This data article describes a flow-level dataset derived from paired captures on both sides of a WireGuard virtual private network tunnel. Pre-tunnel traffic was recorded on the inner tunnel interface before encapsulation, and encrypted transport traffic was recorded on the outer side, using a GL.iNet Flint 2 (GL-MT6000) router, an inline network TAP, and a Linux capture host. Two capture sessions totaling approximately 80 h of residential broadband traffic from 10 devices were recorded with nanosecond-precision packet timestamps; the released flow-level data uses millisecond resolution as exported by NFStream. The raw captures were cleaned to retain TCP and UDP packets and to remove non-initial IPv4 fragments. Flow records were generated from the cleaned inner-side captures using NFStream, which assigned each flow an application name and application category label via deep packet inspection. Inner packets were matched to outer WireGuard transport data packets using time alignment and a padded-length consistency rule, and matched packets were attributed to flows using 5-tuple keys with temporal and capacity constraints. Encrypted-side statistics were then aggregated per flow. The released dataset consists of two Parquet files, one per capture session, that combine NFStream flow fields, including application labels and inner-side per-packet sequences for the first 255 packets, with encrypted-side derived attributes such as matched packet counts, byte totals, durations, rates, direction-specific byte volumes, packet-size statistics, inter-arrival time distributions, size-ratio metrics and outer-side per-packet sequences for the first 255 packets. This cross-correlation structure, pairing pre-tunnel application labels with encrypted tunnel-side features, can support research on encrypted traffic classification, application identification, VPN detection, and feature engineering for flow-level analysis under encryption.
The proliferation of vulnerable Internet-of-Things (IoT) devices has enabled large-scale cyberattacks. Solutions like Hestia and HomeSnitch have failed to comprehensively address IoT security needs. This research evaluates whether WireGuard, an emerging VPN protocol, can provide efficient security tailored for resource-constrained IoT systems. We compared WireGuard's performance against the standard protocols OpenVPN and IPsec in a simulated IoT environment. Metrics measured included throughput, latency, and jitter during file transfers. Initial results reveal WireGuard's potential as a lightweight yet robust IoT security solution despite disadvantages for WireGuard in our experimental environment. With further testing, WireGuard's simplicity and low overhead could enable widespread VPN adoption to harden IoT devices against attacks. The protocol's advantages in setup time, performance, and compatibility make it promising for integration, especially on weak IoT processors and networks.
This paper explores WireGuard as a lightweight alternative to IPsec for securing the user plane as well as the control plane in an industrial Open RAN deployment at the Adtran Terafactory in Meiningen. We focus on a realistic scenario where external vendors access their hardware in our 5G factory network, posing recurrent security risks from untrusted gNBs and intermediate network elements. Unlike prior studies limited to lab setups, we implement a complete proof-of-concept in a factory environment and compare WireGuard with IPsec under industrial traffic conditions. Our approach successfully protects user data (N3 interface) against untrusted gNBs and man-in-the-middle attacks while enabling control plane (N2 interface) authentication between the access and mobility management function (AMF) and the gNB. Performance measurements show that WireGuard adds minimal overhead in throughput, latency, and Central Processing Unit (CPU) usage, achieving performance comparable to IPsec. These findings demonstrate that WireGuard offers competitive performance with significantly reduced configuration complexity, making it a strong candidate for broader adoption in O-RAN, providing a unified, ligh
Network slicing enables the provision of services for different verticals over a shared infrastructure. Nevertheless, security is still one of the main challenges when sharing resources. In this paper, we study how WireGuard can provide an encrypted Virtual Private Network (VPN) tunnel as a service between network functions in a 5G setting. The open source management and orchestration entity deploys and orchestrates the network functions into network services and slices. We create multiple scenarios emulating a real-life cellular network, deploying VPN-as-a-Service between the different network functions to secure and isolate network slices. The performance measurements demonstrate 0.8 Gbps to 2.5 Gbps throughput and below 1 ms delay between network functions using WireGuard. The performance evaluation results are aligned with 5G key performance indicators, making WireGuard suited to providing security for slice isolation in future generations of cellular networks.
