Netgate Discussion Forum
    No BSD Crypto Subsystem support in OpenVPN (pfSense 2.4)

    2.4 Development Snapshots
    13 Posts 6 Posters 3.1k Views
      jwt (Netgate)

      basically, yes.

        chrcoluk

        That's disappointing, I invested in a crypto CPU for better OpenVPN performance, can you please give the reason for this?

        pfSense CE 2.7.2

          Simba7

          @chrcoluk:

          That's disappointing, I invested in a crypto CPU for better OpenVPN performance, can you please give the reason for this?

          Same here. I threw a Broadcom 5823 card into my Checkpoint 9070 to offload some of the crypto operations.

            jimp (Rebel Alliance Developer, Netgate)

            https://redmine.pfsense.org/issues/5976

              chrcoluk

              Right, so it's not actually removed.

              crypto and cryptodev are two separate things, and moving it to a module isn't removing it.

              Thanks for pointing to the link.

              I will be testing OpenVPN sometime this week, so I will post here if it offloads on my hardware.

              You can also see here that the aesni offload is loaded on my pfSense 2.4 box.

              root@PFSENSE ~ # kldstat
              Id Refs Address            Size     Name
               1    8 0xffffffff80200000 2bdc6d8  kernel
               2    1 0xffffffff83021000 589b     fdescfs.ko
               3    1 0xffffffff83027000 79e8     aesni.ko
               4    1 0xffffffff8302f000 2bd2     coretemp.ko
              

              However, on a FreeBSD server I also have the crypto module loaded.

              10    2 0xffffffff81e7f000 35110    crypto.ko
              11    1 0xffffffff81eb5000 5a30     aesni.ko
              

              But it's included in the kernel on pfSense, so not an issue as far as I can tell.

              root@PFSENSE ~ # kldload crypto
              kldload: can't load crypto: module already loaded or in kernel
              

              cryptodev slows things down, so don't put it back in the kernel.

                VAMike

                @Simba7:

                @chrcoluk:

                That's disappointing, I invested in a crypto CPU for better OpenVPN performance, can you please give the reason for this?

                Same here. I threw a Broadcom 5823 card into my Checkpoint 9070 to offload some of the crypto operations.

                Sometimes the right answer is to retire obsolete hardware. Most modern CPUs will run rings around a 5823.

                  athurdent

                  @chrcoluk:

                  I will be testing OpenVPN sometime this week, so I will post here if it offloads on my hardware.

                  I'd be very interested in the results and maybe also some iperf tests :)

                    chrcoluk

                    OK, what am I looking for to verify it's working?

                      athurdent

                      Speed :)
                      It would be interesting to know how GCM compares to CBC in terms of performance. To test this I would connect a decent client to my WAN switch and run iperf3 tests (with and without -R) against a server in the LAN, and monitor CPU usage while testing.

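As an added example (not code from anyone in this thread, and not part of pfSense or OpenVPN), here is a small Python script that checks the two things the question above is asking about: whether aesni.ko appears in `kldstat`, as in chrcoluk's listing, and whether the OpenSSL build on the box actually gets an AES-NI speedup on AES-GCM, measured by running `openssl speed -evp aes-256-gcm` once normally and once with the OPENSSL_ia32cap mask that hides the AES-NI and PCLMULQDQ instructions from OpenSSL. The kldstat and openssl speed sample lines embedded in the script are constructed for testing the parsers; the mask value follows OpenSSL's documented capability-vector layout (bit 57 = AES-NI, bit 33 = PCLMULQDQ).

```python
import os
import re
import subprocess

# Constructed sample of `kldstat` output, modelled on the listing posted above.
SAMPLE_KLDSTAT = """\
Id Refs Address            Size     Name
 1    8 0xffffffff80200000 2bdc6d8  kernel
 2    1 0xffffffff83021000 589b     fdescfs.ko
 3    1 0xffffffff83027000 79e8     aesni.ko
"""
# Constructed `openssl speed -evp aes-256-gcm` summary lines (kB/s per block size, 16..8192 bytes).
SAMPLE_SPEED_ON = "aes-256-gcm  512345.67k 1890123.45k 3456789.01k 4012345.67k 4123456.78k"
SAMPLE_SPEED_OFF = "aes-256-gcm  123456.78k  234567.89k  345678.90k  356789.01k  360000.00k"
# OPENSSL_ia32cap mask that clears the AES-NI (bit 57) and PCLMULQDQ (bit 33) feature bits.
NO_AESNI_MASK = "~0x200000200000000"

def loaded_modules(kldstat_text):
    """Module names from kldstat output; the header line is skipped."""
    names = set()
    for line in kldstat_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 5:
            names.add(fields[4])
    return names

def aesni_loaded(kldstat_text):
    """True when aesni.ko is present, i.e. the AES-NI driver is registered with the kernel."""
    return "aesni.ko" in loaded_modules(kldstat_text)

def speed_kbytes(speed_line, column=-1):
    """Throughput (kB/s) from one `openssl speed` summary line; last column = largest block."""
    return float(re.findall(r"([0-9.]+)k", speed_line)[column])

def aesni_speedup(line_with, line_without):
    """How much faster AES-GCM runs with AES-NI enabled than with it masked off."""
    return speed_kbytes(line_with) / speed_kbytes(line_without)

def openssl_speed_line(cipher, env_extra=None):
    """Run `openssl speed -evp <cipher>` and return its summary line (needs openssl on PATH)."""
    env = dict(os.environ, **(env_extra or {}))
    out = subprocess.run(["openssl", "speed", "-evp", cipher],
                         capture_output=True, text=True, env=env).stdout
    return [l for l in out.splitlines() if l.lower().startswith(cipher.lower())][-1]

if __name__ == "__main__":
    with_ni = openssl_speed_line("aes-256-gcm")
    without_ni = openssl_speed_line("aes-256-gcm", {"OPENSSL_ia32cap": NO_AESNI_MASK})
    print("AES-NI speedup at the largest block size: %.1fx" % aesni_speedup(with_ni, without_ni))
```

A ratio close to 1x means OpenSSL is not using the CPU's AES instructions regardless of which kernel modules are loaded; a large ratio confirms the userland crypto path is accelerated.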
                        chrcoluk

                        I do see this line on startup.

                        "Initializing OpenSSL support for engine 'rdrand'"

                          Simba7

                          @VAMike:

                          @Simba7:

                          @chrcoluk:

                          That's disappointing, I invested in a crypto CPU for better OpenVPN performance, can you please give the reason for this?

                          Same here. I threw a Broadcom 5823 card into my Checkpoint 9070 to offload some of the crypto operations.

                          Sometimes the right answer is to retire obsolete hardware. Most modern CPUs will run rings around a 5823.

                          Depends on the wife approval factor. I don't think throwing $300-500 on a new router, not to mention a pair of dual port 10GigE NICs and dual 4 port GigE NICs, would be approved.

                          We are currently utilizing a Checkpoint 9070 box running pfSense, and it has 4x10GigE ports and 10x1GigE ports.

                            athurdent

                            @Simba7:

                            Depends on the wife approval factor. I don't think throwing $300-500 on a new router, not to mention a pair of dual port 10GigE NICs and dual 4 port GigE NICs, would be approved.

                            We are currently utilizing a Checkpoint 9070 box running pfSense, and it has 4x10GigE ports and 10x1GigE ports.

                            Well, $500 seems to be nothing compared to the monthly rates for a 10GB Internet line :)

                            Doesn't that system have at least 2 Xeons? Does it really benefit from offloading crypto for OpenVPN?

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.