OpenVPN accelerator on AlixBoard using PfSense
I have set up an open-source firewall/VPN terminator using an excellent AlixBoard 2D.13 and PfSense.
PfSense 2.0 has actually just been released; I'll upgrade as soon as possible, but this post refers to PfSense 1.2.3.
I think that an AlixBoard 2D.13 + PfSense setup is a really good way to have an open-source UTM box for small networks (SOHO): stable, cheap and open-source! In this post I will not explain how to set up PfSense on the AlixBoard (you can find lots of great HowTo's on Google) but how to improve your OpenVPN performance using the AlixBoard's embedded cryptographic accelerator.
This post is based on great articles available on the PfSense web site and on Gorlani.com.
1) Verify that the cryptographic accelerator is on board and detected by PfSense using the following command:
$ dmesg | grep AES
Tip: you can run the command from an SSH session or using Diagnostics > Command in the PfSense web interface.
The following information will be displayed:
glxsb0: <AMD Geode LX Security Block (AES-128-CBC, RNG)> mem 0xefff4000-0xefff7fff irq 9 at device 1.2 on pci0
2a) Test Alix SSL performance without the cryptographic accelerator:
alix:~# openssl speed -evp aes-128-cbc
To get the most accurate results, try to run this program
when this computer is idle.
Doing aes-128-cbc for 3s on 16 size blocks: 977706 aes-128-cbc's in 2.96s
Doing aes-128-cbc for 3s on 64 size blocks: 265799 aes-128-cbc's in 2.89s
Doing aes-128-cbc for 3s on 256 size blocks: 70799 aes-128-cbc's in 2.98s
Doing aes-128-cbc for 3s on 1024 size blocks: 17854 aes-128-cbc's in 2.98s
Doing aes-128-cbc for 3s on 8192 size blocks: 2242 aes-128-cbc's in 2.99s
OpenSSL 0.9.8e 23 Feb 2007
built on: Fri May 15 13:50:54 EDT 2009
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc       5291.37k     5885.35k     6076.70k     6130.61k     6141.80k
2b) Test Alix SSL performance using the cryptographic accelerator:
alix:~# openssl speed -evp aes-128-cbc -engine cryptodev
engine "cryptodev" set.
To get the most accurate results, try to run this program
when this computer is idle.
Doing aes-128-cbc for 3s on 16 size blocks: 110894 aes-128-cbc's in 0.10s
Doing aes-128-cbc for 3s on 64 size blocks: 107049 aes-128-cbc's in 0.11s
Doing aes-128-cbc for 3s on 256 size blocks: 92452 aes-128-cbc's in 0.11s
Doing aes-128-cbc for 3s on 1024 size blocks: 58844 aes-128-cbc's in 0.06s
Doing aes-128-cbc for 3s on 8192 size blocks: 12051 aes-128-cbc's in 0.00s
OpenSSL 0.9.8e 23 Feb 2007
built on: Fri May 15 13:50:54 EDT 2009
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      17739.14k    64203.92k   206499.31k   952502.43k 22441871.33k
As you can see, the biggest gains are on large blocks, but unfortunately OpenVPN encrypts packet-sized chunks rather than large buffers, so the improvement will not be dramatic. Note also that this openssl build measures CPU time ("timing function used: getrusage"): once the work is offloaded to glxsb the CPU time it sees collapses (0.00s for the 8192-byte run), so the largest figures in the second table are not real throughput.
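To make the caveat above checkable, here is an added example (not code from the post or from PfSense) that parses the "Doing ..." lines of openssl speed output, recomputes the throughput per block size, and flags runs whose measured time covers far less than the requested duration under CPU-time measurement, which is the signature of work that was offloaded where getrusage cannot see it. The two embedded inputs are the lines quoted in the post; the 50% threshold is an assumption of this example, as is the suggestion to rerun with "openssl speed -elapsed" (wall-clock timing) where your build supports that flag.

```python
import re

# Constructed from the two openssl speed runs quoted in the post: the first
# without the engine, the second with "-engine cryptodev".
SOFTWARE_RUN = """\
Doing aes-128-cbc for 3s on 16 size blocks: 977706 aes-128-cbc's in 2.96s
Doing aes-128-cbc for 3s on 64 size blocks: 265799 aes-128-cbc's in 2.89s
Doing aes-128-cbc for 3s on 256 size blocks: 70799 aes-128-cbc's in 2.98s
Doing aes-128-cbc for 3s on 1024 size blocks: 17854 aes-128-cbc's in 2.98s
Doing aes-128-cbc for 3s on 8192 size blocks: 2242 aes-128-cbc's in 2.99s
timing function used: getrusage
"""

CRYPTODEV_RUN = """\
Doing aes-128-cbc for 3s on 16 size blocks: 110894 aes-128-cbc's in 0.10s
Doing aes-128-cbc for 3s on 64 size blocks: 107049 aes-128-cbc's in 0.11s
Doing aes-128-cbc for 3s on 256 size blocks: 92452 aes-128-cbc's in 0.11s
Doing aes-128-cbc for 3s on 1024 size blocks: 58844 aes-128-cbc's in 0.06s
Doing aes-128-cbc for 3s on 8192 size blocks: 12051 aes-128-cbc's in 0.00s
timing function used: getrusage
"""

DOING_RE = re.compile(
    r"Doing (?P<algo>\S+) for (?P<target>\d+)s on (?P<size>\d+) size blocks: "
    r"(?P<count>\d+) \S+ in (?P<secs>[\d.]+)s"
)


def parse_speed_output(text):
    """One dict per 'Doing ...' line: algorithm, requested seconds, block size,
    number of operations and the seconds openssl says it measured."""
    rows = []
    for m in DOING_RE.finditer(text):
        rows.append({
            "algo": m.group("algo"),
            "target_s": int(m.group("target")),
            "size": int(m.group("size")),
            "count": int(m.group("count")),
            "secs": float(m.group("secs")),
        })
    return rows


def uses_cpu_time(text):
    """True when the build measured CPU time (getrusage) rather than wall-clock time."""
    return "timing function used: getrusage" in text


def throughput_kBps(row):
    """Bytes per second / 1000, like the summary table; None if the time is unusable."""
    if row["secs"] <= 0:
        return None
    return row["size"] * row["count"] / row["secs"] / 1000.0


def assess_run(text, min_fraction=0.5):
    """Per block size: recomputed throughput plus a 'reliable' flag.
    Under CPU-time measurement, a run that accounts for less than
    min_fraction of the requested duration did its work somewhere the
    timer does not see (the hardware engine), so the rate is not real."""
    cpu_time = uses_cpu_time(text)
    result = {}
    for row in parse_speed_output(text):
        covered = row["secs"] >= min_fraction * row["target_s"]
        result[row["size"]] = {
            "kBps": throughput_kBps(row),
            "reliable": covered or not cpu_time,
        }
    return result


def speedup(baseline_text, engine_text):
    """Engine/baseline ratio per block size; None where either run is unreliable."""
    base = assess_run(baseline_text)
    eng = assess_run(engine_text)
    ratios = {}
    for size in sorted(set(base) & set(eng)):
        b, e = base[size], eng[size]
        if b["reliable"] and e["reliable"] and b["kBps"]:
            ratios[size] = e["kBps"] / b["kBps"]
        else:
            ratios[size] = None
    return ratios


if __name__ == "__main__":
    for label, run in (("software", SOFTWARE_RUN), ("cryptodev", CRYPTODEV_RUN)):
        print(label)
        for size, info in assess_run(run).items():
            rate = "n/a" if info["kBps"] is None else "%.2fk" % info["kBps"]
            flag = "" if info["reliable"] else "   <- CPU time only, not throughput"
            print("  %5d bytes: %12s%s" % (size, rate, flag))
```

Run as-is, the script marks every cryptodev row as unreliable and refuses to compute a speedup, which is the honest reading of the second table; a fair comparison needs both runs timed by the wall clock.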
3) Configure PfSense to use the cryptographic accelerator:
Using the PfSense web interface, go to VPN > OpenVPN and edit your current OpenVPN configuration.
As shown by the dmesg output, this hardware supports only AES-128-CBC encryption, so we need to select the same cipher in our VPN configuration.
Now we can enable the cryptographic accelerator in the OpenVPN server configuration:
Save your settings and restart the OpenVPN service.
4) Verify on your OpenVPN clients that the configuration file uses the same cipher as your AlixBoard: AES-128-CBC.
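Step 4 is where setups quietly break: a client file without a cipher line does not fail, it just negotiates OpenVPN 2.x's default BF-CBC, which glxsb cannot offload. The following added example (not code from the post or from PfSense) parses small OpenVPN config files and reports a client whose effective cipher differs from the server's, and a server that either lacks the engine directive or picks a cipher the hardware does not support. The server and client files are constructed for the example; in particular, "engine cryptodev" is OpenVPN's own engine directive, but whether PfSense 1.2.3 writes exactly that line is an assumption here.

```python
import re

# Constructed example configs (not from the post or from PfSense): a server
# file as it might be written for this setup, and two client files, one that
# matches and one that silently falls back to OpenVPN's default cipher.
SERVER_CONF = """\
dev tun
proto udp
port 1194
cipher AES-128-CBC
engine cryptodev
keepalive 10 60
"""

CLIENT_OK = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher AES-128-CBC
"""

CLIENT_MISSING_CIPHER = """\
client
dev tun
proto udp
remote vpn.example.net 1194
# cipher AES-128-CBC   (commented out: OpenVPN 2.x then defaults to BF-CBC)
"""

# Ciphers the Geode LX security block offloads, as reported by dmesg on the Alix.
GLXSB_CIPHERS = {"AES-128-CBC"}
# OpenVPN 2.x default when no 'cipher' directive is present.
OPENVPN_DEFAULT_CIPHER = "BF-CBC"


def parse_ovpn(text):
    """Map each directive to its argument list. '#' and ';' start comments
    (this toy parser strips trailing ones too); a repeated directive keeps
    its last occurrence, which is enough for the checks below."""
    directives = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives


def effective_cipher(cfg):
    """The cipher OpenVPN will actually use: the explicit 'cipher' or the default."""
    args = cfg.get("cipher")
    return args[0].upper() if args else OPENVPN_DEFAULT_CIPHER


def check_server(server_text):
    """Findings for the server: engine enabled and a cipher the hardware can do."""
    cfg = parse_ovpn(server_text)
    findings = []
    if cfg.get("engine") != ["cryptodev"]:
        findings.append("server: 'engine cryptodev' not set, glxsb will not be used")
    cipher = effective_cipher(cfg)
    if cipher not in GLXSB_CIPHERS:
        findings.append("server: cipher %s is not offloaded by glxsb (only %s)"
                        % (cipher, ", ".join(sorted(GLXSB_CIPHERS))))
    return findings


def check_client(server_text, client_text):
    """Findings for one client file: its effective cipher must equal the server's."""
    want = effective_cipher(parse_ovpn(server_text))
    got = effective_cipher(parse_ovpn(client_text))
    if got != want:
        return ["client: effective cipher %s does not match server cipher %s" % (got, want)]
    return []


if __name__ == "__main__":
    for finding in check_server(SERVER_CONF):
        print(finding)
    for name, client in (("client-ok", CLIENT_OK), ("client-missing", CLIENT_MISSING_CIPHER)):
        problems = check_client(SERVER_CONF, client)
        print("%s: %s" % (name, "; ".join(problems) if problems else "cipher matches"))
```

The point of reporting the effective cipher rather than the literal line is that an absent directive is the common failure, not a wrong one; run the same check against every client file you hand out.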
That’s All ! You are ready to use your new improved OpenVPN 🙂
If you need much more throughput on your AlixBoard and your Mini-PCI slot is free, you can evaluate the Soekris VPN1411 crypto accelerator to get up to 34 Mbps !!!!
you posted the same speed test…
Post Updated !!!
Thank you for your comment.
🙂
Thank you for your article.
I have 3 questions/issues
1 – When I run "openssl speed -evp aes-128-cbc" with and without the engine cryptodev I get basically the same results, which are effectively values like yours with cryptodev.
Without -engine cryptodev
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 8604.16k 80545.38k 131617.14k 457490.43k infk
With -engine cryptodev
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 20670.05k 57867.12k 289891.94k 1176764.42k 2296381.44k
2 – I have a Soekris VPN1411 installed, and disabled in pfSense. The results of dmesg | grep AES do not indicate the card. Is this the correct query? Is openssl speed -evp aes-128-cbc -engine cryptodev the correct query for this card?
dmesg | grep AES
glxsb0: mem 0xefff4000-0xefff7fff irq 9 at device 1.2 on pci0
Am I missing something? Is the card working?
3 – If the 8192 is not the data size used by VPN, what is?