactly because of difficulties of porting crypto libraries to bare metal, consider instead a [more or less] lightweight OS that is POSIX-compatible enough. Of course this will require more RAM and flash than typical bare metal things but should be affordable.
Crucial points for a VPN implementation: it must be
- compatible, with continued support, not vendor-locked
- easy to review, test, validate
- easy to patch / update / upgrade
All this calls for OS-based implementation. Not necessarily Linux.
2024-11-11 9:53 AM
Thank you for your input.
For this project, we are committed to using ThreadX, which brings its own set of challenges for implementing WireGuard. While there is a WireGuard implementation in C [link], it depends on lwIP, and as a community-driven project, it doesn’t fully align with the robustness and warranties our requirements demand. From my initial research, it appears that porting lwIP functionalities to ThreadX would be quite complex and might require significant adaptation to achieve compatibility, especially for low-level networking operations.
If anyone has experience with similar ports or alternative secure communication protocols that integrate more seamlessly with ThreadX and NetX Duo, I’d greatly appreciate any insights.
2024-11-11 9:57 AM
> as a community-driven project, it doesn’t fully align with the robustness and warranties our requirements demand.
And ThreadX? It is no longer backed by Microsoft.
2026-02-26 4:07 AM
Hi xezi,
I know this thread is a bit older, but I stumbled across it because I went through the exact same headache a while ago.
You are 100% right! Trying to wrap the existing lwIP-based WireGuard implementations into NetX Duo is a nightmare. It totally kills the performance, ruins the zero-copy architecture of NetX, and just feels like a hack when you need robustness.
Because of this exact pain point, I actually wrote a native WireGuard VPN stack completely for Azure RTOS / NetX Duo over the last few months ...
It's currently running on an STM32H573 at a 250 MHz MCU frequency, and I'm consistently getting a throughput of around 8.9 MBit/s w. If you are still working on this you can check out the reference architecture and the public API here:
https://github.com/pnfd/STM32H5-WireGuard-AzureRTOS
Happy to exchange thoughts if you are still looking into this specific architecture. And if you need some support on this topic please let me know ...
Best regards, David