Netgate Discussion Forum

    Enabling AES instructions

      TomHBP

      I have an AES enabled processor (AMD Kabini A4-5000), but I'm struggling to get the AES crypto instructions working.

      I have gone to 'System > Advanced > Misc > Cryptographic Hardware accel' and tried both 'aesni' and 'glxsb' options, but during download tests I still see the same CPU usage % on the dashboard.
      (Does changing these settings require a reboot?)

      In 'VPN > OpenVPN > Client > (edit my client)', under 'Hardware Crypto' I have selected 'BSD cryptodev engine', as that seems to be the only option offering AES acceleration.

      Before anyone asks - yes I'm using AES encryption, specifically AES-128-CBC.

      Is there anything I'm missing or other settings to check to try and get this working? It's not HUGELY important, as I'm getting 100Mbps throughput, using <30% CPU utilisation, but I want to increase to AES-256 soon, so hardware crypto may become more vital.

      Many thanks,
      Tom.

        jimp Rebel Alliance Developer Netgate

        OpenVPN will attempt to use AES-NI on its own with nothing selected (and with the module unloaded). Though it does not see the most gain there.

        The algorithm that gains the most from AES-NI on pfSense at the moment is AES-GCM, but that is not supported by OpenVPN at this time, only IPsec.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          TomHBP

          Thanks jimp - that would seem to make sense considering the 30% util. of 1.5GHz core at 100Mbps.
          Do you have any idea if AES-GCM support is coming to OpenVPN? Is it something that the individual VPN providers would need to make available upon its release, or would it just 'work' once supported by OpenVPN?

          Many thanks,
          Tom.

            jimp Rebel Alliance Developer Netgate

            It's supposedly going to be in OpenVPN 2.4: https://community.openvpn.net/openvpn/ticket/301

            Once they add in support, it should just be a matter of configuring the tunnel to use it.

              Teddy

              And, additionally, is it enabled in your BIOS?
              On my server it was NOT enabled by default. ;)

              There must be a point like "Activate AES NI" or "Use AES NI"…

                TomHBP

                Teddy - Cheers, I will check the BIOS! If connected, I'm just going to assume it's working!

                Jimp - I have also had confirmation from my VPN provider that support will be added immediately post 2.4 release.

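Teddy's BIOS question and jimp's note that OpenVPN picks up AES-NI on its own can both be checked from a shell on the firewall. The script below is an added example, not part of the thread: it assumes a FreeBSD-based system whose boot log is at /var/run/dmesg.boot, the script name check_aesni.sh is hypothetical, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Sample log lines below are constructed.

# Exit 0 if boot log FILE lists AESNI among the CPUID Features2 flags.
# With AES-NI switched off in firmware the CPU does not report the flag.
cpu_has_aesni() {
    grep 'Features2=' "$1" 2>/dev/null | grep -Eq '[<,]AESNI[,>]'
}

# Print "present" or "absent" for FILE.
aesni_status() {
    if cpu_has_aesni "$1"; then echo present; else echo absent; fi
}

# Write two constructed boot-log excerpts into directory $1 for a dry run.
make_samples() {
    cat > "$1/on.boot" <<'EOF'
CPU: Example CPU (1500.00-MHz K8-class CPU)
  Features2=0x0<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX>
EOF
    cat > "$1/off.boot" <<'EOF'
CPU: Example CPU (1500.00-MHz K8-class CPU)
  Features2=0x0<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,XSAVE,AVX>
EOF
}

# Userland OpenSSL AES-128-CBC throughput with AES-NI visible, then masked.
# The OPENSSL_ia32cap value clears the AES-NI and PCLMULQDQ capability bits.
bench_aes_cbc() {
    echo "== AES-NI visible to OpenSSL =="
    openssl speed -evp aes-128-cbc 2>/dev/null | tail -n 1
    echo "== AES-NI masked =="
    OPENSSL_ia32cap="~0x200000200000000" \
        openssl speed -evp aes-128-cbc 2>/dev/null | tail -n 1
}

# Usage on the firewall: sh check_aesni.sh /var/run/dmesg.boot
if [ -n "${1:-}" ]; then
    echo "AESNI CPU flag: $(aesni_status "$1")"
    if command -v openssl >/dev/null 2>&1; then bench_aes_cbc; fi
fi
```

The benchmark measures OpenSSL in userland only; it says nothing about the kernel module selected under 'Cryptographic Hardware accel'.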
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.