No BSD Crypto Subsystem support in OpenVPN (pfSense 2.4)



  • I am currently configuring pfSense on my router with a Broadcom 5823 accelerator card. It is being detected, but the option is not available in OpenVPN within pfSense 2.4.

    ubsec0 mem 0xfcbf0000-0xfcbfffff irq 19 at device 15.0 on pci16
    ubsec0: Broadcom 5823

    Has this feature been removed in 2.4?


  • Netgate

    basically, yes.



  • That's disappointing, I invested in a crypto CPU for better OpenVPN performance. Can you please give the reason for this?



  • @chrcoluk:

    That's disappointing, I invested in a crypto CPU for better OpenVPN performance. Can you please give the reason for this?

    Same here. I threw a Broadcom 5823 card into my Checkpoint 9070 to offload some of the crypto operations.


  • Rebel Alliance Developer Netgate



  • Right, so it's not actually removed.

    crypto and cryptodev are two separate things, and moving it to a module isn't removing it.

    thanks for pointing to the link.

    I will be testing OpenVPN sometime this week, so I will post here if it offloads on my hardware.

    You can also see here that the aesni offload is loaded on my pfSense 2.4 box.

    root@PFSENSE ~ # kldstat
    Id Refs Address            Size     Name
     1    8 0xffffffff80200000 2bdc6d8  kernel
     2    1 0xffffffff83021000 589b     fdescfs.ko
     3    1 0xffffffff83027000 79e8     aesni.ko
     4    1 0xffffffff8302f000 2bd2     coretemp.ko
    

    However, on a FreeBSD server I have the crypto module also loaded.

    10    2 0xffffffff81e7f000 35110    crypto.ko
    11    1 0xffffffff81eb5000 5a30     aesni.ko
    

    But it's included in the kernel on pfSense, so not an issue as far as I can tell.

    root@PFSENSE ~ # kldload crypto
    kldload: can't load crypto: module already loaded or in kernel
    

    cryptodev slows things down, so don't put it back in the kernel.



  • @Simba7:

    @chrcoluk:

    That's disappointing, I invested in a crypto CPU for better OpenVPN performance. Can you please give the reason for this?

    Same here. I threw a Broadcom 5823 card into my Checkpoint 9070 to offload some of the crypto operations.

    Sometimes the right answer is to retire obsolete hardware. Most modern CPUs will run rings around a 5823.



  • @chrcoluk:

    I will be testing openvpn sometime this week so I will post here if it offloads on my hardware.

    I'd be very interested in the results and maybe also some iperf tests :)



  • OK, what am I looking for to verify it's working?



  • Speed :)
    Would be interesting to know how GCM compares to CBC in terms of performance. To test this I would connect a decent client to my WAN switch and run iperf3 tests (with and without -R) against a server in the LAN, and monitor CPU usage while testing.
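    As an added example (not code from this thread or from pfSense), the two checks discussed above, "is aesni.ko loaded and is opencrypto in the kernel" and "is the CPU's AES-NI actually being used for the cipher OpenVPN will run", as a small POSIX shell script. It assumes the FreeBSD kldstat(8) output format shown in the thread, an OpenSSL build whose `speed` command accepts `-seconds`, and that OpenSSL honours the OPENSSL_ia32cap environment variable (bit 57 = AES-NI, bit 33 = PCLMULQDQ) for masking instructions off.

```shell
#!/bin/sh
# check_offload.sh: does this pfSense/FreeBSD box really use AES-NI for OpenVPN's cipher?
# Added example, not part of the thread or pfSense. See assumptions in the lead-in.

# module_loaded NAME: read kldstat(8) output on stdin; succeed if NAME.ko is listed.
# Skips the header line and matches the last column (the module file name) exactly.
module_loaded() {
    awk -v want="$1.ko" 'NR > 1 && $NF == want { found = 1 } END { exit !found }'
}

# crypto_in_kernel: on pfSense "kldload crypto" answers "already loaded or in kernel",
# which is exactly the proof that the opencrypto framework is present.
crypto_in_kernel() {
    kldload crypto 2>&1 | grep -q 'already loaded or in kernel'
}

# evp_kbps CIPHER: OpenSSL bulk throughput (kbytes/s, largest block size) for CIPHER,
# using the EVP path that OpenVPN itself goes through. 1 second per block size.
evp_kbps() {
    openssl speed -elapsed -seconds 1 -evp "$1" 2>/dev/null \
        | awk -v c="$1" '$1 == c { sub(/k$/, "", $NF); print $NF }'
}

# aesni_speedup CIPHER: throughput with AES-NI enabled divided by throughput with
# AES-NI and PCLMULQDQ masked off via OPENSSL_ia32cap. A ratio well above 1 means
# the CPU instructions are in use; ~1 means software AES (or an unsupported CPU).
aesni_speedup() {
    cipher="${1:-aes-256-gcm}"
    with=$(evp_kbps "$cipher")
    without=$(OPENSSL_ia32cap="~0x200000200000000" evp_kbps "$cipher")
    awk -v a="$with" -v b="$without" 'BEGIN { if (b > 0) printf "%.2f\n", a / b }'
}

# Usage on the firewall: sh check_offload.sh --run  (functions can also be sourced)
if [ "${1:-}" = "--run" ]; then
    if kldstat | module_loaded aesni; then echo "aesni.ko: loaded"; else echo "aesni.ko: NOT loaded"; fi
    if crypto_in_kernel; then echo "opencrypto: in kernel"; else echo "opencrypto: missing"; fi
    for c in aes-256-gcm aes-256-cbc; do
        echo "$c AES-NI speedup: $(aesni_speedup "$c")x"
    done
fi
```

    Compare the GCM and CBC ratios with the iperf3 numbers: if the speedup is there but the tunnel is still slow, the bottleneck is elsewhere (tun/tap copies, single OpenVPN thread), not the cipher.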



  • I do see this line on startup.

    "Initializing OpenSSL support for engine 'rdrand'"



  • @VAMike:

    @Simba7:

    @chrcoluk:

    That's disappointing, I invested in a crypto CPU for better OpenVPN performance. Can you please give the reason for this?

    Same here. I threw a Broadcom 5823 card into my Checkpoint 9070 to offload some of the crypto operations.

    Sometimes the right answer is to retire obsolete hardware. Most modern CPUs will run rings around a 5823.

    Depends on the wife approval factor. I don't think throwing $300-500 on a new router, not to mention a pair of dual port 10GigE NICs and dual 4 port GigE NICs, would be approved.

    We currently are utilizing a Checkpoint 9070 box running pfSense and it has 4x10GigE ports and 10x1GigE ports.



  • @Simba7:

    Depends on the wife approval factor. I don't think throwing $300-500 on a new router, not to mention a pair of dual port 10GigE NICs and dual 4 port GigE NICs, would be approved.

    We currently are utilizing a Checkpoint 9070 box running pfSense and it has 4x10GigE ports and 10x1GigE ports.

    Well, $500 seems to be nothing compared to the monthly rates for a 10GB Internet line :)

    Doesn't that system have at least 2 Xeons? Does it really benefit from offloading crypto for OpenVPN?

