Is AES-NI supported by OpenVPN in pfSense?


  • Is AES-NI supported by OpenVPN in pfSense?

    OpenVPN itself seems to support AES-NI on Linux; the question is, does it in pfSense 2.2?

  •

    I don't see it here with 2.2 nano 32-bit...

    [attached screenshot: aes.jpg]


  • Yes, it is supported by pfSense if the hardware supports it.

    You can set this in System > Advanced settings > Miscellaneous > Cryptographic hardware and then at the OpenVPN server configurations tab.


  • Is it called AES-NI in the OVPN Server page?


  • As described in the docs https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported, AES-NI is used automatically by OpenSSL if it is available. So it is just to be selected in the advanced settings.

    The 32bit version does not support AES-NI. If you have an AMD Geode processor you can use the Geode LX encryption engine.


  • @viragomann:

    As described in the docs https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported, AES-NI is used automatically by OpenSSL if it is available. So it is just to be selected in the advanced settings.

    The 32bit version does not support AES-NI. If you have an AMD Geode processor you can use the Geode LX encryption engine.

    Bump…

    The doc seems to contradict itself in regards to whether or not anything needs to be set in the OpenVPN client settings.

    Practical Use

    OpenVPN
    To take advantage of acceleration in OpenVPN, choose a supported cipher such as aes-128-cbc on each end of a given tunnel, then select BSD Cryptodev Engine for Hardware Crypto.

    Similarly, if the system employs the VIA Padlock engine, choose an appropriate cipher and select VIA Padlock for Hardware Crypto.

    Nothing needs to be selected for OpenVPN to utilize AES-NI. The OpenSSL engine has its own code for handling AES-NI that works well without using the BSD Cryptodev Engine.

    The first line says we need to choose a supported cipher and select BSD Crypt, yet the last line says that using BSD Crypt is not necessary. So which is it?
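    One way to settle the question on a given box is to measure it rather than read the docs: AES-NI is picked up by OpenSSL itself, so the same `openssl speed` run with the CPUID bits for AES-NI (and PCLMULQDQ) masked via `OPENSSL_ia32cap` should be several times slower if the instructions were in use. The script below is an added example, not code from the pfSense project, the OpenVPN project or any poster in this thread. It assumes `openssl` is on PATH and accepts `speed -evp`, that `/proc/cpuinfo` (Linux) or `/var/run/dmesg.boot` (FreeBSD/pfSense) is readable for the feature check, and that the mask value `~0x200000200000000` is the one OpenSSL documents for disabling AES-NI and PCLMULQDQ. The sample `openssl speed` output in the comments is constructed.

```shell
#!/bin/sh
# Added example: does this host advertise AES-NI, and is OpenSSL actually using it?
# Assumptions: openssl supports "speed -evp -seconds -bytes"; the OPENSSL_ia32cap
# mask below (bits 33 and 57) clears PCLMULQDQ and AES-NI as OpenSSL documents.

AESNI_MASK='~0x200000200000000'

# Return 0 when a CPU-feature text lists AES-NI: the "aes" flag in a Linux
# /proc/cpuinfo "flags" line, or "AESNI" in a FreeBSD dmesg "Features2=" line.
flags_mention_aesni() {
    printf '%s\n' "$1" | grep -Eq '(^|[ ,<])(aes|AESNI)([ ,>]|$)'
}

# Read the live CPU-feature text for this host (prints nothing if unavailable).
cpu_flags_text() {
    if [ -r /proc/cpuinfo ]; then
        grep -m1 '^flags' /proc/cpuinfo
    elif [ -r /var/run/dmesg.boot ]; then          # FreeBSD / pfSense boot log
        grep -m1 'Features2=' /var/run/dmesg.boot
    fi
}

# Extract the throughput (kB/s, last column = largest buffer) for one cipher from
# captured "openssl speed" output, e.g. the constructed line
#   aes-128-cbc     612345.67k
# Prints 0 when no line for that cipher is present (openssl failed or is too old).
parse_speed_kbytes() {
    printf '%s\n' "$2" | awk -v c="$1" '
        $1 == c { v = $NF; sub(/k$/, "", v); found = 1 }
        END { if (found) print v; else print 0 }'
}

# Return 0 when the unmasked rate is at least 1.5x the masked one, the signature of
# AES-NI being used (software AES is typically 3-6x slower than the instructions).
rate_suggests_aesni() {
    awk -v a="$1" -v b="$2" 'BEGIN { exit !(a + 0 > 1.5 * (b + 0)) }'
}

# Benchmark one cipher with AES-NI available and with it masked; prints "on off".
aesni_benchmark() {
    cipher=${1:-aes-128-cbc}
    on=$(openssl speed -evp "$cipher" -seconds 1 -bytes 16384 2>/dev/null)
    off=$(OPENSSL_ia32cap="$AESNI_MASK" openssl speed -evp "$cipher" -seconds 1 -bytes 16384 2>/dev/null)
    printf '%s %s\n' "$(parse_speed_kbytes "$cipher" "$on")" "$(parse_speed_kbytes "$cipher" "$off")"
}

main() {
    if flags_mention_aesni "$(cpu_flags_text)"; then
        echo "CPU advertises AES-NI"
    else
        echo "CPU does not advertise AES-NI (or no feature text readable)"
    fi
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; skipping throughput comparison"
        return 0
    fi
    set -- $(aesni_benchmark aes-128-cbc)    # word-split into on/off rates
    echo "aes-128-cbc: ${1}k/s with AES-NI, ${2}k/s with AES-NI masked"
    if rate_suggests_aesni "$1" "$2"; then
        echo "OpenSSL is using AES-NI (no engine selection needed)"
    else
        echo "No AES-NI speedup observed (unsupported CPU, masked, or 32-bit build)"
    fi
}

main
```

    If the two rates come out nearly equal, either the CPU lacks the instructions or the OpenSSL build cannot use them (the thread's 32-bit nanobsd case), and selecting BSD Cryptodev in the OpenVPN page will not change that.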


  • AES-NI is supported but, currently, the advantage is minimal, AFAIK.

    The problem is that OpenVPN 2.3.x doesn't support AES-GCM (https://community.openvpn.net/openvpn/ticket/301).
    Once OpenVPN 2.4 gets released, this should be included, and then we might be able to get the same speed increase as we have seen with IPsec.