openvpn no option for AES-NI

yon 0 · Nov 16, 2019, 9:49 PM

I have creat new server , the cpu support AES-NI, but pf 2.5 openvpn has no option add AES-NI, how i do enable support AES-NI in openvpn ?

Version 2.5.0-DEVELOPMENT (amd64)
built on Thu Nov 14 08:45:24 EST 2019
FreeBSD 12.0-RELEASE-p10
CPU Type AMD A8-5600K APU with Radeon(tm) HD Graphics
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)
Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM
Kernel PTI Disabled
MDS Mitigation Inactive

viragomann · Nov 17, 2019, 5:33 PM

AES-NI is used automatically if its provided. There is no need for setting an option.
Documented in the manual: https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerator-support.html

Gertjan · Nov 18, 2019, 10:07 AM

What are your options in the "Hardware Crypto" list ?

login-to-view

I guess , even when you set the "Hardware Crypto" to "No Hardware Accelaration", the hardware AES-NI is still actually used.

Anyway, you can find all answers ..... as soon as you finished reading the doc ;)

jimp · Nov 18, 2019, 3:52 PM

https://redmine.pfsense.org/issues/9646

But really you don't need it. OpenVPN is usually smart enough when using OpenSSL to latch onto AES-NI and use it.

yon 0 · Nov 19, 2019, 10:45 AM

i see that doc, but i have no feeling the speed fast. how i do check the AES-NI worked in openvpn?

/usr/bin/openssl engine -t -c
(dynamic) Dynamic engine loading support
[ unavailable ]

yon 0 · Nov 19, 2019, 10:53 AM

@yon-0 said in openvpn no option for AES-NI:

i see that doc, but i have no feeling the speed fast. how i do check the AES-NI worked in openvpn?

openssl engine -t -c
(dynamic) Dynamic engine loading support
[ unavailable ]
[2.5.0-DEVELOPMENT][admin@face.xiaoyu.net]/root: openssl engine -t -c -pre DUMP_INFO
(dynamic) Dynamic engine loading support
[Failure]: DUMP_INFO
34370957312:error:260AC089:engine routines:int_ctrl_helper:invalid cmd name:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/engine/eng_ctrl.c:87:
34370957312:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/engine/eng_ctrl.c:255:
[ unavailable ]

yon 0 · Nov 19, 2019, 10:57 AM

openssl speed -engine rdrand -evp aes-128-gcm
invalid engine "rdrand"
34370957312:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/dso/dso_dlfcn.c:117:filename(/usr/lib/engines/rdrand.so): Cannot open "/usr/lib/engines/rdrand.so"
34370957312:error:25070067:DSO support routines:DSO_load:could not load the shared library:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/dso/dso_lib.c:162:
34370957312:error:260B6084:engine routines:dynamic_load:dso not found:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/engine/eng_dyn.c:414:
34370957312:error:2606A074:engine routines:ENGINE_by_id:no such engine:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/engine/eng_list.c:334:id=rdrand
34370957312:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/dso/dso_dlfcn.c:117:filename(librdrand.so): Shared object "librdrand.so" not found, required by "openssl"
34370957312:error:25070067:DSO support routines:DSO_load:could not load the shared library:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/dso/dso_lib.c:162:
34370957312:error:260B6084:engine routines:dynamic_load:dso not found:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/engine/eng_dyn.c:414:
Doing aes-128-gcm for 3s on 16 size blocks: 42700620 aes-128-gcm's in 3.05s
Doing aes-128-gcm for 3s on 64 size blocks: 32651171 aes-128-gcm's in 3.06s
Doing aes-128-gcm for 3s on 256 size blocks: 14878766 aes-128-gcm's in 3.04s
Doing aes-128-gcm for 3s on 1024 size blocks: 4697224 aes-128-gcm's in 3.02s
Doing aes-128-gcm for 3s on 8192 size blocks: 619970 aes-128-gcm's in 3.02s
Doing aes-128-gcm for 3s on 16384 size blocks: 309228 aes-128-gcm's in 3.01s
OpenSSL 1.1.1a-freebsd 20 Nov 2018
built on: reproducible build, date unspecified
options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128-gcm 223659.51k 682342.84k 1253335.23k 1595011.77k 1679807.91k 1684410.70k

Gertjan · Nov 19, 2019, 11:27 AM

Nice, you confirmed issue https://redmine.pfsense.org/issues/9646

JeGr · Nov 19, 2019, 11:42 AM

Besides it being pointless to use "idrand" if you want to check AES-NI capability? If you want that wouldn't you either use no engine at all (because automatic detection of openssl) or crypt(dev)?

viragomann · Nov 19, 2019, 11:40 AM

@yon-0
Run openssl speed without stating an engine.

openssl speed -elapsed -evp aes-128-gcm

than run it again with AES-NI turned off:

