
Author Topic: New hardware  (Read 7683 times)

framura

New hardware
« on: January 24, 2016, 11:04:54 am »
Hi,

I would like to replace my current router, an Asus RT-N16, with a DIY machine based on a Supermicro MB A1SRM 2758 (Atom CPU, 8 cores) with SSD and 8 GB RAM.

I need to use it as a VPN gateway with my VPN provider: my WAN speed is 100 Mbps.

With my Asus router I get only 10 Mbps WAN speed when I use OpenVPN (router CPU limit), but with the Supermicro MB (AES-NI, Intel QuickAssist) I need to know if I will get full WAN speed with OPNsense.

In a few words, is OPNsense capable of using AES-NI with OpenVPN (or l2tp-ipsec)?

Thanks in advance

Alessandro


AdSchellevis

Re: New hardware
« Reply #1 on: January 24, 2016, 11:38:21 am »
Hi Alessandro,

You should be able to do 100Mbps with that board; our preconfigured appliances (using an embedded/low-power AMD processor) do around 200Mbps.
(for example : https://www.applianceshop.eu/security-appliances/19-rack-appliances/opnsense-based/opnsense-a10-quad-core-rack.html)

Regards,

Ad

franco

Re: New hardware
« Reply #2 on: January 24, 2016, 12:12:45 pm »
Note that only OpenSSL works with AES-NI with OpenVPN on top.

framura

Re: New hardware
« Reply #3 on: January 25, 2016, 09:21:57 am »
Does that mean that with LibreSSL I can't use AES-NI?

Alessandro

AdSchellevis

Re: New hardware
« Reply #4 on: January 25, 2016, 09:29:06 am »
If I'm not mistaken it's the combination openvpn / libressl which can't use aesni, although I expect you will still do 100Mbps with libressl and your board.

framura

Re: New hardware
« Reply #5 on: January 25, 2016, 09:35:47 am »
Quote from: AdSchellevis on January 25, 2016, 09:29:06 am
If I'm not mistaken it's the combination openvpn / libressl which can't use aesni, although I expect you will still do 100Mbps with libressl and your board.

Out of curiosity, why can't openvpn/libressl use aesni?

I think the Supermicro MB is capable of getting 100 Mbps with OpenVPN, but with more CPU usage: so more heat, so more noise (I would like to get a silent router).

Will OPNsense continue to support OpenSSL?

Thanks

Alessandro

AdSchellevis

Re: New hardware
« Reply #6 on: January 25, 2016, 09:40:58 am »
Hi Alessandro,

Maybe Franco knows what the issue is there, but OPNsense will certainly continue to support openssl (a standard install delivers openssl).

If you didn't buy your hardware yet, you might consider one of our desktop appliances (they are really silent and cool) :)

Regards,

Ad

framura

Re: New hardware
« Reply #7 on: January 25, 2016, 09:49:20 am »
Hi Ad,

I haven't bought my hardware yet, so I will consider your appliance.

But I don't understand one thing: in opnsense's blog, I read

ports: both LibreSSL and OpenSSL now support AES-NI acceleration

for 15.7.17 release.

Alessandro

AdSchellevis

Re: New hardware
« Reply #8 on: January 25, 2016, 09:54:33 am »
Hi Alessandro,

As far as I know, it's the combination openvpn and libressl.
The raw openssl/libressl performance statistics are probably very alike, but in FreeBSD not all hardware support is at the same level as for example in linux.

You can however switch very easily between the two versions to test which one suits best in your case (after installation).

Regards,

Ad

franco

Re: New hardware
« Reply #9 on: January 25, 2016, 02:06:05 pm »
Both OpenSSL and LibreSSL support AES-NI. Both are accelerated when being used directly.

OpenVPN, however, uses the OpenSSL engine framework to offload its encryption.

The OpenSSL engine supports FreeBSD's /dev/crypto device.

LibreSSL removed /dev/crypto support from their engine framework.

That is why OpenVPN requires OpenSSL for acceleration.
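
Added example (not part of franco's post or of OPNsense itself): a check for the engine path described in Reply #9, classifying an `openssl engine -t -c` listing by whether the cryptodev (/dev/crypto) engine is present, passes its availability test and lists AES-CBC ciphers. The two sample listings are constructed on the assumption of the OpenSSL 1.0.x output layout, and the status names and the `RUN_LIVE` switch are hypothetical.

```shell
#!/bin/sh
# Added example: classify `openssl engine -t -c` output with respect to the
# cryptodev (/dev/crypto) engine that OpenVPN's engine offload relies on.

# Constructed sample listings (not captured from a real system).
SAMPLE_WITH_CRYPTODEV='(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]'

SAMPLE_WITHOUT_CRYPTODEV='(dynamic) Dynamic engine loading support
     [ unavailable ]'

# cryptodev_status: reads an engine listing on stdin and prints one of
#   usable       cryptodev engine available and an AES-CBC cipher is listed
#   no-aes       cryptodev engine available, but no AES-CBC capability listed
#   unavailable  cryptodev engine listed, but it failed the availability test
#   absent       no cryptodev engine in the listing at all
cryptodev_status() {
    awk '
        # A line starting with "(" opens a new engine entry.
        /^\(/ { in_cd = ($1 == "(cryptodev)"); if (in_cd) seen = 1; next }
        # Capability and availability lines belong to the current entry.
        in_cd && /AES-(128|192|256)-CBC/ { aes = 1 }
        in_cd && /\[ available \]/       { avail = 1 }
        END {
            if (!seen)       print "absent"
            else if (!avail) print "unavailable"
            else if (!aes)   print "no-aes"
            else             print "usable"
        }'
}

# Optional live check: RUN_LIVE=1 sh this-script.sh
if [ "${RUN_LIVE:-0}" = 1 ] && command -v openssl >/dev/null 2>&1; then
    openssl engine -t -c 2>/dev/null | cryptodev_status
fi
```

A result other than `usable` on the library OpenVPN is linked against means the /dev/crypto offload path from Reply #9 is not in play for the tunnel.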
