VPN and AES CPUs



  • I have a question regarding AES hardware decoding. How important is it to have a CPU that supports hardware AES decoding if you are running OpenVPN? What speed limitations would there be running pfSense on OpenVPN with a modern processor (e.g. Celeron 1037U)?

    I am trying to decide what type of hardware to get for my first pfsense router build.

    Thanks



  • It all depends on the VPN speeds, number of users, and internet speed.

    Even without AES-NI, most modern CPUs can saturate a 100 Mb/s VPN. The Celeron J1900 lacks AES-NI, but can push 267 megabytes per second in TrueCrypt (1 Gb/s = 125 megabytes per second). AES-NI either allows for faster connections or for CPU cycles to be used for something else.

    The previous Celeron 1037U, I am not sure about.

    For most internet lines, VPNs, etc., almost anything is fine. Just use Intel LAN cards if possible.



  • @messerchmidt:

    The Celeron J1900 lacks AES-NI, but can push 267 megabytes per second in TrueCrypt (1 Gb/s = 125 megabytes per second).

    Really? Is a Celeron 1900 able to do 2Gbit OpenVPN? Any tests with plain old AES-256-CBC?



  • Hello folks,

    I have a question regarding AES hardware decoding.

    Regarding VPN throughput, I think it does not really have to be done in hardware
    directly, but then the CPU(s) should be really powerful. So it is not a "must"
    to have this done in hardware, but it will certainly mostly gain a higher throughput.

    How important is it to have a CPU that supports hardware AES decoding if you are running OpenVPN?

    This depends on many other things and circumstances. It may sound
    a little bit crazy to many people, but if you install a crypto or VPN accelerator card that
    does the job and offloads this crypto work from the CPU, it can be that this speeds
    up the entire pfSense system and not only the VPN connection.

    Well-known cards of the class supported by pfSense would be the following:

    • Soekris vpn1411 and vpn1401
    • Cavium CVB200 and CVB400, Nitrox CN501

    Those cards, if supported by drivers, would mostly speed up the VPN crypto tasks.

    What speed limitations would there be running pfSense on OpenVPN with a modern
    processor (e.g. Celeron 1037U)?

    This depends more on the power of the hardware used and not only on the CPU.
    As @messerschmidt was saying, a really powerful CPU without crypto support is even
    able to deliver more VPN throughput than a less powerful CPU with crypto support.

    I am trying to decide what type of hardware to get for my first pfsense router build.

    What do you expect or imagine from the new hardware?
    What is the budget?
    How fast is your Internet connection?
    For how many users must this run smoothly?
    Is VPN a main point in this setup or "the" main point?
    Is there anything else you want to run on the side, tasks and
    services like Squid + SquidGuard, ClamAV, Snort, syslog, …?

    • Alix APU if VPN is not the goal
    • Soekris net6801 if you have time until Q4-2015
    • Netgate Appliance if money is not the problem
    • Lanner if hardware quality is a must; it costs but it runs


  • @BlueKobold:

    Well-known cards of the class supported by pfSense would be the following:

    • Cavium CVB200 and CVB400, Nitrox CN501

    Last I heard, Cavium/Nitrox cards were useless in pfSense. Closed-source drivers were available, but they did not interact with the crypto subsystem.



  • What do you expect or imagine from the new hardware?
    What is the budget?
    How fast is your Internet connection?
    For how many users must this run smoothly?
    Is VPN a main point in this setup or "the" main point?
    Is there anything else you want to run on the side, tasks and
    services like Squid + SquidGuard, ClamAV, Snort, syslog, …?

    • Alix APU if VPN is not the goal
    • Soekris net6801 if you have time until Q4-2015
    • Netgate Appliance if money is not the problem
    • Lanner if hardware quality is a must; it costs but it runs

    Thanks for the reply.
    So the goal here is my home router with a VPN, as I currently use VPN with a Windows client on each machine but would like to extend the VPN to all my various set-top boxes and Wi-Fi devices, and we all know current routers suck at VPN implementation. My connection could be up to 120Mbps. The only users will be myself and my wife. We do stream Netflix and whatnot quite a bit.

    I would like to try and keep costs below $300.

    So basically I'm trying to determine if the mini PCs that use the Celeron 1037U or even the J1900 will be sufficient for running our household with VPN at speeds up to 120Mbps.



  • @robi:

    @messerchmidt:

    The Celeron J1900 lacks AES-NI, but can push 267 megabytes per second in TrueCrypt (1 Gb/s = 125 megabytes per second).

    Really? Is a Celeron 1900 able to do 2Gbit OpenVPN? Any tests with plain old AES-256-CBC?

    For most users, the Celeron J without AES-NI is more than sufficient.



  • @YoMan:

    I have a question regarding AES hardware decoding. How important is it to have a CPU that supports hardware AES decoding if you are running OpenVPN? What speed limitations would there be running pfSense on OpenVPN with a modern processor (e.g. Celeron 1037U)?

    I am trying to decide what type of hardware to get for my first pfsense router build.

    Thanks

    Today:  not really.

    But when OpenVPN 2.4 ships (and we get it in pfSense), then AEAD (basically: aes-gcm) will be supported in OpenVPN, and you're really going to want a CPU that can do AES-NI (or the ARM analog, or better: QuickAssist) at that point.

    The other issue is that tun/tap are a terrible performance bottleneck, but we're working on that, too.
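
The thread compares raw AES throughput in megabytes per second with line rates in megabits per second. The following added example, which is not part of any post above, converts `openssl speed -evp` output to Mbit/s and checks it against the 120 Mbit/s line mentioned in the thread. The sample output is constructed and reuses the 267 MB/s figure only to show the unit conversion; `cipher_mbit`, `enough_for` and `sample_output` are names made up for this example.

```shell
#!/bin/sh
# Added example. Real use on the firewall would be:
#   openssl speed -evp aes-256-cbc 2>/dev/null | cipher_mbit
# and, to see the same CPU with AES-NI and PCLMULQDQ masked off in OpenSSL:
#   OPENSSL_ia32cap="~0x200000200000000" openssl speed -evp aes-256-cbc 2>/dev/null | cipher_mbit

# cipher_mbit: read `openssl speed -evp` output on stdin, print "<cipher> <Mbit/s>".
# Uses the 1024-byte column, the block size closest to a ~1400-byte VPN packet.
cipher_mbit() {
    awk '
        $1 == "type" {                 # header: type 16 bytes 64 bytes 256 bytes ...
            for (f = 2; f <= NF; f++) if ($f == "1024") col = f / 2 + 1
            next
        }
        col && $col ~ /k$/ {           # data row: values are 1000s of bytes per second
            kb = $col; sub(/k$/, "", kb)
            printf "%s %.0f\n", $1, kb * 1000 * 8 / 1000000
        }'
}

# enough_for: succeed if the measured Mbit/s ($1) covers the line rate in Mbit/s ($2).
enough_for() {
    [ "$1" -ge "$2" ]
}

# Constructed sample in the layout openssl prints; not a measurement of any CPU.
sample_output() {
cat <<'EOF'
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc     180000.00k   230000.00k   255000.00k   267000.00k   270000.00k   270000.00k
EOF
}

result=$(sample_output | cipher_mbit)
mbit=${result#* }
if enough_for "$mbit" 120; then
    echo "$result Mbit/s raw cipher rate: above a 120 Mbit/s line"
else
    echo "$result Mbit/s raw cipher rate: below a 120 Mbit/s line"
fi
```

The raw cipher rate is an upper bound only: OpenVPN also pays for packet authentication and for the tun/tap path mentioned in the last post, so real tunnel throughput will be lower.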

