HW Acceleration in OpenVPN



  • Hi,

    Unfortunately I stored this in redmine initially, wasn't sure of the link between the forum and redmine (different SW projects do it differently). So posting it here.

    Trying to use HW acceleration in OpenVPN. Here is what the main pfSense screen shows => HW Accel should be possible (right?)

    CPU Type: Intel(R) Core(TM) i5-2450M CPU 2.50GHz
    Current: 2500 MHz, Max: 2501 MHz
    4 CPUs: 1 package(s) x 2 core(s) x 2 hardware threads
    AES-NI CPU Crypto: Yes (active)
    Hardware crypto: AES-CBC,AES-XTS,AES-GCM,AES-ICM
    

    So, in OpenVPN I have selected only AES-256-GCM and AES-128-GCM (for my OpenVPN server) … but the only option I have available for Hardware Crypto is No Hardware Crypto Acceleration. This doesn't seem right, does it?

    Thanks!



  • Perfectly fine.
    OpenVPN makes a call to OpenSSL to do the crypto.
    OpenSSL has built-in code that will use hardware acceleration automatically if it's available.



  • Excellent, thanks! Figured that setting would capture it also, but not a huge issue if not.

    Is there a way to check if it's using AES-NI?



  • @arrmo:

    Excellent, thanks! Figured that setting would capture it also, but not a huge issue if not.

    Is there a way to check if it's using AES-NI?

    It's fairly impossible to make it not use AES-NI. In older versions of pfsense you could turn on /dev/crypto to make openvpn slower, but that's been fixed.


  • LAYER 8 Global Moderator

    Can you not just run an openssl speed test? This should tell you right away if you're using aes-ni should it not?



  • Yep, that should be possible. Hunting around to see if there is a way to force it off and on (HW accel that is), to be able to confirm.

    Thanks!



  • With:

    openssl speed -elapsed -evp aes-256-gcm -multi 4
    

    Without:

    env OPENSSL_ia32cap=0 openssl speed -elapsed -evp aes-256-gcm -multi 4
    

    Edit, changed cbc to gcm.
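
Added example (not part of the original post): a small sh helper that turns the two `openssl speed` runs above into a single with/without ratio. The function names are hypothetical and the sample output is constructed, not measured. It assumes the result row starts with the cipher name and that the last column is the largest block size.

```shell
#!/bin/sh
# Added example (not from the thread): compare two `openssl speed -evp` runs.

# Read `openssl speed` output on stdin; print the largest-block-size figure
# (last column, in 1000s of bytes/s) from the result row for cipher $1.
last_col_kbytes() {
    awk -v c="$1" 'tolower($1) == tolower(c) && $NF ~ /^[0-9.]+k$/ {
        v = $NF; sub(/k$/, "", v); r = v
    } END { if (r == "") exit 1; print r }'
}

# speedup CIPHER WITH_FILE WITHOUT_FILE: print the with/without ratio.
speedup() {
    with=$(last_col_kbytes "$1" < "$2") || return 1
    without=$(last_col_kbytes "$1" < "$3") || return 1
    awk -v a="$with" -v b="$without" \
        'BEGIN { if (b <= 0) exit 1; printf "%.2f\n", a / b }'
}

# Constructed sample output (illustrative numbers, not measurements).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/with" <<'EOF'
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-gcm     500000.00k  1000000.00k  1500000.00k  1900000.00k  2000000.00k
EOF
    cat > "$d/without" <<'EOF'
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-gcm     200000.00k   300000.00k   350000.00k   390000.00k   400000.00k
EOF
    speedup aes-256-gcm "$d/with" "$d/without"; rc=$?
    rm -rf "$d"
    return "$rc"
}

# Live run with the two commands from the post above; call it by hand.
run_live() {
    d=$(mktemp -d) || return 1
    openssl speed -elapsed -evp aes-256-gcm -multi 4 > "$d/with" 2>/dev/null
    env OPENSSL_ia32cap=0 openssl speed -elapsed -evp aes-256-gcm -multi 4 \
        > "$d/without" 2>/dev/null
    speedup aes-256-gcm "$d/with" "$d/without"; rc=$?
    rm -rf "$d"
    return "$rc"
}
```

A ratio close to 1.00 from `run_live` means masking the CPU capability bits made no difference on that machine; a ratio well above 1 means the accelerated code path is the one normally in use.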


  • LAYER 8 Netgate

    I would be surprised if you saw a difference in speed with AES-NI in use or not with OpenVPN. There is a lot of overhead already there that has nothing to do with crypto operations.

    If anything you might see less CPU utilization to accomplish the same speeds but that is more difficult to measure.



  • Thanks for all the help - much appreciated!



  • Welcome.

    I've not done tests with gcm but with cbc some time ago:
    https://forum.pfsense.org/index.php?topic=115627.msg647436#msg647436

    Curious for the gcm results…..



  • @Derelict:

    I would be surprised if you saw a difference in speed with AES-NI in use or not with OpenVPN. There is a lot of overhead already there that has nothing to do with crypto operations.

    If anything you might see less CPU utilization to accomplish the same speeds but that is more difficult to measure.

    I would expect a measurable but not dramatic speedup moving to GCM and changing from aes256 to aes128. It's worth doing, but won't fundamentally change the performance characteristics of a machine.

