Add FIPS 140-2 compliance information for VPN protocols

FEATURES.md

@@ -114,23 +114,31 @@ Add functionality to configure and set up VPN connections for organizational use
 ### Proposed Implementation
 
 #### VPN Server Options:
-1. **WireGuard**
+1. **IPSec/IKEv2** ⭐ **FIPS 140-2 Compliant**
-   - Modern, fast, secure VPN protocol
+   - **Best FIPS compliance** - Can use FIPS 140-2 validated cryptographic modules
-   - Simple configuration
-   - Low overhead
-   - Built-in key management
-
-2. **OpenVPN**
-   - Mature and widely supported
-   - Flexible configuration
-   - Strong encryption
-   - Cross-platform support
-
-3. **IPSec/IKEv2**
    - Native OS support
    - Fast reconnection
    - Good for mobile devices
    - Strong security
+   - Recommended for government/enterprise requiring FIPS compliance
+   - Use strongSwan or other FIPS-validated implementations
+
+2. **OpenVPN** ⚠️ **FIPS Compatible (with configuration)**
+   - Can support FIPS 140-2 when using FIPS-validated OpenSSL libraries
+   - Requires careful configuration and FIPS mode enablement
+   - Mature and widely supported
+   - Flexible configuration
+   - Strong encryption (AES-256, SHA-256)
+   - Cross-platform support
+   - **Note:** Must use FIPS-validated OpenSSL and enable FIPS mode
+
+3. **WireGuard** ❌ **Not FIPS 140-2 Validated**
+   - Modern, fast, secure VPN protocol
+   - Uses modern cryptography (ChaCha20, Curve25519) - not yet FIPS-validated
+   - Simple configuration
+   - Low overhead
+   - Built-in key management
+   - **Note:** Not suitable for environments requiring FIPS 140-2 compliance
 
 #### Features to Include:
 1. **Server Configuration**
@@ -149,10 +157,12 @@ Add functionality to configure and set up VPN connections for organizational use
 
 3. **Security Features**
    - Strong encryption (AES-256, ChaCha20)
+   - **FIPS 140-2 compliance option** (for IPSec/OpenVPN)
    - Perfect Forward Secrecy
    - Kill switch (block non-VPN traffic)
    - DNS leak protection
    - Split tunneling options
+   - FIPS-validated cryptographic modules (when required)
 
 4. **Monitoring & Logging**
    - Connection logs
@@ -171,6 +181,7 @@ Add functionality to configure and set up VPN connections for organizational use
 Add to the web form:
 - [ ] Enable VPN server setup
 - [ ] Select VPN protocol (WireGuard, OpenVPN, IPSec)
+- [ ] **Enable FIPS 140-2 compliance mode** (for IPSec/OpenVPN)
 - [ ] Configure VPN network (subnet, IP range)
 - [ ] Set up authentication method
 - [ ] Configure DNS servers for VPN clients
@@ -183,10 +194,18 @@ Add to the web form:
 #### Tools to Integrate:
 - `wireguard` / `wireguard-tools`
 - `openvpn` / `easy-rsa`
-- `strongswan` (for IPSec)
+- `strongswan` (for IPSec) - **Supports FIPS 140-2**
+- `openssl` (FIPS-validated version for OpenVPN FIPS mode)
 - `ufw` / `iptables` (firewall rules)
 - `qrencode` (QR code generation)
 
+#### FIPS 140-2 Requirements:
+- **IPSec**: Use strongSwan with FIPS-validated cryptographic libraries
+- **OpenVPN**: Requires FIPS-validated OpenSSL library and FIPS mode configuration
+- **WireGuard**: Currently not FIPS-validated (use IPSec/OpenVPN for FIPS requirements)
+- System must have FIPS mode enabled: `/proc/sys/crypto/fips_enabled`
+- Use only FIPS-approved algorithms (AES-256, SHA-256, RSA, ECDSA)
+
 #### Script Structure:
 ```bash
 # Proposed function structure
@@ -201,11 +220,14 @@ monitor_vpn_connections()
 ### Security Considerations
 
 - Use strong encryption algorithms
+- **For FIPS compliance**: Use IPSec with strongSwan or OpenVPN with FIPS-validated OpenSSL
 - Implement proper key rotation
 - Secure key storage
 - Network isolation
 - Regular security audits
 - Access control and user management
+- **FIPS 140-2**: Ensure system crypto modules are FIPS-validated
+- Use only FIPS-approved cryptographic algorithms when FIPS mode is enabled
 
 ### Status
 **Status:** Planned for future release