No BSD Crypto Subsystem support in OpenVPN (pfSense 2.4)

Simba7

thats disappointing, I invested in a crypto cpu for better openvpn performance, can you please give the reason for this?

Same here. I threw a Broadcom 5823 card into my Checkpoint 9070 to offload some of the crypto operations.

jimp

https://redmine.pfsense.org/issues/5976

chrcoluk

right so its not actually removed.

crypto and cryptodev are two separate things and moving it to a module isnt removing it.

thanks for pointing to the link.

I will be testing openvpn sometime this week so I will post here if it offloads on my hardware.

Can also see here the aesni offload is loaded on my pfsense 2.4 box.

root@PFSENSE ~ # kldstat
Id Refs Address            Size     Name
 1    8 0xffffffff80200000 2bdc6d8  kernel
 2    1 0xffffffff83021000 589b     fdescfs.ko
 3    1 0xffffffff83027000 79e8     aesni.ko
 4    1 0xffffffff8302f000 2bd2     coretemp.ko

However on a FreeBSD server I have crypto module also loaded.

10    2 0xffffffff81e7f000 35110    crypto.ko
11    1 0xffffffff81eb5000 5a30     aesni.ko

But its included in kernel on pfsense so not an issue as far as I can tell.

root@PFSENSE ~ # kldload crypto
kldload: can't load crypto: module already loaded or in kernel

cryptodev slows things down, so dont put it back in the kernel.

VAMike

@Simba7:

@chrcoluk:

thats disappointing, I invested in a crypto cpu for better openvpn performance, can you please give the reason for this?

Same here. I threw a Broadcom 5823 card into my Checkpoint 9070 to offload some of the crypto operations.

Sometimes the right answer is to retire obsolete hardware. Most modern CPUs will run rings around a 5823.

athurdent

@chrcoluk:

I will be testing openvpn sometime this week so I will post here if it offloads on my hardware.

I'd be very interested in the results and maybe also some iperf tests :)

chrcoluk

ok what am I looking for to verify its working?

athurdent

Speed :)
Would be interesting to know how GCM compares to CBC in terms of performance. To test this I would connect a decent Client to my WAN switch and run iperf3 tests (with and without -R) against a server in LAN. And monitor CPU usage while testing.

chrcoluk

I do see this line on startup.

"Initializing OpenSSL support for engine 'rdrand'"

Simba7

@VAMike:

@Simba7:

@chrcoluk:

thats disappointing, I invested in a crypto cpu for better openvpn performance, can you please give the reason for this?

Same here. I threw a Broadcom 5823 card into my Checkpoint 9070 to offload some of the crypto operations.

Sometimes the right answer is to retire obsolete hardware. Most modern CPUs will run rings around a 5823.

Depends on the wife approval factor. I don't think throwing $300-500 on a new router, not to mention a pair of dual port 10GigE NICs and dual 4 port GigE NICs, would be approved.

We currently are utilizing a Checkpoint 9070 box running pfSense and it has 4x10GigE ports and 10x1GigE ports.

athurdent

@Simba7:

Depends on the wife approval factor. I don't think throwing $300-500 on a new router, not to mention a pair of dual port 10GigE NICs and dual 4 port GigE NICs, would be approved.

We currently are utilizing a Checkpoint 9070 box running pfSense and it has 4x10GigE ports and 10x1GigE ports.

Well 500$ seem to be nothing compared to the monthy rates for a 10GB Internet line :)

Doesn't that system have at least 2 Xeons? Does it really benefit from offloading crypto for OpenVPN?