The fifth-generation (5G) mobile networks aim to host different types of services on the same physical infrastructure. Network slicing is considered the key enabler for achieving this goal. Although there is some progress in applying and implementing network slicing in the context of 5G, the security and performance of network slicing still have many open research questions. In this paper, we propose the first OSM-WireGuard framework and its lifecycle. We implement the WireGuard secure network tunneling protocol in a 5G network to provide VPN-as-a-Service (VPNaaS) functionality for virtualized network functions. We demonstrate that OSM instantiates WireGuard-enabled services up and running in 4 min 26 sec, with the potential for the initialization time to go down to 2 min 44 sec if the operator prepares images with a pre-installed and up-to-date version of WireGuard before the on-boarding process. We also show that the OSM-WireGuard framework provides a considerable enhancement of up to 5.3 times higher network throughput and up to 41% lower latency compared to OpenVPN. The reported results show that the proposed framework is a promising solution for providing traffic isolation with str
WireGuard is a pioneering and lightweight Virtual Private Network (VPN) protocol that has been merged into the Linux kernel. It leverages the Noise protocol framework to provide advanced security functionalities, such as identity hiding and perfect forward secrecy. Although WireGuard has an optional pre-shared key mode to ensure key security, the advanced security features are guaranteed by asymmetric cryptography algorithms, which cannot hold against sufficiently powerful quantum computers. To achieve quantum-resistant security, WireGuard should avoid using vulnerable asymmetric cryptography algorithms that are currently deeply integrated into the WireGuard protocol. In this paper, we present a solution to enhance the security of WireGuard by integrating Quantum Key Distribution (QKD). We first change the security mode to tunnel-oriented Pre-Shared Keys (PSK) as the authentication anchor. We also design QKD-assisted ephemeral keys and a corresponding Key Encapsulation Mechanism (KEM) to achieve WireGuard's advanced security properties without using asymmetric cryptography. We also integrate QKD keys during the key derivation to provide further security. Finally, we implement the entire protocol, named WireGuard-QKD, in Golang and evaluate its performance and security.
With the rise in cloud computing and virtualisation, secure and efficient VPN solutions are essential for network connectivity. We present a systematic performance comparison of OpenVPN (v2.6.12) and WireGuard (v1.0.20210914) across Azure and VMware environments, evaluating throughput, latency, jitter, packet loss, and resource utilisation. Testing revealed that the protocol performance is highly context dependent. In VMware environments, WireGuard demonstrated a superior TCP throughput (210.64 Mbps vs. 110.34 Mbps) and lower packet loss (12.35% vs. 47.01%). In Azure environments, both protocols achieved a similar baseline throughput (~280–290 Mbps), though OpenVPN performed better under high-latency conditions (120 Mbps vs. 60 Mbps). Resource utilisation showed minimal differences, with WireGuard maintaining slightly better memory efficiency. Security Efficiency Index calculations revealed environment-specific trade-offs: WireGuard showed marginal advantages in Azure, while OpenVPN demonstrated better throughput efficiency in VMware, though WireGuard remained superior for latency-sensitive applications. Our findings indicate protocol selection should be guided by deployment environment and application requirements rather than general superiority claims.
In the rapidly evolving landscape of digital communications, Virtual Private Networks (VPN) have become indispensable for ensuring secure and private internet connectivity. This paper delves into the technical advancements and efficiency of modern VPN technologies, with a focus on WireGuard, a relatively new entrant that has garnered significant attention for its streamlined architecture and enhanced performance. Through comparative analysis, WireGuard is evaluated against traditional VPN solutions such as OpenVPN and L2TP/IPsec, across multiple dimensions including security, performance, ease of configuration, and codebase efficiency. Our research methodology employs empirical data obtained from performance tests using standardized tools, analyzing metrics such as data transfer speed, encryption security levels, and network latency. The findings reveal that WireGuard offers substantial improvements in terms of speed and reliability, attributed to its use of state-of-the-art cryptographic protocols and a more efficient codebase. Moreover, WireGuard's integration into the Linux kernel signifies a leap towards broader adoption and compatibility across different platforms. The paper aims to provide a comprehensive overview of VPN technologies' current state, spotlighting WireGuard as a potent solution that balances security with performance. This study contributes to the ongoing discourse on enhancing digital security and network efficiency, offering insights for both academia and industry professionals looking to navigate the complexities of VPN implementation in corporate networks and beyond.
