Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Cryptographic Hardware Acceleration options inconsistent v2.1 RELEASE

    Scheduled Pinned Locked Moved General pfSense Questions
    4 Posts 4 Posters 3.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      robi
      last edited by

      Guys, I found two inconsistencies in the web interface:

      In System > Advanced > Miscellaneous > Cryptographic Hardware Acceleration, VIA Padlock is missing from the dropdown list.
      In VPN > OpenVPN > Server configuration > Hardware Crypto, AMD Geode and AES-NI are missing from the dropdown list.

      On my system, which runs on a VIA C7 CPU, VIA Padlock Hardware Acceleration is present and works with OpenVPN, drastically reducing CPU workload.

      I suggest to make these options visible in both lists, to be selectable in all the places.

      1 Reply Last reply Reply Quote 0
      • D
        doktornotor Banned
        last edited by

        There's certainly no AMD Geode missing in OpenVPN (engine cryptopdev). Actually, only available and usable ones are shown in the dropdown list there. Works just fine with Alix/AMD Geode. No idea about VIA padlock, cannot test in any way.

        1 Reply Last reply Reply Quote 0
        • S
          Sn3ak
          last edited by

          I am fairly certain the reason for this, at least for  System > Advanced > Miscellaneous > Cryptographic Hardware Acceleration, is that VIA Padlock is not a kernel module that can be loaded/unloaded. Similarly, you will notice HiFn is not reported in that list, for the same reason, even though the hardware is utilized if present.

          I don't use OpenVPN, so I can't comment on that part.

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            @Sn3ak:

            I am fairly certain the reason for this, at least for  System > Advanced > Miscellaneous > Cryptographic Hardware Acceleration, is that VIA Padlock is not a kernel module that can be loaded/unloaded. Similarly, you will notice HiFn is not reported in that list, for the same reason, even though the hardware is utilized if present.

            I don't use OpenVPN, so I can't comment on that part.

            You are correct. VIA padlock, Hifn, and others not listed there are in the kernel, not modules.

            AES-NI and glxsb are modules because certain use cases warrant not having nor wanting them loaded.

            Also selecting the cryptodev engine in OpenVPN isn't entirely necessary, we have found. OpenSSL will use a chip that claims support for a specific cipher if that cipher is the one in use. So if glxsb is on, says it does AES-128, and OpenVPN is set for AES-128, then it would use the accelerator chip no matter what the OpenVPN GUI was set for. Same for VIA padlock and so on.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.