Netgate Discussion Forum

AES-NI Active But No Significant Increase In Speed Test

OpenVPN
  • P
    Poindexter
    last edited by Poindexter May 24, 2023, 4:58 PM May 24, 2023, 4:12 PM

    I have AES-NI showing active but I see no significant speed increase over inactive. Without VPN running I get approx. 820.83 Down and 939.14 Up. With VPN and AES-NI I only get approx. 361.92 Down and 174.86 Up.

    Intel(R) Core(TM) i5-7400 CPU @ 3.00GHz
    4 CPUs: 1 package(s) x 4 core(s)
    AES-NI CPU Crypto: Yes (active)
    QAT Crypto: No

    Nord VPN server protocol file says:
    client
    dev tun
    proto udp
    remote 185.247.70.187 1194
    resolv-retry infinite
    remote-random
    nobind
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun
    ping 15
    ping-restart 0
    ping-timer-rem
    reneg-sec 0
    comp-lzo no
    verify-x509-name CN=us8118.nordvpn.com

    remote-cert-tls server

    auth-user-pass
    verb 3
    pull
    fast-io
    cipher AES-256-CBC
    auth SHA512

    Custom Options:
    tls-client;
    remote-random;
    tun-mtu 1500;
    tun-mtu-extra 32;
    mssfix 1450;
    persist-key;
    persist-tun;
    reneg-sec 0;
    remote-cert-tls server;

    Are there any other changes needed to take advantage of the AES-NI or any other tuning required?

    Thanks

    AES.JPG CPU.JPG

    Auth.JPG Fallback Crypto.JPG Crypto.JPG

    • S
      SteveITS Galactic Empire @Poindexter
      last edited by May 24, 2023, 6:27 PM

      @Poindexter I recall a thread discussing this topic in recent months but can't seem to find it. Perhaps not in this subforum? I believe it was stated that OpenVPN will use AES-NI regardless of the setting in pfSense.

      OpenVPN uses only one core so check top and see if one core is pegged.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

        • P
          Poindexter @SteveITS
          last edited by May 24, 2023, 8:05 PM

          @SteveITS

          Nothing real obvious during a speed test through the VPN:

          last pid: 36473; load averages: 0.37, 0.25, 0.20 up 0+07:26:08 15:02:54
          57 processes: 2 running, 55 sleeping
          CPU 0: 12.5% user, 0.0% nice, 12.5% system, 0.0% interrupt, 74.9% idle
          CPU 1: 0.0% user, 0.0% nice, 3.9% system, 0.0% interrupt, 96.1% idle
          CPU 2: 15.3% user, 0.0% nice, 12.5% system, 0.0% interrupt, 72.2% idle
          CPU 3: 0.0% user, 0.0% nice, 3.1% system, 0.0% interrupt, 96.9% idle
          Mem: 49M Active, 117M Inact, 489M Wired, 15G Free
          ARC: 190M Total, 32M MFU, 155M MRU, 32K Anon, 693K Header, 2956K Other
          54M Compressed, 138M Uncompressed, 2.55:1 Ratio
          Swap: 1024M Total, 1024M Free

          • B
            Bob.Dig LAYER 8
            last edited by May 24, 2023, 8:17 PM

            Install the official client and check some servers if they are able to provide more speed.

            • P
              Poindexter @Bob.Dig
              last edited by May 24, 2023, 9:03 PM

              @Bob-Dig I am using the same server to test before and after VPN. The difference is massive and enabling AES-NI made no significant difference. Maybe I am overlooking your point.

              When I ran the official client the speed did look better but it showed my real IP rather than my VPN IP. I am not sure if the official client is avoiding the VPN somehow.

              • S
                SteveITS Galactic Empire @Poindexter
                last edited by May 24, 2023, 9:13 PM

                @Poindexter If you're testing through the third party VPN to the Internet then you're at the mercy of their inbound and outbound connections, and how busy they are. Did they tell you to expect 1 Gbps? I would guess at 4 am it would be faster...

                • D
                  Dobby_
                  last edited by May 24, 2023, 9:19 PM

                  @Poindexter said in AES-NI Active But No Significant Increase In Speed Test:

                  I have AES-NI showing active but I see no significant speed increase over inactive. Without VPN running I get approx. 820.83 Down and 939.14 Up. With VPN and AES-NI I only get approx. 361.92 Down and 174.86 Up.

                  You could try using AES-GCM-128 instead of AES-CBC.

                  #~. @Dobby

                  Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
                  PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
                  PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

                  • P
                    Poindexter @Dobby_
                    last edited by May 24, 2023, 9:25 PM

                    @Dobby_

                    I wasn't sure if I could change the encryption since the available options were provided by Nord:

                    Nord VPN server protocol file says:
                    client
                    dev tun
                    proto udp
                    remote 185.247.70.187 1194
                    resolv-retry infinite
                    remote-random
                    nobind
                    tun-mtu 1500
                    tun-mtu-extra 32
                    mssfix 1450
                    persist-key
                    persist-tun
                    ping 15
                    ping-restart 0
                    ping-timer-rem
                    reneg-sec 0
                    comp-lzo no
                    verify-x509-name CN=us8118.nordvpn.com
                    remote-cert-tls server
                    auth-user-pass
                    verb 3
                    pull
                    fast-io
                    cipher AES-256-CBC
                    auth SHA512

                    • D
                      Dobby_ @Poindexter
                      last edited by May 24, 2023, 9:29 PM

                      @Poindexter said in AES-NI Active But No Significant Increase In Speed Test:

                      I wasn't sure if I could change the encryption since the available options were provided by Nord:

                      Oh, I did not know that. I thought you created an account and chose the method and algorithm there.

                      • P
                        Poindexter @Dobby_
                        last edited by May 24, 2023, 10:03 PM

                        @Dobby_ I tried AES-128-GCM and it is faster!

                        AES-128-GCM 651.97 Down 234.10 Up
                        vs.
                        AES-256-CBC 361.92 Down and 174.86 Up

                        There is a pretty good difference in usage between the cores but I am still uncertain if AES-NI is working. Thoughts?

                        last pid: 93570; load averages: 0.35, 0.27, 0.18 up 0+09:20:49 16:57:35
                        58 processes: 2 running, 56 sleeping
                        CPU 0: 1.5% user, 0.0% nice, 6.9% system, 0.4% interrupt, 91.2% idle
                        CPU 1: 0.4% user, 0.0% nice, 1.9% system, 0.0% interrupt, 97.7% idle
                        CPU 2: 8.8% user, 0.0% nice, 30.8% system, 0.0% interrupt, 60.4% idle
                        CPU 3: 0.0% user, 0.0% nice, 5.8% system, 0.0% interrupt, 94.2% idle
                        Mem: 56M Active, 119M Inact, 534M Wired, 15G Free

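The check suggested earlier in the thread (look at top for a pegged core), written out as an added example that is not part of any post here: a shell function that reads FreeBSD `top -P` per-CPU lines and reports the busiest core. The function names and the 90% threshold are assumptions; the first sample is the per-CPU output from the post above, the second is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find the busiest core in FreeBSD `top -P` output.

# Reads per-CPU lines on stdin; prints "<cpu> <busy%>" for the least idle core.
busiest_core() {
    awk '
        /^[ \t]*CPU [0-9]+:/ {
            cpu = $2; sub(/:$/, "", cpu)
            idle = ""
            # The idle percentage is the field just before the word "idle".
            for (i = 3; i <= NF; i++)
                if ($i == "idle") { idle = $(i - 1); sub(/%$/, "", idle) }
            if (idle == "") next
            busy = 100 - idle
            if (!seen || busy > max) { max = busy; who = cpu; seen = 1 }
        }
        END { if (!seen) exit 1; printf "%s %.1f\n", who, max }
    '
}

# Succeeds when the busiest core is at or above the threshold (assumed default: 90% busy).
core_is_pegged() {
    threshold=${1:-90}
    result=$(busiest_core) || return 2
    awk -v b="${result#* }" -v t="$threshold" 'BEGIN { exit !(b + 0 >= t + 0) }'
}

# Per-CPU lines from the AES-128-GCM run posted in the thread.
thread_sample='CPU 0: 1.5% user, 0.0% nice, 6.9% system, 0.4% interrupt, 91.2% idle
CPU 1: 0.4% user, 0.0% nice, 1.9% system, 0.0% interrupt, 97.7% idle
CPU 2: 8.8% user, 0.0% nice, 30.8% system, 0.0% interrupt, 60.4% idle
CPU 3: 0.0% user, 0.0% nice, 5.8% system, 0.0% interrupt, 94.2% idle'

# Constructed sample: what a single saturated core would look like.
pegged_sample='CPU 0: 2.0% user, 0.0% nice, 3.1% system, 0.0% interrupt, 94.9% idle
CPU 1: 71.4% user, 0.0% nice, 27.8% system, 0.8% interrupt, 0.0% idle'

for name in thread_sample pegged_sample; do
    eval "lines=\$$name"
    if printf '%s\n' "$lines" | core_is_pegged; then verdict="pegged"; else verdict="not pegged"; fi
    echo "$name: busiest core and busy% = $(printf '%s\n' "$lines" | busiest_core) -> $verdict"
done
```

Per-CPU figures can hide a single-threaded bottleneck when the scheduler moves the process between cores, so the per-process WCPU column for the openvpn process is the cross-check.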
                        • D
                          Dobby_ @Poindexter
                          last edited by May 24, 2023, 10:09 PM

                          @Poindexter

                          There is a pretty good difference in usage between the cores but I am still uncertain if AES-NI is working. Thoughts?

                          Most people will be sitting in a thinking trap. AES-NI is speeding up the entire software and it will be used by and not your entire task such as VPN.

                          But AES-GCM also benefits directly from AES-NI, as you can see from your numbers.

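Added example, not written by any poster in this thread: a shell function that reads an OpenVPN client config and reports, for each data-channel cipher it offers, whether the cipher is AEAD and what authenticates each packet. With an AEAD cipher such as AES-128-GCM, OpenVPN does not apply the `auth` digest to data packets, so the `auth SHA512` line no longer adds a per-packet HMAC, which AES-NI does not accelerate. The function name, output format and the two constructed configs are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): classify the data-channel ciphers an
# OpenVPN client config offers and what authenticates each packet.

# Reads a config on stdin; prints "<cipher> <aead|non-aead> <packet auth>" per cipher.
audit_ovpn() {
    awk '
        { sub(/[ \t]*[#;].*$/, "") }   # strip comments and pfSense-style trailing ";"
        $1 == "auth" { auth = toupper($2) }
        $1 == "cipher" || $1 == "data-ciphers" ||
        $1 == "data-ciphers-fallback" || $1 == "ncp-ciphers" {
            n = split(toupper($2), names, ":")
            for (i = 1; i <= n; i++)
                if (!(names[i] in seen)) { seen[names[i]] = 1; order[++count] = names[i] }
        }
        END {
            if (auth == "") auth = "SHA1"   # OpenVPN default when no auth line is present
            for (i = 1; i <= count; i++) {
                c = order[i]
                # AEAD ciphers authenticate packets themselves; --auth is not used for them.
                aead = (c ~ /-GCM$/ || c == "CHACHA20-POLY1305")
                print c, (aead ? "aead" : "non-aead"), (aead ? "built-in-tag" : ("hmac-" auth))
            }
            exit (count == 0)
        }
    '
}

# From the thread: the crypto lines of the provider file.
cbc_config='proto udp
cipher AES-256-CBC
auth SHA512'

# Constructed: the same lines after the cipher change tried later in the thread.
gcm_config='proto udp
cipher AES-128-GCM
auth SHA512'

# Constructed: options with a trailing ";" and a negotiation list, no auth line.
list_config='data-ciphers AES-128-GCM:AES-256-CBC;
data-ciphers-fallback AES-256-CBC;'

for cfg in "$cbc_config" "$gcm_config" "$list_config"; do
    printf '%s\n' "$cfg" | audit_ovpn
    echo "--"
done
```

Because the config contains `pull`, the server can push a different cipher than the file names, so the cipher reported in the OpenVPN log at connect time is the one to trust.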
                          • P
                            Poindexter @Dobby_
                            last edited by May 24, 2023, 10:32 PM

                            @Dobby_ I believe you. Thank you and @SteveITS for the assistance. I really appreciate you guys taking the time to help.

                            I will check speeds again later tonight to see maximum throughput.