Despite widespread adoption, the WireGuard tunneling mechanism available in the Linux kernel is unable to provide high-speed connectivity in a site-to-site setup when leveraging a standard single-tunnel configuration. In fact, its capability to scale with the number of available CPU cores is limited, even in the presence of a software architecture that is intrinsically parallel. This paper proposes multiple techniques to increase the throughput of the WireGuard technology. We show how greater control over the scheduling of WireGuard tasks enables performance optimizations such as NUMA awareness, in both single- and multi-tunnel setups. Finally, we further improve the scalability when leveraging multiple tunnels by proposing a custom Inline architecture tailored to this configuration. This architecture shows an almost 2x performance improvement over a multi-tunnel deployment of vanilla WireGuard, and supports 18x the throughput of a single-tunnel setup on our machines.
Digital behaviors such as sleep, social interactions, and productivity reflect how individuals structure their daily lives. Among university students, online activity patterns mirror academic schedules, social rhythms, and lifestyle habits, with disruptions linked to sleep, stress, and well-being. Existing approaches, including wearables, apps, and surveys, depend on self-report or active participation, limiting long-term adherence. Passive sensing of network traffic offers a scalable alternative for the unobtrusive capture of smartphone usage patterns that preserves privacy. This study evaluated the degree to which encrypted smartphone network traffic, collected via a standard virtual private network (VPN), can capture patterns of digital behavior. We assessed feasibility (sustained data capture) and acceptability (usability, burden, and privacy perceptions) and examined how traffic-derived features reveal aspects of digital behavior, including timing, intensity, and regularity, relevant to health and daily functioning. We conducted a 2-week prospective observational study at New York University. Participants installed the WireGuard VPN client on personal smartphones, enabling passive capture of encrypted network traffic. Feasibility was assessed using a mixed methods approach combining quantitative measures of user retention and data coverage with qualitative analysis of semistructured exit interviews. Acceptability was evaluated using the System Usability Scale, NASA Task Load Index, and qualitative interview analysis. Exploratory analyses visualized traffic-derived features in relation to digital activity patterns. Thirty-eight students consented, of whom 29 (76.3%) contributed valid network traffic data and formed the analytic cohort. Within this cohort, 93% of participants (27/29; Wilson 95% CI 78%-98%) contributed at least 5 days of monitoring, corresponding to 71% retention relative to all consented participants (27/38; Wilson 95% CI 55%-83%).
The mean data coverage within the analytic cohort (n=24) was 74.1% (SD 19.3%; median 77.1%, IQR 63.6%-90.0%; bootstrap 95% CI 66.3%-81.4%). These participants contributed an average of 311.6 (∼13 d, SD 3.5) hours of monitored traffic, ranging from 121 to 496 hours. Acceptability outcomes were evaluated among participants completing the exit survey and interview. Usability ratings were high (System Usability Scale score: mean 78, SD 14.96), and perceived workload was low (NASA Task Load Index scores were minimal). Participants described the system as easy to install, unobtrusive, and generally trustworthy, although some reported temporarily disabling the VPN during activities they considered private. No inferential statistical tests were conducted; analyses were descriptive. Exploratory analyses indicated that traffic-derived features reflected daily digital activity rhythms and revealed distinctive lifestyle patterns, including gaming and irregular late-night food delivery use. VPN-based monitoring of encrypted smartphone traffic was feasible and acceptable, enabling sustained passive data collection with minimal burden. This approach shows promise as a scalable, device-agnostic method for digital phenotyping that captures fine-grained behavioral rhythms while preserving privacy. With broader validation, this technique could expand the toolkit for studying health and well-being in everyday life.
NetworkGuard is a modular edge-based virtual network sensing framework designed for residential smart home security. The system interprets network telemetry, such as DNS queries, firewall events, VPN latency, and connection establishment delay, as structured sensing signals for gateway-level monitoring. Implemented on a Raspberry Pi 4 and managed via an Android interface, NetworkGuard integrates DNS filtering (Pi-hole), firewall enforcement (UFW), encrypted VPN tunneling (WireGuard), and an AI-assisted advisory layer for contextual log interpretation. During a six-week residential deployment, DNS blocking efficiency improved from 81.2% to 97.0% following blocklist refinement, while VPN connection establishment time decreased from approximately 3012 ms to 2410 ms after configuration tuning. ICMP-based measurements indicated a stable tunnel latency under moderate traffic conditions. Controlled validation scenarios, including DNS manipulation attempts, port scanning, and VPN interruption testing, confirmed consistent firewall enforcement and tunnel containment. The results demonstrate that layered security principles can be adapted into a lightweight, reproducible edge architecture suitable for small-scale residential IoT environments without reliance on enterprise infrastructure.
