Lightweight Security for Private Networks: Real-World Evaluation of WireGuard

TL;DR

This study evaluates WireGuard as a lightweight, efficient security solution for industrial 5G networks, demonstrating its practical deployment, comparable performance to IPsec, and enhanced security in real-world factory conditions.

Contribution

It provides the first real-world implementation and comparison of WireGuard with IPsec in an industrial 5G environment, highlighting its practicality and performance benefits.

Findings

WireGuard effectively secures user data against untrusted network elements.

Performance of WireGuard is comparable to IPsec in throughput, latency, and CPU usage.

WireGuard offers reduced configuration complexity, facilitating broader adoption in industrial networks.

Abstract

This paper explores WireGuard as a lightweight alternative to IPsec for securing the user plane as well as the control plane in an industrial Open RAN deployment at the Adtran Terafactory in Meiningen. We focus on a realistic scenario where external vendors access their hardware in our 5G factory network, posing recurrent security risks from untrusted gNBs and intermediate network elements. Unlike prior studies limited to lab setups, we implement a complete proof-of-concept in a factory environment and compare WireGuard with IPsec under industrial traffic conditions. Our approach successfully protects user data (N3 interface) against untrusted gNBs and man-in-the-middle attacks while enabling control plane (N2 interface) authentication between the access and mobility management functions (AMF) and gNB. Performance measurements show that WireGuard adds minimal overhead in throughput, latency, and Central Processing Unit (CPU) usage, achieving performance comparable to IPsec. These findings demonstrate that WireGuard offers competitive performance with significantly reduced configuration complexity, making it a strong candidate for broader adoption in O-RAN, providing a unified, lightweight security layer across multiple interfaces and components.