OpenVPN accelerator on AlixBoard using PfSense

I have setup an Open Source firewall/VPN terminator using an excellent AlixBoard 2D.13 and PfSense.

Actually PfSense release 2.0 has just been released, but I’ll upgrade as soon as possible and this post is related to PfSense 1.2.3

I think that AlixBoard 2D.13 + PfSense setup is a really good solution to have an OpenSource UTM box for small networks (SOHO): stable, cheap and open-source! In this post I will not explain how to setup PfSense on AlixBoard (you can find lots of great HowTo’s on Google) but how to improve your OpenVPN performance using the AlixBoard embedded cryptographic accelerator.

This post is based on great articles and site available on PfSense Web Site and Gorlani.com

1) Verify that cryptographic accelerator is onboard and detected by PfSense using the following command:

$ dmesg | grep AES

Tips: You can run the command from SSH session or using Diagnostics > Command in PfSense Web Interface.
The following information will be displayed:

glxsb0: <AMD Geode LX Security Block (AES-128-CBC, RNG)> mem 0xefff4000-0xefff7fff irq 9 at device 1.2 on pci0

2) Test Alix SSL performance without cryptographic accelerator:

alix:~#  openssl speed -evp aes-128-cbc
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-128-cbc for 3s on 16 size blocks: 977706 aes-128-cbc's in 2.96s
Doing aes-128-cbc for 3s on 64 size blocks: 265799 aes-128-cbc's in 2.89s
Doing aes-128-cbc for 3s on 256 size blocks: 70799 aes-128-cbc's in 2.98s
Doing aes-128-cbc for 3s on 1024 size blocks: 17854 aes-128-cbc's in 2.98s
Doing aes-128-cbc for 3s on 8192 size blocks: 2242 aes-128-cbc's in 2.99s
OpenSSL 0.9.8e 23 Feb 2007
built on: Fri May 15 13:50:54 EDT 2009
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      5291.37k     5885.35k     6076.70k     6130.61k     6141.80k

2) Test Alix SSL performance using cryptographic accelerator:

alix:~#  openssl speed -evp aes-128-cbc -engine cryptodev
engine "cryptodev" set.
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-128-cbc for 3s on 16 size blocks: 110894 aes-128-cbc's in 0.10s
Doing aes-128-cbc for 3s on 64 size blocks: 107049 aes-128-cbc's in 0.11s
Doing aes-128-cbc for 3s on 256 size blocks: 92452 aes-128-cbc's in 0.11s
Doing aes-128-cbc for 3s on 1024 size blocks: 58844 aes-128-cbc's in 0.06s
Doing aes-128-cbc for 3s on 8192 size blocks: 12051 aes-128-cbc's in 0.00s
OpenSSL 0.9.8e 23 Feb 2007
built on: Fri May 15 13:50:54 EDT 2009
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      17739.14k    64203.92k   206499.31k   952502.43k 22441871.33k

As you can see best performance are on large chunk, but unfortunately OpenVPN does not use large amount of data and the improvement will not be dramatic.

3) Configure PfSense to use the cryptographic accelerator:

Using PfSense WebInterface go to VPN > OpenVPN and edit your current OpenVPN configuration.
As shown by dmesg command, this hardware support only AES-128-CBC encryption so we need to match this configuration on our VPN configuration.

Now we can enable cryptographic accelerator in OpnVPN server configuration:

Save your settings and restart OpenVPN configuration.

4) Verifiy on your OpnVPN clients that configuration file match the same crypto you are using on your AlixBoard: AES-128-CBC

That’s All ! You are ready to use your new improved OpenVPN 🙂

If you need to have much more throughput on your AlixBoard and your Mini-PCI slot is free, you can evaluate Soekris VPN1411 crypto accelerator to have up to 34 Mbps !!!!