Software-Defined Wide Area Networks (SD-WAN) have emerged as a rapidly evolving technology designed to meet the growing demand for flexible, secure, and scalable network infrastructures. This paper provides a review of SD-WAN techniques, focusing on their principles of operation, mechanisms, and evolution, with particular attention to applications in resource-constrained environments such as mobile, satellite, and radio networks. The analysis highlights key architectural elements, including security mechanisms, monitoring methods and metrics, and management protocols. A classification of both commercial (e.g., Cisco SD-WAN, Fortinet Secure SD-WAN, VMware SD-WAN, Palo Alto Prisma SD-WAN, HPE Aruba EdgeConnect) and research-based solutions is presented. The overview covers overlay protocols such as Overlay Management Protocol (OMP), Dynamic Multipath Optimization (DMPO), App-ID, OpenFlow, and NETCONF, as well as tunneling mechanisms such as IPsec and WireGuard. The discussion further covers control plane architectures (centralized, distributed, and hybrid) and network monitoring methods, including latency, jitter, and packet loss measurement. The growing importance of Artificial Intelligence (AI) in optimizing path selection and improving threat detection in SD-WAN environments, especially in resource-constrained networks, is emphasized. Analysis of solutions indicates that SD-WAN improves performance, reduces latency, and lowers operating costs compared to traditional WAN architectures. The paper concludes with guidelines and recommendations for using SD-WAN in resource-constrained environments.
Encryption of network traffic should guarantee anonymity and prevent potential interception of information. Encrypted virtual private networks (VPNs) are designed to create special data tunnels that allow reliable transmission between networks and/or end users. However, as has been shown in a number of scientific papers, encryption alone may not be sufficient to secure data transmissions in the sense that certain information may be exposed. Our team has constructed a large dataset that contains generated encrypted network traffic data. This dataset contains a general network traffic model consisting of different types of network traffic such as web, emailing, video conferencing, video streaming, and terminal services. For the same network traffic model, data are measured for different scenarios, i.e., for data traffic through different types of VPNs and without VPNs. Additionally, the dataset contains the initial handshake of the VPN connections. The dataset can be used by various data scientists dealing with the classification of encrypted network traffic and encrypted VPNs.
In most split-tunnel VPN/ZTNA deployments, installing an internal route authorizes the entire device, not a specific application, to use it. An unprivileged malicious process can therefore reach internal services by reusing routes intended for corporate applications. We present ProcRoute, a system that restricts internal-route access to explicitly authorized applications. ProcRoute models route access as an access-control problem: application identities are principals, destination prefixes with port and protocol constraints are resources, and a total, default-deny decision function mediates every connect() and UDP sendmsg() to an internal destination. Processes without a grant retain external access but are denied internal routes under our threat model. We describe ProcRoute's formal model, a Linux prototype built on cgroup v2 and eBPF socket-address hooks, and two complementary evaluations. In a two-machine WireGuard deployment, ProcRoute matches the WireGuard baseline and is 13% faster than an nftables cgroup-matching configuration, with a p50 connect latency of 93 μs (+3.6 μs over baseline), flat policy scaling to 5,000 prefixes, and sub-millisecond revocation. Single-machine l
We present a layered and modular network architecture that combines Quantum Key Distribution (QKD) and Post-Quantum Cryptography (PQC) to provide scalable end-to-end security across long distance multi-hop, trusted-node quantum networks. To ensure interoperability and efficient practical deployment, hop-wise tunnels between physically secured nodes are protected by WireGuard with periodically rotated pre-shared keys sourced via the ETSI GS QKD 014 interface. On top, Rosenpass performs a PQC key exchange to establish an end-to-end data channel without modifying deployed QKD devices or network protocols. This dual-layer composition yields post-quantum forward secrecy and authenticity under practical assumptions. We implement the design using open-source components and validate and evaluate it in simulated and lab test-beds. Experiments show uninterrupted operation over multi-hop paths, low resource footprint and fail-safe mechanisms. We further discuss the design's compositional security, wherein the security of each individual component is preserved under their combination and outline migration paths for operators integrating QKD-aware overlays in existing infrastructures.
