Hardware Crypto Accelerator OpenVPN



  • I currently have a Silicom HW Accelerator Crypto Compression PCI Express Server Adapter (PE2iSCC2) in my Supermicro X10SDV-TP8F Server running 2.4.4p2.

    I'm setting up OpenVPN and within the "Cryptographic Settings" / "Hardware Crypto" there are three options:
    - No Hardware Crypto Acceleration
    - BSD Cryptodev Engine
    - Intel RDRAND Engine

    This is only a single Road-Warrior setup for home access and I know I might not need the acceleration. I'd just like to use the Crypto Acceleration Adapter if possible just because I have it. So not the first one :)
    But out of the other two, I'm trying to find which would be the one to go with for the Adapter I have above?

    Thanks in advance for any help....


  • Netgate Administrator

    That adapter is Intel Quick Assist from the early gen 'Cave Creek'. Unfortunately there is no FreeBSD driver for it and it looks like there never will be. It's very unlikely that will ever work in pfSense. ☹

    https://mobile.twitter.com/gonzopancho/status/885862474712526848

    Steve



  • @stephenw10
    Boooo... lol.
    Thanks for the info !!! After posting this I was seeing mixed info about it when Googling it. I just had no knowledge or way of seeing if pfSense was seeing the adapter or testing for it.

    I’m running a Supermicro X10SDV-TP8F with a Xeon D-1518 32GB RAM.

    I was seeing that this Processor supports it and that the “HW Accelerator Crypto PCI-E Adapter (PE2iSCC2)” card that had come with the Server did, so I just thought the Adapter Card would be good to go with pfSense/BSD.... dang !!! So be it.

    I'll just go to System/Advanced/Miscellaneous
    and choose “AES-NI CPU-based Acceleration” and then “No Hardware Crypto Acceleration” for the OpenVPN Hardware Crypto section.

    Thanks again !!!


  • Netgate Administrator

    For OpenVPN acceleration it doesn't really matter what you have set there. OpenSSL will use AES-NI if your CPU supports it. The only thing to watch out for is don't set AES-NI + BSD crypto. Doing that causes the AES-NI module to register all its capabilities in the BSD framework, which then takes all the crypto load for those ciphers, introducing a large unnecessary overhead. That can slow things down significantly.

    Steve


  • LAYER 8 Moderator

    @stephenw10 said in Hardware Crypto Accelerator OpenVPN:

    For OpenVPN acceleration it doesn't really matter what you have set there. OpenSSL will use AES-NI if your CPU supports it. The only thing to watch out for is don't set AES-NI + BSD crypto. Doing that causes the AES-NI module to register all its capabilities in the BSD framework, which then takes all the crypto load for those ciphers, introducing a large unnecessary overhead. That can slow things down significantly.

    Steve

    Is that still the case? I can remember in 2.4 snapshots prior to release that one had tested various combinations of settings and that AES+Cryptodev in Adv. Settings and setting cryptodev in OVPN server actually gave the best performance? In 2.3 it was true, but still in 2.4+?


  • Netgate Administrator

    I believe it is. I tested it a few days ago. Though it was a local synthetic test.

