OPNsense Forum

English Forums => Hardware and Performance => Topic started by: TrustedComputer on May 01, 2019, 07:51:34 pm

Title: OpenVPN: No Hardware Crypto Acceleration
Post by: TrustedComputer on May 01, 2019, 07:51:34 pm

Deciso DEC600 A10 Dual Core
OPNsense 19.1.4-amd64
FreeBSD 11.2-RELEASE-p9-HBSD
OpenSSL 1.0.2r 26 Feb 2019

Scratching my head on this one. What are the proper combination of settings to enable hardware assisted crypto in OpenVPN?

Is this help still valid under Miscellaneous: Settings: Cryptography settings: Hardware acceleration (Current setting: AES-NI CPU-based Acceleration (aesni))

"... OpenVPN should be set for AES-128-CBC and have cryptodev enabled for hardware acceleration."

VPN: OpenVPN: Servers: Hardware Crypto shows "No Hardware Crypto Acceleration" and no other options can be selected for that field.

From the hardware documentation:

"Hardware acceleration:    SoC has integrated AESNI instructionset including support for GCM"
"Hardware Assisted Encryption: 600Mbps IPsec (AES256GCM16)"

Title: Re: OpenVPN: No Hardware Crypto Acceleration
Post by: franco on May 02, 2019, 06:53:40 am

That's true for non-AESNI. However, AESNI is built into OpenSSL / LibreSSL so you don't have to set cryptodev because cryptodev is not for AESNI devices. Leaving it blank and using an AESNI-supported cipher is all that is required to automatically gain hardware acceleration.


Cheers,
Franco