Netgate Discussion Forum

    No BSD Crypto Subsystem support in OpenVPN (pfSense 2.4)

    2.4 Development Snapshots
    • S
      Simba7

      @chrcoluk:

      That's disappointing, I invested in a crypto CPU for better OpenVPN performance, can you please give the reason for this?

      Same here. I threw a Broadcom 5823 card into my Checkpoint 9070 to offload some of the crypto operations.

      • jimpJ
        jimp Rebel Alliance Developer Netgate

        https://redmine.pfsense.org/issues/5976

        • C
          chrcoluk

          Right, so it's not actually removed.

          crypto and cryptodev are two separate things, and moving it to a module isn't removing it.

          Thanks for pointing to the link.

          I will be testing OpenVPN sometime this week, so I will post here if it offloads on my hardware.

          I can also see here that the aesni offload is loaded on my pfSense 2.4 box.

          root@PFSENSE ~ # kldstat
          Id Refs Address            Size     Name
           1    8 0xffffffff80200000 2bdc6d8  kernel
           2    1 0xffffffff83021000 589b     fdescfs.ko
           3    1 0xffffffff83027000 79e8     aesni.ko
           4    1 0xffffffff8302f000 2bd2     coretemp.ko
          

          However, on a FreeBSD server I have the crypto module also loaded.

          10    2 0xffffffff81e7f000 35110    crypto.ko
          11    1 0xffffffff81eb5000 5a30     aesni.ko
          

          But it's included in the kernel on pfSense, so it's not an issue as far as I can tell.

          root@PFSENSE ~ # kldload crypto
          kldload: can't load crypto: module already loaded or in kernel
          

          cryptodev slows things down, so don't put it back in the kernel.

          pfSense CE 2.7.2
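
The check made in the post above, written out as an added example (not part of the original thread or of pfSense): it combines the `kldstat` file list with the message `kldload` prints to tell a loaded `.ko` from a component compiled into the kernel. The function names are hypothetical; the sample data is copied from the post.

```shell
#!/bin/sh
# Added example: classify how a FreeBSD kernel component is present, using
# the two observations from the post: the kldstat file list and the message
# kldload prints when asked to load the component.

# Sample data copied from the post above (pfSense 2.4 box).
KLDSTAT_SAMPLE='Id Refs Address            Size     Name
 1    8 0xffffffff80200000 2bdc6d8  kernel
 2    1 0xffffffff83021000 589b     fdescfs.ko
 3    1 0xffffffff83027000 79e8     aesni.ko
 4    1 0xffffffff8302f000 2bd2     coretemp.ko'
KLDLOAD_CRYPTO_MSG="kldload: can't load crypto: module already loaded or in kernel"

# listed_as_file NAME KLDSTAT_TEXT -> exit 0 if NAME.ko is in the file list.
# The header line (NR == 1) is skipped; the file name is the fifth column.
listed_as_file() {
    printf '%s\n' "$2" |
        awk -v f="$1.ko" 'NR > 1 && $5 == f { found = 1 } END { exit !found }'
}

# classify NAME KLDSTAT_TEXT KLDLOAD_MSG -> prints one of:
#   module     NAME.ko appears in the kldstat file list
#   in-kernel  not listed as a file, but kldload reports it already present
#   unknown    neither observation shows it
classify() {
    if listed_as_file "$1" "$2"; then
        echo module
    else
        case "$3" in
            *"can't load $1: module already loaded or in kernel"*) echo in-kernel ;;
            *) echo unknown ;;
        esac
    fi
}

classify aesni "$KLDSTAT_SAMPLE" ""
classify crypto "$KLDSTAT_SAMPLE" "$KLDLOAD_CRYPTO_MSG"
classify cryptodev "$KLDSTAT_SAMPLE" ""
```

On a live system, `kldstat -v` lists the modules contained in each file, including those built into `kernel`, which removes the need to infer from the `kldload` message.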

          • V
            VAMike

            @Simba7:

            @chrcoluk:

            That's disappointing, I invested in a crypto CPU for better OpenVPN performance, can you please give the reason for this?

            Same here. I threw a Broadcom 5823 card into my Checkpoint 9070 to offload some of the crypto operations.

            Sometimes the right answer is to retire obsolete hardware. Most modern CPUs will run rings around a 5823.

            • A
              athurdent

              @chrcoluk:

              I will be testing OpenVPN sometime this week, so I will post here if it offloads on my hardware.

              I'd be very interested in the results and maybe also some iperf tests :)

              • C
                chrcoluk

                OK, what am I looking for to verify it's working?

                • A
                  athurdent

                  Speed :)
                  Would be interesting to know how GCM compares to CBC in terms of performance. To test this I would connect a decent client to my WAN switch and run iperf3 tests (with and without -R) against a server in LAN, and monitor CPU usage while testing.

                  • C
                    chrcoluk

                    I do see this line on startup.

                    "Initializing OpenSSL support for engine 'rdrand'"

                    • S
                      Simba7

                      @VAMike:

                      @Simba7:

                      @chrcoluk:

                      That's disappointing, I invested in a crypto CPU for better OpenVPN performance, can you please give the reason for this?

                      Same here. I threw a Broadcom 5823 card into my Checkpoint 9070 to offload some of the crypto operations.

                      Sometimes the right answer is to retire obsolete hardware. Most modern CPUs will run rings around a 5823.

                      Depends on the wife approval factor. I don't think throwing $300-500 on a new router, not to mention a pair of dual port 10GigE NICs and dual 4 port GigE NICs, would be approved.

                      We currently are utilizing a Checkpoint 9070 box running pfSense and it has 4x10GigE ports and 10x1GigE ports.

                      • A
                        athurdent

                        @Simba7:

                        Depends on the wife approval factor. I don't think throwing $300-500 on a new router, not to mention a pair of dual port 10GigE NICs and dual 4 port GigE NICs, would be approved.

                        We currently are utilizing a Checkpoint 9070 box running pfSense and it has 4x10GigE ports and 10x1GigE ports.

                        Well, $500 seems to be nothing compared to the monthly rates for a 10GB Internet line :)

                        Doesn't that system have at least 2 Xeons? Does it really benefit from offloading crypto for OpenVPN?

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.