Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    AES-NI and OpenVPN?

    Scheduled Pinned Locked Moved Hardware
    45 Posts 5 Posters 4.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      JimBob Indiana
      last edited by JimBob Indiana

      Also in terms of impact with those changes you are working on the down hill side of the change Bell curve. You need a lot of investment of resources to see a difference. That’s the thing being on the down hill side.

      You may find the actual real world performance doesn’t change that much between Off and On.

      Same reality regarding all the various NIC tweaks. Default results that are not that worse then with all the tweaks.

      N8LBVN 1 Reply Last reply Reply Quote 0
      • N8LBVN
        N8LBV @JimBob Indiana
        last edited by

        @jimbob-indiana For now the best would be to place a similar processor, same generation/core count and speed that does not have AES-NI.
        And run my tests.
        It will not be a direct match nor have the exact effect of turning off AES-NI but it will be close
        enough for what I am doing or trying to get an idea of.

        I feel more like I do now.

        N8LBVN 1 Reply Last reply Reply Quote 0
        • N8LBVN
          N8LBV @N8LBV
          last edited by N8LBV

          Also on the PFSense dishboard page we see: AES-NI CPU Crypto: Yes (inactive)
          If that is not true, it really should be changed. 
          Or should say module not loaded.
          Or should say really is active but is not.
          Or is.
          Or is not
          Or "maybe it is".

          I feel more like I do now.

          J 1 Reply Last reply Reply Quote 0
          • J
            JimBob Indiana @N8LBV
            last edited by

            @n8lbv I don’t think it will show “Active” unless you are using it as in VPN, etc.

            If not using any of the Apps that use it means “Inactive” is correct.

            AFAIK

            N8LBVN 1 Reply Last reply Reply Quote 0
            • N8LBVN
              N8LBV @JimBob Indiana
              last edited by

              @jimbob-indiana Thanks!
              I will test that.
              Steve

              I feel more like I do now.

              1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                The line in the system information widget currently shows if the CPU is reporting it supports AES-NI. It shows as active if the kernel module is loaded.

                N8LBVN RobbieTTR 2 Replies Last reply Reply Quote 1
                • N8LBVN
                  N8LBV @stephenw10
                  last edited by N8LBV

                  @stephenw10 Yep my testing shows same.
                  Now for a repeat and continued confused person question...
                  open VPN uses AES-NI whether you load the module or not?

                  Openvpn uses module if module is loaded.

                  Does openvpn use AES-NI in a different way if the module is loaded versus if the module is not loaded?

                  Also openvpn client and server have their own option to or "disable "hardware crypto acceleration"

                  I wonder if this could be made less confusing in the future once I understand it better.

                  I hope you understand my confusion a bit and are not frustrated with me asking over & over.

                  I feel more like I do now.

                  stephenw10S 1 Reply Last reply Reply Quote 0
                  • stephenw10S
                    stephenw10 Netgate Administrator @N8LBV
                    last edited by

                    @n8lbv said in AES-NI and OpenVPN?:

                    open VPN uses AES-NI whether you load the module or not?

                    Correct. Because OpenSSL does, except in DCO mode.

                    @n8lbv said in AES-NI and OpenVPN?:

                    Openvpn uses module if module is loaded.

                    No. Except in DCO mode.

                    @n8lbv said in AES-NI and OpenVPN?:

                    Does openvpn use AES-NI in a different way if the module is loaded versus if the module is not loaded?

                    No. Not any longer. That used to be the case a number of versions back, like in 2.3.X

                    Steve

                    N8LBVN 1 Reply Last reply Reply Quote 0
                    • N8LBVN
                      N8LBV @stephenw10
                      last edited by

                      @stephenw10 Thanks! excellent clarifcations.
                      -Steve

                      I feel more like I do now.

                      N8LBVN 1 Reply Last reply Reply Quote 0
                      • N8LBVN
                        N8LBV @N8LBV
                        last edited by

                        Laptop single nic OpenVPN HTTP throughput test.
                        35Watt Laptop CPU from Jan 2009. NO-AES-NI.

                        Intel® Core™2 Duo Processor T6400
                        2M Cache, 2.00 GHz, 800 MHz FSB
                        c2.jpg

                        I feel more like I do now.

                        N8LBVN 1 Reply Last reply Reply Quote 0
                        • N8LBVN
                          N8LBV @N8LBV
                          last edited by

                          Same test through dual NAT no OpenVPN.
                          That early 2009 laptop (running PFsense) has a Broadcom NIC on the mainboard.
                          nat.jpg

                          I feel more like I do now.

