Netgate Discussion Forum

AES-NI not selectable and graph weirdness

2.4 Development Snapshots
5 Posts 3 Posters 1.2k Views
    BlackDwarf
    last edited by Jan 2, 2017, 7:31 PM

    Upgraded my 2.3.2 to 2.4 to test out the new OVPN 2.4 stuff. AES-NI is selected in the System>Advanced>Miscellaneous Crypto section, however my PIA OpenVPN client has no hardware crypto options available? This has had the effect of reducing my VPN throughput from 250Mbps+ on 2.3.2 (I have a 300/20 connection), to <100Mbps connected to the same server. I also use "fast-io; sndbuf 524288; rcvbuf 524288" in my advanced config, these haven't been tweaked at all, have they?

    Also, the new traffic graph is really nice, but I notice switching tabs in Chrome (on v55.0.2883.87 m) resets the graph like reloading the page. Is this intended?

      athurdent
      last edited by Jan 3, 2017, 9:54 AM Jan 3, 2017, 6:13 AM

      IIRC if you want to use AES-NI acceleration on 2.3x you just turn it on for your system, OpenVPN conf does not have to be changed. At least on my C2758 board OpenVPN actually slows down with AES-NI enabled.
      According to this:
      https://community.openvpn.net/openvpn/ticket/301
      with OpenVPN 2.4 the newly introduced AES-GCM modes should be utilizing AES-NI, maybe give AES-256-GCM a try?

        BlackDwarf
        last edited by Jan 3, 2017, 11:26 AM

        Thanks for the reply. Unfortunately PIA does not support GCM.

        There should definitely be "AES-NI" available as an OpenVPN setting as the text in System>Advanced>Miscellaneous>Crypto says "OpenVPN should be set for AES-128-CBC and have cryptodev enabled for hardware acceleration". Trying to add a new OVPN client profile still shows "No Hardware Crypto Accelleration" as the only option.

        My dashboard shows:

        CPU Type	Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
                        4 CPUs: 1 package(s) x 2 core(s) x 2 hardware threads
        Hardware crypto	AES-CBC,AES-XTS,AES-GCM,AES-ICM
        

        So it knows the capabilities of my assigned CPU, and as far as I'm aware, the module is loaded, but it's still not selectable.

          Pippin
          last edited by Jan 3, 2017, 11:45 AM

          For OpenVPN do not select any module, no need and there was no need in the past too.
          OpenSSL version 1.x and up automatically uses AES-NI if available.

          I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
          Halton Arp

            athurdent
            last edited by Jan 3, 2017, 11:53 AM

            Nothing needs selected for OpenVPN to utilize AES-NI. The OpenSSL engine has its own code for handling AES-NI that works well without using the BSD Cryptodev Engine.

            Source: https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported#OpenVPN

            Not sure where "OpenVPN should be set for AES-128-CBC and have cryptodev enabled for hardware acceleration" comes from, I think it might be valid for ALIX boards with "Geode LX Security Block" selected.

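Added example, not part of the original thread and not pfSense or OpenSSL project code: a shell check for the point made in the last two replies, that OpenSSL uses AES-NI on its own without cryptodev. It compares `openssl speed` for AES-128-CBC with and without the AES-NI capability bits masked through `OPENSSL_ia32cap`; the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example; sample values below are constructed, not captured output.
SAMPLE_FEATURES='Features2=0x1fbee3ff<SSE3,PCLMULQDQ,SSSE3,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX>'
SAMPLE_ON='aes-128-cbc  601000.10k  655000.20k  670000.30k  675000.40k  676000.50k'
SAMPLE_OFF='aes-128-cbc  180000.10k  195000.20k  200000.30k  201000.40k  202000.50k'

# cpu_has_aesni FEATURE_TEXT: succeed if the CPU feature list names AES-NI.
# Accepts a FreeBSD dmesg "Features2=...<...,AESNI,...>" line or Linux cpuinfo flags ("aes").
cpu_has_aesni() {
    printf '%s\n' "$1" | tr '<>,' '   ' | tr '[:upper:]' '[:lower:]' |
        grep -Eqw 'aesni|aes'
}

# speed_kbs SPEED_OUTPUT: print the largest-block throughput (1000s of bytes/s)
# from the aes-128-cbc result row of `openssl speed`.
speed_kbs() {
    printf '%s\n' "$1" |
        awk 'tolower($1) == "aes-128-cbc" { v = $NF; sub(/k$/, "", v); print int(v) }'
}

# speedup_x10 WITH WITHOUT: integer ratio times ten (33 means about 3.3x).
speedup_x10() {
    echo $(( $1 * 10 / $2 ))
}

# run_speed MASK: benchmark AES-128-CBC through EVP, the interface OpenVPN uses.
# A non-empty MASK is passed as OPENSSL_ia32cap to hide CPU capability bits.
run_speed() {
    if [ -n "$1" ]; then
        OPENSSL_ia32cap="$1" openssl speed -elapsed -evp aes-128-cbc 2>/dev/null
    else
        openssl speed -elapsed -evp aes-128-cbc 2>/dev/null
    fi
}

if [ "${1:-}" = "--live" ]; then
    # ~0x200000200000000 clears the AES-NI and PCLMULQDQ bits for this process only.
    with=$(speed_kbs "$(run_speed "")")
    without=$(speed_kbs "$(run_speed "~0x200000200000000")")
    echo "AES-NI available: ${with}k  masked: ${without}k" \
         "ratio x10: $(speedup_x10 "$with" "$without")"
else
    cpu_has_aesni "$SAMPLE_FEATURES" && echo "sample CPU advertises AES-NI"
    echo "sample ratio x10: $(speedup_x10 "$(speed_kbs "$SAMPLE_ON")" "$(speed_kbs "$SAMPLE_OFF")")"
fi
```

Run with `--live` from the firewall's shell to benchmark the installed OpenSSL. A ratio close to 10 (1.0x) means the unmasked run was not using AES-NI either.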