
IPsec VPN in Industrial Networks: How It Works and a Comparison with OpenVPN and WireGuard

  • Admin
  • 3 days ago
  • 10 min read

Target audience: OT/network engineers, IT infrastructure decision-makers

IPsec, OpenVPN, or WireGuard — VPN protocol selection for industrial networks is not just a performance comparison; it involves topology, device compatibility, and operational complexity.


As industrial networks transition from closed systems to remote interconnection, VPN has evolved from an optional IT security feature into a foundational architecture decision for every industrial router deployment. SCADA backhaul, PLC remote maintenance, substation interconnection, ATM terminal networks — each scenario requires encrypted, authenticated communication channels between sites, devices, and operations personnel.


The cost of choosing the wrong protocol is not trivial. Misconfigured IPsec can prevent tunnels from traversing carrier NAT; OpenVPN may create WAN throughput bottlenecks on low-power devices; WireGuard lacks native support on legacy OT equipment. Protocol selection is not simply a matter of ranking performance test results — it requires a holistic assessment of network topology, the existing device ecosystem, compliance requirements, and the team's operational capabilities.


This article focuses on real industrial router deployment scenarios, breaking down the working mechanisms, key differences, and applicable boundaries of all three protocols, and provides scenario-based configuration recommendations to help network engineers and procurement decision-makers quickly find the solution that best fits their project requirements.


  1. Why Industrial Networks Must Use VPN

When deploying industrial routers for SCADA, PLC remote access, substations, water treatment stations, ATM networks, or video surveillance systems, the choice of VPN protocol directly impacts security, uptime, maintenance costs, and long-term scalability. In these environments, VPN is not an optional IT security feature — it is part of the industrial communication architecture.


Modern industrial networks are no longer fully isolated closed systems. Common deployments include remote SCADA terminals transmitting data back over 4G/5G, multiple substations sending telemetry to a control center, remote sites uploading water quality monitoring data to cloud platforms, and engineers remotely diagnosing equipment hundreds of kilometers away from their laptops. Every remote connection is a potential attack surface.


Security incidents in OT environments typically have more severe consequences than in ordinary enterprise IT networks. Unauthorized access to SCADA systems or PLCs can cause equipment damage, production downtime, compliance risk, or even safety incidents — not merely data breaches. VPN is therefore the foundational mechanism for encrypting and authenticating communication between sites, devices, and operations personnel in industrial networks. It must be planned alongside account permissions, port exposure, remote access policies, and firmware maintenance — not patched in as an afterthought after the system goes live. A comprehensive overview of security risks and mitigation strategies in industrial router deployments can serve as a companion reference to this article.


For procurement teams and network engineers, the real question is not whether to use VPN, but which industrial VPN protocol to use: IPsec, OpenVPN, or WireGuard. That choice depends on network topology, existing equipment, compliance requirements, and how much operational complexity the team can sustain.


  2. Quick Conclusions: Which Protocol to Choose for Different Scenarios

For a quick assessment, refer to the comparison table below. When making the actual selection, consider protocol type, deployment topology, remote access method, and router-side configuration together.

| Criteria | IPsec | OpenVPN | WireGuard |
|---|---|---|---|
| Best Use Case | Fixed site-to-site links | Flexible remote access | Low-latency, lightweight deployments |
| Throughput | High | Medium | Highest |
| Configuration Complexity | High | Medium | Low |
| Legacy OT Device Compatibility | Best | Good | Limited |
| Hardware Acceleration | Supported | Partial | Supported |
| NAT Traversal | Requires NAT-T | Good | Good |
| Typical Industrial Applications | SCADA backhaul, ATM networks, utilities | Engineer remote maintenance, temporary site connections | New builds, Linux gateways, video surveillance backhaul |

  • Choose IPsec: if you need fixed site-to-site tunnels, if there are large numbers of legacy OT devices on site, or if industry compliance requirements explicitly favor IPsec.

  • Choose OpenVPN: if the primary need is remote access for engineers and technicians to on-site equipment, or if upstream network firewalls impose strict restrictions.

  • Choose WireGuard: if deployed on modern Linux industrial gateways, if low latency and high throughput are required, and if there is no need to support legacy hardware.


  3. Recommended VPN Configurations for Industrial Routers

VPN protocols should not be chosen purely based on performance benchmarks — selection should be driven by network topology and operational model. Routing, firewall, remote management, and failover capabilities also directly affect whether these configurations can operate stably over the long term.

| Industrial Scenario | Recommended Protocol | Recommended Configuration | Reason |
|---|---|---|---|
| SCADA site interconnection | IPsec | IKEv2 + ESP + Tunnel Mode | Suited for persistent connections between fixed sites |
| PLC remote maintenance | OpenVPN | UDP preferred; TCP 443 when firewall is restrictive | Facilitates engineer client access |
| Substation/utility networks | IPsec | IKEv2 + certificate authentication + NAT-T | Strong compatibility, supports compliance auditing |
| 4G/5G industrial routers | IPsec | IKEv2 + NAT-T over UDP 4500 | Suited for carrier CGNAT environments |
| Temporary site connections | OpenVPN | Single-port VPN profile | Faster to deploy than full site-to-site IPsec |
| Video surveillance backhaul | WireGuard | Peer-to-peer tunnel on modern Linux gateway | Low latency, high throughput |
| Multi-site modern IIoT networks | WireGuard or IPsec | WireGuard for modern gateways; IPsec for mixed legacy devices | Balances performance and compatibility |



In general, IPsec with IKEv2 is the default secure choice for fixed industrial networks; OpenVPN is better suited for remote maintenance access; WireGuard is appropriate for high-performance deployments with a modern device ecosystem.


  4. How IPsec Works in Industrial Networks

IPsec (Internet Protocol Security) is a set of security protocols operating at the network layer (Layer 3). It can authenticate and encrypt each IP packet in a communication session, making it nearly transparent to upper-layer industrial applications. This matters in OT environments where many SCADA, PLC, or industrial protocol applications cannot be easily modified.


IKEv1 vs. IKEv2

IPsec requires a key exchange mechanism to establish tunnels. IKEv1 is the older standard and still exists in many legacy industrial routers and firewalls; IKEv2 establishes tunnels faster, is more resilient to network interruptions, and handles NAT traversal more easily. New deployments should generally prefer IKEv2; IKEv1 should only be used when compatibility with legacy equipment is required.


Tunnel Mode vs. Transport Mode

Industrial deployments almost universally use Tunnel Mode. Tunnel Mode fully encapsulates the original IP packet within a new IP packet, hiding the original source and destination addresses. This is especially important for site-to-site VPNs where one private subnet needs to access another private subnet over a public or 4G/5G network. Transport Mode only encrypts the payload and is primarily used for host-to-host communication; it is rarely used in industrial networks.


AH vs. ESP

IPsec includes two security protocol types: AH (Authentication Header) and ESP (Encapsulating Security Payload). AH provides authentication only, without encrypting the payload; ESP provides both authentication and encryption. In industrial environments where operational data confidentiality must be protected, real-world deployments almost always use ESP.


Typical Industrial Topologies

  • Hub-and-spoke: A central control room or cloud-based SCADA serves as the IPsec hub, with substations, pump stations, and field devices as spokes; all remote sites forward traffic through the central node.

  • Full mesh: Each site establishes direct IPsec tunnels with every other site, providing higher resilience but increasing management complexity at scale.

  • Router-to-cloud: An on-site cellular industrial router establishes an IPsec tunnel directly to a cloud SCADA system or data historian.


  5. How OpenVPN Works and Where It Applies

OpenVPN is a TLS/SSL-based VPN that runs in user space rather than kernel space. It can use a single TCP or UDP port and can be configured to run on port 443 — the same port used by HTTPS traffic — making it easier to pass through networks with strict firewall restrictions.


This flexibility makes OpenVPN well-suited for engineers or technicians who need remote access to on-site equipment. For example, when a maintenance engineer needs to temporarily connect to a remote PLC for diagnostics, an OpenVPN client can quickly establish an encrypted tunnel to the on-site router. This type of remote access often occurs alongside on-site data acquisition, protocol conversion, and data upload.


The main trade-off with OpenVPN is performance. Because it typically runs in user space, it cannot take full advantage of the hardware crypto acceleration built into industrial routers the way IPsec can. This may become a bottleneck on low-power embedded routers, though the gap narrows considerably on newer devices with AES-NI or multi-core processors.


  6. How WireGuard Works and Where It Applies

WireGuard is a newer VPN protocol natively integrated into the modern Linux kernel. Its codebase is compact, making it easier to audit and maintain, and it outperforms IPsec and OpenVPN in many benchmark tests. WireGuard uses modern cryptographic primitives such as ChaCha20 and Curve25519, takes a peer-to-peer connection model, and has a simpler configuration structure.


In industrial contexts, WireGuard's primary limitation is not security but device support. Many embedded industrial routers, RTUs, and proprietary systems run older firmware versions that do not natively support WireGuard. It is therefore best suited for new builds, modern Linux gateways, and scenarios with demanding throughput and latency requirements.


HD video surveillance, for example, generates significant bandwidth demands. When a smart factory backhauls video streams from multiple cameras over wireless or cellular networks, WireGuard's low latency and low CPU overhead can provide a clear advantage. These scenarios prioritize high bandwidth, low latency, and stable backhaul.


  7. Key Comparisons in Industrial Deployments

7.1 High-Load Performance

On modern hardware, WireGuard typically delivers the highest throughput and lowest CPU overhead; IPsec with hardware acceleration is close behind; OpenVPN is generally slower under high encryption load. However, for common SCADA polling, sensor data, and low-bandwidth telemetry, performance differences may not be the primary bottleneck.


7.2 Legacy OT Device Compatibility

IPsec is the safest choice. It has been deployed in industrial routers, firewalls, and remote terminal equipment for many years and offers significantly better compatibility than WireGuard. OpenVPN also has broad support, though not as universal as IPsec.


7.3 Firewall and NAT Traversal

OpenVPN's advantage lies in port flexibility, particularly its ability to run on TCP 443. IPsec deployments behind NAT typically require enabling NAT Traversal, which encapsulates traffic over UDP 4500. WireGuard uses UDP and is relatively straightforward to adapt for NAT, though it still requires the corresponding ports to be opened in strict firewall environments.
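The ESP header described in section 4 and the UDP 4500 encapsulation described here are both visible in cleartext on the wire, which is what lets a router or a passive monitor tell IKE, ESP and NAT keepalives apart and enforce replay protection per security association. The following script is an added example written for this article (it is not code from the article or from any router vendor); it demultiplexes constructed UDP/4500 payloads by the RFC 3948 rules (four zero bytes mark IKE, a one-byte 0xFF is a keepalive, anything else starts with a non-zero ESP SPI) and implements the sliding anti-replay window that an ESP receiver keeps for each inbound SA. The sample datagrams, SPIs and window size are assumptions made for the demonstration.

```python
"""Demultiplex IPsec NAT-T datagrams on UDP 4500 and enforce ESP anti-replay.

Added example for this article; it is not code from the article or from any
router vendor. It works only on the cleartext ESP framing visible on the wire
(SPI and sequence number) and implements the per-SA sliding replay window of
RFC 4303 section 3.4.3. The datagrams at the bottom are constructed by hand.
"""
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP 4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948: one-byte keepalive that holds the NAT mapping open


def classify_nat_t_payload(payload: bytes) -> dict:
    """Tell keepalive, IKE and ESP apart inside a UDP/4500 payload.

    ESP-in-UDP starts directly with the ESP header: a non-zero SPI followed by
    a 32-bit sequence number. IKE-in-UDP is prefixed with four zero bytes, and
    SPI 0 is reserved, so the first four bytes decide the type.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed"}
    if payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "ike_message": payload[4:]}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq, "body": payload[8:]}


class ReplayWindow:
    """Anti-replay window for one inbound ESP SA (32-bit sequence numbers).

    A real receiver marks a sequence number as seen only after the ICV has
    verified; this example assumes that check has already passed.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means sequence number (top - i) was received

    def check_and_update(self, seq: int) -> str:
        if seq == 0:
            return "invalid"   # ESP sequence numbers start at 1
        if seq > self.top:
            shift = seq - self.top          # slide the window forward
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "ok"
        diff = self.top - seq
        if diff >= self.size:
            return "stale"      # fell off the left edge of the window
        if self.bitmap & (1 << diff):
            return "replay"     # already received: drop and alert
        self.bitmap |= 1 << diff
        return "ok"


def process_datagrams(datagrams, window_size: int = 64) -> list:
    """Run each UDP/4500 payload through classification and the per-SPI window."""
    windows = {}
    verdicts = []
    for payload in datagrams:
        info = classify_nat_t_payload(payload)
        if info["kind"] != "esp":
            verdicts.append(info["kind"])
            continue
        window = windows.setdefault(info["spi"], ReplayWindow(window_size))
        verdicts.append("esp-" + window.check_and_update(info["seq"]))
    return verdicts


def esp_datagram(spi: int, seq: int, body: bytes) -> bytes:
    """Build a constructed ESP-in-UDP payload (body stands in for ciphertext + ICV)."""
    return struct.pack("!II", spi, seq) + body


# Constructed sample traffic: one keepalive, one IKE message stand-in, then ESP
# for two SAs including a replayed and a stale sequence number.
SAMPLE_DATAGRAMS = [
    NAT_KEEPALIVE,
    NON_ESP_MARKER + bytes(28),              # IKE header stand-in, not a real IKE message
    esp_datagram(0x1001, 1, b"\xaa" * 16),
    esp_datagram(0x1001, 2, b"\xbb" * 16),
    esp_datagram(0x1001, 2, b"\xbb" * 16),   # replayed copy of seq 2
    esp_datagram(0x1001, 70, b"\xcc" * 16),  # window slides to cover 7..70
    esp_datagram(0x1001, 5, b"\xdd" * 16),   # older than the 64-wide window
    esp_datagram(0x1001, 10, b"\xee" * 16),  # inside the window and not yet seen
    esp_datagram(0x2002, 1, b"\xff" * 16),   # second SA keeps its own window
]

if __name__ == "__main__":
    for payload, verdict in zip(SAMPLE_DATAGRAMS, process_datagrams(SAMPLE_DATAGRAMS)):
        print(f"{verdict:12} {payload[:8].hex()}")
```

Running the script prints one verdict per datagram; the replayed and stale ESP packets are the ones a monitor should count and alert on, since a steady stream of them on a fixed site-to-site tunnel usually means either packet duplication on the cellular path or traffic being re-injected. Classification by the first four bytes is exactly why a NAT-T deployment only needs UDP 4500 opened once IKE has moved there, and why the same port carries both control and data traffic.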


7.4 Certificate and Key Management

IPsec with IKEv2 supports mature PKI certificate-based authentication, making it well-suited for environments with strict compliance requirements. OpenVPN also uses a certificate-based system with a mature toolchain. WireGuard uses static public/private key pairs, which simplifies initial configuration but requires separate planning for large-scale key rotation and revocation.
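Because WireGuard has no certificate lifetime or revocation list, the "separate planning" mentioned above has to live in the operator's own inventory: a spoke is revoked by removing its peer block from the hub, and a key that has been in service too long is found by comparing its enrolment date against site policy. The script below is an added example written for this article, not code from the article or from any management platform. It models a hub-and-spoke inventory, reports each key's rotation status, renders the hub's peer list with revoked spokes omitted, and checks AllowedIPs for overlaps, since under WireGuard's cryptokey routing an overlapping range is only ever delivered to one peer. The rotation period, spoke names, addresses, dates and the base64 placeholder keys are all assumptions constructed for the demonstration.

```python
"""Plan key rotation and revocation for a hub-and-spoke WireGuard deployment.

Added example for this article; not code from the article or any vendor's
management platform. WireGuard authenticates peers with static Curve25519 key
pairs and has no certificate revocation list: a spoke is revoked by removing
its [Peer] block from the hub configuration and reloading. This script keeps
a peer inventory, reports keys approaching or past an assumed rotation
deadline, renders the hub peer list with revoked spokes omitted, and checks
AllowedIPs for overlaps. All keys below are constructed placeholders.
"""
import base64
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta

ROTATION_PERIOD = timedelta(days=365)   # assumed site policy, not a WireGuard default
WARN_BEFORE = timedelta(days=30)


def placeholder_key(seed: int) -> str:
    """Base64 of 32 fixed bytes: the shape of a WireGuard key, never a real one."""
    return base64.b64encode(bytes([seed]) * 32).decode()


@dataclass
class Spoke:
    name: str
    public_key: str
    allowed_ips: str     # the spoke's LAN; the hub only accepts these sources from this key
    issued: date         # when this key pair was generated and enrolled
    revoked: bool = False


def rotation_status(spoke: Spoke, today: date) -> str:
    if spoke.revoked:
        return "revoked"
    due = spoke.issued + ROTATION_PERIOD
    if today >= due:
        return "overdue"
    if today >= due - WARN_BEFORE:
        return "due-soon"
    return "ok"


def rotation_report(spokes, today: date) -> dict:
    """Name -> status, the list an operator works through at each maintenance window."""
    return {s.name: rotation_status(s, today) for s in spokes}


def overlapping_allowed_ips(spokes) -> list:
    """Pairs of active peers whose AllowedIPs overlap.

    Cryptokey routing hands an address range to exactly one peer, so an overlap
    silently steers one spoke's traffic to the other; treat it as a config error.
    """
    active = [s for s in spokes if not s.revoked]
    clashes = []
    for i, a in enumerate(active):
        for b in active[i + 1:]:
            if ipaddress.ip_network(a.allowed_ips).overlaps(ipaddress.ip_network(b.allowed_ips)):
                clashes.append((a.name, b.name))
    return clashes


def render_hub_peers(spokes, today: date) -> str:
    """Render the hub's [Peer] blocks; revoked spokes are simply left out."""
    blocks = []
    for s in spokes:
        status = rotation_status(s, today)
        if status == "revoked":
            continue
        blocks.append("\n".join([
            "[Peer]",
            f"# {s.name}  key status: {status}  issued: {s.issued.isoformat()}",
            f"PublicKey = {s.public_key}",
            f"AllowedIPs = {s.allowed_ips}",
        ]))
    return "\n\n".join(blocks) + "\n"


# Constructed inventory; dates are chosen so that every status appears for TODAY.
TODAY = date(2025, 6, 1)
INVENTORY = [
    Spoke("pump-01", placeholder_key(1), "10.20.1.0/24", date(2024, 9, 1)),
    Spoke("pump-02", placeholder_key(2), "10.20.2.0/24", date(2024, 6, 15)),
    Spoke("valve-03", placeholder_key(3), "10.20.3.0/24", date(2024, 3, 1)),
    Spoke("contractor-laptop", placeholder_key(4), "10.20.99.1/32", date(2025, 1, 10), revoked=True),
]

if __name__ == "__main__":
    for name, status in rotation_report(INVENTORY, TODAY).items():
        print(f"{name:20} {status}")
    print("AllowedIPs clashes:", overlapping_allowed_ips(INVENTORY))
    print(render_hub_peers(INVENTORY, TODAY))
```

The rendered text is the peer section of the hub's WireGuard configuration; an overdue key is reported but deliberately kept in the configuration, because cutting off a remote pump station automatically is rarely the right outcome in an OT network, whereas a revoked key (for example a contractor's laptop at the end of an engagement) is dropped immediately. Rotating a spoke means generating a fresh key pair on the device, updating the inventory entry with the new public key and issue date, and re-rendering the hub.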


7.5 Hardware Acceleration Support

Many modern industrial routers include AES-NI or dedicated cryptographic co-processors that can significantly improve IPsec encryption performance. WireGuard's ChaCha20 also performs well on modern ARM processors. OpenVPN, due to its user-space model, typically makes less effective use of hardware acceleration compared to IPsec.


  8. Real-World Industrial Application Scenarios

ATM and Financial Terminal Networks: IPsec

Bank ATMs and financial terminals require encrypted, always-on, and auditable connections. IPsec site-to-site over 4G is a common architecture: each terminal router establishes a persistent IPsec tunnel with the bank's central network, and all transaction traffic passes through the encrypted channel. These fixed terminal-to-central-network backhaul scenarios typically prioritize authentication, auditability, and tunnel stability. Detailed deployment cases are available in Wavetel cellular router for bank ATM machine networking solution.


Distributed Water Quality Monitoring: IPsec over 4G

Water treatment stations, river monitoring points, and reservoir sensors typically involve low bandwidth, multiple nodes, and remote deployment. IPsec over 4G/5G can transparently encrypt data backhaul at the IP layer without modifying on-site sensor or PLC applications. The distributed water quality monitoring system architecture demonstrates how this approach is implemented in real projects.


SCADA Remote Operations: OpenVPN

When control engineers need to remotely view alarms, access HMIs, or modify PLC configurations, OpenVPN is typically more convenient. Engineers connect on-demand to the on-site router using a software client, without requiring a persistent site-to-site tunnel. Industrial router applications in SCADA systems covers more details of this remote access architecture.


Smart Factory Video Surveillance Backhaul: WireGuard

HD IP cameras generate significant bandwidth demands. For new smart factory projects using modern Linux industrial gateways, WireGuard can carry encrypted video backhaul with lower CPU overhead, making it especially well-suited for low-latency, high-throughput scenarios.


  9. What to Look for When Selecting an Industrial Router That Supports All Three VPNs

Protocol support is only the first step. An industrial router that is truly suitable for field deployment also needs reliable hardware, failover, and remote management capabilities.

  • Hardware crypto acceleration: AES-NI or a dedicated cryptographic co-processor prevents VPN encryption from becoming a WAN throughput bottleneck.

  • IKEv2 support: New deployments should prioritize IPsec routers that support IKEv2.

  • Dual SIM and cellular failover: 4G/5G VPN tunnels need to automatically reconnect after carrier or SIM switching.

  • Remote management platform: Large-scale deployments require centralized configuration distribution, tunnel status monitoring, and key rotation. The Wavetel RMS remote management platform supports VPN template management and bulk tunnel monitoring.

  • Protocol flexibility: A single device that simultaneously supports IPsec, OpenVPN, and WireGuard allows different VPN profiles to be used for different business needs. Wavetel's WRTOS-based routers support all three protocols plus L2TP and PPTP on the same hardware, with built-in AES hardware acceleration and dual SIM failover.



  10. FAQ

Can IPsec and OpenVPN run simultaneously on the same router?

Yes. A common approach is to use IPsec as a persistent site-to-site tunnel to the central SCADA system while enabling an OpenVPN server for temporary engineer remote access.


Is WireGuard secure enough for industrial use?

WireGuard uses modern cryptographic algorithms and has a small codebase that is easy to audit. In industrial use, the primary concerns are typically not security, but whether existing equipment and management platforms support it.


Can IPsec work over 4G/5G cellular networks?

Yes. Because mobile carriers commonly use CGNAT, deployments typically need to enable NAT-T so that IPsec ESP traffic is encapsulated over UDP 4500.


What is the difference between site-to-site VPN and remote access VPN?

Site-to-site VPN connects two fixed networks — such as a substation and a control center — and typically remains online persistently. Remote access VPN allows individual devices to connect to a field network on demand, such as an engineer's laptop accessing a factory PLC.


Do industrial 4G/5G routers support IPsec VPN?

Most industrial 4G/5G routers support IPsec, typically including IKEv1/IKEv2 options. NAT-T is recommended when deploying over cellular networks.


Is IPsec more suitable than OpenVPN for SCADA networks?

For long-term fixed SCADA site-to-site connections, IPsec is generally more appropriate because it operates at the network layer, offers strong compatibility, and is well-suited to hardware acceleration. OpenVPN is better for on-demand remote access.


How should I select a VPN router for PLC remote access?

Choose an industrial router that supports OpenVPN, IPsec, user authentication, firewall policies, remote management, and cellular failover. If the project has high performance requirements, WireGuard support is also valuable. The WR677 5G industrial router specifications can be used as a baseline reference for comparison.




  11. Conclusion

Selecting an industrial VPN protocol is not simply a matter of which protocol is technically more advanced — it requires assessing whether it fits the site topology, existing equipment, compliance requirements, and operational model. IPsec remains the workhorse protocol for industrial network security: it is versatile, mature, broadly compatible, supports hardware acceleration, and is well-suited for fixed site-to-site interconnection in compliance-intensive environments. OpenVPN fills the gap for remote access and firewall traversal scenarios. WireGuard represents the direction of modern, low-overhead encrypted connectivity and is well-suited for new builds with Linux gateways and high-performance applications.


On the device side, whether a router simultaneously supports IPsec, OpenVPN, and WireGuard determines whether it can cover the full range of scenarios — SCADA, PLC remote access, video surveillance, ATM networks, utilities, and multi-site industrial networks. AES hardware acceleration, dual SIM cellular failover, and remote management capabilities further affect tunnel stability, failure recovery, and bulk operational efficiency. For specific router models suited to your project, contact the Wavetel team or browse the industrial router product catalog.
