Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenSSL/OpenVPN Performance - CBC and GCM ciphers

    Scheduled Pinned Locked Moved OpenVPN
    2 Posts 2 Posters 611 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • XentrkX
      Xentrk
      last edited by

      We have had some fun comparing CPU OpenSSL performance in the snbforums.com site recently in the Router thread. I summarized the discussion in a blog post here https://x3mtek.com/openvpn-performance/.

      Likewise, @kvic also posted similar findings in his blog site at https://kazoo.ga/quick-benchmark-cbc-vs-gcm/.

      From the tests, GCM ciphers replace CBC as the go to cipher for OpenVPN speed and performance. Hopefully, your provider has already updated to OpenVPN 2.4 so you can take advantage of the improvements.

      pfSense 2.4.4_2 | Intel i5-3450 @ 3.10GHz  | AES-NI enabled |  pfBlockerNG | Snort
      Blog Site: https://x3mtek.com || GitHub: https://github.com/Xentrk

      1 Reply Last reply Reply Quote 0
      • B
        bcruze
        last edited by

        can you list providers that have moved to this cipher?

        i am still using CBC with no issues

        also this: https://www.netgate.com/blog/more-on-aes-ni.html

        "AES-GCM in particular has problems with side-channel attacks on pure software implementations. ChaCha20, which nicely avoids these issues when in software, isn’t an option. This is because: a) it’s not RFC-compliant, and b) there are currently no acceleration offloads for it, and the situation is that there could be thousands, or tens of thousands of pfSense instances hitting a single (clustered) instance of our cloud management platform."

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.