OPENSSL_ia32cap="-0x200000200000000" openssl speed -elapsed -evp aes-128-gcm

yon 0 · Nov 19, 2019, 11:54 AM

@viragomann said in openvpn no option for AES-NI:

openssl speed -elapsed -evp aes-128-gcm

openssl speed -elapsed -evp aes-128-gcm
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-gcm for 3s on 16 size blocks: 41969785 aes-128-gcm's in 3.01s
Doing aes-128-gcm for 3s on 64 size blocks: 32052818 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 256 size blocks: 14958024 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 1024 size blocks: 4775151 aes-128-gcm's in 3.07s
Doing aes-128-gcm for 3s on 8192 size blocks: 619225 aes-128-gcm's in 3.02s
Doing aes-128-gcm for 3s on 16384 size blocks: 309571 aes-128-gcm's in 3.01s
OpenSSL 1.1.1a-freebsd 20 Nov 2018
built on: reproducible build, date unspecified
options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128-gcm 223257.45k 683793.45k 1276418.05k 1592591.84k 1677789.34k 1686279.07k

yon 0 · Nov 19, 2019, 6:14 PM

@JeGr said in openvpn no option for AES-NI:

AES-NI

The question is how do I know that vpn works with AES-NI

viragomann · Nov 20, 2019, 3:54 AM

@yon-0 said in openvpn no option for AES-NI:

The question is how do I know that vpn works with AES-NI

I gave you two benchmarks, one uses AES-NI if available, the other runs without.
So run both, compare the results and you will see if your system benefits from AES-NI or not.

yon 0 · Nov 20, 2019, 3:54 AM

@viragomann

OPENSSL_ia32cap="-0x200000200000000" openssl speed -elapsed -evp aes-128-gcm
OPENSSL_ia32cap=-0x200000200000000: Command not found.

viragomann · Nov 20, 2019, 11:58 AM

@yon-0
Run it in the GUI.

jimp · Nov 20, 2019, 1:18 PM

Use env to set variables like that, for example:

# env OPENSSL_ia32cap="-0x200000200000000" openssl speed -elapsed -evp aes-128-gcm

So... With AES-NI active:

[2.5.0-DEVELOPMENT][]/root: openssl speed -elapsed -evp aes-128-gcm
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-gcm for 3s on 16 size blocks: 20389193 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 64 size blocks: 10049858 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 256 size blocks: 3680033 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 1024 size blocks: 1042002 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 8192 size blocks: 134501 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 16384 size blocks: 67574 aes-128-gcm's in 3.00s
OpenSSL 1.1.1a-freebsd  20 Nov 2018
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) 
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm     108742.36k   214396.97k   314029.48k   355670.02k   367277.40k   369044.14k

With AES-NI disabled:

[2.5.0-DEVELOPMENT][]/root: env OPENSSL_ia32cap="-0x200000200000000" openssl speed -elapsed -evp aes-128-gcm
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-gcm for 3s on 16 size blocks: 5138331 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 64 size blocks: 1531164 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 256 size blocks: 403121 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 1024 size blocks: 102245 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 8192 size blocks: 12855 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 16384 size blocks: 6428 aes-128-gcm's in 3.00s
OpenSSL 1.1.1a-freebsd  20 Nov 2018
built on: reproducible build, date unspecified
options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr) 
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm      27404.43k    32664.83k    34399.66k    34899.63k    35102.72k    35105.45k

yon 0 · Nov 21, 2019, 5:13 AM

@jimp said in openvpn no option for AES-NI:

env OPENSSL_ia32cap="-0x200000200000000" openssl speed -elapsed -evp aes-128-gcm

but i test it is slow

env OPENSSL_ia32cap="-0x200000200000000" openssl speed -elapsed -evp aes-128-gcm
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-gcm for 3s on 16 size blocks: 12357003 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 64 size blocks: 3672554 aes-128-gcm's in 3.02s
Doing aes-128-gcm for 3s on 256 size blocks: 960619 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 1024 size blocks: 246105 aes-128-gcm's in 3.03s
Doing aes-128-gcm for 3s on 8192 size blocks: 31427 aes-128-gcm's in 3.08s
Doing aes-128-gcm for 3s on 16384 size blocks: 15772 aes-128-gcm's in 3.09s
OpenSSL 1.1.1a-freebsd 20 Nov 2018
built on: reproducible build, date unspecified
options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128-gcm 65904.02k 77740.47k 81972.82k 83137.82k 83638.57k 83525.96k

JeGr · Nov 21, 2019, 11:51 AM

Of course it's slow, the ENV command disables AES-NI. Did you read what @viragomann or @jimp wrote?

@viragomann said in openvpn no option for AES-NI:

Run openssl speed without stating an engine.
openssl speed -elapsed -evp aes-128-gcm

than run it again with AES-NI turned off:
OPENSSL_ia32cap="-0x200000200000000" openssl speed -elapsed -evp aes-128-gcm

So of course your test with the ENV in front is slow:

@yon-0 said in openvpn no option for AES-NI:

env OPENSSL_ia32cap="-0x200000200000000" openssl speed -elapsed -evp aes-128-gcm

...
aes-128-gcm 65904.02k 77740.47k 81972.82k 83137.82k 83638.57k 83525.96k

compared to the one before without the ENV trigger:

openssl speed -elapsed -evp aes-128-gcm
...
aes-128-gcm 223257.45k 683793.45k 1276418.05k 1592591.84k 1677789.34k 1686279.07k