Netgate Discussion Forum
    Unclear cryptographic practical use for OpenVPN

    Documentation
    MarcoP

      Hello,

      My native language is not English, and this is probably why the document seems erroneous to me.

      https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

      Practical Use - OpenVPN

      To take advantage of acceleration in OpenVPN, choose a supported cipher such as aes-128-cbc on each end of a given tunnel, then select BSD Cryptodev Engine for Hardware Crypto.

      Similarly, if the system employs the VIA Padlock engine, choose an appropriate cipher and select VIA Padlock for Hardware Crypto.

      Nothing needs selected for OpenVPN to utilize AES-NI. The OpenSSL engine has its own code for handling AES-NI that works well without using the BSD Cryptodev Engine.

      In the first paragraph it says to select cryptodev, but the 3rd one says it has its own code that works well without cryptodev.

      O.T.:
      I do have AES-NI support and it is selected under Advanced - Miscellaneous config, but on my OpenVPN Server edit page I cannot select any crypto engine at all.
      As I don't remember the previous Server config (I have XML backups, so I can find the answer), I thought to have a look at the docs for any mistake on my side, or for issues caused by upgrading from 2.3.4-p1 to 2.4.0-RC (amd64).

      Cheers

      MarcoP

        After some reading, I understood that OpenSSL does have AES-NI built in and will try to use it when available on the chip; it doesn't need any kernel module to be loaded.

        I believe the documentation should include the above info, and clarify possible scenarios on Advanced - Miscellaneous - Cryptographic Hardware settings, for example:

        With an AES-NI chip:
        When "none" or "AES-NI CPU": OpenVPN will use OpenSSL's built-in AES-NI support.
        When "BSD cryptodev": OpenVPN will use AES-NI through BSD Cryptodev.

        … that is if I actually understood correctly.

        Cheers

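One way to confirm the point made in the reply above (OpenSSL's own AES-NI code path is active without any cryptodev module), as an added example that is not from this thread or from the pfSense docs: compare `openssl speed` throughput with AES-NI allowed and with it masked off through the OPENSSL_ia32cap environment variable. It assumes the `openssl` CLI is on PATH; the mask value `~0x200000200000000` is OpenSSL's documented way to clear the AES-NI and PCLMULQDQ capability bits.

```shell
#!/bin/sh
# Added example: check that OpenSSL itself accelerates AES with AES-NI,
# independent of the pfSense "Cryptographic Hardware" setting.

# Extract the 16384-byte-block throughput (kB/s, integer) from the
# summary line that 'openssl speed -evp <cipher>' prints last, e.g.
#   aes-128-cbc  665419.35k  711204.10k ... 734932.99k
throughput_16k() {
    printf '%s\n' "$1" | awk '{ sub(/k$/, "", $NF); print int($NF) }'
}

# Integer ratio of two throughput values; 0 if the divisor is unusable.
speedup() {
    [ "$2" -gt 0 ] 2>/dev/null || { echo 0; return; }
    echo $(( $1 / $2 ))
}

# Live measurement (takes roughly 20 s per run with default settings):
# run 'openssl speed' with AES-NI available, then with the AES-NI and
# PCLMULQDQ CPU capability bits masked so OpenSSL falls back to its
# software AES implementation. A ratio well above 1 means the OpenSSL
# engine is using AES-NI on its own, with no kernel module involved.
measure_aesni_speedup() {
    with=$(openssl speed -evp aes-128-cbc 2>/dev/null | tail -n 1)
    without=$(OPENSSL_ia32cap="~0x200000200000000" \
              openssl speed -evp aes-128-cbc 2>/dev/null | tail -n 1)
    speedup "$(throughput_16k "$with")" "$(throughput_16k "$without")"
}

# Run the live check only when explicitly asked: sh this.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "AES-NI speedup factor for aes-128-cbc: $(measure_aesni_speedup)x"
fi
```

If the factor is close to 1 on a CPU that advertises AES-NI, the OpenSSL build in use is not picking up the instruction set, which is a separate problem from the OpenVPN engine selection discussed above.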
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.