OpenVPN: engine cryptodev?
-
Hi,
According to the page "Are cryptographic accelerators supported", you are supposed to put "engine cryptodev" in the advanced configuration section of your OpenVPN configuration if you want to take advantage of the AMD Geode LX Security Block on the Alix for doing AES-128-CBC crypto in hardware.
Is this "engine cryptodev" setting still required in pfSense 2 or is it sufficient just to check the "Use glxsb" checkbox on the System | Advanced | Miscellaneous page (in addition to choosing AES-128-CBC in the OpenVPN config)?
-
It seems like "engine cryptodev" is still required. With it enabled, I see "openvpn[4600]: Initializing OpenSSL support for engine 'cryptodev'" in the OpenVPN log upon startup of the OpenVPN server. Without "engine cryptodev", I do NOT see that log entry.
-
That checkbox only affects loading of the driver; to make OpenVPN use it, you have to specify it.
-
I added a ticket to remind us to add a checkbox on the OpenVPN config pages to add this to the config in future versions:
http://redmine.pfsense.org/issues/1120
Even if someone has crypto hardware, they may want to disable its use for testing/comparison. (People often install an older accelerator card in fast hardware only to find out it's actually slower than using the CPU directly.)
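
An added example, not written by anyone in this thread and not pfSense code: a shell check that combines the conditions discussed above (the "engine cryptodev" directive, the AES-128-CBC cipher, and the startup log line) to tell whether an OpenVPN instance is using the engine. The function names, file names and sample contents are constructed for illustration; only the directive, the cipher and the log string come from the thread.

```shell
#!/bin/sh
# Added example: decide whether an OpenVPN instance is really using the
# cryptodev engine, from its config file and its startup log.

# Print the argument of the last uncommented directive named $2 in file $1.
directive() {
    awk -v d="$2" '$1 == d { v = $2 } END { if (v != "") print v }' "$1"
}

# Succeed if the log holds the startup line quoted in the thread.
log_engine_initialized() {
    grep -F -q "Initializing OpenSSL support for engine 'cryptodev'" "$1"
}

# Classify config $1 and log $2 as one of:
#   software     - no "engine cryptodev" directive
#   wrong-cipher - engine set, but cipher is not AES-128-CBC
#   config-only  - directive and cipher set, log line absent
#   hardware     - directive, cipher and log line all present
audit_cryptodev() {
    if [ "$(directive "$1" engine)" != "cryptodev" ]; then
        echo software
    elif [ "$(directive "$1" cipher | tr '[:lower:]' '[:upper:]')" != "AES-128-CBC" ]; then
        echo wrong-cipher
    elif log_engine_initialized "$2"; then
        echo hardware
    else
        echo config-only
    fi
}

# Constructed sample input (not taken from a real system).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'dev tun' 'cipher AES-128-CBC' 'engine cryptodev' > "$SAMPLE_DIR/hw.conf"
printf '%s\n' 'dev tun' 'cipher AES-128-CBC' '# engine cryptodev' > "$SAMPLE_DIR/sw.conf"
printf '%s\n' 'dev tun' 'cipher BF-CBC' 'engine cryptodev' > "$SAMPLE_DIR/bf.conf"
printf '%s\n' "openvpn[4600]: Initializing OpenSSL support for engine 'cryptodev'" \
    > "$SAMPLE_DIR/started.log"
: > "$SAMPLE_DIR/empty.log"

for c in hw sw bf; do
    printf '%s.conf + started.log: %s\n' "$c" \
        "$(audit_cryptodev "$SAMPLE_DIR/$c.conf" "$SAMPLE_DIR/started.log")"
done
printf 'hw.conf + empty.log: %s\n' \
    "$(audit_cryptodev "$SAMPLE_DIR/hw.conf" "$SAMPLE_DIR/empty.log")"
```

A "config-only" result means the directive is set but the log never confirmed the engine, which is the case to investigate before trusting any hardware-versus-CPU comparison.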