OpenSSL/OpenVPN Performance - CBC and GCM ciphers
-
We have had some fun comparing CPU OpenSSL performance on the snbforums.com site recently in the Router thread. I summarized the discussion in a blog post here: https://x3mtek.com/openvpn-performance/.
Likewise, @kvic also posted similar findings on his blog site at https://kazoo.ga/quick-benchmark-cbc-vs-gcm/.
From the tests, GCM ciphers replace CBC as the go-to cipher for OpenVPN speed and performance. Hopefully, your provider has already updated to OpenVPN 2.4 so you can take advantage of the improvements.
-
Can you list providers that have moved to this cipher?
I am still using CBC with no issues.
Also this: https://www.netgate.com/blog/more-on-aes-ni.html
"AES-GCM in particular has problems with side-channel attacks on pure software implementations. ChaCha20, which nicely avoids these issues when in software, isn’t an option. This is because: a) it’s not RFC-compliant, and b) there are currently no acceleration offloads for it, and the situation is that there could be thousands, or tens of thousands of pfSense instances hitting a single (clustered) instance of our cloud management platform."