HW Acceleration in OpenVPN

arrmo

Hi,

Unfortunately I stored this in redmine intially, wasn't sure of the link between the forum and redmine (different SW projects to it differently). So posting it here.

Trying to use HW acceleration in OpenVPN. Here is what the main pfSense screen shows => HW Accel should be possible (right?)

CPU Type: Intel(R) Core(TM) i5-2450M CPU 2.50GHz
Current: 2500 MHz, Max: 2501 MHz
4 CPUs: 1 package(s) x 2 core(s) x 2 hardware threads
AES-NI CPU Crypto: Yes (active)
Hardware crypto: AES-CBC,AES-XTS,AES-GCM,AES-ICM

So, in OpenVPN I have selected only AES-256-GCM and AES-128-GCM (for my OpenVPN server) … but the only option I have available for Hardware Crypto is No Hardware Crypto Acceleration. This doesn't seem right, does it?

Thanks!

Pippin

Perfectly fine.
OpenVPN makes a call to OpenSSL to do the crypto.
OpenSSL has built-in code that will use hardware acceleration automatically if it`s available.

arrmo

Excellent, thanks! Figured that setting would capture it also, but not a huge issue if not.

Is there a way to check if it's using AES-NI?

VAMike

@arrmo:

Excellent, thanks! Figured that setting would capture it also, but not a huge issue if not.

Is there a way to check if it's using AES-NI?

It's fairly impossible to make it not use AES-NI. In older versions of pfsense you could turn on /dev/crypto to make openvpn slower, but that's been fixed.

johnpoz

Can you not just run an openssl speed test?  This should tell you right away if your using aes-ni should it not?

arrmo

Yep, that should be possible. Hunting around to see if there is a way to force it off and on (HW accel that is), to be able to confirm.

Thanks!

Pippin

With:

openssl speed -elapsed -evp aes-256-gcm -multi 4

Without:

env OPENSSL_ia32cap=0 openssl speed -elapsed -evp aes-256-gcm -multi 4

Edit, changed cbc to gcm.

Derelict

I would be surprised if you saw a difference in speed with AES-NI in use or not with OpenVPN. There is a lot of overhead already there that has nothing to do with crypto operations.

If anything you might see less CPU utilization to accomplish the same speeds but that is more difficult to measure.

arrmo

Thanks for all the help - much appreciated!

Pippin

Welcome.

I`ve not done tests with gcm but with cbc some time ago:
https://forum.pfsense.org/index.php?topic=115627.msg647436#msg647436

Curious for the gcm results…..

VAMike

@Derelict:

I would be surprised if you saw a difference in speed with AES-NI in use or not with OpenVPN. There is a lot of overhead already there that has nothing to do with crypto operations.

If anything you might see less CPU utilization to accomplish the same speeds but that is more difficult to measure.

I would expect a measurable but not dramatic speedup moving to GCM and changing from aes256 to aes128. It's worth doing, but won't fundamentally change the performance characteristics of a machine.