                          1 Reply Last reply Reply Quote 0
                          • RobbieTTR
                            RobbieTT @stephenw10
                            last edited by

                            @stephenw10 said in AES-NI and OpenVPN?:

                            The line in the system information widget currently shows if the CPU is reporting it supports AES-NI. It shows as active if the kernel module is loaded.

                            Just out of curiosity, why would the kernel module not be loaded?

                             2023-04-29 at 19.39.18.png

                            ☕️

                            J Dobby_D 2 Replies Last reply Reply Quote 0
                            • J
                              JimBob Indiana @RobbieTT
                              last edited by JimBob Indiana

                              @robbiett Good question. Mine since I can remember said “Inactive”. I played with the VPN configuration options yesterday and today, says “Active”.

                              I didn’t actually do a VPN.

                              CPU Type Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz
                              Current: 2800 MHz, Max: 3601 MHz
                              8 CPUs: 1 package(s) x 4 core(s) x 2 hardware threads
                              AES-NI CPU Crypto: Yes (active)
                              QAT Crypto: No
                              Hardware crypto AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS

                              RobbieTTR Dobby_D 2 Replies Last reply Reply Quote 0
                              • RobbieTTR
                                RobbieTT @JimBob Indiana
                                last edited by

                                @jimbob-indiana I had presumed (and we all know where assumptions lead) was that QAT was being preferred* over AES-NI; now I am not so sure.

                                ☕️


                                *As it is rather excellent

                                1 Reply Last reply Reply Quote 0
                                • Dobby_D
                                  Dobby_ @RobbieTT
                                  last edited by Dobby_

                                  @robbiett

                                  please have a look at the Intel QAT, because this is loaded instead of the AES-NI!!!! You can use AES-NI or Intel QAT
                                  but not both!

                                  1682793716026-2023-04-29-at-19.39.18.jpg

                                  #~. @Dobby

                                  Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
                                  PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
                                  PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

                                  RobbieTTR 1 Reply Last reply Reply Quote 0
                                  • Dobby_D
                                    Dobby_ @JimBob Indiana
                                    last edited by

                                    @jimbob-indiana said in AES-NI and OpenVPN?:

                                    Good question. Mine since I can remember said “Inactive”. I played with the VPN configuration options yesterday and today, says “Active”.

                                    Mine fresh installed says "active" too!
                                    You can see with no configured VPN actual!

                                    AES-NI.jpg

                                    #~. @Dobby

                                    Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
                                    PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
                                    PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

                                    J 1 Reply Last reply Reply Quote 1
                                    • RobbieTTR
                                      RobbieTT @Dobby_
                                      last edited by

                                      @dobby_ said in AES-NI and OpenVPN?:

                                      @robbiett

                                      please have a look at the Intel QAT, because this is loaded instead of the AES-NI!!!! You can use AES-NI or Intel QAT
                                      but not both!

                                      Err, I did.

                                      I literally stated my assumption that QAT was preferred over AES-NI and the graphic showing QAT (active) & AES-NI (inactive) is my own (!!!!...?).

                                      1 Reply Last reply Reply Quote 0
                                      • J
                                        JimBob Indiana @Dobby_
                                        last edited by

                                        @dobby_ I have no idea why mine said Inactive and now says Active. All I did was mess with the vpn stuff just to see what is required.

                                        Dobby_D 1 Reply Last reply Reply Quote 0
                                        • Dobby_D
                                          Dobby_ @JimBob Indiana
                                          last edited by

                                          @jimbob-indiana said in AES-NI and OpenVPN?:

                                          @dobby_ I have no idea why mine said Inactive and now says Active. All I did was mess with the vpn stuff just to see what is required.

                                          I was only changing the settings in the filed shown below
                                          in the picture (red arrow), after that the AES-NI was shown
                                          permanent as "active" and this also with no configured VPN! I was choosing both entries from the menue:
                                          AES-NI & CryptoDev

                                          So I think since that, the CryptoDev is taking contact to the
                                          AES-NI and there fore it will be announced as "active".

                                          AES_NI Cryptodev.jpg

                                          #~. @Dobby

                                          Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
                                          PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
                                          PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

                                          1 Reply Last reply Reply Quote 0
                                          • stephenw10S
                                            stephenw10 Netgate Administrator
                                            last edited by

                                            The active/inactive label only indicates whether or not the module is loaded. Not whether it's actually in use.

                                            Technically you could load both modules but since both would attempt to register for the same crypto algorithms the result would be confusing. So the webgui only offers the choice to load one of them.

                                            RobbieTTR 1 Reply Last reply Reply Quote 2
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.