
MACsec (802.1AE) with 802.1X (EAPOL) key management with wpa_supplicant

submitted by
Style Pass
2024-11-23 01:30:06

I've benchmarked MACsec on the hardware (Zyxel NWA50AX Pro) and it outperforms Wireguard by about 30% (presumably because the SoC includes AES extensions which Linux's MACsec implementation is using, whereas Wireguard's chacha20 encryption runs a slower SIMD algorithm).

Using MACsec also keeps things simpler in some ways because it's a layer 2 option, so I don't have to implement workarounds for zeroconf etc. and wifi roaming works in a straightforward way (something like GRETAP over Wireguard would be a lower performance alternative option for this particular hardware).

Although I won't be using it in this particular scenario, some "business/enterprise" oriented rack-mount switches commonly implement MACsec in hardware, which sometimes makes it a good option for those types of environments. The Linux kernel also now has MACsec hardware offload support, and I believe MACsec offload is included in various silicon including "Enterprise" PCIe NICs, QCA hardware, and a few Ethernet PHYs (e.g. Aquantia, Realtek, and Microchip all have offerings).

It is possible to set up MACsec with a set of static keys using ip from the OpenWRT ip-full package, but this alone isn't a viable solution because unless you implement some custom solution for manual key rotation, the link "stops" after 2^32 packets (at this point 802.1AE requires key rotation to prevent replay attacks).
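As an added example (not part of the post above), the script below shows the static-key `ip macsec` bring-up the post refers to, together with the check a practitioner would want alongside it: a function that parses `ip macsec show` output and flags a TX SA whose packet number is approaching the 32-bit limit, since a static-key link has no MKA to rotate the SA for it. The interface names, peer MAC address and both keys are placeholders, and the embedded `ip macsec show` sample is constructed to match the format the script expects; verify that format against your own `ip` version before relying on the check.

```shell
#!/bin/sh
# Added example: static-key MACsec with ip-full, plus a packet-number (PN)
# exhaustion check. All interface names, MAC addresses and keys are
# placeholders (assumptions), not values from the post.

PARENT_IF="${PARENT_IF:-eth0}"                       # placeholder parent interface
MACSEC_IF="${MACSEC_IF:-macsec0}"                    # placeholder MACsec interface
PEER_MAC="${PEER_MAC:-00:11:22:33:44:55}"            # placeholder peer MAC
TX_KEY="${TX_KEY:-00112233445566778899aabbccddeeff}" # placeholder, not a real key
RX_KEY="${RX_KEY:-ffeeddccbbaa99887766554433221100}" # placeholder, not a real key
# Real keys: head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'

# 802.1AE packet numbers are 32-bit with GCM-AES-128; the TX SA must be
# replaced before the PN wraps, so warn with a margin before 2^32 - 1.
PN_MAX=4294967295
PN_WARN_THRESHOLD=$((PN_MAX - 100000000))

# Bring up a static-key MACsec link on $PARENT_IF (requires root). Each side
# runs this with TX_KEY/RX_KEY swapped and PEER_MAC set to the other side.
macsec_static_up() {
    ip link add link "$PARENT_IF" "$MACSEC_IF" type macsec encrypt on
    ip macsec add "$MACSEC_IF" tx sa 0 pn 1 on key 01 "$TX_KEY"
    ip macsec add "$MACSEC_IF" rx port 1 address "$PEER_MAC"
    ip macsec add "$MACSEC_IF" rx port 1 address "$PEER_MAC" sa 0 pn 1 on key 02 "$RX_KEY"
    ip link set "$MACSEC_IF" up
}

# Read `ip macsec show` output on stdin and print the highest TX-side PN.
# SA lines under a TXSC block look like "    0: PN 1234, state on, key ...";
# RXSC blocks are skipped because only the TX PN is ours to exhaust.
max_tx_pn() {
    max=0
    for pn in $(awk '/TXSC:/ { t = 1; next }
                     /RXSC:/ { t = 0; next }
                     t && $2 == "PN" { sub(/,$/, "", $3); print $3 }'); do
        [ "$pn" -gt "$max" ] && max="$pn"
    done
    echo "$max"
}

# Succeed (exit 0) when the given PN is past the warning threshold.
pn_needs_rotation() {
    [ "$1" -ge "$PN_WARN_THRESHOLD" ]
}

# Constructed sample of `ip macsec show` output (not captured from real hardware):
# the TX SA is close to wrapping, the RX SA is fresh.
SAMPLE_SHOW='2: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 001122334455aabb on SA 0
        0: PN 4294000000, state on, key 01000000000000000000000000000000
    RXSC: 66778899ccdd0001, state on
        0: PN 12, state on, key 02000000000000000000000000000000'

case "${1:-}" in
    up)
        macsec_static_up
        ;;
    check)
        # Usage: ip macsec show | ./macsec-static.sh check
        pn=$(max_tx_pn)
        if pn_needs_rotation "$pn"; then
            echo "TX PN $pn: install a new TX SA now (limit $PN_MAX)"
            exit 1
        fi
        echo "TX PN $pn: ok"
        ;;
esac
```

Run `./macsec-static.sh up` once per side, then schedule `ip macsec show | ./macsec-static.sh check` from cron; a non-zero exit is the signal to install a fresh key on a new SA and switch `ip macsec set ... tx sa` to it. The threshold is deliberately generous: on a saturated gigabit link 2^32 small frames can go by in well under an hour, so the check needs to run far more often than the headroom it leaves.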
