Netgate Discussion Forum

    openvpn no option for AES-NI

    • yon 0Y
      yon 0 @viragomann
      last edited by

      I see that doc, but I don't feel any speed improvement. How do I check that AES-NI is working in OpenVPN?

      /usr/bin/openssl engine -t -c
      (dynamic) Dynamic engine loading support
      [ unavailable ]

      • yon 0Y
        yon 0
        last edited by

        @yon-0 said in openvpn no option for AES-NI:

        I see that doc, but I don't feel any speed improvement. How do I check that AES-NI is working in OpenVPN?

        openssl engine -t -c
        (dynamic) Dynamic engine loading support
        [ unavailable ]
        [2.5.0-DEVELOPMENT][admin@face.xiaoyu.net]/root: openssl engine -t -c -pre DUMP_INFO
        (dynamic) Dynamic engine loading support
        [Failure]: DUMP_INFO
        34370957312:error:260AC089:engine routines:int_ctrl_helper:invalid cmd name:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/engine/eng_ctrl.c:87:
        34370957312:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/engine/eng_ctrl.c:255:
        [ unavailable ]

        • yon 0Y
          yon 0
          last edited by

          openssl speed -engine rdrand -evp aes-128-gcm
          invalid engine "rdrand"
          34370957312:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/dso/dso_dlfcn.c:117:filename(/usr/lib/engines/rdrand.so): Cannot open "/usr/lib/engines/rdrand.so"
          34370957312:error:25070067:DSO support routines:DSO_load:could not load the shared library:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/dso/dso_lib.c:162:
          34370957312:error:260B6084:engine routines:dynamic_load:dso not found:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/engine/eng_dyn.c:414:
          34370957312:error:2606A074:engine routines:ENGINE_by_id:no such engine:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/engine/eng_list.c:334:id=rdrand
          34370957312:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/dso/dso_dlfcn.c:117:filename(librdrand.so): Shared object "librdrand.so" not found, required by "openssl"
          34370957312:error:25070067:DSO support routines:DSO_load:could not load the shared library:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/dso/dso_lib.c:162:
          34370957312:error:260B6084:engine routines:dynamic_load:dso not found:/build/ce-crossbuild-master/pfSense/tmp/FreeBSD-src/crypto/openssl/crypto/engine/eng_dyn.c:414:
          Doing aes-128-gcm for 3s on 16 size blocks: 42700620 aes-128-gcm's in 3.05s
          Doing aes-128-gcm for 3s on 64 size blocks: 32651171 aes-128-gcm's in 3.06s
          Doing aes-128-gcm for 3s on 256 size blocks: 14878766 aes-128-gcm's in 3.04s
          Doing aes-128-gcm for 3s on 1024 size blocks: 4697224 aes-128-gcm's in 3.02s
          Doing aes-128-gcm for 3s on 8192 size blocks: 619970 aes-128-gcm's in 3.02s
          Doing aes-128-gcm for 3s on 16384 size blocks: 309228 aes-128-gcm's in 3.01s
          OpenSSL 1.1.1a-freebsd 20 Nov 2018
          built on: reproducible build, date unspecified
          options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr)
          compiler: clang
          The 'numbers' are in 1000s of bytes per second processed.
          type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
          aes-128-gcm 223659.51k 682342.84k 1253335.23k 1595011.77k 1679807.91k 1684410.70k

          • GertjanG
            Gertjan
            last edited by

            Nice, you confirmed issue https://redmine.pfsense.org/issues/9646

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • JeGrJ
              JeGr LAYER 8 Moderator
              last edited by JeGr

              Besides, isn't it pointless to use "rdrand" if you want to check AES-NI capability? If you want that, wouldn't you either use no engine at all (because of OpenSSL's automatic detection) or crypt(dev)?

              Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

              If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

              • V
                viragomann @yon 0
                last edited by

                @yon-0
                Run openssl speed without stating an engine.

                openssl speed -elapsed -evp aes-128-gcm
                

                Then run it again with AES-NI turned off:

                OPENSSL_ia32cap="-0x200000200000000" openssl speed -elapsed -evp aes-128-gcm
                
                • yon 0Y
                  yon 0 @viragomann
                  last edited by

                  @viragomann said in openvpn no option for AES-NI:

                  openssl speed -elapsed -evp aes-128-gcm

                  openssl speed -elapsed -evp aes-128-gcm
                  You have chosen to measure elapsed time instead of user CPU time.
                  Doing aes-128-gcm for 3s on 16 size blocks: 41969785 aes-128-gcm's in 3.01s
                  Doing aes-128-gcm for 3s on 64 size blocks: 32052818 aes-128-gcm's in 3.00s
                  Doing aes-128-gcm for 3s on 256 size blocks: 14958024 aes-128-gcm's in 3.00s
                  Doing aes-128-gcm for 3s on 1024 size blocks: 4775151 aes-128-gcm's in 3.07s
                  Doing aes-128-gcm for 3s on 8192 size blocks: 619225 aes-128-gcm's in 3.02s
                  Doing aes-128-gcm for 3s on 16384 size blocks: 309571 aes-128-gcm's in 3.01s
                  OpenSSL 1.1.1a-freebsd 20 Nov 2018
                  built on: reproducible build, date unspecified
                  options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr)
                  compiler: clang
                  The 'numbers' are in 1000s of bytes per second processed.
                  type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
                  aes-128-gcm 223257.45k 683793.45k 1276418.05k 1592591.84k 1677789.34k 1686279.07k

                  • yon 0Y
                    yon 0
                    last edited by

                    @JeGr said in openvpn no option for AES-NI:

                    AES-NI

                    The question is how do I know that vpn works with AES-NI

                    • V
                      viragomann
                      last edited by

                      @yon-0 said in openvpn no option for AES-NI:

                      The question is how do I know that vpn works with AES-NI

                      I gave you two benchmarks, one uses AES-NI if available, the other runs without.
                      So run both, compare the results and you will see if your system benefits from AES-NI or not.

                      • yon 0Y
                        yon 0 @viragomann
                        last edited by

                        @viragomann

                        OPENSSL_ia32cap="-0x200000200000000" openssl speed -elapsed -evp aes-128-gcm
                        OPENSSL_ia32cap=-0x200000200000000: Command not found.

                        • V
                          viragomann @yon 0
                          last edited by

                          @yon-0
                          Run it in the GUI.

                          • jimpJ
                            jimp Rebel Alliance Developer Netgate
                            last edited by

                            Use env to set variables like that, for example:

                            # env OPENSSL_ia32cap="-0x200000200000000" openssl speed -elapsed -evp aes-128-gcm
                            

                            So... With AES-NI active:

                            [2.5.0-DEVELOPMENT][]/root: openssl speed -elapsed -evp aes-128-gcm
                            You have chosen to measure elapsed time instead of user CPU time.
                            Doing aes-128-gcm for 3s on 16 size blocks: 20389193 aes-128-gcm's in 3.00s
                            Doing aes-128-gcm for 3s on 64 size blocks: 10049858 aes-128-gcm's in 3.00s
                            Doing aes-128-gcm for 3s on 256 size blocks: 3680033 aes-128-gcm's in 3.00s
                            Doing aes-128-gcm for 3s on 1024 size blocks: 1042002 aes-128-gcm's in 3.00s
                            Doing aes-128-gcm for 3s on 8192 size blocks: 134501 aes-128-gcm's in 3.00s
                            Doing aes-128-gcm for 3s on 16384 size blocks: 67574 aes-128-gcm's in 3.00s
                            OpenSSL 1.1.1a-freebsd  20 Nov 2018
                            built on: reproducible build, date unspecified
                            options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) 
                            compiler: clang
                            The 'numbers' are in 1000s of bytes per second processed.
                            type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
                            aes-128-gcm     108742.36k   214396.97k   314029.48k   355670.02k   367277.40k   369044.14k
                            

                            With AES-NI disabled:

                            [2.5.0-DEVELOPMENT][]/root: env OPENSSL_ia32cap="-0x200000200000000" openssl speed -elapsed -evp aes-128-gcm
                            You have chosen to measure elapsed time instead of user CPU time.
                            Doing aes-128-gcm for 3s on 16 size blocks: 5138331 aes-128-gcm's in 3.00s
                            Doing aes-128-gcm for 3s on 64 size blocks: 1531164 aes-128-gcm's in 3.00s
                            Doing aes-128-gcm for 3s on 256 size blocks: 403121 aes-128-gcm's in 3.00s
                            Doing aes-128-gcm for 3s on 1024 size blocks: 102245 aes-128-gcm's in 3.00s
                            Doing aes-128-gcm for 3s on 8192 size blocks: 12855 aes-128-gcm's in 3.00s
                            Doing aes-128-gcm for 3s on 16384 size blocks: 6428 aes-128-gcm's in 3.00s
                            OpenSSL 1.1.1a-freebsd  20 Nov 2018
                            built on: reproducible build, date unspecified
                            options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr) 
                            compiler: clang
                            The 'numbers' are in 1000s of bytes per second processed.
                            type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
                            aes-128-gcm      27404.43k    32664.83k    34399.66k    34899.63k    35102.72k    35105.45k
                            

                            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                            Need help fast? Netgate Global Support!

                            Do not Chat/PM for help!

                            1 Reply Last reply Reply Quote 0
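The with/without comparison shown in the post above, as an added example that is not part of the original thread: a POSIX shell script that extracts the summary row from both `openssl speed` runs and reports the ratio. The function names and the `MIN_RATIO` threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: judge AES-NI use from two
# `openssl speed -elapsed -evp aes-128-gcm` runs (default vs. masked).

MIN_RATIO=2   # assumed threshold: below this, treat the runs as equal

# Read `openssl speed` output on stdin; print the 16384-byte throughput
# (last column of the "aes-128-gcm" summary row) without the "k" suffix.
summary_max() {
    awk '$1 == "aes-128-gcm" && $NF ~ /k$/ { r = $NF; sub(/k$/, "", r) }
         END { if (r == "") exit 1; print r }'
}

# speedup ON OFF -> ratio ON/OFF with one decimal place.
speedup() {
    awk -v a="$1" -v b="$2" 'BEGIN { if (b <= 0) exit 1; printf "%.1f", a / b }'
}

# verdict ON OFF -> one-line interpretation of the two throughputs.
verdict() {
    ratio=$(speedup "$1" "$2") || return 1
    if awk -v r="$ratio" -v t="$MIN_RATIO" 'BEGIN { exit !(r >= t) }'; then
        echo "AES-NI in use: ${ratio}x faster than with it masked"
    else
        echo "no AES-NI gain (${ratio}x): CPU lacks it or OpenSSL ignores it"
    fi
}

# Run both benchmarks. `env` sets the variable under sh and csh/tcsh alike;
# the mask clears OpenSSL's AES-NI and PCLMULQDQ capability bits.
run_live() {
    on=$(openssl speed -elapsed -evp aes-128-gcm 2>/dev/null | summary_max) || return 1
    off=$(env OPENSSL_ia32cap="-0x200000200000000" \
          openssl speed -elapsed -evp aes-128-gcm 2>/dev/null | summary_max) || return 1
    verdict "$on" "$off"
}

# Summary rows copied from the two runs in the post above.
ROW_ON='aes-128-gcm     108742.36k   214396.97k   314029.48k   355670.02k   367277.40k   369044.14k'
ROW_OFF='aes-128-gcm      27404.43k    32664.83k    34399.66k    34899.63k    35102.72k    35105.45k'

if [ "${1:-}" = "--live" ]; then
    run_live
else
    verdict "$(echo "$ROW_ON" | summary_max)" "$(echo "$ROW_OFF" | summary_max)"
fi
```

Run with `--live` on the firewall to benchmark the local CPU; without arguments it evaluates the rows quoted from the thread.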
                            • yon 0Y
                              yon 0
                              last edited by

                              @jimp said in openvpn no option for AES-NI:

                              env OPENSSL_ia32cap="-0x200000200000000" openssl speed -elapsed -evp aes-128-gcm

                              But when I test it, it is slow:

                              env OPENSSL_ia32cap="-0x200000200000000" openssl speed -elapsed -evp aes-128-gcm
                              You have chosen to measure elapsed time instead of user CPU time.
                              Doing aes-128-gcm for 3s on 16 size blocks: 12357003 aes-128-gcm's in 3.00s
                              Doing aes-128-gcm for 3s on 64 size blocks: 3672554 aes-128-gcm's in 3.02s
                              Doing aes-128-gcm for 3s on 256 size blocks: 960619 aes-128-gcm's in 3.00s
                              Doing aes-128-gcm for 3s on 1024 size blocks: 246105 aes-128-gcm's in 3.03s
                              Doing aes-128-gcm for 3s on 8192 size blocks: 31427 aes-128-gcm's in 3.08s
                              Doing aes-128-gcm for 3s on 16384 size blocks: 15772 aes-128-gcm's in 3.09s
                              OpenSSL 1.1.1a-freebsd 20 Nov 2018
                              built on: reproducible build, date unspecified
                              options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr)
                              compiler: clang
                              The 'numbers' are in 1000s of bytes per second processed.
                              type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
                              aes-128-gcm 65904.02k 77740.47k 81972.82k 83137.82k 83638.57k 83525.96k

                              • JeGrJ
                                JeGr LAYER 8 Moderator
                                last edited by

                                Of course it's slow, the ENV command disables AES-NI. Did you read what @viragomann or @jimp wrote?

                                @viragomann said in openvpn no option for AES-NI:

                                Run openssl speed without stating an engine.
                                openssl speed -elapsed -evp aes-128-gcm

                                Then run it again with AES-NI turned off:
                                OPENSSL_ia32cap="-0x200000200000000" openssl speed -elapsed -evp aes-128-gcm

                                So of course your test with the ENV in front is slow:

                                @yon-0 said in openvpn no option for AES-NI:

                                env OPENSSL_ia32cap="-0x200000200000000" openssl speed -elapsed -evp aes-128-gcm

                                ...
                                aes-128-gcm 65904.02k 77740.47k 81972.82k 83137.82k 83638.57k 83525.96k

                                compared to the one before without the ENV trigger:

                                openssl speed -elapsed -evp aes-128-gcm
                                ...
                                aes-128-gcm 223257.45k 683793.45k 1276418.05k 1592591.84k 1677789.34k 1686279.07k

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.