Netgate Discussion Forum
About Cryptographic Accelerator Support

Category: OpenVPN · 3 Posts, 2 Posters, 619 Views
mcury (Rebel Alliance):

      System: SG-4100 running 23.09.1 firmware.
Environment: WireGuard server and OpenVPN client setup.

      OpenVPN:
      Data Encryption Algorithms: AES-256 GCM
      Auth digest algorithm: SHA-256
      DCO disabled since the server I'm connecting to requires compression.

I'm kind of confused now. I enabled IPSEC-MB to accelerate ChaCha20-Poly1305 for WireGuard.
This part is clear to me; however, what about OpenVPN?

      I know that QAT won't help OpenVPN if DCO is disabled, this is also clear to me.

But, when configuring the OpenVPN client, I can see only this option?
[screenshot of the OpenVPN client Hardware Crypto drop-down]

I can't find any documentation about the Intel RDRAND engine. Does it mean that AES-NI will be used?

      This is how my pfSense is configured:

[screenshot of System > Advanced > Miscellaneous, Cryptographic Hardware setting]

Since I'm not using QAT, I suppose the best thing would be to change the Cryptographic Hardware setting above to one of these?

      • AES-NI CPU-based Acceleration
      • AES-NI and BSD Crypto Device (aesni,cryptodev)

      And what is the difference between the two settings above ?

      dead on arrival, nowhere to be found.


SteveITS (Galactic Empire), replying to @mcury:

@mcury OpenVPN does its own thing; take a look at https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure-server-crypto.html#hardware-crypto

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts!


mcury (Rebel Alliance), replying to @SteveITS:

          @SteveITS said in About Cryptographic Accelerator Support:

> @mcury OpenVPN does its own thing; take a look at https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure-server-crypto.html#hardware-crypto

Hmmm, thanks SteveITS.

I did some tests just now: disabled Intel QuickAssist (QAT), enabled AES-NI and BSD Crypto Device (aesni,cryptodev), then rebooted.

Kept "Intel RDRAND engine - RAND" enabled in the OpenVPN client settings, and indeed I can't see any difference in performance and/or resource usage on the firewall.

          Since I'm not using QAT, I'll keep it disabled, and will use AES-NI and BSD Crypto Device and Intel RDRAND in OpenVPN, along with IPSEC-MB to help Wireguard.

Thanks again SteveITS 👍


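The two posts above boil down to one question: when DCO is off, OpenVPN's AES-256-GCM runs inside userland OpenSSL, so is AES-NI actually being used regardless of what the "Hardware Crypto" drop-down shows, and what is the "Intel RDRAND engine" entry? The script below is an added example for this thread, not code from Netgate, pfSense, OpenVPN or OpenSSL. It benchmarks the cipher with and without AES-NI masked off via OPENSSL_ia32cap (the mask value is the one OpenSSL's own documentation uses to disable AES-NI and PCLMULQDQ), checks whether OpenSSL lists the rdrand engine, and on FreeBSD checks whether the aesni(4) driver is loaded. The SAMPLE_SPEED_TABLE text is constructed in the shape of real `openssl speed -evp` output so the parser can be exercised offline; the assumptions that `openssl` is in PATH and that `kldstat -m aesni` is the right module name are mine.

```shell
#!/bin/sh
# Added example for this thread (not code from Netgate, pfSense, OpenVPN or
# OpenSSL). From the shell, check whether the OpenSSL library that OpenVPN
# links against really uses AES-NI for AES-256-GCM, and whether the
# "Intel RDRAND engine" from the OpenVPN drop-down is visible to OpenSSL.
# Assumptions (mine): `openssl` is in PATH; the OPENSSL_ia32cap mask below
# disables AES-NI and PCLMULQDQ as documented by OpenSSL; "aesni" is the
# kernel module name kldstat(8) knows the FreeBSD aesni(4) driver by.

# Constructed sample of the table `openssl speed -evp aes-256-gcm` prints,
# so the parser can be tested without running a benchmark.
SAMPLE_SPEED_TABLE='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-256-GCM     512345.67k  1234567.89k  2345678.90k  3456789.01k  4567890.12k  4678901.23k'

# Print the 16384-byte-block throughput (kB/s, trailing "k" stripped) for
# the named cipher, reading an `openssl speed` table from stdin.
speed_kbps() {
    awk -v c="$1" '$1 == c { sub(/k$/, "", $NF); print $NF }'
}

# Rounded ratio of two throughputs: "3" means the first is about 3x the second.
speed_ratio() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%.0f\n", a / b }'
}

# Benchmark the cipher twice, with AES-NI available and with it masked off.
# If the normal run is clearly faster, the AES-NI code path is in use no
# matter what the OpenVPN "Hardware Crypto" drop-down says.
aesni_check() {
    cipher="${1:-aes-256-gcm}"
    name=$(printf '%s' "$cipher" | tr 'a-z' 'A-Z')
    with=$(openssl speed -seconds 1 -evp "$cipher" 2>/dev/null | speed_kbps "$name")
    without=$(OPENSSL_ia32cap="~0x200000200000000" \
              openssl speed -seconds 1 -evp "$cipher" 2>/dev/null | speed_kbps "$name")
    ratio=$(speed_ratio "$with" "$without")
    printf '%s: AES-NI on %s kB/s, masked %s kB/s, ratio %sx\n' \
        "$name" "$with" "$without" "$ratio"
    [ "$ratio" -ge 2 ]
}

# The drop-down entry "Intel RDRAND engine - RAND" is OpenSSL's rdrand
# engine: it only feeds the random number generator and does no AES at all.
rdrand_engine_present() {
    openssl engine 2>/dev/null | grep -q '^(rdrand)'
}

# FreeBSD/pfSense only: is the aesni(4) kernel driver loaded? Assumption:
# this is what "AES-NI CPU-based Acceleration" under System > Advanced loads.
aesni_kmod_loaded() {
    kldstat -q -m aesni 2>/dev/null
}

# Run the live checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
    aesni_check aes-256-gcm && echo "AES-NI: in use by OpenSSL" || echo "AES-NI: NOT in use"
    rdrand_engine_present && echo "rdrand engine: present" || echo "rdrand engine: not listed"
    aesni_kmod_loaded && echo "aesni.ko: loaded" || echo "aesni.ko: not loaded (or not FreeBSD)"
fi
```

Run it as `sh check-aesni.sh run` on the firewall shell. A ratio of several times between the two benchmark runs is the direct evidence that userland AES-GCM is hardware-accelerated; a ratio near 1 means OpenSSL is falling back to its software AES, whatever the GUI selection. Note that masking AES-NI through OPENSSL_ia32cap affects only that one process, so the check is safe to run on a live box.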
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.