Netgate Discussion Forum

    HW Acceleration in OpenVPN

    • Pippin

      Perfectly fine.
      OpenVPN makes a call to OpenSSL to do the crypto.
      OpenSSL has built-in code that will use hardware acceleration automatically if it's available.

      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
      Halton Arp

      • arrmo

        Excellent, thanks! Figured that setting would capture it also, but not a huge issue if not.

        Is there a way to check if it's using AES-NI?

        • VAMike

          @arrmo:

          Excellent, thanks! Figured that setting would capture it also, but not a huge issue if not.

          Is there a way to check if it's using AES-NI?

          It's fairly impossible to make it not use AES-NI. In older versions of pfsense you could turn on /dev/crypto to make openvpn slower, but that's been fixed.

          • johnpoz LAYER 8 Global Moderator

            Can you not just run an openssl speed test? This should tell you right away if you're using aes-ni, should it not?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

            • arrmo

              Yep, that should be possible. Hunting around to see if there is a way to force it off and on (HW accel that is), to be able to confirm.

              Thanks!

              • Pippin

                With:

                openssl speed -elapsed -evp aes-256-gcm -multi 4
                

                Without:

                env OPENSSL_ia32cap=0 openssl speed -elapsed -evp aes-256-gcm -multi 4
                

                Edit, changed cbc to gcm.

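An added example, not part of the original posts: a small script that runs the two commands above, pulls the largest-block throughput out of each `openssl speed` summary, and reports the ratio. The function names, the 1.5 threshold and the embedded sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare `openssl speed` throughput with and without the CPU
# capability bits, using the two commands from the post above.

# CONSTRUCTED sample outputs (not real measurements), used for offline checks.
SAMPLE_ON='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-gcm     400000.00k  1000000.00k  2000000.00k  3000000.00k  3600000.00k  3600000.00k'
SAMPLE_OFF='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-gcm      80000.00k   200000.00k   350000.00k   420000.00k   450000.00k   450000.00k'

# Read `openssl speed` output on stdin and print the last-column throughput
# (thousands of bytes per second) of the summary row. The row label differs
# between OpenSSL versions, so the row is found by shape: the last line whose
# final field looks like "123456.78k". Exits non-zero if no such line exists.
summary_kbps() {
    awk '$NF ~ /^[0-9]+(\.[0-9]+)?k$/ { v = $NF }
         END { sub(/k$/, "", v); if (v == "") exit 1; print v }'
}

# Print the ratio with/without to two decimals; fail on missing or zero input.
speedup() {
    awk -v on="$1" -v off="$2" \
        'BEGIN { if (on + 0 <= 0 || off + 0 <= 0) exit 1; printf "%.2f\n", on / off }'
}

# Classify a ratio. A ratio near 1 means masking the capability bits changed
# nothing, so the unmasked run was not accelerated either. The default
# threshold of 1.5 is an assumption, not a value from the thread.
verdict() {
    awk -v r="$1" -v t="${2:-1.5}" \
        'BEGIN { if (r + 0 >= t + 0) print "accelerated"; else print "no-difference" }'
}

# Live measurement, only when invoked as: sh aesni-check.sh run
if [ "${1:-}" = "run" ]; then
    on=$(openssl speed -elapsed -evp aes-256-gcm -multi 4 2>/dev/null | summary_kbps) || exit 1
    off=$(env OPENSSL_ia32cap=0 openssl speed -elapsed -evp aes-256-gcm -multi 4 2>/dev/null \
        | summary_kbps) || exit 1
    r=$(speedup "$on" "$off") || exit 1
    echo "with=${on}k without=${off}k ratio=${r} -> $(verdict "$r")"
fi
```

This measures OpenSSL's cipher throughput in isolation, not OpenVPN tunnel throughput.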
                  • Derelict LAYER 8 Netgate

                  I would be surprised if you saw a difference in speed with AES-NI in use or not with OpenVPN. There is a lot of overhead already there that has nothing to do with crypto operations.

                  If anything you might see less CPU utilization to accomplish the same speeds but that is more difficult to measure.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  • arrmo

                    Thanks for all the help - much appreciated!

                    • Pippin

                      Welcome.

                      I've not done tests with gcm but with cbc some time ago:
                      https://forum.pfsense.org/index.php?topic=115627.msg647436#msg647436

                      Curious for the gcm results...

                      • VAMike

                        @Derelict:

                        I would be surprised if you saw a difference in speed with AES-NI in use or not with OpenVPN. There is a lot of overhead already there that has nothing to do with crypto operations.

                        If anything you might see less CPU utilization to accomplish the same speeds but that is more difficult to measure.

                        I would expect a measurable but not dramatic speedup moving to GCM and changing from aes256 to aes128. It's worth doing, but won't fundamentally change the performance characteristics of a machine.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.