This paper explores WireGuard as a lightweight alternative to IPsec for securing the user plane as well as the control plane in an industrial Open RAN deployment at the Adtran Terafactory in Meiningen. We focus on a realistic scenario where external vendors access their hardware in our 5G factory network, posing recurrent security risks from untrusted gNBs and intermediate network elements. Unlike prior studies limited to lab setups, we implement a complete proof-of-concept in a factory environment and compare WireGuard with IPsec under industrial traffic conditions. Our approach successfully protects user data (N3 interface) against untrusted gNBs and man-in-the-middle attacks while enabling control plane (N2 interface) authentication between the access and mobility management functions (AMF) and gNB. Performance measurements show that WireGuard adds minimal overhead in throughput, latency, and Central Processing Unit (CPU) usage, achieving performance comparable to IPsec. These findings demonstrate that WireGuard offers competitive performance with significantly reduced configuration complexity, making it a strong candidate for broader adoption in O-RAN, providing a unified, ligh
The proliferation of vulnerable Internet-of-Things (IoT) devices has enabled large-scale cyberattacks. Solutions like Hestia and HomeSnitch have failed to comprehensively address IoT security needs. This research evaluates whether WireGuard, an emerging VPN protocol, can provide efficient security tailored for resource-constrained IoT systems. We compared WireGuard's performance against the standard protocols OpenVPN and IPsec in a simulated IoT environment. Metrics measured included throughput, latency, and jitter during file transfers. Initial results reveal WireGuard's potential as a lightweight yet robust IoT security solution, despite disadvantages for WireGuard in our experimental environment. With further testing, WireGuard's simplicity and low overhead could enable widespread VPN adoption to harden IoT devices against attacks. The protocol's advantages in setup time, performance, and compatibility make it promising for integration, especially on weak IoT processors and networks.
The fifth-generation (5G) mobile networks aim to host different types of services on the same physical infrastructure. Network slicing is considered the key enabler for achieving this goal. Although there is some progress in applying and implementing network slicing in the context of 5G, the security and performance of network slicing still have many open research questions. In this paper, we propose the first OSM-WireGuard framework and its lifecycle. We implement the WireGuard secure network tunneling protocol in a 5G network to provide a VPN-as-a-Service (VPNaaS) functionality for virtualized network functions. We demonstrate that OSM instantiates WireGuard-enabled services up and running in 4 min 26 sec, with the potential for the initialization time to go down to 2 min 44 sec if the operator prepares images with a pre-installed and up-to-date version of WireGuard before the on-boarding process. We also show that the OSM-WireGuard framework provides a considerable enhancement of up to 5.3 times higher network throughput and up to 41% lower latency compared to OpenVPN. The reported results show that the proposed framework is a promising solution for providing traffic isolation with str
Network slicing enables the provision of services for different verticals over a shared infrastructure. Nevertheless, security is still one of the main challenges when sharing resources. In this paper, we study how WireGuard can provide an encrypted Virtual Private Network (VPN) tunnel as a service between network functions in a 5G setting. The open source management and orchestration entity deploys and orchestrates the network functions into network services and slices. We create multiple scenarios emulating a real-life cellular network, deploying VPN-as-a-Service between the different network functions to secure and isolate network slices. The performance measurements demonstrate from 0.8 Gbps to 2.5 Gbps throughput and below 1 ms delay between network functions using WireGuard. The performance evaluation results are aligned with 5G key performance indicators, making WireGuard suited to providing security for slice isolation in future generations of cellular networks.
WireGuard is a pioneering and lightweight Virtual Private Network (VPN) protocol that has been merged into the Linux kernel. It leverages the Noise protocol framework to provide advanced security functionalities, such as identity hiding and perfect forward security. Although WireGuard has an optional pre-shared key mode to ensure key security, the advanced security features are guaranteed by asymmetric cryptography algorithms, which cannot hold in the face of sufficiently powerful quantum computers. To achieve quantum-resistant security, WireGuard should avoid using vulnerable asymmetric cryptography algorithms that are currently deeply integrated into the WireGuard protocol. In this paper, we present a solution to enhance the security of WireGuard by integrating Quantum Key Distribution (QKD). We first change the security mode to tunnel-oriented Pre-Shared Keys (PSK) as the authentication anchor. We also design QKD-assisted ephemeral keys and a corresponding Key Encapsulation Mechanism (KEM) to achieve WireGuard's advanced security properties without using asymmetric cryptography. We also integrate QKD keys during the key derivation to provide further security. Finally, we implement the entire protocol, named WireGuard-QKD, in Golang and evaluate its performance and security.