The complexity and scale of Internet attacks call for distributed, cooperative observatories capable of monitoring malicious traffic across diverse networks. Holoscope is a lightweight, cloud-native platform designed to simplify the deployment and management of distributed telescope (passive) and honeypot (active) sensors, used to collect and analyse attack traffic by exposing or simulating vulnerable systems. Built upon K3s and WireGuard, Holoscope offers secure connectivity, automated node onboarding, and resilient operation even in resource-constrained environments. Through modular design and Infrastructure-as-Code principles, it supports dynamic sensor orchestration, automated recovery and processing. We build, deploy and operate Holoscope across multiple institutions and cloud networks in Europe and Brazil, enabling unified visibility into large-scale attack phenomena while maintaining ease of integration and security compliance.
In contrast to its predecessors, 5G supports a wide range of commercial, industrial, and critical infrastructure scenarios. One key feature of 5G, ultra-reliable low latency communication, is particularly appealing to such scenarios for its real-time capabilities. However, 5G's enhanced security, mostly realized through optional security controls, imposes additional overhead on the network performance, potentially hindering its real-time capabilities. To better assess this impact and guide operators in choosing between different options, we measure the latency overhead of IPsec when applied over the N3 and the service-based interfaces to protect user and control plane data, respectively. Furthermore, we evaluate whether WireGuard constitutes an alternative to reduce this overhead. Our findings show that IPsec, if configured correctly, has minimal latency impact and thus is a prime candidate to secure real-time critical scenarios.
Intent-Based Networking (IBN) is an emerging network management paradigm that allows automated closed-loop control and management of network devices and services. Closed-loop control requires security primitives to avoid intrusive human impact on network policies, posing a serious security challenge. This paper addresses this critical problem by securing the management plane in IBN systems. We propose a novel security framework based on WireGuard that augments the existing standards to secure intent communication between intent stakeholders. The framework guarantees isolation through WireGuard tunnels and provides inherent authentication and access control mechanisms to avoid intrusion in IBN systems. This work contributes to developing secure, efficient, and flexible communication channels within the IBN ecosystem, ensuring the integrity and confidentiality of network intents and operational data. Experimental results show the suitability and superiority of WireGuard compared to OpenVPN.
There exists a verification gap between formal protocol specifications and their actual implementations, which this work aims to bridge via monitoring for compliance to the formal specification. We instrument the networking and cryptographic library the application uses to obtain a stream of events. This is possible even without source code access. We then use an efficient algorithm to match these observations to traces that are valid in the specification model. In contrast to prior work, our algorithm can handle non-determinism and thus, multiple sessions. It also achieves a low overhead, which we demonstrate on the WireGuard reference implementation and a case study from prior work. We find that the reference Tamarin model for WireGuard can be used with little change: We only need to specify wire formats and correct some small inaccuracies that we discovered while conducting the case study. We also provide a soundness result for our algorithm that ensures it accepts only event streams that are valid according to the specification model.
Universal Composability (UC) is the gold standard for cryptographic security, but mechanizing proofs of UC is notoriously difficult. A recently-discovered connection between UC and Robust Compilation (RC), a novel theory of secure compilation, provides a means to verify UC proofs using tools that mechanize equality results. Unfortunately, the existing methods apply only to perfect UC security, and real-world protocols relying on cryptography are only computationally secure. This paper addresses this gap by lifting the connection between UC and RC to the computational setting, extending techniques from the RC setting to apply to computational UC security. Moreover, it further generalizes the UC-RC connection beyond computational security to arbitrary equalities, providing a framework to subsume the existing perfect case, and to instantiate future theories with more complex notions of security. This connection allows the use of tools for proofs of computational indistinguishability to properly mechanize proofs of computational UC security. We demonstrate this power by using CryptoVerif to mechanize a proof that parts of the WireGuard prot