OPNsense Forum

English Forums => General Discussion => Topic started by: framura on January 24, 2016, 11:04:54 am

Title: New hardware
Post by: framura on January 24, 2016, 11:04:54 am
Hi,

I would like to change my actual router, an asus rtn16, with a diy machine based on supermicro mb a1srm 2758 (atom cpu 8 core) with ssd, 8gb ram.

I need to use it as vpn gateway with my vpn provider: my wan speed is 100mbps.

With my asus router I get only 10 Mbps as wan speed when I use openvpn (router cpu limit) but with supermicro mb (aes-ni, Intel quickassist) I need to know if with opnsense I will get full wan speed.

In a few words, is opnsense capable of using aes-ni with openvpn (or l2tp-ipsec)?

Thanks in advance

Alessandro

Title: Re: New hardware
Post by: AdSchellevis on January 24, 2016, 11:38:21 am
Hi Alessandro,

You should be able to do 100Mbps with that board, our preconfigured appliances (using an embedded/low power amd processor) do around 200Mbps.
(for example: https://www.applianceshop.eu/security-appliances/19-rack-appliances/opnsense-based/opnsense-a10-quad-core-rack.html)

Regards,

Ad
Title: Re: New hardware
Post by: franco on January 24, 2016, 12:12:45 pm
Note that only OpenSSL works with AES-NI with OpenVPN on top.
Title: Re: New hardware
Post by: framura on January 25, 2016, 09:21:57 am
That means with LibreSSL I can't use AES-NI?

Alessandro
Title: Re: New hardware
Post by: AdSchellevis on January 25, 2016, 09:29:06 am
If I'm not mistaken it's the combination openvpn / libressl which can't use aesni, although I expect you will still do 100Mbps with libressl and your board.
Title: Re: New hardware
Post by: framura on January 25, 2016, 09:35:47 am
> If I'm not mistaken it's the combination openvpn / libressl which can't use aesni, although I expect you will still do 100Mbps with libressl and your board.

Out of curiosity, why can't openvpn/libressl use aesni?

I think supermicro mb is capable of getting 100mbps with openvpn but with more CPU usage: so more heat, so more noise (I would like to get a silent router).

Will OPNsense continue to support OpenSSL?

Thanks

Alessandro
Title: Re: New hardware
Post by: AdSchellevis on January 25, 2016, 09:40:58 am
Hi Alessandro,

Maybe Franco knows what the issue is there, but OPNsense will certainly continue to support openssl (a standard install delivers openssl).

If you didn't buy your hardware yet, you might consider one of our desktop appliances, they are really silent and cool :)

Regards,

Ad
Title: Re: New hardware
Post by: framura on January 25, 2016, 09:49:20 am
Hi Ad,

I haven't bought my hardware yet, so I will consider your appliance.

But I don't understand one thing: in opnsense's blog, I read

ports: both LibreSSL and OpenSSL now support AES-NI acceleration

for 15.7.17 release.

Alessandro
Title: Re: New hardware
Post by: AdSchellevis on January 25, 2016, 09:54:33 am
Hi Alessandro,

As far as I know, it's the combination openvpn and libressl.
The raw openssl/libressl performance statistics are probably very alike, but in FreeBSD not all hardware support is at the same level as for example in Linux.

You can however switch very easily between the two versions to test which one suits best in your case (after installation).

Regards,

Ad
Title: Re: New hardware
Post by: franco on January 25, 2016, 02:06:05 pm
Both OpenSSL and LibreSSL support AES-NI. Both are accelerated when being used directly.

OpenVPN, however, uses the OpenSSL engine framework to offload its encryption.

The OpenSSL engine supports FreeBSD's /dev/crypto device.

LibreSSL removed /dev/crypto support from their engine framework.

That is why OpenVPN requires OpenSSL for acceleration.
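
The two conditions in franco's post (which library OpenVPN is linked against, and whether that library's engine framework offers cryptodev) can be checked from command output. The script below is an added example, not part of the thread or of OPNsense's tooling; the function names are hypothetical and the sample texts are constructed, assuming the usual layout of `openvpn --version` and `openssl engine -t` output.

```shell
#!/bin/sh
# Added example. All SAMPLE_* texts are constructed for illustration.
SAMPLE_OVPN_OPENSSL='OpenVPN 2.3.10 amd64-portbld-freebsd10.2 [SSL (OpenSSL)] [LZO] [IPv6]
library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09'
SAMPLE_OVPN_LIBRESSL='OpenVPN 2.3.10 amd64-portbld-freebsd10.2 [SSL (OpenSSL)] [LZO] [IPv6]
library versions: LibreSSL 2.2.5, LZO 2.09'
SAMPLE_ENGINES='(cryptodev) BSD cryptodev engine
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]'

# $1 = text of `openvpn --version`. Only the "library versions:" line is
# inspected, because the banner tag is the same in both constructed samples.
ssl_backend() {
    line=$(printf '%s\n' "$1" | grep -i '^library versions:' || true)
    case "$line" in
        *LibreSSL*) echo libressl ;;
        *OpenSSL*)  echo openssl ;;
        *)          echo unknown ;;
    esac
}

# $1 = text of `openssl engine -t`. Succeeds only if the cryptodev entry is
# followed by "[ available ]" before the next engine entry starts.
has_cryptodev_engine() {
    printf '%s\n' "$1" | awk '
        /^\(cryptodev\)/ { seen = 1; next }
        /^\(/            { seen = 0 }
        seen && /\[ *available *\]/ { ok = 1 }
        END { exit !ok }'
}

# $1 = `openvpn --version` text, $2 = `openssl engine -t` text.
offload_verdict() {
    backend=$(ssl_backend "$1")
    if [ "$backend" = libressl ]; then
        echo "libressl: no cryptodev engine path"   # per the post above
    elif [ "$backend" = openssl ] && has_cryptodev_engine "$2"; then
        echo "openssl: cryptodev engine available"
    else
        echo "$backend: cryptodev engine not available"
    fi
}

# Live use on a box (not run here):
#   offload_verdict "$(openvpn --version)" "$(openssl engine -t 2>&1)"
```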