With the rise in cloud computing and virtualisation, secure and efficient VPN solutions are essential for network connectivity. We present a systematic performance comparison of OpenVPN (v2.6.12) and WireGuard (v1.0.20210914) across Azure and VMware environments, evaluating throughput, latency, jitter, packet loss, and resource utilisation. Testing revealed that the protocol performance is highly context dependent. In VMware environments, WireGuard demonstrated a superior TCP throughput (210.64 Mbps vs. 110.34 Mbps) and lower packet loss (12.35% vs. 47.01%). In Azure environments, both protocols achieved a similar baseline throughput (~280–290 Mbps), though OpenVPN performed better under high-latency conditions (120 Mbps vs. 60 Mbps). Resource utilisation showed minimal differences, with WireGuard maintaining slightly better memory efficiency. Security Efficiency Index calculations revealed environment-specific trade-offs: WireGuard showed marginal advantages in Azure, while OpenVPN demonstrated better throughput efficiency in VMware, though WireGuard remained superior for latency-sensitive applications. Our findings indicate protocol selection should be guided by deployment environment and application requirements rather than general superiority claims.
In the rapidly evolving landscape of digital communications, Virtual Private Networks (VPN) have become indispensable for ensuring secure and private internet connectivity. This paper delves into the technical advancements and efficiency of modern VPN technologies, with a focus on WireGuard, a relatively new entrant that has garnered significant attention for its streamlined architecture and enhanced performance. Through comparative analysis, WireGuard is evaluated against traditional VPN solutions such as OpenVPN and L2TP/IPsec, across multiple dimensions including security, performance, ease of configuration, and codebase efficiency. Our research methodology employs empirical data obtained from performance tests using standardized tools, analyzing metrics such as data transfer speed, encryption security levels, and network latency. The findings reveal that WireGuard offers substantial improvements in terms of speed and reliability, attributed to its use of state-of-the-art cryptographic protocols and a more efficient codebase. Moreover, WireGuard's integration into the Linux kernel signifies a leap towards broader adoption and compatibility across different platforms. The paper aims to provide a comprehensive overview of VPN technologies' current state, spotlighting WireGuard as a potent solution that balances security with performance. This study contributes to the ongoing discourse on enhancing digital security and network efficiency, offering insights for both academia and industry professionals looking to navigate the complexities of VPN implementation in corporate networks and beyond.
Despite widespread adoption, the WireGuard tunneling mechanism available in the Linux kernel is unable to provide high-speed connectivity in a site-to-site setup when leveraging a standard single-tunnel configuration. In fact, its capability to scale with the number of available CPU cores is limited, even in the presence of a software architecture that is intrinsically parallel. This paper proposes multiple techniques to increase the throughput of the WireGuard technology. We show how greater control over the scheduling of WireGuard tasks enables performance optimizations such as NUMA awareness, in both single- and multi-tunnel setups. Finally, we further improve the scalability when leveraging multiple tunnels by proposing a custom Inline architecture tailored to this configuration. This architecture shows an almost 2x performance improvement over a multi-tunnel deployment of vanilla WireGuard, and supports 18x the throughput of a single-tunnel setup on our machines.
This study evaluates the performance of WireGuard and IPSec VPN protocols under various network configurations to determine their efficiency, reliability, and resource utilization in different scenarios. The configurations examined include Round Robin, IEEE 802.3ad bonding, single interface/single tunnel, dual interfaces/dual tunnels, and single interface/dual tunnels. Key performance metrics such as throughput, CPU utilization, and the effects of Maximum Transmission Unit (MTU) settings were analyzed to understand the impact of these protocols on network performance. The experimental results demonstrate that WireGuard outperforms IPSec in terms of throughput and CPU efficiency, showcasing lower overhead and improved speed, making it a more suitable option for high-performance and resource-constrained environments. These findings align with existing literature, further validating WireGuard’s advantages in modern networking applications, particularly in scenarios requiring high-speed encrypted communication with minimal computational overhead. Additionally, this study provides insights into the implications of different bonding and tunneling strategies, offering practical recommendations for optimizing VPN deployments in various use cases.
