OpenSSL/OpenVPN Performance - CBC and GCM ciphers



  • We have had some fun comparing CPU OpenSSL performance in the snbforums.com site recently in the Router thread. I summarized the discussion in a blog post here https://x3mtek.com/openvpn-performance/.

    Likewise, @kvic also posted similar findings in his blog site at https://kazoo.ga/quick-benchmark-cbc-vs-gcm/.

    From the tests, GCM ciphers replace CBC as the go to cipher for OpenVPN speed and performance. Hopefully, your provider has already updated to OpenVPN 2.4 so you can take advantage of the improvements.



  • can you list providers that have moved to this cipher?

    i am still using CBC with no issues

    also this: https://www.netgate.com/blog/more-on-aes-ni.html

    “AES-GCM in particular has problems with side-channel attacks on pure software implementations. ChaCha20, which nicely avoids these issues when in software, isn’t an option. This is because: a) it’s not RFC-compliant, and b) there are currently no acceleration offloads for it, and the situation is that there could be thousands, or tens of thousands of pfSense instances hitting a single (clustered) instance of our cloud management platform.”


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy