Lightweight Security for Private Networks: Real-World Evaluation of WireGuard

Hubert Djuitcheu, Andrew Sergeev, Khurshid Alam, Danny Santhosh, Achim Autenrieth, Jochen Seitz

TL;DR

Industrial Open RAN expands the attack surface; IPsec secures user plane (UP) traffic but adds complexity and overhead. The authors implement WireGuard for both end-to-end UP encryption and N2 mutual authentication in a real Terafactory Open RAN deployment, and compare it with IPsec. Results show WireGuard delivers comparable throughput and CPU usage with lower latency overhead and much simpler configuration, making it a viable lightweight security layer. The work argues for considering WireGuard as a complement to IPsec to unify security across multiple interfaces in O-RAN deployments.

Abstract

This paper explores WireGuard as a lightweight alternative to IPsec for securing the user plane as well as the control plane in an industrial Open RAN deployment at the Adtran Terafactory in Meiningen. We focus on a realistic scenario where external vendors access their hardware in our 5G factory network, posing recurrent security risks from untrusted gNBs and intermediate network elements. Unlike prior studies limited to lab setups, we implement a complete proof-of-concept in a factory environment and compare WireGuard with IPsec under industrial traffic conditions. Our approach successfully protects user data (N3 interface) against untrusted gNBs and man-in-the-middle attacks while enabling control plane (N2 interface) authentication between the Access and Mobility Management Function (AMF) and the gNB. Performance measurements show that WireGuard adds minimal overhead in throughput, latency, and Central Processing Unit (CPU) usage, achieving performance comparable to IPsec. These findings demonstrate that WireGuard offers competitive performance with significantly reduced configuration complexity, making it a strong candidate for broader adoption in O-RAN, providing a unified, lightweight security layer across multiple interfaces and components.

Paper Structure

This paper contains 31 sections, 6 figures.

Figures (6)

  • Figure 1: O-RAN-based private network architecture
  • Figure 2: E2E UP Encryption on two distinct termination points: a) external server and b) UPF
  • Figure 3: WireGuard for gNB authentication
  • Figure 4: Security cost on latency and comparison with IPsec.
  • Figure 5: Security cost on throughput
  • ...and 1 more figures