This research investigates the performance of three popular VPN solutions, namely Cloudflare, ZeroTier and WireGuard, by measuring their effect on network performance and server resource usage across multiple metrics such as file upload/download speeds, round-trip time (RTT), web latency, and server CPU usage. The aim is to find the best solution for certain workloads by benchmarking these solutions in a controlled manner. The results of these experiments showed large performance differences. The results were consistent across all tests: WireGuard provided the fastest upload and download speeds (19 seconds and 52 seconds, respectively, for 1000 MB files), the lowest web latency (50 milliseconds for 1000 connections), and the most efficient CPU utilization (24% at 1000 connections). For small packets (less than 700 bytes), Cloudflare provided competitive RTTs of around 10 milliseconds and balanced performance for light workloads. However, it was not scalable, as indicated by a web latency of about 200 milliseconds and CPU utilization higher than 32% in high-concurrency scenarios. ZeroTier struggled with downloads of large files and with many connections: downloading a 1000 MB file took 84 seconds and used up to 62% of CPU. WireGuard emerges as the best-suited high-performance solution for scalable applications. Cloudflare and ZeroTier offer trade-offs suited to particular use cases, providing perspective on which VPN solution to choose depending on workload requirements and resource constraints.
In most split-tunnel VPN/ZTNA deployments, installing an internal route authorizes the entire device, not a specific application, to use it. An unprivileged malicious process can therefore reach internal services by reusing routes intended for corporate applications. We present ProcRoute, a system that restricts internal-route access to explicitly authorized applications. ProcRoute models route access as an access-control problem: application identities are principals, destination prefixes with port and protocol constraints are resources, and a total, default-deny decision function mediates every connect() and UDP sendmsg() to an internal destination. Processes without a grant retain external access but are denied internal routes under our threat model. We describe ProcRoute's formal model, a Linux prototype built on cgroup v2 and eBPF socket-address hooks, and two complementary evaluations. In a two-machine WireGuard deployment, ProcRoute matches the WireGuard baseline and is 13% faster than an nftables cgroup-matching configuration, with a p50 connect latency of 93 µs (+3.6 µs over baseline), flat policy scaling to 5,000 prefixes, and sub-millisecond revocation. Single-machine l
We present a layered and modular network architecture that combines Quantum Key Distribution (QKD) and Post-Quantum Cryptography (PQC) to provide scalable end-to-end security across long-distance, multi-hop, trusted-node quantum networks. To ensure interoperability and efficient practical deployment, hop-wise tunnels between physically secured nodes are protected by WireGuard with periodically rotated pre-shared keys sourced via the ETSI GS QKD 014 interface. On top, Rosenpass performs a PQC key exchange to establish an end-to-end data channel without modifying deployed QKD devices or network protocols. This dual-layer composition yields post-quantum forward secrecy and authenticity under practical assumptions. We implement the design using open-source components and validate and evaluate it in simulated and lab test-beds. Experiments show uninterrupted operation over multi-hop paths, a low resource footprint and fail-safe mechanisms. We further discuss the design's compositional security, wherein the security of each individual component is preserved under their combination, and outline migration paths for operators integrating QKD-aware overlays into existing infrastructures.
The complexity and scale of Internet attacks call for distributed, cooperative observatories capable of monitoring malicious traffic across diverse networks. Holoscope is a lightweight, cloud-native platform designed to simplify the deployment and management of distributed telescope (passive) and honeypot (active) sensors, used to collect and analyse attack traffic by exposing or simulating vulnerable systems. Built upon K3s and WireGuard, Holoscope offers secure connectivity, automated node onboarding, and resilient operation even in resource-constrained environments. Through modular design and Infrastructure-as-Code principles, it supports dynamic sensor orchestration, automated recovery and processing. We build, deploy and operate Holoscope across multiple institutions and cloud networks in Europe and Brazil, enabling unified visibility into large-scale attack phenomena while maintaining ease of integration and security compliance.
Intent-Based Networking (IBN) is an emerging network management paradigm that allows automated closed-loop control and management of network devices and services. Closed-loop control requires security primitives to avoid intrusive human impact on network policies, posing a serious security challenge. This paper addresses this critical problem by securing the management plane in IBN systems. We propose a novel security framework based on WireGuard that augments the existing standards to secure intent communication between intent stakeholders. The framework guarantees isolation through WireGuard tunnels and provides inherent authentication and access control mechanisms to avoid intrusion in IBN systems. This work contributes to developing secure, efficient, and flexible communication channels within the IBN ecosystem, ensuring the integrity and confidentiality of network intents and operational data. Experimental results show the suitability and superiority of WireGuard compared to OpenVPN.
In contrast to its predecessors, 5G supports a wide range of commercial, industrial, and critical infrastructure scenarios. One key feature of 5G, ultra-reliable low latency communication, is particularly appealing to such scenarios for its real-time capabilities. However, 5G's enhanced security, mostly realized through optional security controls, imposes additional overhead on the network performance, potentially hindering its real-time capabilities. To better assess this impact and guide operators in choosing between different options, we measure the latency overhead of IPsec when applied over the N3 and the service-based interfaces to protect user and control plane data, respectively. Furthermore, we evaluate whether WireGuard constitutes an alternative to reduce this overhead. Our findings show that IPsec, if configured correctly, has minimal latency impact and thus is a prime candidate to secure real-time critical scenarios.
