Is AES-NI supported by OpenVPN in pfSense?

OpenVPN
Log in to reply
  • R

    Is AES-NI supported by OpenVPN in pfSense?

    OpenVPN itself seems to support AES-NI in Linux, the question is, does it in pfSense 2.2?

    0
  • 2
    Banned

    …I don't see it here with 2.2 nano 32bit...

    aes.jpg

    0
  • V

    Yes, it is supported by pfSense if the hardware supports it.

    You can set this in System > Advanced settings > Miscellaneous > Cryptographic hardware and then at the OpenVPN server configurations tab.

    0
  • L

    Is it called AES-NI in the OVPN Server page?

    0
  • V

    As described in the docs https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported, AES-NI is used automatically by OpenSSL if it is available. So it is just to be selected in the advanced settings.

    The 32bit version does not support AES-NI. If you have an AMD Geode processor you can use the Geode LX encryption engine.

    0
  • T

    @viragomann:

    As described in the docs https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported, AES-NI is used automatically by OpenSSL if it is available. So it is just to be selected in the advanced settings.

    The 32bit version does not support AES-NI. If you have an AMD Geode processor you can use the Geode LX encryption engine.

    Bump…

    The doc seems to contradict itself in regards to whether or not anything needs to be set in the OpenVPN Client settings

    Practical Use

    OpenVPN
    To take advantage of acceleration in OpenVPN, choose a supported cipher such as aes-128-cbc on each end of a given tunnel, then select BSD Cryptodev Engine for Hardware Crypto.

    Similarly, if the system employs the VIA Padlock engine, choose an appropriate cipher and select VIA Padlock for Hardware Crypto.

    Nothing needs selected for OpenVPN to utilize AES-NI. The OpenSSL engine has its own code for handling AES-NI that works well without using the BSD Cryptodev Engine.

    The first line says we need to choose a supported Cipher and select BSD Crypt yet, the last line says that using the BSD Crypt is not necessary. So which is it?

    0
  • H

    aes-ni is supported but,currently, the advantage is minimal afaik.

    the problem is that openvpn 2.3.X doesn't support aes-gcm (https://community.openvpn.net/openvpn/ticket/301)
    once openvpn 2.4 gets released, this should be included and then we might be able to get the same speed increase like we have seen with IPSEC

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy