Netgate Discussion Forum

    AES-NI not selectable and graph weirdness

    2.4 Development Snapshots
    • BlackDwarf

      Upgraded my 2.3.2 to 2.4 to test out the new OVPN 2.4 stuff. AES-NI is selected in the System>Advanced>Miscellaneous Crypto section, however my PIA OpenVPN client has no hardware crypto options available? This has had the effect of reducing my VPN throughput from 250Mbps+ on 2.3.2 (I have a 300/20 connection), to <100Mbps connected to the same server. I also use "fast-io; sndbuf 524288; rcvbuf 524288" in my advanced config, these haven't been tweaked at all, have they?

      Also, the new traffic graph is really nice, but I notice switching tabs in Chrome (on v55.0.2883.87 m) resets the graph like reloading the page. Is this intended?

      • athurdent

        IIRC if you want to use AES-NI acceleration on 2.3x you just turn it on for your system, OpenVPN conf does not have to be changed. At least on my C2758 board OpenVPN actually slows down with AES-NI enabled.
        According to this:
        https://community.openvpn.net/openvpn/ticket/301
        with OpenVPN 2.4 the newly introduced AES-GCM modes should be utilizing AES-NI, maybe give AES-256-GCM a try?

        • BlackDwarf

          Thanks for the reply. Unfortunately PIA does not support GCM.

          There should definitely be "AES-NI" available as an OpenVPN setting as the text in System>Advanced>Miscellaneous>Crypto says "OpenVPN should be set for AES-128-CBC and have cryptodev enabled for hardware acceleration". Trying to add a new OVPN client profile still shows "No Hardware Crypto Acceleration" as the only option.

          My dashboard shows:

          CPU Type	Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
                          4 CPUs: 1 package(s) x 2 core(s) x 2 hardware threads
          Hardware crypto	AES-CBC,AES-XTS,AES-GCM,AES-ICM
          

          So it knows the capabilities of my assigned CPU, and as far as I'm aware, the module is loaded, but it's still not selectable.

          • Pippin

            For OpenVPN, do not select any module; there is no need, and there was no need in the past either.
            OpenSSL version 1.x and up automatically uses AES-NI if available.

            I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
            Halton Arp

            • athurdent

              Nothing needs selected for OpenVPN to utilize AES-NI. The OpenSSL engine has its own code for handling AES-NI that works well without using the BSD Cryptodev Engine.

              Source: https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported#OpenVPN

              Not sure where "OpenVPN should be set for AES-128-CBC and have cryptodev enabled for hardware acceleration" comes from, I think it might be valid for ALIX boards with "Geode LX Security Block" selected.

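One way to check the point made in the replies above, that OpenSSL picks up AES-NI by itself without any cryptodev selection (an added example, not code from the thread or from pfSense): benchmark AES-128-CBC once normally and once with AES-NI hidden from OpenSSL through its `OPENSSL_ia32cap` capability mask. The function names and the sample result rows are constructed for illustration; without `--live` the script only analyses those sample rows.

```shell
#!/bin/sh
# Added example: does OpenSSL use AES-NI on its own, with no cryptodev engine?
# Compares AES-128-CBC throughput with AES-NI visible and with it masked.

# Value documented in OPENSSL_ia32cap(3): hides AES-NI and PCLMULQDQ from OpenSSL.
NO_AESNI_MASK='~0x200000200000000'

# Read `openssl speed -evp` output on stdin; print the kB/s figure for the
# largest block size (last column of the result row) as an integer.
last_kbps() {
    awk 'tolower($1) ~ /^aes-/ { v = $NF; sub(/k$/, "", v); r = v }
         END { if (r == "") exit 1; printf "%d\n", r }'
}

# Throughput with AES-NI ($1) as a percentage of throughput without it ($2).
speedup_pct() {
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# Run the real benchmark; $1 is an optional capability mask.
bench() {
    if [ -n "${1:-}" ]; then
        OPENSSL_ia32cap="$1" openssl speed -evp aes-128-cbc 2>/dev/null | last_kbps
    else
        openssl speed -evp aes-128-cbc 2>/dev/null | last_kbps
    fi
}

# Constructed sample result rows (illustrative numbers, not measurements).
SAMPLE_WITH='aes-128-cbc  610000.00k  680000.00k  700000.00k  705000.00k  706000.00k'
SAMPLE_WITHOUT='aes-128-cbc  150000.00k  165000.00k  172000.00k  176000.00k  176500.00k'

if [ "${1:-}" = "--live" ]; then
    with=$(bench) && without=$(bench "$NO_AESNI_MASK") || exit 1
else
    with=$(printf '%s\n' "$SAMPLE_WITH" | last_kbps)
    without=$(printf '%s\n' "$SAMPLE_WITHOUT" | last_kbps)
fi
echo "AES-NI visible: ${with} kB/s; masked: ${without} kB/s;" \
     "ratio: $(speedup_pct "$with" "$without")%"
```

Run with `--live` on the firewall itself: a ratio well above 100% means the unmasked run is already using the AES-NI code path, with nothing selected in the OpenVPN settings.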
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.