SCADA systems provide supervisory monitoring, data acquisition, and remote control of field devices by collecting alarms and status information from distributed sites. Unlike typical IT applications, SCADA traffic is event-driven, time-sensitive, and often safety-critical. Because of this, the choice of VPN technology can directly affect how well SCADA protocols behave over wide-area or untrusted networks.
WireGuard and OpenVPN are both widely used VPN solutions, but they interact very differently with SCADA communication protocols. Understanding these differences is essential when designing secure and reliable industrial networks.
SCADA Communication Requirements
SCADA communication is designed to prioritize determinism over throughput. Messages are usually small, but their timing, order, and acknowledgment status are critical. Field devices must know whether alarms and commands have been received, and control centers must be confident that events are not delayed, duplicated, or lost.
Most SCADA protocols therefore implement their own acknowledgment, sequencing, and retransmission mechanisms at the application layer. The underlying transport and VPN should support this behavior without adding unnecessary delay or interference.
Transport Behavior and VPN Impact
TCP provides reliable, ordered delivery with built-in acknowledgments and retransmissions. While this guarantees delivery, it can introduce variable latency due to congestion control, retransmission delays, and head-of-line blocking. These characteristics can be problematic for time-critical SCADA events.
UDP does not provide reliability or acknowledgments at the transport layer. However, when reliability is handled by the SCADA protocol itself, UDP can offer lower and more predictable latency. In this case, the VPN’s role is to provide security, not reliability.
This distinction is central to understanding the difference between WireGuard and OpenVPN in SCADA environments.
OpenVPN in SCADA Systems
OpenVPN is a mature and flexible VPN solution that uses TLS for its control channel (peer authentication and key exchange) and can operate over either TCP or UDP. Its configurability makes it suitable for many enterprise and industrial environments, especially where compatibility and firewall traversal are important.
When OpenVPN is used over TCP, it adds transport-layer reliability on top of SCADA protocol reliability. This can lead to duplicated acknowledgment logic and unpredictable delays, particularly during network congestion. In alarm-heavy scenarios, retransmissions at the TCP layer can delay newer, more critical events.
When OpenVPN is used over UDP, some of these issues are reduced, but OpenVPN itself still runs as a user-space process and introduces additional processing overhead. Its configuration complexity also increases the risk of misconfiguration in industrial deployments.
WireGuard in SCADA Systems
WireGuard is a modern VPN designed to be minimal, fast, and predictable. It operates exclusively over UDP and, on Linux, runs in kernel space, which significantly reduces latency and processing overhead.
WireGuard does not attempt to provide transport-level reliability. Instead, it focuses on encryption, authentication, integrity protection, and replay prevention. This design aligns well with SCADA protocols that already manage acknowledgments and retransmissions at the application layer.
By avoiding transport-level retransmission behavior, WireGuard allows SCADA traffic to maintain consistent timing characteristics, even during periods of packet loss or network instability.
DNP3 Over WireGuard and OpenVPN
DNP3 is a SCADA protocol specifically designed for event-driven communication. It includes application-layer acknowledgments, sequence numbers, time-stamped events, and controlled retransmission logic. These features are defined in the protocol standard and do not depend on TCP reliability.
When DNP3 is tunneled through OpenVPN using TCP, the system may experience layered reliability, where both TCP and DNP3 attempt to manage delivery. This can result in delayed event reporting and reduced responsiveness during alarm bursts.
When DNP3 is carried over WireGuard, the VPN provides security while DNP3 retains full control over acknowledgments and retransmissions. This preserves the protocol’s intended behavior and improves timing predictability.
IEC 60870-5-104 Over WireGuard and OpenVPN
IEC 60870-5-104 is widely used in electrical power systems and operates over TCP. Although it uses TCP as its transport, the protocol defines its own send and receive sequence counters and application-level acknowledgment logic.
Running IEC-104 over OpenVPN in TCP mode creates a TCP-over-TCP scenario. This can cause interaction between two independent congestion and retransmission mechanisms, leading to increased latency, jitter, and delayed spontaneous transmissions during network stress.
When IEC-104 is tunneled through WireGuard, the protocol’s TCP connection runs over a UDP-based secure tunnel. This avoids TCP-over-TCP behavior and results in more stable timing characteristics, allowing IEC-104 sequence control and acknowledgments to function as intended.
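To make the "own sequence counters" point concrete, here is an added example (not code from the original article or from any IEC-104 library) that parses the IEC 60870-5-104 APCI header out of a TCP byte stream and tracks how many I-frames are still unacknowledged. The sample frames are constructed; the interrogation and single-command ASDUs, the U-frame function codes, the 15-bit N(S)/N(R) counters and the default window k = 12 follow the standard. Everything the parser extracts lives inside the protocol, above the TCP connection, so it is identical whether that connection is carried over a WireGuard UDP tunnel or a TCP-mode OpenVPN tunnel; the only thing the tunnel changes is how promptly those bytes arrive.

```python
"""Parse IEC 60870-5-104 APCI headers from a TCP byte stream (added example)."""
from typing import Dict, List, Tuple

START_BYTE = 0x68          # every APDU starts with 0x68
CONTROL_LEN = 4            # four control-field octets follow the length octet
MAX_APDU_LEN = 253         # length octet covers control field + ASDU
SEQ_MODULO = 1 << 15       # N(S)/N(R) are 15-bit counters
DEFAULT_K = 12             # default maximum of outstanding I-frames (parameter k)

# U-format functions, keyed by the first control octet.
U_FUNCTIONS = {
    0x07: "STARTDT act", 0x0B: "STARTDT con",
    0x13: "STOPDT act",  0x23: "STOPDT con",
    0x43: "TESTFR act",  0x83: "TESTFR con",
}


def parse_apdus(stream: bytes) -> Tuple[List[Dict], bytes]:
    """Split a byte stream into APDUs; return (frames, unparsed tail).

    TCP may coalesce several APDUs into one read or cut one across two reads,
    so an incomplete tail is handed back to be prepended to the next read.
    """
    frames: List[Dict] = []
    pos = 0
    while pos < len(stream):
        if stream[pos] != START_BYTE:
            raise ValueError(f"bad start byte 0x{stream[pos]:02x} at offset {pos}")
        if pos + 2 > len(stream):
            break                                    # length octet not received yet
        apdu_len = stream[pos + 1]
        if not CONTROL_LEN <= apdu_len <= MAX_APDU_LEN:
            raise ValueError(f"APDU length {apdu_len} out of range")
        end = pos + 2 + apdu_len
        if end > len(stream):
            break                                    # partial APDU, wait for more bytes
        frames.append(decode_control(stream[pos + 2:pos + 6], stream[pos + 6:end]))
        pos = end
    return frames, stream[pos:]


def decode_control(cf: bytes, asdu: bytes) -> Dict:
    """Decode the four control octets into frame type and sequence numbers."""
    if cf[0] & 0x01 == 0:                            # I-format: bit 0 clear
        return {"type": "I",
                "ns": (cf[0] >> 1) | (cf[1] << 7),   # send sequence number
                "nr": (cf[2] >> 1) | (cf[3] << 7),   # receive sequence number
                "asdu": asdu}
    if cf[0] & 0x03 == 0x01:                         # S-format: bits 1:0 == 01
        return {"type": "S", "nr": (cf[2] >> 1) | (cf[3] << 7)}
    return {"type": "U", "function": U_FUNCTIONS.get(cf[0], f"unknown 0x{cf[0]:02x}")}


def outstanding(sent_ns: List[int], peer_nr: int) -> int:
    """Count our I-frames not yet covered by the peer's latest N(R).

    N(R) acknowledges every I-frame with N(S) < N(R); the comparison is done
    modulo 2^15 so it survives counter wrap-around.
    """
    return sum(1 for ns in sent_ns if (ns - peer_nr) % SEQ_MODULO < SEQ_MODULO // 2)


def may_send(sent_ns: List[int], peer_nr: int, k: int = DEFAULT_K) -> bool:
    """Protocol-level back-pressure: stop sending once k I-frames are outstanding."""
    return outstanding(sent_ns, peer_nr) < k


# Constructed sample traffic. Controlling station -> RTU: STARTDT act, an
# I-frame with a general interrogation (type 100) and an I-frame with a single
# command (type 45). The first I-frame is deliberately split across two reads.
I_FRAME_0 = bytes.fromhex("680e00000000" "64010600010000000014")
I_FRAME_1 = bytes.fromhex("680e02000000" "2d010600010010000001")
TO_RTU = [bytes.fromhex("680407000000") + I_FRAME_0[:9],
          I_FRAME_0[9:] + I_FRAME_1]
# RTU -> controlling station: STARTDT con, then an S-frame with N(R)=2
# acknowledging both I-frames at once.
FROM_RTU = [bytes.fromhex("68040b000000") + bytes.fromhex("680401000400")]


def parse_direction(segments: List[bytes]) -> List[Dict]:
    """Reassemble one direction of the association from successive TCP reads."""
    frames, buffer = [], b""
    for seg in segments:
        done, buffer = parse_apdus(buffer + seg)
        frames.extend(done)
    if buffer:
        raise ValueError(f"{len(buffer)} trailing bytes without a complete APDU")
    return frames


def demo() -> Dict:
    """Parse both directions and report the window state before and after the ack."""
    to_rtu = parse_direction(TO_RTU)
    from_rtu = parse_direction(FROM_RTU)
    sent = [f["ns"] for f in to_rtu if f["type"] == "I"]
    last_nr = [f["nr"] for f in from_rtu if f["type"] in ("I", "S")][-1]
    return {"sent": sent, "peer_nr": last_nr,
            "outstanding_before": outstanding(sent, 0),
            "outstanding_after": outstanding(sent, last_nr)}


if __name__ == "__main__":
    print(demo())
```

Running the module parses two outbound I-frames (N(S) 0 and 1) and one inbound S-frame carrying N(R) = 2, so `outstanding` drops from 2 to 0. The reassembly in `parse_direction` matters in practice: a tunnel that delays or re-segments the TCP stream never corrupts these counters, it only changes when the acknowledgement shows up, which is exactly the timing effect the article describes.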
Security Responsibilities and Separation of Functions
In a well-designed SCADA network, each layer has a clear responsibility. The VPN layer should provide confidentiality, authentication, and integrity. The SCADA protocol layer should handle event acknowledgment, sequencing, prioritization, and retransmission.
WireGuard supports this separation by focusing solely on secure transport, while OpenVPN can blur these responsibilities when used with TCP. Clear separation leads to more predictable and reliable system behavior.
Practical Design Considerations
OpenVPN may still be appropriate in environments where UDP traffic is blocked, legacy systems require TLS-based authentication, or existing infrastructure is already standardized on OpenVPN. In these cases, careful configuration is required to minimize timing issues.
WireGuard is generally better suited for modern SCADA systems where low latency, predictable behavior, and clean protocol layering are priorities. Its simplicity also reduces operational complexity and long-term maintenance risk.
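The "careful configuration" the OpenVPN case calls for, and the clean layering the WireGuard case promises, both come down to a few lines in a config file. The following added example (not code from the article or from either VPN project) is a small linter for the two settings that matter most here: an OpenVPN tunnel in TCP mode, which puts IEC-104 and any other TCP session into the TCP-over-TCP situation described above, and a WireGuard peer whose AllowedIPs admits all traffic instead of just the remote SCADA subnet. The sample configurations are constructed, with placeholders where keys would go; `proto`, `tcp-nodelay`, `AllowedIPs`, `Endpoint` and `PersistentKeepalive` are real options of the respective tools.

```python
"""Lint OpenVPN and WireGuard configs for a SCADA site-to-site tunnel (added example)."""
from typing import Dict, List


def parse_openvpn(config: str) -> Dict[str, List[List[str]]]:
    """Map each OpenVPN option name to the argument lists it appears with."""
    opts: Dict[str, List[List[str]]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # both characters start comments in OpenVPN
            continue
        words = line.split()
        opts.setdefault(words[0], []).append(words[1:])
    return opts


def lint_openvpn(config: str) -> List[str]:
    """Flag settings that interfere with SCADA timing over an OpenVPN tunnel."""
    findings: List[str] = []
    opts = parse_openvpn(config)
    proto = opts["proto"][0][0].lower() if opts.get("proto") else "udp"   # OpenVPN default
    if proto.startswith("tcp"):
        findings.append(f"proto {proto}: IEC-104 and other TCP sessions will run TCP-over-TCP; "
                        "prefer 'proto udp' unless UDP is blocked on the path")
        if "tcp-nodelay" not in opts:
            findings.append("tcp-nodelay not set: in TCP mode the tunnel socket buffers small "
                            "SCADA messages (Nagle), adding delay to alarms and acknowledgements")
    return findings


def parse_wireguard(config: str) -> List[Dict[str, str]]:
    """Return the [Peer] sections of a wg-quick style config as dicts."""
    peers: List[Dict[str, str]] = []
    current = None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)      # base64 keys keep their trailing '='
            current[key.strip()] = value.strip()
    return peers


def lint_wireguard(config: str) -> List[str]:
    """Flag peers whose scope or reachability settings do not fit a SCADA tunnel."""
    findings: List[str] = []
    for i, peer in enumerate(parse_wireguard(config), 1):
        allowed = [a.strip() for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
        if not allowed:
            findings.append(f"peer {i}: AllowedIPs missing; nothing will be routed into the tunnel")
        elif any(a in ("0.0.0.0/0", "::/0") for a in allowed):
            findings.append(f"peer {i}: AllowedIPs admits all traffic; limit it to the remote "
                            "SCADA subnet so only the DNP3/IEC-104 hosts are reachable")
        if "Endpoint" in peer and "PersistentKeepalive" not in peer:
            findings.append(f"peer {i}: PersistentKeepalive missing; a site behind NAT needs it "
                            "so the control center's packets keep reaching it")
    return findings


# Constructed samples; <...> values are placeholders, not real keys.
OPENVPN_TCP = """
# legacy site still standardized on a TCP-mode OpenVPN tunnel
proto tcp-server
port 1194
dev tun
ca ca.crt
cert site.crt
key site.key
keepalive 10 60
"""
OPENVPN_UDP = OPENVPN_TCP.replace("proto tcp-server", "proto udp")

WG_BROAD = """
[Interface]
PrivateKey = <control-center-private-key>
Address = 10.200.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <substation-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = substation.example:51820
"""
WG_SCOPED = """
[Interface]
PrivateKey = <control-center-private-key>
Address = 10.200.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <substation-public-key>
AllowedIPs = 10.200.0.2/32, 192.168.50.0/24   # tunnel address plus the RTU subnet only
Endpoint = substation.example:51820
PersistentKeepalive = 25
"""

if __name__ == "__main__":
    for name, fn, cfg in [("openvpn-tcp", lint_openvpn, OPENVPN_TCP),
                          ("openvpn-udp", lint_openvpn, OPENVPN_UDP),
                          ("wg-broad", lint_wireguard, WG_BROAD),
                          ("wg-scoped", lint_wireguard, WG_SCOPED)]:
        print(name, fn(cfg) or "ok")
```

Against the samples, the TCP-mode OpenVPN config and the all-traffic WireGuard peer each produce two findings, while the UDP-mode and subnet-scoped versions pass. The WireGuard check is deliberately a least-privilege check rather than a timing one: with AllowedIPs narrowed to the RTU subnet, the tunnel carries only the SCADA conversation it exists for, and the protocol layer keeps the acknowledgment and retransmission responsibilities the article assigns to it.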
Conclusion
SCADA protocols such as DNP3 and IEC 60870-5-104 are designed to manage their own reliability and acknowledgments. VPN technologies should support, not interfere with, this design.
WireGuard’s secure UDP-based approach aligns naturally with SCADA protocol standards and event-driven communication models. OpenVPN remains a valid solution for compatibility and legacy use cases but requires careful consideration when used with time-critical industrial traffic.
Choosing the correct VPN architecture is essential to ensuring that alarms arrive on time, acknowledgments are reliable, and SCADA systems remain safe and dependable.
