PC Engines apu2 experiences
-
This post is deleted! -
@Qinn said in PC Engines apu2 experiences:
@daemonix Nope, just install the flashrom like above, then download the latest Mainline from here
https://pcengines.github.io/then flash it and reboot, I have switched from Legacy to Mainline months ago and everything works still fine.
...and btw you don't need the force option, this is enough
flashrom -w /tmp/apu2_v4.9.0.7.rom -p internalDone without a problem!
I had a serial link to it so I did it from there so I can see the boot sequence.Now that I have time to experiment a bit.
What are the recommended combination of settings that favour performance on a openvpn server nowadays ?BSD crypto ON/OFF? CBC/GBC algo? etc..
I get 40mbit on the apu2 hosted server. -
@daemonix said in PC Engines apu2 experiences:
BSD crypto ON/OFF? CBC/GBC algo? etc..
I get 40mbit on the apu2 hosted server.From my knowledge for the APU2-Board the settings should be AES-NI (in CPU).
Regards,
fireodo -
I agree try AES-NI (in cpu) read this please, especially the reply from "jimp" https://forum.netgate.com/topic/114212/aes-ni-cryptodev-openvpn-help-a-n00b-understand/16
The setting is in :
System/Advanced/Miscellaneoustry it and see how it performs.
-
fast-io
sndbuf 524288
rcvbuf 524288added this, changed my PIA client to GCM (my server was already GCM) and I already had just the hardware acceleration only...
Gone from 45-sih mbit to 70-70mbit in both PIA and my server!!! -
@Qinn said in PC Engines apu2 experiences:
https://pcengines.github.io/
Does this mean that "AES-NI CPU-based acceleration" is better than the "AES-NI and BSD Crypto Device" option? I'm still confused what the difference between those two are.
-
@kevindd992002 said in PC Engines apu2 experiences:
Does this mean that "AES-NI CPU-based acceleration" is better than the "AES-NI and BSD Crypto Device" option? I'm still confused what the difference between those two are.
Yes! The Apu2 does not have a dedicated Crypto-Device, the Crypto-Functions are integrated in the CPU (much faster). IMHO
-
@fireodo said in PC Engines apu2 experiences:
@kevindd992002 said in PC Engines apu2 experiences:
Does this mean that "AES-NI CPU-based acceleration" is better than the "AES-NI and BSD Crypto Device" option? I'm still confused what the difference between those two are.
Yes! The Apu2 does not have a dedicated Crypto-Device, the Crypto-Functions are integrated in the CPU (much faster). IMHO
I see. But won't it use AES-NI anyway if the latter option is selected?
Also, in the OpenVPN settings you should chhose None in the Hardware Acceleration field, correct?
-
@kevindd992002 said in PC Engines apu2 experiences:
I see. But won't it use AES-NI anyway if the latter option is selected?
Freebsd will look for the Crypto-Device wich is not existent and will not fallback to AES-NI CPU based.
Also, in the OpenVPN settings you should chhose None in the Hardware Acceleration field, correct?
I admit I dont know. Sorry.
-
@fireodo said in PC Engines apu2 experiences:
@kevindd992002 said in PC Engines apu2 experiences:
I see. But won't it use AES-NI anyway if the latter option is selected?
Freebsd will look for the Crypto-Device wich is not existent and will not fallback to AES-NI CPU based.
Also, in the OpenVPN settings you should chhose None in the Hardware Acceleration field, correct?
I admit I dont know. Sorry.
Yes this is it. I did all the possible test combinations.
Indeed ONLY AES-NI should be selected -
Yes, the only thing to avoid here is enabling both aes-ni and bsd crypto. Doing that will cause the aes device to register for crypto acceleration via the framework which adds a load of additional steps. It's much faster to use the available CPU instructions directly. As long as it's enabled in the BIOS openssl, and hence openvpn, should use aes-ni.
Steve
-
@stephenw10 said in PC Engines apu2 experiences:
Yes, the only thing to avoid here is enabling both aes-ni and bsd crypto. Doing that will cause the aes device to register for crypto acceleration via the framework which adds a load of additional steps. It's much faster to use the available CPU instructions directly. As long as it's enabled in the BIOS openssl, and hence openvpn, should use aes-ni.
Steve
So you have to select AES-NI in pfSense and not in OpenVPN, then why is this option (Hardware crypto) present in OpenVPN config within pfSense? Could you please clarify this?
Cheers Qinn
-
I have personally never used that setting. But I have also never had a device with a specifically supported hardware crypto device which is where I would expect it to apply.
In testing I did when we went to OpenVPN 2.4 it was better to leave that set to None in every case.Steve
-
@stephenw10 kudos for clearing that one up!
-
@stephenw10 said in PC Engines apu2 experiences:
But I have also never had a device with a specifically supported hardware crypto device which ...
Don't want to crush this topic (and can't PM you) but lemme ask how far crypto in the SG-1100 has come? Last thing I know is that HW is present and waits for the software to follow. Anything changed in this regard?
-
That is still basically the status. I'm not sure how far along that work is, I did see some discussion of it a few days ago.
But that's a good point. On the SG-3100 where the crypto hardware is supported via the CESA driver I am currently running with BSD Crypto device set in both OpenVPN and as the system crypto device.
Steve
-
Although it is not downloadable at the moment, did anyone tried the new v4.10.0.0?
https://pcengines.github.io/ -
@Qinn said in PC Engines apu2 experiences:
Although it is not downloadable at the moment, did anyone tried the new v4.10.0.0?
https://pcengines.github.io/There isnt any 4.10.0.0 version - look here:
https://3mdeb.com/open-source-firmware/pcengines/ -
Here it is: https://pcengines.github.io/#mr-25
v4.10.0.0 Release date: '2019-08-09' Fixed/added: - rebased with official coreboot repository commit 2a20d13 - enable basic ACPI support for GPIOs -
@Veldkornet said in PC Engines apu2 experiences:
Here it is: https://pcengines.github.io/#mr-25
v4.10.0.0 Release date: '2019-08-09' Fixed/added: - rebased with official coreboot repository commit 2a20d13 - enable basic ACPI support for GPIOsHave you download it?
