New hardware

Started by framura, January 24, 2016, 11:04:54 AM

Hi,

I would like to change my actual router, an Asus rtn16, with a DIY machine based on supermicro mb a1srm 2758 (atom CPU 8 core) with ssd, 8gb ram.

I need to use it as vpn gateway with my vpn provider: my wan speed is 100mbps.

With my Asus router I get only 10 Mbps as wan speed when I use openvpn (router CPU limit) but with supermicro mb (aes-ni, Intel quickassist) I need to know if with opnsense I will get full wan speed.

In a few words, is opnsense capable of using aes-ni with openvpn (or l2tp-ipsec)?

Thanks in advance

Alessandro


Hi Alessandro,

You should be able to do 100Mbps with that board, our preconfigured appliances (using an embedded/low power amd processor) do around 200Mbps.
(for example : https://www.applianceshop.eu/security-appliances/19-rack-appliances/opnsense-based/opnsense-a10-quad-core-rack.html)

Regards,

Ad

Note that only OpenSSL works with AES-NI with OpenVPN on top.

That means with LibreSSL I can't use AES-NI?

Alessandro

If I'm not mistaken it's the combination openvpn / libressl which can't use aesni, although I expect you will still do 100Mbps with libressl and your board.

Quote from: AdSchellevis on January 25, 2016, 09:29:06 AM
If I'm not mistaken it's the combination openvpn / libressl which can't use aesni, although I expect you will still do 100Mbps with libressl and your board.

Out of curiosity, why can't openvpn/libressl use aesni?

I think supermicro mb is capable of getting 100mbps with openvpn but with more CPU usage: so more heat, so more noise (I would like to get a silent router).

Will OPNsense continue to support OpenSSL?

Thanks

Alessandro

Hi Alessandro,

Maybe Franco knows what the issue is there, but OPNsense will certainly continue to support openssl (a standard install delivers openssl).

If you didn't buy your hardware yet, you might consider one of our desktop appliances, they are really silent and cool :)

Regards,

Ad

Hi Ad,

I haven't bought my hardware yet, so I will consider your appliance.

But I don't understand one thing: in opnsense's blog, I read

ports: both LibreSSL and OpenSSL now support AES-NI acceleration

for 15.7.17 release.

Alessandro

Hi Alessandro,

As far as I know, it's the combination openvpn and libressl.
The raw openssl/libressl performance statistics are probably very alike, but in FreeBSD not all hardware support is at the same level as for example in Linux.

You can however switch very easily between the two versions to test which one suits best in your case (after installation).

Regards,

Ad

Both OpenSSL and LibreSSL support AES-NI. Both are accelerated when being used directly.

OpenVPN, however, uses the OpenSSL engine framework to offload its encryption.

The OpenSSL engine supports FreeBSD's /dev/crypto device.

LibreSSL removed /dev/crypto support from their engine framework.

That is why OpenVPN requires OpenSSL for acceleration.
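
A way to check the point made in the last post on a given install, as an added example that is not part of the original thread: the function below reads `openssl engine -t -c` output and reports whether the cryptodev engine is present, usable and advertising AES. The two sample listings are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify the crypto library's engine listing
# (`openssl engine -t -c`) with respect to the /dev/crypto engine.

# Constructed sample listings (not captured from a real system).
# A build with the cryptodev engine:
SAMPLE_WITH_CRYPTODEV='(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]'
# A build whose engine framework has no cryptodev engine:
SAMPLE_WITHOUT_CRYPTODEV='(dynamic) Dynamic engine loading support
     [ unavailable ]'

# cryptodev_aes: reads an engine listing on stdin and prints one of
#   offload     - cryptodev engine is available and lists an AES cipher
#   no-aes      - cryptodev engine is available but lists no AES cipher
#   unavailable - cryptodev engine is listed but did not pass its self-test
#   absent      - no cryptodev engine in the listing
cryptodev_aes() {
    awk '
        # A line starting with "(" opens a new engine entry.
        /^\(/ { in_cd = ($1 == "(cryptodev)"); if (in_cd) seen = 1; next }
        # Capability and status lines belong to the current entry.
        in_cd && /AES-/              { aes = 1 }
        in_cd && /\[ available \]/   { ok = 1 }
        END {
            if (!seen)     print "absent"
            else if (!ok)  print "unavailable"
            else if (!aes) print "no-aes"
            else           print "offload"
        }'
}

# check_live: run the same classification against the installed library
# (assumes an `openssl` binary in PATH).
check_live() {
    openssl engine -t -c 2>/dev/null | cryptodev_aes
}

# Demonstration on the constructed samples.
printf 'with cryptodev:    %s\n' "$(printf '%s\n' "$SAMPLE_WITH_CRYPTODEV" | cryptodev_aes)"
printf 'without cryptodev: %s\n' "$(printf '%s\n' "$SAMPLE_WITHOUT_CRYPTODEV" | cryptodev_aes)"
```

Running `check_live` after switching between the OpenSSL and LibreSSL flavours shows which one exposes the engine to OpenVPN.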