PC Engines apu2c4 OpenVPN performance tests
-
Hi all,
Recently I posted performance results of tests I did with an laptop, a server and a PC Engines apu2c4. Today I edited the pastebin link, so the format to view is better. Please have a look at the URL http://pastebin.com/8bAgxRaR if OpenVPN performance has interest to you. I found it quite surprising that performance was better with hardware crypto off.
-
Hi all,
Recently I posted performance results of tests I did with an laptop, a server and a PC Engines apu2c4. Today I edited the pastebin link, so the format to view is better. Please have a look at the URL http://pastebin.com/8bAgxRaR if OpenVPN performance has interest to you. I found it quite surprising that performance was better with hardware crypto off.
You can't (easily) turn off AES-NI in openvpn, it's always on. If you enable AES-NI through cryptodev it will usually be slower on any hardware (not specific to the APU2). It would be very nice if pfsense had a better UI to enable AES-NI in the kernel for IPSEC without enabling cryptodev (which slows down openvpn unless you have some rather exotic hardware). The current UI is not particularly intuitive.
-
Try again on a 2.4 snapshot with AES-CGM selected in OpenVPN
-
Try again on a 2.4 snapshot with AES-CGM selected in OpenVPN
At the moment the fact that cryptodev doesn't do AES-GCM papers over the UI issues. If GCM gets implemented in aesni.ko+cryptodev then that mode that will get slowed down also…
-
cryptodev will be a loadable module on 2.4 like aesni, and the two shouldn't be loaded together. There won't be a problem there.
Check the 2.4 board and the pfSense subreddit. There are people seeing significant gains. Though with OpenVPN there is only so much that can be done due to its design.
-
Check the 2.4 board and the pfSense subreddit. There are people seeing significant gains.
That was expected, GCM is much easier to optimize in hardware than CBC+SHA. The thing to watch for now is avoiding the trap of optimizing for the benchmark by introducing large (easily pipelined) blocks and creating a bufferbloat problem. (I've already seen some openvpn tuning suggestions going that way.)
-
-
https://forum.pfsense.org/index.php?board=69.0
-
Try again on a 2.4 snapshot with AES-CGM selected in OpenVPN
There doesn't seem to be a 2.4 snapshot for NanoBSD (embedded) / apu2c4 . At least not where I looked: https://snapshots.pfsense.org/ .
-
There is no NanoBSD on 2.4. Use a full install (even if you have an SD card). Install from the serial memstick.
-
https://forum.pfsense.org/index.php?board=69.0
ah, board more in a forum sense than in a hardware sense :). thank you.
-
https://forum.pfsense.org/index.php?board=69.0
ah, board more in a forum sense than in a hardware sense :). thank you.
Were you able to test with a recent build of 2.4? Looking for updated numbers on the apu2c4 if available.
Looks like current OpenVPN throughput is ~ 71mbps from your tests using iperf which gives a more real-world number than just local raw benchmarks. Has anyone seen higher on this hardware?
