Netgate Discussion Forum

    Is AES-NI supported by OpenVPN in pfSense?

      robi

      Is AES-NI supported by OpenVPN in pfSense?

      OpenVPN itself seems to support AES-NI in Linux, the question is, does it in pfSense 2.2?

        2chemlud Banned

        …I don't see it here with 2.2 nano 32bit...

        aes.jpg

          viragomann

          Yes, it is supported by pfSense if the hardware supports it.

          You can set this in System > Advanced settings > Miscellaneous > Cryptographic hardware and then at the OpenVPN server configurations tab.

            lewi3069

            Is it called AES-NI in the OVPN Server page?

              viragomann

              As described in the docs https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported, AES-NI is used automatically by OpenSSL if it is available. So it is just to be selected in the advanced settings.

              The 32bit version does not support AES-NI. If you have an AMD Geode processor you can use the Geode LX encryption engine.

                TDJ211

                @viragomann:

                As described in the docs https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported, AES-NI is used automatically by OpenSSL if it is available. So it is just to be selected in the advanced settings.

                The 32bit version does not support AES-NI. If you have an AMD Geode processor you can use the Geode LX encryption engine.

                Bump…

                The doc seems to contradict itself in regards to whether or not anything needs to be set in the OpenVPN Client settings.

                Practical Use

                OpenVPN
                To take advantage of acceleration in OpenVPN, choose a supported cipher such as aes-128-cbc on each end of a given tunnel, then select BSD Cryptodev Engine for Hardware Crypto.

                Similarly, if the system employs the VIA Padlock engine, choose an appropriate cipher and select VIA Padlock for Hardware Crypto.

                Nothing needs selected for OpenVPN to utilize AES-NI. The OpenSSL engine has its own code for handling AES-NI that works well without using the BSD Cryptodev Engine.

                The first line says we need to choose a supported cipher and select BSD Crypt, yet the last line says that using the BSD Crypt is not necessary. So which is it?

                  heper

                  aes-ni is supported but, currently, the advantage is minimal afaik.

                  the problem is that openvpn 2.3.X doesn't support aes-gcm (https://community.openvpn.net/openvpn/ticket/301).
                  once openvpn 2.4 gets released, this should be included and then we might be able to get the same speed increase like we have seen with IPSEC.

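The thread's two technical claims, that the CPU must offer AES-NI and that OpenSSL then uses it without any engine being selected, can be checked from a shell on the firewall. The script below is an added example, not code from any poster or from the pfSense docs; it assumes the FreeBSD boot log at `/var/run/dmesg.boot`, uses OpenSSL's documented `OPENSSL_ia32cap` mask to switch AES-NI off for comparison, and its sample boot-log text is constructed.

```shell
#!/bin/sh
# Added example: check a pfSense/FreeBSD box for AES-NI and measure what it buys OpenSSL.

# Constructed sample of the CPU section of a FreeBSD boot log (not from the thread).
# Argument "aesni" yields a CPU that advertises AES-NI; anything else one that does not.
sample_boot_log() {
    if [ "$1" = "aesni" ]; then
        feat2='SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,RDRAND'
    else
        feat2='SSE3,SSSE3,CX16'
    fi
    cat <<EOF
CPU: Example CPU (constructed sample)
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,SSE,SSE2>
  Features2=0x0<$feat2>
EOF
}

# cpu_has_aesni FILE: exit 0 if the Features2 line of the boot log lists AESNI.
# Matching the delimited token avoids hits on unrelated lines such as "aesni0: ...".
cpu_has_aesni() {
    grep -E '^[[:space:]]*Features2=' "$1" | grep -Eq '[<,]AESNI[,>]'
}

# bench_aes [CIPHER]: run OpenSSL's EVP benchmark twice, once as detected and once
# with the AES-NI and PCLMULQDQ capability bits masked off via OPENSSL_ia32cap.
bench_aes() {
    cipher="${1:-aes-128-cbc}"
    echo "== $cipher, CPU capabilities as detected =="
    openssl speed -evp "$cipher"
    echo "== $cipher, AES-NI masked off =="
    OPENSSL_ia32cap="~0x200000200000000" openssl speed -evp "$cipher"
}

# Only touch the real system when asked to: sh aesni_check.sh run
if [ "${1:-}" = "run" ]; then
    if cpu_has_aesni /var/run/dmesg.boot; then
        echo "CPU advertises AES-NI"
        bench_aes aes-128-cbc
    else
        echo "CPU does not advertise AES-NI; OpenSSL will use its software AES"
    fi
fi
```

If the two benchmark runs report similar throughput on a CPU that advertises AES-NI, the OpenSSL build in use is not taking the accelerated path.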
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.