There exists a verification gap between formal protocol specifications and their actual implementations, which this work aims to bridge via monitoring for compliance with the formal specification. We instrument the networking and cryptographic library the application uses to obtain a stream of events. This is possible even without source code access. We then use an efficient algorithm to match these observations to traces that are valid in the specification model. In contrast to prior work, our algorithm can handle non-determinism and thus multiple sessions. It also achieves a low overhead, which we demonstrate on the WireGuard reference implementation and a case study from prior work. We find that the reference Tamarin model for WireGuard can be used with little change: we only need to specify wire formats and correct some small inaccuracies that we discovered while conducting the case study. We also provide a soundness result for our algorithm that ensures it accepts only event streams that are valid according to the specification model.
Universal Composability (UC) is the gold standard for cryptographic security, but mechanizing proofs of UC is notoriously difficult. A recently discovered connection between UC and Robust Compilation (RC), a novel theory of secure compilation, provides a means to verify UC proofs using tools that mechanize equality results. Unfortunately, the existing methods apply only to perfect UC security, and real-world protocols relying on cryptography are only computationally secure. This paper addresses this gap by lifting the connection between UC and RC to the computational setting, extending techniques from the RC setting to apply to computational UC security. Moreover, it further generalizes the UC–RC connection beyond computational security to arbitrary equalities, providing a framework to subsume the existing perfect case, and to instantiate future theories with more complex notions of security. This connection allows the use of tools for proofs of computational indistinguishability to properly mechanize proofs of computational UC security. We demonstrate this power by using CryptoVerif to mechanize a proof that parts of the WireGuard prot
We introduce CryptoBap, a platform to verify weak secrecy and authentication for the (ARMv8 and RISC-V) machine code of cryptographic protocols. We achieve this by first transpiling the binary of protocols into an intermediate representation and then performing a crypto-aware symbolic execution to automatically extract a model of the protocol that represents all its execution paths. Our symbolic execution resolves indirect jumps and supports bounded loops using the loop-summarization technique, which we fully automate. The extracted model is then translated into models amenable to automated verification via ProVerif and CryptoVerif using a third-party toolchain. We prove the soundness of the proposed approach and use CryptoBap to verify multiple case studies ranging from toy examples to real-world protocols: TinySSH, an implementation of SSH, and WireGuard, a modern VPN protocol.
As enterprises increasingly migrate their applications to the cloud, the demand for secure and cost-effective Wide Area Networking (WAN) solutions for data transmission between branches and data centers grows. Among these solutions, Software-Defined Wide Area Networking (SD-WAN) has emerged as a promising approach. However, existing SD-WAN implementations largely rely on IPSec tunnels for data encryption between edge routers, resulting in drawbacks such as extended setup times and limited throughput. Additionally, the SD-WAN control plane rarely takes both latency and monetary cost into consideration when determining routes between nodes, resulting in unsatisfactory Quality of Service (QoS). We propose WirePlanner, an SD-WAN solution that employs a novel algorithm for path discovery, optimizing both latency and cost, and configures WireGuard tunnels for secure and efficient data transmission. WirePlanner considers two payment methods: Pay-As-You-Go, where users pay for a fixed amount of bandwidth over a certain duration, and Pay-For-Data-Transfer, where users pay for the volume of transmitted data. Given an underlay topology of edge routers and a user-defined budget constraint, Wir
Security protocols are essential building blocks of modern IT systems. Subtle flaws in their design or implementation may compromise the security of entire systems. It is, thus, important to prove the absence of such flaws through formal verification. Much existing work focuses on the verification of protocol *models*, which is not sufficient to show that their *implementations* are actually secure. Verification techniques for protocol implementations (e.g., via code generation or model extraction) typically impose severe restrictions on the used programming language and code design, which may lead to sub-optimal implementations. In this paper, we present a methodology for the modular verification of strong security properties directly on the level of the protocol implementations. Our methodology leverages state-of-the-art verification logics and tools to support a wide range of implementations and programming languages. We demonstrate its effectiveness by verifying memory safety and security of Go implementations of the Needham-Schroeder-Lowe, Diffie-Hellman key exchange, and WireGuard protocols, including forward secrecy and injective agreement for WireGuard. We also show that ou