Netgate Discussion Forum

AES-NI and OpenVPN?

Hardware
45 Posts 5 Posters 4.4k Views
  • S
    stephenw10 Netgate Administrator
    last edited by Apr 28, 2023, 11:35 AM

    @n8lbv said in AES-NI and OpenVPN?:

    I'm still failing to understand why the toggleable options are there both in System\Advanced
    and within the OpenVPN client or server items.
    Why are they there to turn on/off if it is going to go ahead and use AES-NI anyway regardless of the toggles?

    The crypto hardware option in System > Advanced is to choose which kernel module to load. Those modules are used by the BSD crypto framework for kernel mode crypto operations. So that's IPsec or OpenVPN in DCO mode.

    The hardware crypto option in the OpenVPN config is the equivalent of specifying the 'engine' for OpenSSL operations. In current pfSense versions OpenSSL can't use the AES-NI module for that (and doesn't need to anyway). It exists only for much older crypto offload hardware that may still be in use. Most users should not select anything there.

    If you're looking for the best OpenVPN throughput the best option currently, by some way, is to use QAT supported hardware and run OpenVPN in DCO mode.

    Steve

    1 Reply Last reply Reply Quote 1
    • J
      JimBob Indiana
      last edited by JimBob Indiana Apr 28, 2023, 10:03 PM Apr 28, 2023, 10:00 PM

      Also in terms of impact with those changes you are working on the downhill side of the change bell curve. You need a lot of investment of resources to see a difference. That’s the thing about being on the downhill side.

      You may find the actual real world performance doesn’t change that much between Off and On.

      Same reality regarding all the various NIC tweaks. Default results are not that much worse than with all the tweaks.

      N 1 Reply Last reply Apr 28, 2023, 10:04 PM Reply Quote 0
      • N
        N8LBV @JimBob Indiana
        last edited by Apr 28, 2023, 10:04 PM

        @jimbob-indiana For now the best would be to place a similar processor, same generation/core count and speed that does not have AES-NI.
        And run my tests.
        It will not be a direct match nor have the exact effect of turning off AES-NI but it will be close
        enough for what I am doing or trying to get an idea of.

        I feel more like I do now.

        N 1 Reply Last reply Apr 28, 2023, 10:07 PM Reply Quote 0
        • N
          N8LBV @N8LBV
          last edited by N8LBV Apr 28, 2023, 10:09 PM Apr 28, 2023, 10:07 PM

          Also on the pfSense dashboard page we see: AES-NI CPU Crypto: Yes (inactive)
          If that is not true, it really should be changed. 
          Or should say module not loaded.
          Or should say really is active but is not.
          Or is.
          Or is not
          Or "maybe it is".

          I feel more like I do now.

          J 1 Reply Last reply Apr 28, 2023, 11:10 PM Reply Quote 0
          • J
            JimBob Indiana @N8LBV
            last edited by Apr 28, 2023, 11:10 PM

            @n8lbv I don’t think it will show “Active” unless you are using it as in VPN, etc.

            If not using any of the Apps that use it means “Inactive” is correct.

            AFAIK

            N 1 Reply Last reply Apr 28, 2023, 11:36 PM Reply Quote 0
            • N
              N8LBV @JimBob Indiana
              last edited by Apr 28, 2023, 11:36 PM

              @jimbob-indiana Thanks!
              I will test that.
              Steve

              I feel more like I do now.

              1 Reply Last reply Reply Quote 0
              • S
                stephenw10 Netgate Administrator
                last edited by Apr 28, 2023, 11:40 PM

                The line in the system information widget currently shows if the CPU is reporting it supports AES-NI. It shows as active if the kernel module is loaded.

                N R 2 Replies Last reply Apr 29, 2023, 12:10 AM Reply Quote 1
                • N
                  N8LBV @stephenw10
                  last edited by N8LBV Apr 29, 2023, 12:10 AM Apr 29, 2023, 12:10 AM

                  @stephenw10 Yep my testing shows the same.
                  Now for a repeat and continued confused person question...
                  OpenVPN uses AES-NI whether you load the module or not?

                  OpenVPN uses the module if the module is loaded.

                  Does OpenVPN use AES-NI in a different way if the module is loaded versus if the module is not loaded?

                  Also OpenVPN client and server have their own option to enable or disable "hardware crypto acceleration".

                  I wonder if this could be made less confusing in the future once I understand it better.

                  I hope you understand my confusion a bit and are not frustrated with me asking over & over.

                  I feel more like I do now.

                  S 1 Reply Last reply Apr 29, 2023, 12:32 PM Reply Quote 0
                  • S
                    stephenw10 Netgate Administrator @N8LBV
                    last edited by Apr 29, 2023, 12:32 PM

                    @n8lbv said in AES-NI and OpenVPN?:

                    OpenVPN uses AES-NI whether you load the module or not?

                    Correct. Because OpenSSL does, except in DCO mode.

                    @n8lbv said in AES-NI and OpenVPN?:

                    OpenVPN uses the module if the module is loaded.

                    No. Except in DCO mode.

                    @n8lbv said in AES-NI and OpenVPN?:

                    Does openvpn use AES-NI in a different way if the module is loaded versus if the module is not loaded?

                    No. Not any longer. That used to be the case a number of versions back, like in 2.3.X.

                    Steve

                    N 1 Reply Last reply Apr 29, 2023, 6:15 PM Reply Quote 0
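                    The two points made in the thread so far, that the dashboard line reads "active" only when the aesni kernel module is loaded, and that userland OpenSSL (hence OpenVPN outside DCO mode) uses AES-NI regardless of that module, can be checked from a shell. The script below is an added example; it is not code from this thread or from pfSense. It assumes the inputs the widget logic needs (a FreeBSD dmesg `Features2=` line or a Linux `/proc/cpuinfo` flags line, plus `kldstat(8)` output) and, for the live OpenSSL check, a working `openssl speed` and the documented `OPENSSL_ia32cap` mask that hides the AES-NI and PCLMULQDQ CPUID bits from OpenSSL. The sample data in the block is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or pfSense. Reproduces the widget logic
# described above ("Yes" when the CPU reports AES-NI, "(active)" only when
# aesni.ko is loaded) and checks whether userland OpenSSL uses AES-NI on its
# own, independent of that kernel module.

# aesni_widget_line CPU_FEATURES KLDSTAT_OUTPUT
# CPU_FEATURES: FreeBSD dmesg "Features2=<...AESNI...>" line, or a Linux
# /proc/cpuinfo "flags :" line (lists "aes"). KLDSTAT_OUTPUT: kldstat(8) text.
# Prints "No", "Yes (inactive)" or "Yes (active)".
aesni_widget_line() {
    cpu_features=$1
    kld_output=$2
    case "$cpu_features" in
        *AESNI*|*" aes"*) ;;                     # CPU advertises AES-NI
        *) printf 'No\n'; return ;;              # no AES-NI at all
    esac
    case "$kld_output" in
        *aesni.ko*) printf 'Yes (active)\n' ;;   # aesni kernel module loaded
        *)          printf 'Yes (inactive)\n' ;; # supported, module not loaded
    esac
}

# speed_kbytes SPEED_OUTPUT CIPHER
# Pulls the largest-block throughput (last column, kB/s, "k" suffix removed)
# for CIPHER out of `openssl speed` output. Case-insensitive because
# OpenSSL 1.1 prints "aes-256-gcm" and OpenSSL 3 prints "AES-256-GCM".
speed_kbytes() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | awk -v want="$want" '
        tolower($1) == want { sub(/k$/, "", $NF); print $NF; exit }'
}

# openssl_aesni_check [CIPHER]
# Runs `openssl speed` twice: normally, then with OPENSSL_ia32cap masking the
# AES-NI (CPUID.1:ECX bit 25 -> bit 57) and PCLMULQDQ (ECX bit 1 -> bit 33)
# capability bits so OpenSSL falls back to software AES. A large drop in the
# masked run shows the normal run was using AES-NI, loaded module or not.
openssl_aesni_check() {
    cipher=${1:-aes-256-gcm}
    with=$(speed_kbytes "$(openssl speed -elapsed -seconds 1 -evp "$cipher" 2>/dev/null)" "$cipher")
    without=$(speed_kbytes "$(OPENSSL_ia32cap='~0x200000200000000' openssl speed -elapsed -seconds 1 -evp "$cipher" 2>/dev/null)" "$cipher")
    if [ -z "$with" ] || [ -z "$without" ]; then
        echo "could not parse openssl speed output" >&2
        return 2
    fi
    ratio=$(awk -v a="$with" -v b="$without" 'BEGIN { printf "%.1f", a / b }')
    echo "$cipher: $with kB/s normal, $without kB/s with AES-NI masked (${ratio}x)"
}

# Constructed sample inputs (not captured from a real box).
SAMPLE_DMESG='  Features2=0x7ffafbff<SSE3,PCLMULQDQ,SSSE3,FMA,SSE4.1,SSE4.2,AESNI,XSAVE,AVX>'
SAMPLE_KLD_LOADED='Id Refs Address                Size Name
 1   20 0xffffffff80200000  1f2e8d8 kernel
 2    1 0xffffffff82b29000     5b30 aesni.ko'
SAMPLE_KLD_NONE='Id Refs Address                Size Name
 1   20 0xffffffff80200000  1f2e8d8 kernel'

aesni_widget_line "$SAMPLE_DMESG" "$SAMPLE_KLD_LOADED"      # Yes (active)
aesni_widget_line "$SAMPLE_DMESG" "$SAMPLE_KLD_NONE"        # Yes (inactive)
aesni_widget_line 'flags : fpu vme sse2' "$SAMPLE_KLD_NONE" # No

# On a pfSense/FreeBSD box run with --live to use real dmesg/kldstat/openssl
# (assumed paths: /var/run/dmesg.boot on FreeBSD, /proc/cpuinfo on Linux).
if [ "$1" = "--live" ]; then
    aesni_widget_line "$(grep Features2 /var/run/dmesg.boot 2>/dev/null; grep -m1 '^flags' /proc/cpuinfo 2>/dev/null)" "$(kldstat 2>/dev/null)"
    openssl_aesni_check "${2:-aes-256-gcm}"
fi
```

Run as `sh aesni-check.sh --live` on the firewall (or any FreeBSD/Linux host with openssl) to see both the widget-style line and the OpenSSL comparison; without `--live` it only exercises the constructed samples. A masked run that is several times slower than the normal run confirms what Steve states above: OpenSSL picks up AES-NI by itself, so loading aesni.ko only matters for kernel-side consumers such as IPsec and OpenVPN in DCO mode.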
                    • N
                      N8LBV @stephenw10
                      last edited by Apr 29, 2023, 6:15 PM

                      @stephenw10 Thanks! Excellent clarifications.
                      -Steve

                      I feel more like I do now.

                      N 1 Reply Last reply Apr 29, 2023, 6:18 PM Reply Quote 0
                      • N
                        N8LBV @N8LBV
                        last edited by Apr 29, 2023, 6:18 PM

                        Laptop single NIC OpenVPN HTTP throughput test.
                        35 Watt laptop CPU from Jan 2009. No AES-NI.

                        Intel® Core™2 Duo Processor T6400
                        2M Cache, 2.00 GHz, 800 MHz FSB
                        [image: c2.jpg]

                        I feel more like I do now.

                        N 1 Reply Last reply Apr 29, 2023, 6:26 PM Reply Quote 0
                        • N
                          N8LBV @N8LBV
                          last edited by Apr 29, 2023, 6:26 PM

                          Same test through dual NAT, no OpenVPN.
                          That early 2009 laptop (running pfSense) has a Broadcom NIC on the mainboard.
                          [image: nat.jpg]

                          I feel more like I do now.

                          1 Reply Last reply Reply Quote 0
                          • R
                            RobbieTT @stephenw10
                            last edited by Apr 29, 2023, 6:43 PM

                            @stephenw10 said in AES-NI and OpenVPN?:

                            The line in the system information widget currently shows if the CPU is reporting it supports AES-NI. It shows as active if the kernel module is loaded.

                            Just out of curiosity, why would the kernel module not be loaded?

                            [image: 2023-04-29 at 19.39.18.png]

                            ☕️

                            J D 2 Replies Last reply Apr 29, 2023, 7:18 PM Reply Quote 0
                            • J
                              JimBob Indiana @RobbieTT
                              last edited by JimBob Indiana Apr 29, 2023, 7:25 PM Apr 29, 2023, 7:18 PM

                              @robbiett Good question. Mine since I can remember said “Inactive”. I played with the VPN configuration options yesterday and today, says “Active”.

                              I didn’t actually do a VPN.

                              CPU Type Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz
                              Current: 2800 MHz, Max: 3601 MHz
                              8 CPUs: 1 package(s) x 4 core(s) x 2 hardware threads
                              AES-NI CPU Crypto: Yes (active)
                              QAT Crypto: No
                              Hardware crypto AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS

                              R D 2 Replies Last reply Apr 29, 2023, 8:03 PM Reply Quote 0
                              • R
                                RobbieTT @JimBob Indiana
                                last edited by Apr 29, 2023, 8:03 PM

                                @jimbob-indiana I had presumed (and we all know where assumptions lead) that QAT was being preferred* over AES-NI; now I am not so sure.

                                ☕️


                                *As it is rather excellent

                                1 Reply Last reply Reply Quote 0
                                • D
                                  Dobby_ @RobbieTT
                                  last edited by Dobby_ Apr 29, 2023, 11:30 PM Apr 29, 2023, 11:14 PM

                                  @robbiett

                                  please have a look at the Intel QAT, because this is loaded instead of the AES-NI!!!! You can use AES-NI or Intel QAT but not both!

                                  [image: 1682793716026-2023-04-29-at-19.39.18.jpg]

                                  #~. @Dobby

                                  Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
                                  PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
                                  PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

                                  R 1 Reply Last reply Apr 30, 2023, 9:36 AM Reply Quote 0
                                  • D
                                    Dobby_ @JimBob Indiana
                                    last edited by Apr 29, 2023, 11:33 PM

                                    @jimbob-indiana said in AES-NI and OpenVPN?:

                                    Good question. Mine since I can remember said “Inactive”. I played with the VPN configuration options yesterday and today, says “Active”.

                                    Mine, freshly installed, says "active" too!
                                    You can see it with no VPN actually configured!

                                    [image: AES-NI.jpg]

                                    #~. @Dobby

                                    Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
                                    PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
                                    PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

                                    J 1 Reply Last reply Apr 30, 2023, 3:34 PM Reply Quote 1
                                    • R
                                      RobbieTT @Dobby_
                                      last edited by Apr 30, 2023, 9:36 AM

                                      @dobby_ said in AES-NI and OpenVPN?:

                                      @robbiett

                                      please have a look at the Intel QAT, because this is loaded instead of the AES-NI!!!! You can use AES-NI or Intel QAT but not both!

                                      Err, I did.

                                      I literally stated my assumption that QAT was preferred over AES-NI and the graphic showing QAT (active) & AES-NI (inactive) is my own (!!!!...?).

                                      1 Reply Last reply Reply Quote 0
                                      • J
                                        JimBob Indiana @Dobby_
                                        last edited by Apr 30, 2023, 3:34 PM

                                        @dobby_ I have no idea why mine said Inactive and now says Active. All I did was mess with the vpn stuff just to see what is required.

                                        D 1 Reply Last reply Apr 30, 2023, 5:58 PM Reply Quote 0
                                        • D
                                          Dobby_ @JimBob Indiana
                                          last edited by Apr 30, 2023, 5:58 PM

                                          @jimbob-indiana said in AES-NI and OpenVPN?:

                                          @dobby_ I have no idea why mine said Inactive and now says Active. All I did was mess with the vpn stuff just to see what is required.

                                          I was only changing the settings in the field shown below
                                          in the picture (red arrow); after that the AES-NI was shown
                                          permanently as "active", and this also with no configured VPN! I was choosing both entries from the menu:
                                          AES-NI & CryptoDev

                                          So I think that since then, CryptoDev is making contact with the
                                          AES-NI and therefore it is announced as "active".

                                          [image: AES_NI Cryptodev.jpg]

                                          #~. @Dobby

                                          Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
                                          PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
                                          PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

                                          1 Reply Last reply Reply Quote 0
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.