CPU usage on Atom C2518 too high even at lower speeds
-
Main office:
Fibre connection 300MBit/s symmetrical
pfSense CE 2.7.2 on a Lanner appliance, Atom C2518, 8GB memory, 14x Intel I210
System/Advanced/Miscellaneous/Cryptographic Hardware setting: AES-NI CPU-based Acceleration
OpenVPN/Clients/Edit/Hardware Crypto: No Hardware Crypto Acceleration

Branch office:
Fibre connection 100MBit/s symmetrical
pfSense CE 2.7.2 on an APU2, AMD GX-412TC SOC, 4GB memory, 3x Intel I210
System/Advanced/Miscellaneous/Cryptographic Hardware setting: AES-NI and BSD Crypto device (aesni, cryptodev)
OpenVPN/Servers/Hardware Crypto: No Hardware Crypto Acceleration

Connection via OpenVPN, TAP mode. I use iperf3 for performance testing across the OpenVPN tunnel network (not the bridged interfaces).

Problem description:
When using iperf, the CPU load on the appliance in the main office goes above 90% and the bandwidth maxes out at about 60MBit/s. Even the supposedly slower APU2 CPU has a lower load of around 60% during testing. With only network noise on the connection, the CPU load sits below two percent for the corresponding openvpn process.
The same problem occurs at other branch offices with similar configurations, too.

I suppose it has something to do with the ciphers used for the encryption (see below for shortened client config). Any hints for figuring out why this maxes out the CPU usage are appreciated.

...
dev-type tap
...
proto udp4
auth SHA256
...
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
allow-compression no
..
fast-io
sndbuf 524288
rcvbuf 524288
...
-
@AWeidner
To answer myself:

openssl speed -elapsed -evp aes-128[256]-gcm (we use AES-256-GCM)
...
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-128-GCM      72691.83k   150891.86k   222610.26k   254092.97k   263097.25k   265530.03k
...
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-256-GCM      67697.40k   132661.67k   188492.12k   212024.45k   219474.60k   219228.84k

vs. AES-256-CBC (which we don't use)

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-256-CBC      98913.39k   159960.60k   197932.39k   211052.54k   214461.10k   214832.47k

And as far as I can tell, the block size used for VPN connections via openssl is 128 Bit (16 Bytes). The CPU is the limiting factor, it seems.
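
Added example (not part of the original posts): a small Python parser for the `openssl speed` figures quoted above that converts them to Mbit/s so they can be read against the roughly 60MBit/s iperf3 result. The sample rows are copied from the post; the function names `parse_speed` and `headroom` are illustrative.

```python
import re

# Rows copied from the post above (openssl speed -elapsed -evp ...).
SAMPLE = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-128-GCM      72691.83k   150891.86k   222610.26k   254092.97k   263097.25k   265530.03k
...
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-256-GCM      67697.40k   132661.67k   188492.12k   212024.45k   219474.60k   219228.84k
AES-256-CBC      98913.39k   159960.60k   197932.39k   211052.54k   214461.10k   214832.47k
"""

def parse_speed(text):
    """Return {cipher: {block_size_bytes: Mbit/s}} from `openssl speed` output."""
    sizes, result = [], {}
    for line in text.splitlines():
        if line.startswith("type"):
            # Header row: pick up the buffer sizes for the rows that follow.
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
            continue
        fields = line.split()
        rates = fields[1:]
        if not sizes or len(rates) != len(sizes) or not all(r.endswith("k") for r in rates):
            continue  # skip banners, "..." elisions and malformed rows
        # openssl prints thousands of bytes per second: k * 1000 * 8 / 1e6 = Mbit/s
        result[fields[0]] = {s: float(r[:-1]) * 8 / 1000 for s, r in zip(sizes, rates)}
    return result

def headroom(table, cipher, block, observed_mbit):
    """Ratio of raw cipher throughput at `block` bytes to the observed tunnel rate."""
    return table[cipher][block] / observed_mbit

if __name__ == "__main__":
    table = parse_speed(SAMPLE)
    observed = 60.0  # MBit/s seen with iperf3 in the post
    for cipher, row in table.items():
        for block in (16, 1024):
            print(f"{cipher:12} {block:5} B  {row[block]:8.1f} Mbit/s  "
                  f"{headroom(table, cipher, block, observed):5.1f}x observed")
```

`openssl speed` reports thousands of bytes per second for the cipher alone on a single core, so these figures exclude OpenVPN's own per-packet processing.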